Skip to main content

Debug mode

Description

When Debug mode is left turned on by developers, it allows attackers to gather precious information from excessive error reporting messages such as entire stack traces or tracebacks.

Remediation

Disabled Debug mode.

GraphQL Specific

Apollo

To address potential issues within the Apollo framework engine, ensure that the debug mode is used only during development phases to prevent exposing sensitive information in production. Regularly update the Apollo libraries to their latest versions to incorporate security patches and improvements. Additionally, review and follow the Apollo documentation for best practices on securing your GraphQL implementation.

Yoga

To address issues within the Yoga framework engine while in debug mode, ensure that you are running the latest version of the framework to benefit from recent fixes and improvements. Additionally, enable detailed logging to track down errors more efficiently. If a problem persists, consult the Yoga framework's documentation for specific debug options or reach out to the community forums for support. Remember to disable debug mode in production environments to prevent exposing sensitive information.

Awsappsync

To address issues within the AWS AppSync framework engine, ensure that debug mode is enabled only during development or troubleshooting to avoid exposing sensitive information in error messages or logs. Once the necessary information has been gathered, disable debug mode to maintain the security and performance of your production environment. Additionally, regularly review and monitor the logs to detect and respond to any anomalies or issues promptly.

Graphqlgo

To mitigate potential security risks in a GraphQL Go framework engine, ensure that the debug mode is disabled in production environments. Debug mode can expose sensitive information about the backend structure and errors that can be exploited by attackers. Always review the configuration files and environment variables to confirm that debug mode is turned off before deploying the application. Additionally, consider implementing logging mechanisms that capture necessary information for debugging without exposing it through the API responses.

Graphqlruby

In the GraphQL Ruby framework, ensure that the debug mode is disabled in production environments to prevent the exposure of sensitive information. This can be achieved by configuring the debug option to false within the GraphQL schema definition or by conditionally enabling debug mode based on the environment. Additionally, regularly review the codebase for accidental commits that may enable debug mode and establish a secure deployment process that verifies the configuration before release.

Hasura

To address potential security risks in the Hasura framework engine, ensure that the 'debug mode' is disabled in production environments. Debug mode can leak sensitive information in error messages or logs, which could be exploited by attackers. You can disable debug mode by setting the 'HASURA_GRAPHQL_DEV_MODE' environment variable to 'false'. Additionally, always review and sanitize error messages to prevent the exposure of any sensitive data.

REST Specific

Asp_net

Ensure that the customErrors mode is set to 'RemoteOnly' or 'On' in the web.config file to prevent detailed error information from being sent to the client. Additionally, disable the 'trace' attribute in the system.web section to avoid exposing application behavior details to users.

Ruby_on_rails

In Ruby on Rails, ensure that the 'config.consider_all_requests_local' setting is set to 'false' in the 'config/environments/production.rb' file to prevent detailed error reports from being displayed to users. Additionally, disable the 'config.debug_exception_response_format' or set it to ':default' to avoid leaking stack traces in a production environment.

Next_js

Ensure that the 'debug' flag is set to 'false' in the Next.js configuration file for production environments to prevent verbose error reporting that could expose sensitive information to attackers.

Laravel

In Laravel, ensure that the APP_DEBUG environment variable is set to false in your .env file when deploying to production to prevent detailed error messages from being displayed to users. Additionally, regularly review your logging and error handling configurations to avoid exposing sensitive information.

Express_js

Ensure that the 'NODE_ENV' environment variable is set to 'production' to minimize verbose error reporting. Additionally, use middleware like 'express-error-handler' to catch and handle errors gracefully without exposing sensitive information.

Django

Ensure that the 'DEBUG' setting in Django's settings.py file is set to 'False' in production environments to prevent the display of sensitive error information.

Symfony

In Symfony, ensure that the 'debug' mode is set to 'false' in the 'app/config/config_prod.yml' file for production environments to prevent verbose error reporting. Additionally, regularly review the 'app/config/security.yml' to enforce proper error handling and logging strategies.

Spring_boot

Ensure that the 'spring.profiles.active' property is set to 'prod' in the application properties or YAML configuration file for production environments, and that the 'debug' property is set to 'false'. Additionally, review and configure appropriate logging levels to prevent sensitive information from being logged.

Flask

Ensure that the Flask application is configured to run with 'DEBUG' set to 'False' in production environments to prevent the exposure of sensitive error information. Use environment variables or a separate configuration file to manage the debug setting securely.

Nuxt

Ensure that the 'debug' property is set to 'false' in the Nuxt.js configuration file for production environments to prevent the exposure of sensitive error information.

Fastapi

Ensure that FastAPI's debug mode is turned off in production environments by setting the 'debug' parameter to 'False' in the application's configuration. Additionally, review error handling to prevent sensitive information from being exposed in error messages or logs.

Configuration

Identifier: information_disclosure/debug_mode

Examples

Ignore this check

checks:
information_disclosure/debug_mode:
skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API7:2023

  • pci: 6.5.5

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 215

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References