
Debug mode

Description

When Debug mode is left enabled by developers, it lets attackers gather valuable information from excessive error reporting, such as entire stack traces or tracebacks.

Remediation

Disable Debug mode.
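To make the difference concrete, here is an added example (not Escape's code, and not tied to any particular framework): a minimal stdlib-only WSGI application whose `debug` switch stands in for a framework's debug setting. With the switch on, an unhandled exception ships the full traceback to the client; with it off, the client gets an opaque 500 while the same traceback still reaches the server log. The `/boom` route, the `secret_config_key` name and the `debug_mode_demo` logger are constructed for the illustration.

```python
"""Added example: what debug mode leaks, and the hardened behaviour (stdlib only)."""
import logging
import traceback
from io import StringIO

log = logging.getLogger("debug_mode_demo")  # constructed logger name


def make_app(debug: bool):
    """Build a WSGI app. `debug` mirrors a framework's debug switch
    (Flask DEBUG, Django DEBUG, Laravel APP_DEBUG, ...)."""

    def app(environ, start_response):
        try:
            # Constructed failure: any request to /boom raises.
            if environ.get("PATH_INFO") == "/boom":
                raise KeyError("secret_config_key")
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [b"ok"]
        except Exception:
            tb = traceback.format_exc()
            # Always keep the full traceback server-side for operators.
            log.error("unhandled exception\n%s", tb)
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            if debug:
                # Debug mode: traceback (file paths, variable names,
                # framework internals) goes straight to the client.
                return [tb.encode()]
            # Hardened: opaque message; details live only in the server log.
            return [b"Internal Server Error"]

    return app


def call(app, path):
    """Invoke a WSGI app in-process and return (status, body)."""
    status_holder = {}

    def start_response(status, headers, exc_info=None):
        status_holder["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return status_holder["status"], body.decode()


def run_with_log(debug: bool, path: str):
    """Call the app and also capture what reached the server log,
    returning (status, body, log_text)."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    log.addHandler(handler)
    try:
        status, body = call(make_app(debug), path)
    finally:
        log.removeHandler(handler)
    return status, body, buf.getvalue()


if __name__ == "__main__":
    for debug in (True, False):
        status, body, log_text = run_with_log(debug, "/boom")
        print(f"debug={debug}: {status}\nclient sees:\n{body}\n"
              f"server log has traceback: {'Traceback' in log_text}\n")
```

The point of `run_with_log` is the check a reviewer actually wants: with debug off, the key name never appears in the response body but is still present in the server-side log, so disabling debug mode costs operators nothing.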

GraphQL Specific

Apollo: To address potential issues within the Apollo framework engine, ensure that debug mode is used only during development phases, so that sensitive information is not exposed in production. Regularly update the Apollo libraries to their latest versions to incorporate security patches and improvements. Additionally, review and follow the Apollo documentation for best practices on securing your GraphQL implementation.
Yoga: To address issues within the Yoga framework engine while in debug mode, ensure that you are running the latest version of the framework to benefit from recent fixes and improvements. Additionally, enable detailed logging to track down errors more efficiently. If a problem persists, consult the Yoga framework's documentation for specific debug options or reach out to the community forums for support. Remember to disable debug mode in production environments to prevent exposing sensitive information.
Awsappsync: To address issues within the AWS AppSync framework engine, ensure that debug mode is enabled only during development or troubleshooting, to avoid exposing sensitive information in error messages or logs. Once the necessary information has been gathered, disable debug mode to maintain the security and performance of your production environment. Additionally, regularly review and monitor the logs to detect and respond to any anomalies or issues promptly.
Graphqlgo: To mitigate potential security risks in a GraphQL Go framework engine, ensure that debug mode is disabled in production environments. Debug mode can expose sensitive information about the backend structure and errors that can be exploited by attackers. Always review the configuration files and environment variables to confirm that debug mode is turned off before deploying the application. Additionally, consider implementing logging mechanisms that capture the information needed for debugging without exposing it through the API responses.
Graphqlruby: In the GraphQL Ruby framework, ensure that debug mode is disabled in production environments to prevent the exposure of sensitive information. This can be achieved by configuring the `debug` option to `false` within the GraphQL schema definition or by conditionally enabling debug mode based on the environment. Additionally, regularly review the codebase for accidental commits that may enable debug mode and establish a secure deployment process that verifies the configuration before release.
Hasura: To address potential security risks in the Hasura framework engine, ensure that 'debug mode' is disabled in production environments. Debug mode can leak sensitive information in error messages or logs, which could be exploited by attackers. You can disable debug mode by setting the 'HASURA_GRAPHQL_DEV_MODE' environment variable to 'false'. Additionally, always review and sanitize error messages to prevent the exposure of any sensitive data.
Agoo: Disable debug mode in the Agoo framework engine in production environments to prevent exposure of sensitive information through detailed error messages.
Ariadne: Disable debug mode in the Ariadne framework engine in production environments to prevent exposure of sensitive information through detailed error messages.
Caliban: Disable debug mode in production environments to prevent exposure of sensitive information through error messages.
Dgraph: Disable debug mode in production environments to prevent exposure of sensitive information through detailed error messages.
Dianajl: Disable debug mode in the DianaJL framework engine before deploying to production to prevent exposure of sensitive information through detailed error messages.
Directus: Disable debug mode in the Directus framework in production environments to prevent exposure of sensitive information through error messages.
Flutter: Disable debug mode in the Flutter framework before deploying to production to prevent exposure of sensitive information through detailed error messages.
Graphene: Disable debug mode in production for the Graphene framework to prevent exposure of sensitive information through detailed error messages.
Graphqlapiforwp: Disable debug mode in the GraphQL API for WordPress framework engine to prevent exposure of sensitive information through detailed error messages.
Graphqlgophergo: Disable debug mode in the GraphQLGopherGo framework engine to prevent exposure of sensitive information through detailed error messages.
Graphqljava: Disable introspection queries in production environments to prevent exposure of the GraphQL schema and potential sensitive information.
Graphqlphp: Disable debug mode in production environments to prevent exposure of sensitive information through error messages.
Graphqlyoga: Disable debug mode in production environments to prevent exposure of sensitive information through detailed error messages.
Hypergraphql: Disable debug mode in production environments to prevent exposure of sensitive information through detailed error messages.
Jaal: Disable debug mode in the Jaal framework engine before deploying to production to prevent exposure of sensitive information through error messages.
Juniper: Disable debug mode in the Juniper framework engine before deploying to production to prevent exposure of sensitive information through detailed error messages.
Lacinia: Disable debug mode in the Lacinia framework engine in production environments to prevent exposure of sensitive information through detailed error messages.
Lighthouse: Disable debug mode in production environments to prevent exposure of sensitive information through error messages.
Mercurius: Disable debug mode in the Mercurius framework engine in production environments to prevent exposure of sensitive information through detailed error messages.
Morpheusgraphql: Disable debug mode in the Morpheus GraphQL engine in production environments to prevent exposure of sensitive information through detailed error messages.
Gqlgen: Disable debug mode in the gqlgen framework to prevent exposure of sensitive information through detailed error messages.
Sangria: Disable debug mode in production environments to prevent exposure of sensitive information through detailed error messages.
Shopify: Ensure that debug mode is disabled in the Shopify framework engine before deploying to production to prevent exposure of sensitive information through error messages.
Stepzen: Disable debug mode in the StepZen framework engine before deploying to production to prevent exposure of sensitive information through error messages.
Strawberry: Disable debug mode in the Strawberry framework engine in production environments to prevent exposure of sensitive information through detailed error messages.
Tartiflette: Disable debug mode in production for the Tartiflette engine to prevent exposure of sensitive information through detailed error messages.
Wpgraphql: Disable debug mode in the wpgraphql framework to prevent exposure of sensitive information through detailed error messages.

REST Specific

Asp_net: Ensure that the customErrors mode is set to 'RemoteOnly' or 'On' in the web.config file to prevent detailed error information from being sent to the client. Additionally, disable the 'trace' attribute in the system.web section to avoid exposing application behavior details to users.
Ruby_on_rails: In Ruby on Rails, ensure that the 'config.consider_all_requests_local' setting is set to 'false' in the 'config/environments/production.rb' file to prevent detailed error reports from being displayed to users. Additionally, disable the 'config.debug_exception_response_format' or set it to ':default' to avoid leaking stack traces in a production environment.
Next_js: Ensure that the 'debug' flag is set to 'false' in the Next.js configuration file for production environments to prevent verbose error reporting that could expose sensitive information to attackers.
Laravel: In Laravel, ensure that the APP_DEBUG environment variable is set to false in your .env file when deploying to production to prevent detailed error messages from being displayed to users. Additionally, regularly review your logging and error handling configurations to avoid exposing sensitive information.
Express_js: Ensure that the 'NODE_ENV' environment variable is set to 'production' to minimize verbose error reporting. Additionally, use middleware like 'express-error-handler' to catch and handle errors gracefully without exposing sensitive information.
Django: Ensure that the 'DEBUG' setting in Django's settings.py file is set to 'False' in production environments to prevent the display of sensitive error information.
Symfony: In Symfony, ensure that the 'debug' mode is set to 'false' in the 'app/config/config_prod.yml' file for production environments to prevent verbose error reporting. Additionally, regularly review the 'app/config/security.yml' to enforce proper error handling and logging strategies.
Spring_boot: Ensure that the 'spring.profiles.active' property is set to 'prod' in the application properties or YAML configuration file for production environments, and that the 'debug' property is set to 'false'. Additionally, review and configure appropriate logging levels to prevent sensitive information from being logged.
Flask: Ensure that the Flask application is configured to run with 'DEBUG' set to 'False' in production environments to prevent the exposure of sensitive error information. Use environment variables or a separate configuration file to manage the debug setting securely.
Nuxt: Ensure that the 'debug' property is set to 'false' in the Nuxt.js configuration file for production environments to prevent the exposure of sensitive error information.
Fastapi: Ensure that FastAPI's debug mode is turned off in production environments by setting the 'debug' parameter to 'False' in the application's configuration. Additionally, review error handling to prevent sensitive information from being exposed in error messages or logs.
Frappe: Disable Debug mode in the Frappe framework before deploying to production to prevent exposure of sensitive information through detailed error messages.
Genzio: Disable debug mode in the Genzio framework engine before deploying to production to prevent exposure of sensitive information through error messages.
Gin: Disable debug mode in the Gin framework by setting the GIN_MODE environment variable to 'release' to prevent excessive error reporting and protect sensitive information.
Gorilla: Disable debug mode in production environments to prevent exposure of sensitive information through detailed error messages.
Hapi: Disable debug mode in production by setting 'debug' to false in the Hapi server configuration to prevent exposure of sensitive information.
Hono: Disable debug mode in the Hono framework engine before deploying to production to prevent exposure of sensitive information through error messages.
Jersey: Disable debug mode in the Jersey framework by setting the 'jersey.config.server.tracing' property to 'OFF' in the configuration to prevent exposure of sensitive information through detailed error messages.
Koa: Disable debug mode in the Koa framework by setting the environment variable NODE_ENV to 'production' to prevent exposure of sensitive error information.
Ktor: Disable debug mode in production by setting 'developmentMode' to false in the Ktor application configuration.
Leptos: Disable debug mode in production environments to prevent exposure of sensitive information through error messages.
Macaron: Disable Debug mode in the Macaron framework by setting 'macaron.Env' to 'macaron.PROD' in the configuration to prevent exposure of sensitive information through error messages.
Phoenix: Disable debug mode in the Phoenix framework by setting `config :your_app, :debug_errors, false` in your production configuration to prevent exposure of sensitive information.
Redwoodjs: Disable debug mode in production by setting the 'REDWOOD_ENV' environment variable to 'production' to prevent exposure of sensitive error information.
Rocket: Disable debug mode in the Rocket framework by setting the 'ROCKET_ENV' environment variable to 'production' to prevent detailed error messages from being exposed.
Sveltekit: Disable debug mode in production by setting 'dev' to 'false' in the SvelteKit configuration to prevent exposure of sensitive information through error messages.
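Both the GraphQL and the REST lists above come down to the same observable symptom: an error response that carries a stack trace or engine internals. The following added example (written for this page, not Escape's own implementation of the information_disclosure/debug_mode check) shows one way to verify, from the response side, that debug mode really is off. It scans a response for verbose-error signatures of common stacks and, for GraphQL JSON, for error extensions that only appear with debug or dev mode on. The regular expressions, the `extensions.exception.stacktrace` (Apollo-style) and `extensions.internal` (Hasura dev-mode-style) field names, and every sample response are my assumptions and constructed inputs, not data from the page.

```python
"""Added example: response-side indicators that a backend is running in debug mode."""
import json
import re

# Signatures of verbose error output from common stacks (assumed, not exhaustive).
STACK_TRACE_PATTERNS = {
    "python-traceback": re.compile(r"Traceback \(most recent call last\):"),
    "werkzeug-debugger": re.compile(r"Werkzeug Debugger", re.I),
    "django-debug-page": re.compile(r"Django Version:"),
    "java-stack-frame": re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
    "node-stack-frame": re.compile(r"^\s+at .+ \(.+:\d+:\d+\)", re.M),
    "php-stack-trace": re.compile(r"Stack trace:\s*#0 "),
    "rails-debug-page": re.compile(r"Rails\.root:"),
    "aspnet-error-page": re.compile(r"Server Error in '/.*' Application", re.I),
}


def _strings(obj):
    """Yield every string leaf of a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def scan_text(text: str) -> list:
    """Names of the stack-trace signatures found in free text."""
    return [name for name, pat in STACK_TRACE_PATTERNS.items() if pat.search(text)]


def graphql_debug_fields(body: dict) -> list:
    """JSON paths of GraphQL error extensions that only debug/dev mode emits.
    Field names are assumed: Apollo-style exception.stacktrace, Hasura-style internal."""
    findings = []
    for i, err in enumerate(body.get("errors") or []):
        ext = err.get("extensions") or {}
        if "stacktrace" in (ext.get("exception") or {}):
            findings.append(f"errors[{i}].extensions.exception.stacktrace")
        if "internal" in ext:
            findings.append(f"errors[{i}].extensions.internal")
    return findings


def inspect_response(content_type: str, body: str) -> list:
    """Return all debug-mode indicators found in one HTTP response.
    JSON bodies are decoded so that escaped newlines inside string values
    (e.g. a "trace" field) are still matched by the line-anchored patterns."""
    data = None
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
    if isinstance(data, dict):
        findings = graphql_debug_fields(data)
        text = "\n".join(_strings(data))
    else:
        findings, text = [], body
    findings += [f"body:{name}" for name in scan_text(text)]
    return findings


# Constructed sample responses (content type, body); none are real captures.
SAMPLES = {
    "flask-debug": ("text/html", "<h1>KeyError</h1>\nTraceback (most recent call last):\n"
                    "  File \"/srv/app/app.py\", line 12, in index\n"
                    "    return config['secret']\nKeyError: 'secret'\n"
                    "<div class=\"footer\">Werkzeug Debugger</div>"),
    "apollo-debug": ("application/json", json.dumps({"errors": [{
        "message": "Cannot read property 'id' of undefined",
        "extensions": {"code": "INTERNAL_SERVER_ERROR", "exception": {"stacktrace": [
            "TypeError: Cannot read property 'id' of undefined",
            "    at resolve (/srv/api/resolvers.js:42:17)"]}}}], "data": None})),
    "hasura-dev": ("application/json", json.dumps({"errors": [{
        "message": "postgres query error",
        "extensions": {"path": "$", "code": "unexpected",
                       "internal": {"statement": "SELECT * FROM users"}}}]})),
    "spring-debug": ("application/json", json.dumps({"status": 500, "trace":
        "java.lang.NullPointerException\n\tat com.example.Svc.get(Svc.java:31)\n"})),
    "hardened": ("application/json", json.dumps({"errors": [{
        "message": "Internal server error",
        "extensions": {"code": "INTERNAL_SERVER_ERROR"}}], "data": None})),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name:14s} -> {inspect_response(ctype, body) or 'clean'}")
```

Decoding JSON before matching is the detail worth keeping: a Spring Boot `trace` field or an Apollo `stacktrace` array arrives with its newlines escaped, so a regex run over the raw body would miss the very frames the check exists to find. The `hardened` sample shows the target state for every framework listed above: an error object with a generic message and a code, and nothing else.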

Configuration

Identifier: information_disclosure/debug_mode

Examples

Ignore this check

checks:
  information_disclosure/debug_mode:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.5
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 215

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References