Development tools and frameworks usually have options to make debugging easier for developers, but these features should never be enabled for applications deployed in production.

Why is this an issue?

Debug instructions and verbose error messages can leak detailed information about the system, such as the application's filesystem path, file names, stack traces, or the values of configuration variables. The rule flags configurations and API calls that enable debug features, including stack trace printing, verbose logging, debug mode flags, and remote debugging endpoints.

What is the potential impact?

Information disclosure

Attackers can exploit debug output to learn internal application details, file paths, stack traces, and configuration data that can be leveraged to craft further attacks.

Increased attack surface

Debug features may expose remote debugging endpoints, profiling APIs, or detailed error pages that significantly increase the attack surface of the application.

How to fix it

Code examples

Debug features should be disabled, or guarded by environment checks, before deploying to production. Note that a value set with ENV in a Dockerfile is baked into the image metadata (visible with docker inspect and docker history), is inherited by every image built on top of it, and can be overridden at container start with docker run -e, so a safe build-time default is only the first layer: the entrypoint or the application should still refuse to enable debugging when it detects a production environment.

Noncompliant code example

FROM example
# Noncompliant: the debug flag is persisted in the image and every container started from it
ENV APP_DEBUG=true
# Noncompliant: a development environment name typically switches frameworks into debug behaviour
ENV ENV=development
CMD /run.sh

Compliant solution

FROM example
ENV APP_DEBUG=false
ENV ENV=production
CMD /run.sh
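The two guards described above (keep the build-time default off, and have the entrypoint refuse to run with debugging in production), as an added shell example that is not part of the original rule page: lint_dockerfile_env scans Dockerfile text for ENV lines that enable debug features, and entrypoint_guard is a check a /run.sh could call before starting the application. APP_DEBUG and ENV come from the examples above; the other variable names (FLASK_DEBUG, NODE_ENV and so on) and the sample Dockerfiles are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original rule page. Two guards for the
# Dockerfile case above:
#  - lint_dockerfile_env: static check over Dockerfile text on stdin; prints
#    each ENV line that enables a debug feature and returns 1 if any were found.
#  - entrypoint_guard: runtime check for /run.sh so a container started with
#    ENV=production and a truthy debug flag refuses to start.
# APP_DEBUG and ENV follow the rule's example; the other variable names are
# assumptions about common frameworks.

# Lowercase a string (POSIX sh has no ${var,,}).
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Exit 0 when the value switches a feature on, using the spellings most
# frameworks accept as true.
is_truthy() {
    case "$(lower "$1")" in
        1|true|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when KEY=VAL enables a debug toggle or names a non-production
# environment (which most frameworks treat as "debug on").
is_debug_setting() {
    key=$1
    val=$(lower "$2")
    case "$key" in
        *DEBUG*|*debug*) is_truthy "$val" ;;
        ENV|APP_ENV|FLASK_ENV|NODE_ENV|RAILS_ENV|RACK_ENV)
            [ "$val" = development ] || [ "$val" = dev ] ;;
        *) return 1 ;;
    esac
}

# Scan Dockerfile text from stdin. Understands "ENV K=V [K2=V2 ...]" and the
# legacy "ENV K V" form and strips one level of matching quotes from values.
# Line continuations and ARG-substituted values are not expanded.
lint_dockerfile_env() {
    found=0
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            ENV[[:space:]]*|env[[:space:]]*) ;;
            *) continue ;;
        esac
        rest=$(printf '%s' "${trimmed#???}" | sed 's/^[[:space:]]*//')
        case "$rest" in
            *=*) pairs=$rest ;;
            *) pairs="${rest%%[[:space:]]*}=${rest#*[[:space:]]}" ;;
        esac
        for kv in $pairs; do
            key=${kv%%=*}
            val=${kv#*=}
            case "$val" in
                \"*\") val=${val#\"}; val=${val%\"} ;;
                \'*\') val=${val#\'}; val=${val%\'} ;;
            esac
            if is_debug_setting "$key" "$val"; then
                printf 'debug feature enabled: %s\n' "$trimmed"
                found=1
                break
            fi
        done
    done
    return "$found"
}

# Runtime guard for /run.sh. Arguments: deployment environment, debug flag.
# Fails closed: a production container with debugging on does not start.
entrypoint_guard() {
    if [ "$(lower "$1")" = production ] && is_truthy "$2"; then
        echo "refusing to start: debug enabled (APP_DEBUG=$2) with ENV=$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample Dockerfiles: the rule's noncompliant example plus a few
# extra ENV forms, and the compliant one.
NONCOMPLIANT_DOCKERFILE='FROM example
ENV APP_DEBUG=true
ENV ENV=development
ENV FLASK_DEBUG 1
ENV NODE_ENV=production LOG_LEVEL=info
CMD /run.sh'

COMPLIANT_DOCKERFILE='FROM example
ENV APP_DEBUG=false
ENV ENV=production
CMD /run.sh'

# Number of offending ENV lines in a Dockerfile given as a string.
count_debug_lines() {
    printf '%s\n' "$1" | lint_dockerfile_env | wc -l | tr -d ' '
}

# Demo: `sh guard.sh --demo` (hypothetical file name) prints the findings.
if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$NONCOMPLIANT_DOCKERFILE" | lint_dockerfile_env
    entrypoint_guard production true || echo "guard blocked start"
fi
```

On the constructed noncompliant Dockerfile the linter reports three lines (APP_DEBUG=true, ENV=development and FLASK_DEBUG 1) and ignores NODE_ENV=production and LOG_LEVEL=info; the compliant Dockerfile produces no findings. The linter runs in CI before docker build, while entrypoint_guard covers the case where the image is clean but someone passes -e APP_DEBUG=true at deployment time.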

Resources

Standards