
debug-mode-production-anti-pattern
Security anti-pattern for debug mode in production (CWE-215). Use when generating or reviewing code that configures application settings, deployment configurations, or error handling. Detects hardcoded debug flags and development-only features in production.
Debug Mode in Production Anti-Pattern
Severity: High
Summary
Enabling debug mode in a production environment is a critical security misconfiguration. This anti-pattern occurs when development settings or debugging features are not disabled before deployment, exposing sensitive system information and creating unintended backdoors. AI-generated code can inadvertently include hardcoded debug flags or fail to differentiate between production and development environments, leading to this vulnerability.
The Anti-Pattern
This anti-pattern manifests in two primary ways:
- Hardcoded Debug Flags: A global flag like `DEBUG = True` is set in the code and is never changed, meaning the application runs in debug mode in all environments.
- Unprotected Debug Endpoints: Routes or endpoints intended for debugging (e.g., `/debug/env`, `/_debug/sql`) are included in the production build, providing a powerful vector for attackers.
BAD Code Example
```python
# VULNERABLE: Hardcoded debug flag and unprotected debug routes
import os
from flask import Flask, jsonify

app = Flask(__name__)
app.config['DEBUG'] = True  # Hardcoded debug mode

@app.route("/")
def index():
    return "Welcome!"

# This debug route exposes all environment variables, including potential secrets.
# It should never be present in a production environment.
@app.route("/debug/env")
def debug_env():
    if app.config['DEBUG']:
        return jsonify(os.environ.copy())
    return "Not in debug mode."

if __name__ == "__main__":
    app.run()
```
GOOD Code Example
```python
# SECURE: Environment-based configuration and conditional routes
import os
from flask import Flask, jsonify

app = Flask(__name__)

# Load configuration from the environment. Default to 'production'.
APP_ENV = os.environ.get('APP_ENV', 'production')
app.config['DEBUG'] = APP_ENV == 'development'

@app.route("/")
def index():
    return "Welcome!"

# This debug route is now conditionally registered and will only exist
# if the application is explicitly run in a development environment.
if app.config['DEBUG']:
    @app.route("/debug/env")
    def debug_env():
        return jsonify(os.environ.copy())

# It's also a good practice to add a startup check to prevent accidental
# deployment of debug mode to production.
if APP_ENV == 'production' and app.config['DEBUG']:
    raise ValueError("FATAL: Debug mode is enabled in a production environment. Aborting.")

if __name__ == "__main__":
    app.run()
```
Detection
- Search for hardcoded debug flags like `DEBUG = True` or `debug: true` in configuration files and source code.
- Look for routes or endpoints with names like `/debug`, `/_debug`, or `/admin/debug`.
- Check for the presence of development-only dependencies or packages in the production build.
- Review error handling logic to see if it exposes detailed stack traces or sensitive information to the user.
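The first two detection checks can be automated. The following checker is an added example, not part of the original page: it walks a Python module's AST for `DEBUG = True`, `app.config['DEBUG'] = True` and `app.run(debug=True)`, flags routes registered under the `/debug`, `/_debug` or `/admin/debug` prefixes, and scans config text for `debug: true` style lines. The sample inputs are constructed, and the AST shape assumed is that of Python 3.9 or newer.

```python
import ast
import re
# Route prefixes the Detection list names as debug endpoints (assumed pattern).
DEBUG_ROUTE_RE = re.compile(r"^/(?:_?debug|admin/debug)(?:/|$)")
# 'debug: true' / 'DEBUG=1' style lines in YAML, INI or .env files.
DEBUG_CONFIG_RE = re.compile(
    r"^[ \t]*(?:FLASK_)?DEBUG[ \t]*[:=][ \t]*(?:true|1|on)[ \t]*$", re.I | re.M)

# Constructed sample input: a Flask module showing all three defects.
SAMPLE_PY = '''\
app = Flask(__name__)
app.config['DEBUG'] = True
@app.route("/debug/env")
def debug_env():
    return "env"
if __name__ == "__main__":
    app.run(debug=True)
'''
SAMPLE_YAML = "server:\n  port: 8080\n  debug: true\n"

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def _is_debug_key(target):  # DEBUG = ... or app.config['DEBUG'] = ...
    if isinstance(target, ast.Name):
        return target.id.upper() == "DEBUG"
    return (isinstance(target, ast.Subscript) and isinstance(target.slice, ast.Constant)
            and str(target.slice.value).upper() == "DEBUG")

def scan_python(source):
    """Return sorted (line, message) findings for hardcoded debug settings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_true(node.value):
            if any(_is_debug_key(t) for t in node.targets):
                findings.append((node.lineno, "hardcoded DEBUG = True"))
        elif isinstance(node, ast.Call):  # app.run(debug=True) overrides config
            if any(kw.arg == "debug" and _is_true(kw.value) for kw in node.keywords):
                findings.append((node.lineno, "debug=True passed at call site"))
        elif isinstance(node, ast.FunctionDef):
            for dec in node.decorator_list:
                args = dec.args if isinstance(dec, ast.Call) else []
                if (args and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str)
                        and DEBUG_ROUTE_RE.match(args[0].value)):
                    findings.append((dec.lineno, f"debug route {args[0].value!r}"))
    return sorted(findings)

def scan_config(text):
    """Return 1-based line numbers of debug-enabling settings in a config file."""
    return [text[:m.start()].count("\n") + 1 for m in DEBUG_CONFIG_RE.finditer(text)]
```

Run `scan_python` over each `.py` file and `scan_config` over each config file in a CI step and fail the build on any finding; the checker is a static heuristic, so it will not see debug flags set via environment injection at deploy time.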
Prevention
- [ ] Use environment variables to control debug mode and other environment-specific settings.
- [ ] Never hardcode `DEBUG = True`.
- [ ] Conditionally register debug routes so they are not included in production builds.
- [ ] Implement a startup check in the application that aborts if it detects debug mode is enabled in a production environment.
- [ ] Use separate configuration files for each environment (development, staging, production) to avoid overlap.
- [ ] Review your CI/CD pipeline to ensure that the correct environment variables are being injected and that development artifacts are excluded from the final build.
Related Security Patterns & Anti-Patterns
- Verbose Error Messages Anti-Pattern: A common consequence of running in debug mode.
- Hardcoded Secrets Anti-Pattern: Secrets are often exposed through debug information.
- Missing Security Headers Anti-Pattern: Security headers provide defense in depth by controlling how browsers handle content.