Analytics debug mode is disabled in production
Why it matters
Debug mode sends extra diagnostic events, enables verbose console output, routes events to GA4 DebugView, and can expose internal event schemas and user property names in the browser console. Shipped to production it pollutes the real data stream with test events, inflates event counts by double-digit percentages, and leaks implementation detail visible in DevTools. Every downstream report based on that data is contaminated for as long as debug mode stayed on.
Severity rationale
High because unguarded debug mode silently corrupts production analytics data and leaks implementation detail.
Remediation
Gate every debug toggle on NODE_ENV:
posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {
  loaded: (ph) => { if (process.env.NODE_ENV === 'development') ph.debug() }
})
For GA4: gtag('config', 'G-XXXXXXX', { debug_mode: process.env.NODE_ENV === 'development' }). After deploying, check GA4 DebugView in the live dashboard — it should show zero production hostnames. Audit components/AnalyticsProvider.tsx first since that is where most of these flags live.
Detection
- ID: debug-mode-disabled-production
- Severity: high
- What to look for: Analytics debug modes send extra data, pollute data streams with test events, and may expose implementation details. Check for:
  - debug: true or debug_mode: true in analytics initialization without environment gating
  - gtag('config', 'G-XXXXXXX', { debug_mode: true }) without process.env.NODE_ENV === 'development' guard
  - PostHog loaded callback with posthog.debug() call without environment guard
  - Mixpanel set_config({ debug: true }) without environment guard
  - Console logs from analytics SDK being enabled in production builds
- Pass criteria: Count every debug: true, debug_mode: true, and posthog.debug() call. Debug mode is either not enabled at all (0 occurrences), OR 100% of occurrences are gated by process.env.NODE_ENV !== 'production' (or equivalent environment guard).
- Fail criteria: At least 1 debug mode setting is enabled unconditionally (without environment guard), which means debug events will fire in production and pollute the analytics data.
- Cross-reference: For broader environment configuration hygiene, the Security Headers audit covers environment variable handling and production build safety.
- Skip (N/A) when: No analytics is present (script-present failed).
- Detail on fail: "PostHog initialized with posthog.debug() call with no environment guard in components/AnalyticsProvider.tsx. Debug mode fires additional events in production that will inflate event counts and pollute analytics data."
- Remediation: Always gate debug mode on environment:

    posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {
      loaded: (posthog) => { if (process.env.NODE_ENV === 'development') posthog.debug() }
    })

  Or for GA4:

    gtag('config', 'G-XXXXXXX', { debug_mode: process.env.NODE_ENV === 'development' })

  After fixing, verify your production analytics dashboard — debug events show up with debug_mode: true in GA4's DebugView and should not appear in standard reports.
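One way to automate the count in the pass and fail criteria above, as an added example that is not this audit's own tooling. It is a line-based heuristic: the function names, the GUARD_WINDOW value and the sample sources are assumptions constructed for illustration, and a guard further than GUARD_WINDOW lines above the toggle is reported as unguarded.

```javascript
// Added example: heuristic scan for the pass/fail criteria of this check.
const DEBUG_PATTERNS = [
  { name: 'debug: true', re: /\bdebug\s*:\s*true\b/ },
  { name: 'debug_mode: true', re: /\bdebug_mode\s*:\s*true\b/ },
  // Any zero-argument .debug() call except console.debug(); the PostHog
  // instance may be named posthog, ph, etc.
  { name: '.debug()', re: /\b(?!console\b)\w+\.debug\s*\(\s*\)/ },
];
// Accepted guards: NODE_ENV === 'development' or NODE_ENV !== 'production'.
const GUARD = /NODE_ENV\s*(?:===?\s*['"]development['"]|!==?\s*['"]production['"])/;
const GUARD_WINDOW = 2; // assumption: guard is on the same line or up to 2 lines above

function scanSource(source, file) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((text, i) => {
    if (text.trim().startsWith('//')) return; // ignore commented-out toggles
    for (const { name, re } of DEBUG_PATTERNS) {
      if (!re.test(text)) continue;
      const context = lines.slice(Math.max(0, i - GUARD_WINDOW), i + 1).join('\n');
      findings.push({ file, line: i + 1, pattern: name, gated: GUARD.test(context) });
    }
  });
  return findings;
}

// Pass when there are 0 occurrences or 100% of occurrences are gated.
function evaluate(findings) {
  const unguarded = findings.filter((f) => !f.gated);
  return { total: findings.length, unguarded, pass: unguarded.length === 0 };
}

// Constructed sample inputs (not real project files).
const GUARDED_SAMPLE = [
  "posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {",
  "  loaded: (ph) => { if (process.env.NODE_ENV === 'development') ph.debug() }",
  "})",
  "gtag('config', 'G-XXXXXXX', { debug_mode: process.env.NODE_ENV === 'development' })",
].join('\n');
const UNGUARDED_SAMPLE = [
  "posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY, {",
  "  loaded: (ph) => { ph.debug() }",
  "})",
  "gtag('config', 'G-XXXXXXX', { debug_mode: true })",
  "mixpanel.set_config({ debug: true })",
].join('\n');

for (const [file, src] of [['guarded.tsx', GUARDED_SAMPLE], ['unguarded.tsx', UNGUARDED_SAMPLE]]) {
  const result = evaluate(scanSource(src, file));
  console.log(file, result.pass ? 'PASS' : 'FAIL', result.unguarded.map((f) => `${f.line}:${f.pattern}`));
}
```

Treat a FAIL as a prompt to read the flagged lines, since the scan only sees literal toggles and nearby guards, not flags passed in through variables or config files.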
History
- 2026-04-18·v1.0.0·Initial import from marketing-analytics·automated