Debug mode is disabled in production
Why it matters
Debug mode in production exposes stack traces, internal file paths, verbose application state, and detailed error messages directly to users and attackers. CWE-215 (Information Exposure Through Debug Information) and CWE-11 both describe this class of vulnerability: an attacker who can trigger an error in debug mode learns your framework version, database schema hints, and code structure — all inputs for targeted exploitation. OWASP A05 (Security Misconfiguration) lists debug-enabled production as a canonical misconfiguration. Beyond security, verbose logging inflates log costs and obscures real signals.
Severity rationale
Critical because active debug flags expose stack traces and application internals to any user who can trigger an error, directly aiding targeted attacks per CWE-215.
Remediation
Ensure NODE_ENV=production is set by the hosting platform (Vercel and Netlify do this automatically) and remove any explicit debug flags from your production environment variables.
// next.config.js — disable source map exposure in production
module.exports = { productionBrowserSourceMaps: false }
Remove DEBUG=true, APP_DEBUG=true, or any framework-specific debug flags from production environment variable configuration. Set logging levels to warn or error — not debug or verbose. Verify Next.js is not serving in development mode: the build output should report "info - Creating an optimized production build".
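The remediation above is a set of conditions on the runtime environment, so it can be enforced at boot rather than checked by hand. The block below is an added example, not code from the original check page or from Next.js: it derives a runtime profile from an environment object, refuses to start a production process that still carries DEBUG or APP_DEBUG, clamps the log level to warn or error in production, and shapes error responses so stack traces and file paths never reach clients. The function names, the LOG_LEVEL variable, the correlation id field and the sample environments are assumptions made for this example.

```javascript
// Added example (not the check page's or Next.js's own code): boot-time guard
// that resolves a runtime profile from the environment and fails closed when a
// production process still has debug flags set. Names below are assumptions.
const DEBUG_FLAG_NAMES = ['DEBUG', 'APP_DEBUG'];      // flags named on the page
const PRODUCTION_LOG_LEVELS = ['warn', 'error'];      // only levels allowed in production

// Treat anything other than an explicit "off" value as the flag being enabled,
// so DEBUG=1, DEBUG=yes and DEBUG=true all count as active.
function flagIsOn(value) {
  if (value === undefined || value === null) return false;
  return !['', '0', 'false', 'off', 'no'].includes(String(value).trim().toLowerCase());
}

// Resolve the profile from an env object (pass process.env at startup).
function resolveRuntimeProfile(env) {
  const isProduction = env.NODE_ENV === 'production';
  const activeDebugFlags = DEBUG_FLAG_NAMES.filter((name) => flagIsOn(env[name]));
  if (isProduction && activeDebugFlags.length > 0) {
    // Fail closed: a production boot with DEBUG/APP_DEBUG set is a misconfiguration.
    throw new Error(`refusing to start: debug flags active in production: ${activeDebugFlags.join(', ')}`);
  }
  const requested = String(env.LOG_LEVEL || '').toLowerCase(); // LOG_LEVEL is an assumed variable
  let logLevel;
  if (isProduction) {
    // Production only ever logs at warn or error; debug/verbose requests are clamped to warn.
    logLevel = PRODUCTION_LOG_LEVELS.includes(requested) ? requested : 'warn';
  } else {
    logLevel = requested || 'debug';
  }
  return {
    isProduction,
    logLevel,
    // Stack traces, file paths and config dumps are shown only outside production.
    exposeErrorDetails: !isProduction,
    // Mirrors the next.config.js setting on the page: no browser source maps in production.
    productionBrowserSourceMaps: !isProduction,
  };
}

// Shape an error response according to the resolved profile. In production the
// client gets a generic message plus a correlation id to match against server logs;
// the stack and message (which may contain internal paths) stay server-side.
function renderErrorResponse(err, profile, correlationId) {
  if (!profile.exposeErrorDetails) {
    return { status: 500, body: { error: 'Internal Server Error', correlationId } };
  }
  return { status: 500, body: { error: err.message, stack: err.stack, correlationId } };
}

// Demo with constructed environments (not real deployments).
const demoProd = resolveRuntimeProfile({ NODE_ENV: 'production', LOG_LEVEL: 'debug' });
console.log('production profile:', demoProd); // logLevel "warn", exposeErrorDetails false
try {
  resolveRuntimeProfile({ NODE_ENV: 'production', APP_DEBUG: 'true' });
} catch (e) {
  console.log('boot rejected:', e.message);
}
const demoResp = renderErrorResponse(new Error('ECONNREFUSED /srv/app/lib/db.js'), demoProd, 'req-123');
console.log('production error body:', demoResp.body); // no stack, no internal path
```

Call resolveRuntimeProfile(process.env) once at process start and pass the result to the logger and error middleware; throwing there is deliberate, because a crashed deploy is visible while a debug-enabled one is not.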
Detection
- ID: debug-mode-disabled
- Severity: critical
- What to look for: Count all debug/development mode flags in the codebase. Enumerate occurrences of debug: true, NODE_ENV !== "production" guards, verbose logging, and source map exposure. Check framework config for debug settings. In Next.js, look for any non-standard debug configuration. Check for DEBUG=true, APP_DEBUG=true, or similar debug flags. Look for development-only middleware or error handlers that might be included in production. Check for verbose logging configuration that should not run in production. Check for any framework-specific dev tools that might be bundled (React DevTools in production builds, Vue DevTools, etc.).
- Pass criteria: No explicit debug mode enabled for production. NODE_ENV is expected to be "production" in the deployment context. No debug flags set in deployment configuration: zero debug/development flags active in production configuration.
- Fail criteria: DEBUG=true or equivalent debug flags set in production deployment configuration. Development-only error handlers or verbose logging configured to run in production without environment guards.
- Skip (N/A) when: Never — debug mode discipline applies to all projects.
- Do NOT pass when: Debug mode is disabled in the main config but a middleware or plugin re-enables verbose logging or exposes source maps.
- Cross-reference: For console.log cleanup, see console-logs-cleaned. For environment variables, see env-vars-production.
- Detail on fail: "Debug flag or verbose development mode configuration found that should not be active in production: check DEBUG, APP_DEBUG, or framework-specific debug settings in deployment config"
- Remediation: Debug mode in production exposes internal application state, detailed error messages, and stack traces that attackers can exploit:
  // next.config.js — ensure production mode
  module.exports = { productionBrowserSourceMaps: false }
  - Ensure your deployment platform sets NODE_ENV=production (Vercel and Netlify do this automatically).
  - Remove any DEBUG=true or APP_DEBUG=true from production environment variable configuration.
  - If you use custom logging levels, ensure production uses warn or error level, not debug or verbose.
  - Verify your framework is not serving development-mode assets (Next.js will warn if you accidentally deploy in development mode).
For a deeper analysis of information exposure through error handling, the Security Headers & Basics Audit covers this in detail.
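The "What to look for", pass/fail and "Do NOT pass when" items above describe a scan that can be automated. The block below is an added example written for this page, not the audit tool's own implementation: it walks a set of source and env files, records each debug indicator the check names (debug: true, verbose logging levels, productionBrowserSourceMaps: true, DEBUG/APP_DEBUG in env files), marks an indicator as guarded when a NODE_ENV guard appears on the same or one of the three preceding lines, and then applies the pass criteria, so a guarded development-only handler does not fail the check while an unguarded verbose logger in middleware does. The sample files are constructed for the example, the guard-window heuristic and all function names are assumptions, and the patterns are a regex approximation of what a parser-based check would do.

```javascript
// Added example (not the audit tool's own scanner): regex-based detection of
// debug-mode indicators with pass/fail evaluation per the check's criteria.
// Heuristics, names and sample files below are assumptions for this example.
const DEBUG_INDICATORS = [
  { kind: 'debug-flag',      re: /\bdebug\s*:\s*true\b/ },
  { kind: 'verbose-logging', re: /\blevel\s*:\s*['"](debug|verbose|trace)['"]/ },
  { kind: 'source-maps',     re: /\bproductionBrowserSourceMaps\s*:\s*true\b/ },
];
// DEBUG=true / APP_DEBUG=true style lines in .env* files (case-insensitive value).
const ENV_DEBUG_FLAG = /^\s*(DEBUG|APP_DEBUG)\s*=\s*(true|1|on|yes)\s*$/i;
// A development-only guard: NODE_ENV !== "production" or NODE_ENV === "development".
const DEV_GUARD = /NODE_ENV\s*(!==?\s*['"]production['"]|===?\s*['"]development['"])/;
const GUARD_LOOKBACK_LINES = 3; // heuristic window, an assumption of this example

function isEnvFile(path) {
  const name = path.split('/').pop();
  return name === '.env' || name.startsWith('.env.');
}

// Scan one file's text; returns findings with path, 1-based line, kind and guarded flag.
function scanFile(path, text) {
  const lines = text.split(/\r?\n/);
  const findings = [];
  lines.forEach((line, i) => {
    if (isEnvFile(path)) {
      const m = ENV_DEBUG_FLAG.exec(line);
      // An env-file flag is never "guarded": it is the deployment configuration itself.
      if (m) findings.push({ path, line: i + 1, kind: 'env-debug-flag', detail: m[1], guarded: false });
      return;
    }
    for (const { kind, re } of DEBUG_INDICATORS) {
      if (!re.test(line)) continue;
      // Heuristic: guarded when a NODE_ENV guard appears on this line or within
      // the preceding GUARD_LOOKBACK_LINES lines. A real tool would use the AST.
      const window = lines.slice(Math.max(0, i - GUARD_LOOKBACK_LINES), i + 1);
      const guarded = window.some((l) => DEV_GUARD.test(l));
      findings.push({ path, line: i + 1, kind, detail: line.trim(), guarded });
    }
  });
  return findings;
}

// Apply the check: pass only when zero unguarded debug indicators remain.
function evaluateCheck(files) {
  const findings = files.flatMap(({ path, text }) => scanFile(path, text));
  const unguarded = findings.filter((f) => !f.guarded);
  return {
    id: 'debug-mode-disabled',
    severity: 'critical',
    status: unguarded.length === 0 ? 'pass' : 'fail',
    findings,
    unguarded,
  };
}

// Constructed sample repository (not a real project). The main config is clean,
// but server.js re-enables verbose logging outside any guard and the production
// env file sets APP_DEBUG=true: the "Do NOT pass when" case from the check.
const SAMPLE_FILES = [
  { path: 'next.config.js', text: 'module.exports = { productionBrowserSourceMaps: false }\n' },
  { path: 'server.js', text: [
      'if (process.env.NODE_ENV !== "production") {',
      '  app.use(devErrorHandler({ debug: true }));',   // guarded: not a failure
      '}',
      '',
      'app.use(express.json());',
      'const log = createLogger({ level: "debug" });',   // unguarded: failure
    ].join('\n') },
  { path: '.env.production', text: 'APP_DEBUG=true\nNODE_ENV=production\n' },
];

const demo = evaluateCheck(SAMPLE_FILES);
console.log(demo.status, demo.unguarded.map((f) => `${f.path}:${f.line} ${f.kind}`));
// fail [ 'server.js:6 verbose-logging', '.env.production:1 env-debug-flag' ]
```

To run it against a repository, read each tracked file with fs and pass an array of { path, text } objects to evaluateCheck; the findings list (including guarded ones) is what a reviewer wants in the report, while the unguarded list drives the pass/fail decision and the "Detail on fail" message.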
External references
- cwe · CWE-215 — Insertion of Sensitive Information Into Debugging Code
- owasp:2021 · A05 — Security Misconfiguration
- cwe · CWE-11 — ASP.NET Misconfiguration: Creating Debug Binary
Taxons
History
- 2026-04-18·v1.0.0·Initial import from pre-launch·automated