Avoid enabling debug mode in applications

Docs > Plateforme de sécurité Datadog > Code Security > Static Analysis (SAST) > SAST Rules > Avoid enabling debug mode in applications

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: php-security/debug-mode-on

Language: PHP

Severity: Error

Category: Security

CWE: 489

Description

Debug mode, while useful during development and testing stages, can expose sensitive information such as server configuration, third-party modules, and other internal details of the application that can be exploited by attackers. In the worst-case scenario, it can lead to a serious security breach.

Make sure that debug mode is disabled in the production environment. This can be achieved by setting the debug configuration to false or 0 in the application’s configuration settings. For example, in CakePHP, use Config::write('debug', 0); or Configure::config('debug', false);, and in WordPress, use define('WP_DEBUG', false);.

Non-Compliant Code Examples

<?php
// CakePHP 1.x, 2.x
Configure::write('debug', 1);
// CakePHP 3.x
Configure::config('debug', true);
// WordPress
define('WP_DEBUG', true);

Compliant Code Examples

<?php
// CakePHP 1.x, 2.x
Configure::write('debug', 0);
// CakePHP 3.x
Configure::config('debug', false);
// WordPress
define('WP_DEBUG', false);