Avoid enabling debug mode in applications

Docs > Datadog Security > Code Security > Static Analysis (SAST) > SAST Rules > Avoid enabling debug mode in applications

Metadata

ID: php-security/debug-mode-on

Language: PHP

Severity: Error

Category: Security

CWE: 489

Description

Debug mode, while useful during development and testing stages, can expose sensitive information such as server configuration, third-party modules, and other internal details of the application that can be exploited by attackers. In the worst-case scenario, it can lead to a serious security breach.

Make sure that debug mode is disabled in the production environment. This can be achieved by setting the debug configuration to false or 0 in the application’s configuration settings. For example, in CakePHP, use Config::write('debug', 0); or Configure::config('debug', false);, and in WordPress, use define('WP_DEBUG', false);.

Non-Compliant Code Examples

<?php
// CakePHP 1.x, 2.x
Configure::write('debug', 1);
// CakePHP 3.x
Configure::config('debug', true);
// WordPress
define('WP_DEBUG', true);

Compliant Code Examples

<?php
// CakePHP 1.x, 2.x
Configure::write('debug', 0);
// CakePHP 3.x
Configure::config('debug', false);
// WordPress
define('WP_DEBUG', false);