Debugging Enabled in Production
Need
Prevent sensitive information disclosure
Context
- Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
- Usage of Plug.Debugger for debugging Elixir applications
Description
Non-compliant code
defmodule MyApp do
  use Plug.Router

  # Defect: the debugger is compiled in for the :prod build, so error pages
  # with stack traces reach end users in production.
  if Mix.env() == :prod do
    use Plug.Debugger
  end

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end
end
In this Elixir code, the application enables the Plug.Debugger middleware precisely in the production build (when Mix.env() == :prod). Plug.Debugger rescues any exception raised while handling a request and renders an error page in the user's browser with detailed debugging information (such as the stack trace), which exposes sensitive details about the application's internals to anyone who can trigger a server error.
Steps
- Ensure that the Plug.Debugger middleware is never compiled into a production build; enable it only for development.
- Regularly review and update application configurations to ensure they remain secure.
Compliant code
defmodule MyApp do
  use Plug.Router

  # The debugger is compiled in only for the :dev build; a :prod build
  # never includes it.
  if Mix.env() == :dev do
    use Plug.Debugger
  end

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end
end
In the updated code, the application uses the Plug.Debugger middleware only when Mix.env() is :dev, that is, during development. The if expression is evaluated at compile time, so a production build contains no debugger at all and no debugging information is displayed to the user.
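The following is an added example, not code from the original page: it extends the compliant router with a generic error response for every environment and adds an ExUnit test that fails if a crashing route ever leaks exception details to the client. It assumes a Mix project with the plug library as a dependency; the module names MyApp.Router and MyApp.RouterTest, the OTP application name :my_app, the "/boom" route and the "use Plug.ErrorHandler after Plug.Debugger" ordering are choices made for this example.

```elixir
# Added example (assumed names: MyApp.Router, MyApp.RouterTest, :my_app, "/boom").
defmodule MyApp.Router do
  use Plug.Router

  # Compile-time guard: Mix.env() is evaluated when this module is compiled,
  # so Plug.Debugger exists only in a build made with MIX_ENV=dev.
  if Mix.env() == :dev do
    use Plug.Debugger, otp_app: :my_app
  end

  # Generic error handling for every environment. It is `use`d after the
  # debugger so that it wraps it (ordering assumed for this example): in :dev
  # the debugger renders its page first, in :prod this handler is the only one.
  use Plug.ErrorHandler

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello, world!")
  end

  # Route that always fails; used by the test below to prove nothing leaks.
  get "/boom" do
    raise "simulated failure while handling #{conn.request_path}"
  end

  # Plug.ErrorHandler callback. conn.status has already been set from the
  # exception (500 here). The body is fixed and says nothing about the cause;
  # Plug.ErrorHandler re-raises the error after this returns, so the full
  # stack trace still reaches the server logs, never the browser.
  @impl Plug.ErrorHandler
  def handle_errors(conn, %{kind: _kind, reason: _reason, stack: _stack}) do
    send_resp(conn, conn.status, "Internal server error")
  end
end

# Regression test (for example test/my_app/router_test.exs, run with mix test).
# Because Plug.Debugger is compiled in only for :dev, the :test build takes
# the same error path a :prod build would.
defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test

  @opts MyApp.Router.init([])

  test "crashing route returns a generic 500 without exception details" do
    conn = conn(:get, "/boom")

    # Plug.ErrorHandler sends the response, then re-raises the original error.
    assert_raise RuntimeError, "simulated failure while handling /boom", fn ->
      MyApp.Router.call(conn, @opts)
    end

    # The response was sent before the re-raise; read it from the test adapter.
    {status, _headers, body} = sent_resp(conn)
    assert status == 500
    assert body == "Internal server error"
    refute body =~ "simulated failure"
    refute body =~ "router.ex"
  end
end
```

Two caveats apply to the compile-time guard. Mix is not available at runtime inside a release, so Mix.env() must only appear at module level, as here, never inside a function body. And the guard only protects builds actually compiled with MIX_ENV=prod: a release built from a dev compilation still ships the debugger, which is why the test above checks the error path rather than trusting the configuration.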