Debugging Enabled in Production
Need
Prevent sensitive information disclosure
Context
• Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
• Usage of Plug.Debugger for debugging Elixir applications
Description
1. Non-compliant code

    defmodule MyApp do
      use Plug.Router

      if Mix.env() == :prod do
        use Plug.Debugger
      end

      # Plug.Router needs :match before :dispatch; the rest of the
      # original module is elided
      plug :match
      plug :dispatch
      # ...
    end

In this Elixir code, the application enables the Plug.Debugger middleware in the production environment (when Mix.env() == :prod). Mix.env() is evaluated while the module compiles, so the debugger is compiled into the production build. Whenever a request raises an unhandled exception, Plug.Debugger renders a debug page in the user's browser that includes the stack trace, source code snippets and request details, which exposes sensitive information about the application's internals.
2. Steps
• Ensure that the Plug.Debugger middleware is only compiled in for development (for example, behind a Mix.env() == :dev check) and never in a production environment.
• Regularly review and update application configurations to ensure they are secure.
3. Secure code example
    defmodule MyApp do
      use Plug.Router

      if Mix.env() == :dev do
        use Plug.Debugger
      end

      # Plug.Router needs :match before :dispatch; the rest of the
      # original module is elided
      plug :match
      plug :dispatch
      # ...
    end

In the updated code, the application only uses the Plug.Debugger middleware when Mix.env() is :dev, that is, during development. Because the check runs at compile time, a production build (Mix.env() == :prod) does not contain the debugger at all, and no debugging information is displayed to the user.
References
• 183. Debugging Enabled in Production