Django Debug Mode Enabled
Description
This Django web application is configured with debug mode enabled (DEBUG = True), which is intended only for development environments. When debug mode is active, Django displays detailed error pages whenever an exception occurs, exposing sensitive system information including environment variables, database settings, installed applications, middleware configuration, file paths, and complete stack traces. This configuration setting should never be enabled in production environments as it transforms normal application errors into significant information disclosure vulnerabilities.
Remediation
Immediately disable debug mode in production environments by modifying your Django settings configuration:
1. Update settings.py:
DEBUG = False
# Also ensure ALLOWED_HOSTS is properly configured
ALLOWED_HOSTS = ['yourdomain.com', 'www.yourdomain.com']
2. Use environment-specific settings:
Implement separate configuration files for development and production, or use environment variables:
import os
# Only the literal string 'True' enables debug; an unset variable keeps it off
DEBUG = os.getenv('DJANGO_DEBUG', 'False') == 'True'
# Drop empty entries: a bare ''.split(',') yields [''], which passes the
# deployment check but matches no host and rejects every request with HTTP 400
ALLOWED_HOSTS = [h.strip() for h in os.getenv('DJANGO_ALLOWED_HOSTS', '').split(',') if h.strip()]
3. Configure proper error logging:
Set up logging to capture errors without exposing them to users:
LOGGING = {
    'version': 1,
    'handlers': {
        'file': {
            'class': 'logging.FileHandler',
            'filename': '/var/log/django/error.log',
        },
    },
    'loggers': {
        'django': {
            'handlers': ['file'],
            'level': 'ERROR',
        },
    },
}
4. Verify the change:
After deployment, confirm debug mode is disabled by checking that error pages show generic messages instead of detailed tracebacks.
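The following is an added example (not part of the original finding) covering steps 2 and 4 together: it derives DEBUG and ALLOWED_HOSTS from environment variables while handling the empty-variable edge case, and it checks an error-page body for the markers Django's technical error pages carry so a post-deployment check can be automated. The function and variable names are the example's own; the two HTML bodies are constructed samples.

```python
import os

# Strings present in Django's technical (DEBUG = True) 404/500 pages but absent
# from the generic handler404/handler500 responses served when DEBUG = False.
DEBUG_PAGE_MARKERS = (
    "You're seeing this error because you have DEBUG = True",
    "Traceback (most recent call last)",
    "Exception Type:",
    "Django Version:",
    "Request information",
)


def settings_from_env(environ=None):
    """Return (DEBUG, ALLOWED_HOSTS) derived from environment variables.

    Empty entries are dropped, so an unset DJANGO_ALLOWED_HOSTS yields []
    (flagged by `manage.py check --deploy`) rather than [''] (passes the
    check but matches no host, so every request gets HTTP 400).
    """
    env = os.environ if environ is None else environ
    # Only the literal "True" (case-insensitive) enables debug; "1", "yes"
    # or an unset variable all keep debug off, which is the safe default.
    debug = env.get("DJANGO_DEBUG", "False").strip().lower() == "true"
    hosts = env.get("DJANGO_ALLOWED_HOSTS", "").split(",")
    allowed_hosts = [h.strip() for h in hosts if h.strip()]
    return debug, allowed_hosts


def looks_like_debug_page(body):
    """True if an HTTP error body is a Django technical (debug) error page."""
    return any(marker in body for marker in DEBUG_PAGE_MARKERS)


# Constructed sample bodies, standing in for the response to a request such as
# GET /this-path-does-not-exist/ against the deployed application.
DEBUG_SAMPLE = (
    "<h1>Page not found <span>(404)</span></h1>"
    "<p>You're seeing this error because you have DEBUG = True in your "
    "Django settings file.</p>"
)
GENERIC_SAMPLE = "<h1>Not Found</h1><p>The requested resource was not found.</p>"

if __name__ == "__main__":
    print(settings_from_env({"DJANGO_ALLOWED_HOSTS": "yourdomain.com, ,www.yourdomain.com"}))
    print("debug page?", looks_like_debug_page(DEBUG_SAMPLE), looks_like_debug_page(GENERIC_SAMPLE))
```

For the live check, feed the body returned by a request to a non-existent path (for example the output of `curl -s https://yourdomain.com/this-path-does-not-exist/`) into `looks_like_debug_page`; a `True` result means debug mode is still on.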