Symfony debug mode enabled (Invicti IAST)
Description
The Symfony web application is configured to run with debug mode enabled in a production environment. Debug mode is controlled by the APP_DEBUG environment variable (set to 1 or true to enable, 0 or false to disable). When enabled, the application displays detailed error messages with stack traces, rebuilds cache files on each request, and exposes internal application details. While useful during development, debug mode should always be disabled in production environments to prevent information disclosure.
Remediation
Disable debug mode by setting the APP_DEBUG environment variable to 0 in your production environment configuration file:
# In .env.local or .env.production file
APP_DEBUG=0
APP_ENV=prod
After making this change, clear the application cache to ensure the new configuration takes effect:
php bin/console cache:clear --env=prod
Verify that debug mode is disabled by triggering an error page and confirming that detailed stack traces are not displayed. Implement proper environment-specific configuration management to ensure debug mode is only enabled in development and testing environments, never in production.
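As an added example (not part of the original advisory, and not Invicti or Symfony code), the shell script below reports whether APP_DEBUG ends up enabled for a project directory, which catches a leftover override in a later-loaded .env file. It assumes Symfony's .env load order (.env, .env.local, .env.<APP_ENV>, .env.<APP_ENV>.local, later files winning), that real environment variables override every file, and that debug defaults to on outside prod; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the APP_DEBUG state a Symfony app in DIR would get.
# Assumptions (see lead-in): load order .env, .env.local, .env.<APP_ENV>,
# .env.<APP_ENV>.local; real environment variables beat every file; with
# APP_DEBUG unset, debug is on unless APP_ENV is prod.
# Simplified parser: plain KEY=value lines only, empty values count as unset.

# read_key FILE KEY: print the last value assigned to KEY in FILE,
# with a trailing "# comment" and surrounding quotes removed.
read_key() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# lookup KEY FILE...: print KEY's value, later files overriding earlier ones.
lookup() {
    key=$1; shift; val=
    for f in "$@"; do
        v=$(read_key "$f" "$key")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# effective_app_debug DIR: print enabled, disabled or unknown.
effective_app_debug() {
    d=$1
    # APP_ENV is decided from the real environment, then .env and .env.local.
    env=${APP_ENV:-$(lookup APP_ENV "$d/.env" "$d/.env.local")}
    env=${env:-dev}
    debug=${APP_DEBUG:-$(lookup APP_DEBUG "$d/.env" "$d/.env.local" \
        "$d/.env.$env" "$d/.env.$env.local")}
    if [ -z "$debug" ]; then
        if [ "$env" = prod ]; then debug=0; else debug=1; fi
    fi
    case $debug in
        1|true)  echo enabled ;;
        0|false) echo disabled ;;
        *)       echo unknown ;;   # value outside those the advisory lists
    esac
}

# Command-line use: sh check_debug.sh /path/to/project
if [ $# -gt 0 ]; then effective_app_debug "$1"; fi
```

Run it on the production host as the user that runs PHP, so the real environment variables it sees match the application's.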