Symfony web debug toolbar - Vulnerability Database

Symfony web debug toolbar

Description

The Symfony web debug toolbar is the visible part of the Symfony profiler, a development feature provided by WebProfilerBundle that injects a bar with profiling and diagnostic information at the bottom of every HTML page. When it is left enabled in production, the application exposes sensitive internals to anyone who can request a page: configuration and environment details, executed database queries with their parameters, full request and response data (including session contents and submitted form values), and performance metrics. The toolbar also links to the profiler interface under /_profiler/, where stored request profiles and a phpinfo() page can be browsed, and each profiled response carries an X-Debug-Token header. This vulnerability occurs when an application is deployed with the dev environment or debug mode still active (APP_ENV=dev or APP_DEBUG=1), making internal system information publicly accessible.

Remediation

Disable the Symfony debug toolbar and profiler in production by running the application in the prod environment and keeping the profiling bundle out of that environment. Verify the following configurations:

1. Set the APP_ENV and APP_DEBUG environment variables in your deployment environment (real environment variables take precedence over values read from .env files):

APP_ENV=prod
APP_DEBUG=0

2. Keep WebProfilerBundle registered only for the dev and test environments in config/bundles.php, and scope its configuration to those environments with when@ keys in config/packages/web_profiler.yaml, so that no toolbar or profiler configuration applies in prod:

when@dev:
    web_profiler:
        toolbar: true
        intercept_redirects: false

when@test:
    web_profiler:
        toolbar: false
        intercept_redirects: false

    framework:
        profiler: { collect: false }

Do not add a web_profiler block under when@prod: if the bundle is not registered in prod, no extension can load that configuration and the container build fails.

3. Clear the application cache for the production environment after configuration changes. The cache is built per environment, so a stale dev cache would keep serving the toolbar:

php bin/console cache:clear --env=prod --no-debug

4. Keep .env files outside the web root (the public/ directory in a standard Symfony project) or deny access to them in the web server configuration, and never deploy a .env.local that sets APP_ENV=dev. Regularly audit deployed applications to confirm debug features remain disabled in production: a production response must carry no X-Debug-Token header and no sf-toolbar markup, and /_profiler/ must not resolve.
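The following script is an added example written for this page, not Invicti's scanner logic or Symfony project code. It performs the audit from step 4 against a deployed host: it looks for the X-Debug-Token and X-Debug-Token-Link response headers and for the injected sf-toolbar markup on the home page, then probes /_profiler/, /_profiler/phpinfo and /.env, which must all be refused in production. The sample responses at the bottom of the block are constructed for the demonstration, and the host name app.example.test is a placeholder.

```python
"""Check a deployed Symfony application for an exposed debug toolbar/profiler.

Added example for this page; it is not Invicti's scanner nor Symfony project
code. It relies on documented WebProfilerBundle behaviour: the profiler adds
X-Debug-Token / X-Debug-Token-Link response headers, the toolbar is injected
as a <div class="sf-toolbar"> that loads /_wdt/<token>, and the profiler UI
lives under /_profiler/ (including /_profiler/phpinfo). The sample responses
at the bottom are constructed for the demonstration.
"""
import re
import urllib.error
import urllib.request

TOKEN_HEADERS = ("x-debug-token", "x-debug-token-link")
TOOLBAR_MARKERS = (
    re.compile(r'class="sf-toolbar'),   # injected toolbar container
    re.compile(r"/_wdt/[0-9a-f]{6}"),    # toolbar content fetched by profile token
)
DEBUG_PATHS = ("/_profiler/", "/_profiler/phpinfo", "/.env")


def check_response(headers, body):
    """Findings for one HTML page: profiler headers or injected toolbar markup."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = [f"header {name}: {lowered[name]}" for name in TOKEN_HEADERS if name in lowered]
    findings += [f"body matches {m.pattern}" for m in TOOLBAR_MARKERS if m.search(body)]
    return findings


def check_debug_paths(status_by_path):
    """Findings for probed debug paths: any status other than 403/404 means it is served."""
    return [f"{path} returned {status}"
            for path, status in status_by_path.items() if status not in (403, 404)]


def _get(url, timeout):
    """GET url and return (status, headers, body); HTTP error statuses are still responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "symfony-debug-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def scan(base_url, timeout=10):
    """Live check against a base URL such as https://app.example.test (needs network)."""
    base = base_url.rstrip("/")
    _, headers, body = _get(base + "/", timeout)
    statuses = {path: _get(base + path, timeout)[0] for path in DEBUG_PATHS}
    return check_response(headers, body) + check_debug_paths(statuses)


# Constructed sample responses (not captured from a real host).
VULN_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Debug-Token": "a1b2c3",
    "X-Debug-Token-Link": "http://app.example.test/_profiler/a1b2c3",
}
VULN_BODY = (
    '<html><body><p>Hello</p>'
    '<div id="sfwdta1b2c3" class="sf-toolbar" role="region"></div>'
    '<script>/* loads /_wdt/a1b2c3 */</script></body></html>'
)
CLEAN_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
CLEAN_BODY = "<html><body><p>Hello</p></body></html>"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for finding in scan(sys.argv[1]):
            print("FINDING:", finding)
    else:
        print("vulnerable sample:", check_response(VULN_HEADERS, VULN_BODY))
        print("clean sample:", check_response(CLEAN_HEADERS, CLEAN_BODY))
```

Run it with the base URL of a host you are authorized to test; without an argument it evaluates the constructed samples. The header and markup checks are decisive on their own. The path probes are a secondary signal, because an application with a catch-all route answers 200 for every path, so treat a served /_profiler/ as a finding only when the response is the profiler interface rather than the site's normal page.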
