Tornado debug mode
Description
This Tornado web application is configured to run in debug mode, which is enabled by passing debug=True to the Application constructor. Debug mode is designed for development environments and enables several convenience features that should never be exposed in production. When enabled, the application may expose sensitive information including source code fragments, stack traces with local variables, filesystem paths, and internal application structure. This configuration represents a security misconfiguration that can aid attackers in reconnaissance and further exploitation.
Remediation
Disable debug mode in all production and production-like environments (staging, pre-production, etc.). Ensure the Tornado Application constructor is called with debug=False or omit the debug parameter entirely, as it defaults to False.
Example of insecure configuration:
import tornado.web

# Minimal handler so the snippet runs as written
class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello")

app = tornado.web.Application([
    (r"/", MainHandler),
], debug=True)  # INSECURE - Remove in production

Secure configuration:

import os
import tornado.web

# Minimal handler so the snippet runs as written
class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello")

# Use environment variable to control debug mode
is_debug = os.getenv('ENVIRONMENT') == 'development'
app = tornado.web.Application([
    (r"/", MainHandler),
], debug=is_debug)  # Only True in development

Additionally, implement proper error handling and logging mechanisms that capture detailed errors securely on the server side while presenting generic error messages to users. Review deployment configurations and CI/CD pipelines to ensure debug mode is never enabled in production deployments.
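The following is an added example, not part of the original rule text, that combines the two remediation points above: debug mode is derived from the deployment environment with a fail-closed check, and a base handler logs the full traceback on the server while the client only receives a generic message. It assumes Tornado is installed; the names resolve_debug, BaseHandler and make_app are chosen here for illustration.

```python
import logging
import os
from typing import Mapping, Optional

import tornado.ioloop
import tornado.web

log = logging.getLogger("app")

# Only these exact values switch debug on; anything else (unset, "false",
# "True", a typo) leaves it off, so a misconfigured deployment fails closed.
DEBUG_ENVIRONMENTS = frozenset({"development", "dev"})


def resolve_debug(env: Mapping[str, str]) -> bool:
    """Return True only when ENVIRONMENT names a development environment."""
    return env.get("ENVIRONMENT", "").strip().lower() in DEBUG_ENVIRONMENTS


class BaseHandler(tornado.web.RequestHandler):
    """Logs full tracebacks server-side and sends the client a generic message."""

    def write_error(self, status_code: int, **kwargs) -> None:
        exc_info = kwargs.get("exc_info")
        if exc_info is not None:
            # The detailed error goes to the server log only, never into the response.
            log.error("unhandled error on %s %s", self.request.method,
                      self.request.path, exc_info=exc_info)
        self.set_header("Content-Type", "application/json")
        self.finish({"error": "internal server error", "status": status_code})


class MainHandler(BaseHandler):
    def get(self) -> None:
        self.write("ok")


def make_app(env: Optional[Mapping[str, str]] = None) -> tornado.web.Application:
    """Build the application with debug derived from the environment, not hardcoded."""
    env = os.environ if env is None else env
    return tornado.web.Application([(r"/", MainHandler)], debug=resolve_debug(env))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    make_app().listen(8888)
    tornado.ioloop.IOLoop.current().start()
```

Overriding write_error on every handler means the traceback is withheld even if debug is accidentally left on, which gives a second layer of protection beyond the environment check.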