Tracy debugging tool enabled - Vulnerability Database

Tracy debugging tool enabled

Description

The Tracy debugging tool, a diagnostic and development utility for PHP applications, has been detected running on this web application. Tracy is designed to display detailed error messages, application state information, and system configuration details during development. When left enabled in production environments, it exposes sensitive technical information that should remain confidential.

Remediation

Immediately disable Tracy in production environments. For PHP applications using Nette Framework or Tracy as a standalone component, ensure the debugger is only enabled in development mode by modifying the configuration:

1. Set Tracy to development mode only in your bootstrap or configuration file:

// Development mode: shows the Tracy bar and detailed error screens (local work only)
Tracy\Debugger::enable(Tracy\Debugger::DEVELOPMENT);
// or, in production: no debug output reaches the browser, errors are logged instead
Tracy\Debugger::enable(Tracy\Debugger::PRODUCTION);

2. Use environment-based configuration to ensure Tracy is never active in production:

if (getenv('APP_ENV') === 'development') {
    // Explicit development mode; relying on Tracy's auto-detection here is avoided
    Tracy\Debugger::enable(Tracy\Debugger::DEVELOPMENT);
} else {
    // Any other (or missing) value falls through to production mode
    Tracy\Debugger::enable(Tracy\Debugger::PRODUCTION);
}

3. If access to Tracy is required in production for debugging purposes, restrict access using IP whitelisting or authentication mechanisms, and limit the exposure window to the minimum time necessary.
4. Review web server configurations to ensure Tracy bar endpoints (typically /tracy/) are blocked from public access.
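The four steps above combined into one bootstrap file, as an added example that is not code from Invicti or the Tracy project. It assumes Composer autoloading, an APP_ENV variable, a writable log/ directory beside the file, and placeholder IP addresses for the staging whitelist; unknown or missing environment values fail closed into production mode, and production mode is given a log directory so errors are recorded instead of shown.

```php
<?php
// Added example (not from the Invicti page or the Tracy project).
// Assumptions: Composer autoloading, an APP_ENV variable, a writable log/ directory.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Tracy\Debugger;

$logDir = __DIR__ . '/log';            // assumed location; must be writable by PHP

// An unset APP_ENV must never mean "development": default to production.
$env = getenv('APP_ENV') ?: 'production';

switch ($env) {
    case 'development':
        // Full Tracy bar and bluescreen, intended for local machines only.
        Debugger::enable(Debugger::DEVELOPMENT);
        break;

    case 'staging':
        // Step 3: IP whitelist. Tracy treats requests from the listed addresses
        // as development and everyone else as production. Placeholder IPs.
        Debugger::enable(['203.0.113.10', '203.0.113.11'], $logDir);
        break;

    default:
        // Production and any unrecognised value: generic error page for the
        // client, full details written to $logDir (exception-*.html, error.log).
        Debugger::enable(Debugger::PRODUCTION, $logDir);
        break;
}

// Optional: turn notices/warnings into logged exceptions instead of partial output.
Debugger::$strictMode = true;
```

Verify the result by requesting the application from an address outside the whitelist with APP_ENV unset: the response must contain no Tracy bar or stack trace, and a new file should appear in log/ when an error is triggered.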
