Yii2 debug toolkit - Vulnerability Database

Yii2 debug toolkit

Description

The Yii2 Debug Toolbar (the <code>yii2-debug</code> module) is enabled and reachable on this web application. It is a development aid and should never be enabled in production. When active it exposes detailed internals of the application to anyone who can open the debug panel: the full application configuration (including component settings such as database DSNs and credentials), every executed database query with its bound parameters, request and response data including headers, session and cookie values, application logs and profiling output, the authenticated user's identity, and the routing and module structure. An attacker can use this information to map the application, harvest secrets, and identify further vulnerabilities such as injection points in the logged queries. Note that the module restricts access to <code>127.0.0.1</code> and <code>::1</code> by default, so a toolbar that is reachable from outside means the allow-list was widened or every request appears to originate from a trusted address.

Remediation

Immediately disable the Yii2 Debug Toolbar in production environments by changing the application configuration. In the <code>config/web.php</code> file, remove or comment out the debug module from the <code>bootstrap</code> array and the <code>modules</code> section (or wrap its registration in an <code>if (YII_ENV_DEV)</code> guard, as the official Yii2 application templates do):<br/><br/><pre>// Remove these lines in production:
// 'bootstrap' => ['debug'],
// 'modules' => [
//     'debug' => [
//         'class' => 'yii\debug\Module',
//     ],
// ]</pre><br/>If the debug toolbar is required in development environments, restrict access with an IP allow-list. The module's <code>allowedIPs</code> default is <code>['127.0.0.1', '::1']</code>; add only the ranges that genuinely need access (a trailing <code>*</code> acts as a prefix wildcard):<br/><br/><pre>'modules' => [
    'debug' => [
        'class' => 'yii\debug\Module',
        'allowedIPs' => ['127.0.0.1', '::1', '192.168.1.*'],
    ],
]</pre><br/>The allow-list is compared against <code>Yii::$app->request->userIP</code>. Behind a reverse proxy or load balancer, configure the <code>request</code> component's <code>trustedHosts</code> so that forwarded client addresses are honoured only from the proxy itself; if every host is trusted, any client can spoof <code>X-Forwarded-For</code> to match an allowed address.<br/><br/>Verify the change by requesting the debug endpoint (typically <code>/debug</code>) and confirming that it returns 404 Not Found (module no longer registered) or 403 Forbidden (module registered, but the client address is not in <code>allowedIPs</code>). Also ensure that the <code>YII_DEBUG</code> constant is <code>false</code> and <code>YII_ENV</code> is <code>'prod'</code> in production deployments: with <code>YII_DEBUG</code> enabled, uncaught exceptions render full stack traces and source excerpts even when the debug module itself is disabled.
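The following <code>config/web.php</code> is an added example illustrating the remediation above; it is not code from the Invicti page or from the Yii project. It assumes the Yii2 basic application template layout (a <code>web/index.php</code> that defines <code>YII_ENV</code> as <code>'prod'</code> in production, or leaves it undefined so Yii defaults it), and the application id, proxy address, hostname and environment-variable names are placeholders. The <code>allowedHosts</code> property is present in current yii2-debug releases; drop that line if your installed version does not have it.

```php
<?php
// config/web.php (added example; placeholders marked below).
//
// YII_ENV_DEV is derived by Yii from the YII_ENV constant defined in
// web/index.php. In production YII_ENV is 'prod' (Yii's default when the
// constant is undefined), so the debug module is never registered and a
// request to /debug falls through to a 404.

$config = [
    'id' => 'basic',                     // placeholder application id
    'basePath' => dirname(__DIR__),
    'components' => [
        'request' => [
            // yii2-debug compares request->userIP with allowedIPs. Forwarded
            // client addresses (X-Forwarded-For) are honoured only for hosts
            // listed here, so name the reverse proxy explicitly rather than
            // trusting every host; '10.0.0.0/24' is a placeholder range.
            'trustedHosts' => ['10.0.0.0/24'],
            // Secrets come from the environment, not the config file, so the
            // Configuration panel has nothing sensitive to reveal.
            'cookieValidationKey' => getenv('COOKIE_VALIDATION_KEY'),
        ],
        'db' => [
            'class' => 'yii\db\Connection',
            'dsn' => getenv('DB_DSN'),
            'username' => getenv('DB_USER'),
            'password' => getenv('DB_PASS'),
        ],
    ],
];

// Register the debug module only for the dev environment.
if (YII_ENV_DEV) {
    $config['bootstrap'][] = 'debug';
    $config['modules']['debug'] = [
        'class' => 'yii\debug\Module',
        // Module default is ['127.0.0.1', '::1']; widen only to networks
        // that need it. A trailing '*' is a prefix wildcard.
        'allowedIPs' => ['127.0.0.1', '::1', '192.168.1.*'],
        // Additionally require a known Host header (placeholder hostname).
        'allowedHosts' => ['dev.example.test'],
    ];
}

return $config;
```

With this layout, a production deployment that accidentally ships <code>YII_ENV</code> as <code>'dev'</code> still only exposes the toolbar to the listed addresses and host, while a deployment with the correct constants has no debug module at all, which is the state the verification step above (a 404 on <code>/debug</code>) confirms.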
