Yii2 Gii extension - Vulnerability Database

Yii2 Gii extension

Description

The Yii2 Gii extension, a web-based code generation tool, has been detected as accessible on this application. Gii is intended exclusively for development environments and should never be enabled in production systems. When properly configured, access should be restricted to a whitelist of specific IP addresses to prevent unauthorized use.

Remediation

Immediately disable the Gii extension in production environments by removing it from the application configuration. In the main configuration file (typically config/web.php), remove or comment out the Gii module entry:

    // Remove or comment out this section in production:
    /*
    'modules' => [
        'gii' => [
            'class' => 'yii\gii\Module',
        ],
    ],
    */

If Gii must remain enabled for staging or development purposes, restrict access to specific IP addresses only:

    'modules' => [
        'gii' => [
            'class' => 'yii\gii\Module',
            'allowedIPs' => ['127.0.0.1', '::1', '192.168.1.*'],
        ],
    ],

Verify that the extension is inaccessible by attempting to access /gii or /index.php?r=gii from an unauthorized IP address. The request should return a 403 Forbidden or 404 Not Found response.
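The following is an added example, not code from Invicti or from the Yii project: a config/web.php fragment that registers Gii only when the application runs in the development environment (the pattern used by the standard Yii2 application template, keyed on the YII_ENV_DEV constant that the entry script defines), together with a small helper that mirrors the matching rule Gii applies to allowedIPs so the effect of a wildcard entry can be checked offline. The application id and the sample client addresses are constructed for the example.

```php
<?php
// Added example (not Invicti's or the Yii project's own code).
// YII_ENV_DEV is normally defined by the Yii2 entry script (web/index.php);
// it is defined here only if absent so this file runs stand-alone, and it
// defaults to false so that the production case (Gii unregistered) is shown.
if (!defined('YII_ENV_DEV')) {
    define('YII_ENV_DEV', false);
}

$config = [
    'id' => 'example-app',          // hypothetical application id
    'basePath' => dirname(__DIR__),
    'components' => [
        // ... remaining components omitted in this example ...
    ],
];

// Gii is bootstrapped only in development. Because the whole block is skipped
// in production, no /gii or ?r=gii route exists there at all.
if (YII_ENV_DEV) {
    $config['bootstrap'][] = 'gii';
    $config['modules']['gii'] = [
        'class' => 'yii\gii\Module',
        // Only loopback and one private subnet may reach the generator.
        'allowedIPs' => ['127.0.0.1', '::1', '192.168.1.*'],
    ];
}

/**
 * Illustrative reimplementation of the allowedIPs matching rule:
 * an entry matches when it equals the client IP exactly, or when it contains
 * '*' and the characters before the '*' are a prefix of the client IP.
 */
function giiIpAllowed(string $clientIp, array $allowedIps): bool
{
    foreach ($allowedIps as $filter) {
        if ($filter === $clientIp) {
            return true;
        }
        $pos = strpos($filter, '*');
        if ($pos !== false && strncmp($clientIp, $filter, $pos) === 0) {
            return true;
        }
    }
    return false;
}

$allowed = ['127.0.0.1', '::1', '192.168.1.*'];
// Constructed sample client addresses, as the application would see them
// in Yii::$app->request->userIP.
foreach (['127.0.0.1', '192.168.1.42', '192.168.10.7', '203.0.113.5'] as $ip) {
    printf("%-15s %s\n", $ip, giiIpAllowed($ip, $allowed) ? 'allowed' : 'denied (403)');
}
```

Two points worth checking when relying on allowedIPs alone: the wildcard is a plain string prefix, so '192.168.1.*' matches 192.168.1.42 but not 192.168.10.7, whereas a shorter entry such as '192.168.*' admits every 192.168.x.y address; and the address compared is the one the application sees as the client IP, which behind a reverse proxy or load balancer is the proxy's address unless the request component is configured to trust that proxy's forwarded headers. Conditioning the module on the environment, as above, is the control that holds regardless of how client addresses are reported.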
