Usage of Django debug mode

Description

When debug mode is enabled, Django displays detailed error pages with stack traces and other sensitive information when an error occurs. While this can be useful during development, debug mode should never be enabled in production or other such environments because it can lead to the exposure of sensitive data to unauthorized users.

Remediations

  • Do not set DEBUG to True in production or other such environments.
    DEBUG = True  # not safe for production: every error page leaks a traceback and settings
  • Do use environment variables to configure DEBUG mode appropriately for development and production.
    import os

    # Debug mode is on only when DJANGO_DEBUG is set to the exact string 'True';
    # an unset variable (the default in production) leaves DEBUG at False.
    DEBUG = os.getenv('DJANGO_DEBUG', 'False') == 'True'
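A slightly more defensive version of the environment-driven setting above, added here as an example (not Bearer's or Django's own code): it accepts the usual truthy spellings (1, yes, on, true) and refuses to turn debug mode on when a DJANGO_ENV variable (an assumed name, not a Django built-in) says the process is running in production, so a stray DJANGO_DEBUG=True cannot expose tracebacks on a live site.

```python
import os

# Strings accepted as "true" (compared case-insensitively), so that
# DJANGO_DEBUG=1 and DJANGO_DEBUG=yes behave the same as DJANGO_DEBUG=True.
_TRUTHY = {"1", "true", "yes", "on"}


def parse_bool(raw, default=False):
    """Parse an environment-variable string into a bool; unset -> default."""
    if raw is None:
        return default
    return raw.strip().lower() in _TRUTHY


def resolve_debug(environ):
    """Return the DEBUG value for a Django settings module.

    `environ` is any mapping (normally os.environ; a plain dict in tests).
    DJANGO_ENV is an assumed, project-specific variable naming the deployment
    environment. When it is 'production', any request to enable debug mode is
    rejected outright instead of being honoured.
    """
    env_name = environ.get("DJANGO_ENV", "development").strip().lower()
    wants_debug = parse_bool(environ.get("DJANGO_DEBUG"), default=False)
    if env_name == "production" and wants_debug:
        raise RuntimeError(
            "DJANGO_DEBUG is enabled but DJANGO_ENV=production; "
            "refusing to start with debug mode on"
        )
    return wants_debug


# In settings.py this line replaces the plain os.getenv() comparison.
DEBUG = resolve_debug(os.environ)
```

Failing fast at startup is deliberate: a misconfigured production deploy should refuse to boot rather than serve debug pages until someone notices.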

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_django_debug_mode_enabled

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_django_debug_mode_enabled