Will It Vibe logoWill It Vibe?
ENVCFG-008Medium severity-8 points

Debug mode enabled in config

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A DEBUG/APP_DEBUG/FLASK_DEBUG flag is set on in a config or env file. In production, framework debug mode leaks stack traces, source, settings, and sometimes an interactive console to anyone who triggers an error.

Why it matters

Debug mode in production turns errors into detailed responses that expose stack traces, source snippets, settings, and sometimes an interactive console. Attackers use that output to learn your stack and find the next weakness, and in some frameworks the debug console is direct code execution. A DEBUG flag left on in config is a common cause.

How to fix it

Set debug off for production config and drive it from an environment variable that defaults to off. Keep debug on only in local or development config that never ships. Confirm the framework reads the production value, and verify errors return a generic page.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks