Debug mode enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Framework debug mode left on can leak stack traces, source, and environment details in production.
Why it matters
Debug mode in Flask or Django shows full stack traces, settings, and sometimes an interactive console to whoever triggers an error, which maps out your internals for attackers. Flask's debugger in particular allows running code from the browser. It only takes one deploy with the flag still on.
How to fix it
Drive the flag from the environment with a default of off: in Django, DEBUG = os.environ.get('DJANGO_DEBUG') == '1'; in Flask, remove debug=True from app.run and use the FLASK_DEBUG environment variable for local runs. Keep debug enabled only in your local .env. Confirm your production start command does not set it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo