Made by DeepSource

Django app detected with DEBUG mode enabled PY-S0900

Security | Critical | Autofix | A05 OWASP Top 10

Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information. Ensure that Django applications that are run in a production environment have DEBUG set to False.

Debug mode helps developers find bugs by exposing information about the system and its users. That information may be security-sensitive: if debug mode is enabled in a production environment, it can tell attackers about the underlying tools, application settings, and so on. It is recommended to keep development-specific settings in a separate file (say, development_settings.py), or to read these values from environment variables.

Not Preferred:

import django
from django.conf import settings

settings.configure(DEBUG=True)  # Sensitive
settings.configure(DEBUG_PROPAGATE_EXCEPTIONS=True)  # Sensitive

def some_config(config):
    settings.configure(default_settings=config, DEBUG=True)  # Sensitive

Django's "settings.py" or "global_settings.py" configuration file

DEBUG = True  # Sensitive
DEBUG_PROPAGATE_EXCEPTIONS = True  # Sensitive

The issue is raised for this case only if the file is named "settings.py" or "global_settings.py", the default names for Django configuration files.
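A fail-closed counterpart to the literals above, reading DEBUG from the environment as the text recommends. This is an added example, not DeepSource's rule code or Django's own; the variable names DJANGO_DEBUG, DJANGO_DEBUG_PROPAGATE and DJANGO_ENV are assumptions.

```python
# Added example: debug settings read from environment variables, defaulting
# to off. Variable names DJANGO_DEBUG, DJANGO_DEBUG_PROPAGATE and DJANGO_ENV
# are assumed, not Django conventions.
import os
from typing import Mapping

# Values accepted as "on"; a missing variable or an explicit "off" means off.
_TRUTHY = {"1", "true", "yes", "on"}
_FALSY = {"0", "false", "no", "off", ""}


def env_flag(name: str, environ: Mapping[str, str] = os.environ,
             default: bool = False) -> bool:
    """Parse a boolean flag from the environment.

    Unrecognised values raise instead of silently enabling the flag, so a
    typo such as DJANGO_DEBUG=ture cannot turn debug mode on by accident.
    """
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUTHY:
        return True
    if value in _FALSY:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean")


def build_settings(environ: Mapping[str, str] = os.environ) -> dict:
    """Return the debug-related settings a settings.py would define."""
    debug = env_flag("DJANGO_DEBUG", environ)
    return {
        "DEBUG": debug,
        # Only ever propagate exceptions to the server while debugging.
        "DEBUG_PROPAGATE_EXCEPTIONS": debug and env_flag("DJANGO_DEBUG_PROPAGATE", environ),
    }


def assert_production_safe(settings: Mapping[str, object],
                           environ: Mapping[str, str] = os.environ) -> None:
    """Refuse to start with DEBUG on when the environment is production.

    The environment is treated as production unless DJANGO_ENV says otherwise,
    so an unset variable fails closed.
    """
    if environ.get("DJANGO_ENV", "production") == "production" and settings["DEBUG"]:
        raise RuntimeError("DEBUG must be False in production")


# In settings.py (hypothetical usage): globals().update(build_settings())
```

Calling assert_production_safe at import time of settings.py catches a stray DJANGO_DEBUG=1 on a production host that a static check of the file cannot see.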