Description
Development artifacts like .env files, debug modes, console logs, and internal IP addresses accidentally left in production code can leak sensitive information about your infrastructure.
While not directly exploitable, these artifacts help attackers understand your system architecture, identify potential attack vectors, and discover additional vulnerabilities.
Debug modes and verbose error messages often reveal internal system details, file paths, database structures, and software versions that make targeted attacks easier.
Potential Impact & Risks
- Information disclosure
- Exposure of internal architecture
- Discovery of additional vulnerabilities
- Performance degradation
- Increased attack surface
Remediation
Immediate Actions
1. Disable debug mode in production
2. Remove console.log() statements
3. Block access to .env and config files
4. Hide internal IP addresses
Production Checklist
1. **Environment-specific configs**: Use process.env.NODE_ENV
2. **Remove debug code**: Strip console.log, debugger statements
3. **Minify/obfuscate**: Make code harder to analyze
4. **Generic error messages**: Don't expose stack traces
5. **Secure .env files**: Never commit, use .gitignore
6. **Block sensitive files**: .htaccess or nginx config
7. **Remove comments**: Strip developer comments
8. **Disable directory listing**: Hide file structure
Code Examples
```javascript
// ❌ BAD - Debug code in production: a DEBUG flag that can be flipped from
// the environment dumps user records and database credentials into the log.
if (process.env.DEBUG === "true") {
  console.log("User data:", userData);
  console.log("Database config:", dbConfig);
}

// ✅ GOOD - Environment-aware: log only in development, and set
// NODE_ENV=production on deployed hosts so this branch never runs there.
if (process.env.NODE_ENV === "development") {
  console.log("Debug info");
}
```

```nginx
# Nginx - Block sensitive files: any dotfile (.env, .git, .htaccess, ...).
# Note: this also blocks /.well-known/, so add an explicit allow for it
# if you serve ACME (Let's Encrypt) challenges from this host.
location ~ /\. {
  deny all;
}
# Also catch .env or .config files anywhere in the document root.
location ~ \.(env|config)$ {
  deny all;
}
```

```apache
# Apache - .htaccess:
<FilesMatch "\.(env|config)$">
  # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
  Order allow,deny
  Deny from all
</FilesMatch>
```
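A pre-deploy check that scans build output for the artifacts listed in the production checklist, as an added example (not code from the original page). Rule names, regexes, and the sample build directory are constructed for illustration.

```javascript
// Added example: scan a build for console.log/debugger statements, RFC 1918
// internal IPs, enabled DEBUG flags, exposed stack traces and stray .env files.
const RULES = [
  { id: "console-log", re: /\bconsole\.(log|debug|trace)\s*\(/ },
  { id: "debugger", re: /\bdebugger\b/ },
  // RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
  { id: "internal-ip",
    re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/ },
  // DEBUG=true in a config file, or process.env.DEBUG === "true" in code
  { id: "debug-flag", re: /\bDEBUG\s*={1,3}\s*["']?(?:true|1)\b/ },
  // err.stack being sent to a client is the "verbose error message" case
  { id: "stack-trace-exposure", re: /\.stack\b/ },
];

// Scan one file's text and return findings with 1-based line numbers.
function scanForArtifacts(filename, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m) findings.push({ file: filename, line: i + 1, rule: rule.id, match: m[0] });
    }
  });
  return findings;
}

// Paths that must never be present in a deployable build directory.
const FORBIDDEN = /(^|\/)(\.env(\..+)?|\.git|\.DS_Store)$/;
function forbiddenFiles(paths) {
  return paths.filter((p) => FORBIDDEN.test(p));
}

// Combine both checks; ok === true means the build may ship.
function checkBuild(files) {
  const findings = Object.entries(files)
    .flatMap(([name, text]) => scanForArtifacts(name, text));
  const forbidden = forbiddenFiles(Object.keys(files));
  return { ok: findings.length === 0 && forbidden.length === 0, findings, forbidden };
}

// Constructed sample build: one bundled server file plus a stray .env.
const SAMPLE_BUILD = {
  "dist/server.js": [
    'const db = { host: "10.0.3.12", user: "app" };',
    'if (process.env.DEBUG === "true") {',
    '  console.log("Database config:", db);',
    '}',
    'app.use((err, req, res, next) => res.status(500).send(err.stack));',
  ].join("\n"),
  "dist/.env": "DB_PASSWORD=placeholder\n",
};

console.log(JSON.stringify(checkBuild(SAMPLE_BUILD), null, 2));
```

Wire `checkBuild` into CI over the real build directory and fail the pipeline when `ok` is false.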