
Why it Matters

Magento ships with developer-oriented settings: template path hints, symlinked templates, the profiler, and debug logging. They are useful while developing, but left on in production they disclose internals: template path hints print the absolute filesystem path of every rendered template into the page HTML, the profiler appends timing and call-tree output to responses, debug logging writes request details to var/log, and allowing symlinks lets templates be loaded from outside the theme directory. They also add overhead to every request.

Ensuring that no developer configs are active in production keeps the site fast, reduces attack surface, and prevents unintentional information disclosure.

Verification Steps

Magento Admin (if accessible)

Stores → Configuration → Advanced → Developer
- Debug → Enable Template Path Hints for Storefront: No
- Debug → Enable Template Path Hints for Admin: No
- Debug → Log to File: No
- Template Settings → Allow Symlinks: No
- Profiler: the Magento 2 profiler has no admin switch; it is turned on by the file var/profiler.flag (written by bin/magento dev:profiler:enable) or by the MAGE_PROFILER environment variable, so check those on the server instead.

Note that the Developer section is hidden from the admin once the store runs in production mode, so not finding it there is expected rather than proof; rely on the file and CLI checks as well.

File check

# Dev settings locked in app/etc/config.php or env.php
# (env.php overrides config.php, and both override values stored in the database)
grep -RnE "template_hints|allow_symlink|debug_logging" app/etc/

# Effective values as Magento resolves them, plus the deployment mode
bin/magento config:show dev/debug/template_hints_storefront
bin/magento config:show dev/debug/template_hints_admin
bin/magento config:show dev/debug/debug_logging
bin/magento config:show dev/template/allow_symlink
bin/magento deploy:mode:show

# The profiler flag file must not exist
ls -l var/profiler.flag

Remediation / Fix Guidance

  1. Disable all developer tools and configs in production:
    • Template Path Hints (storefront and admin) → No
    • Allow Symlinks → No
    • Profiler → bin/magento dev:profiler:disable (removes var/profiler.flag); make sure MAGE_PROFILER is not set in the web server or PHP-FPM environment
  2. Verify debug logging is off (dev/debug/debug_logging = 0) and that custom modules do not log at debug level in production.
  3. Enforce production mode (MB-R031): bin/magento deploy:mode:set production hides the Developer section from the admin and keeps dev features off.
  4. Lock the values so the admin cannot re-enable them (bin/magento config:set --lock-config <path> 0 in 2.3 and later), commit the resulting app/etc/config.php, and apply it from deployment scripts to avoid regressions.
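The verification and remediation steps above, collected into one audit script. This is an added example, not part of the baseline page or of Magento itself; it assumes a standard Magento 2 layout (app/etc/config.php, app/etc/env.php, var/profiler.flag) under the root passed as its argument, and only runs the deployment-mode check when bin/magento is present there.

```shell
#!/bin/sh
# audit_magento_dev_settings.sh  (added example, not Magento's own tooling)
# Usage: audit_magento_dev_settings.sh [MAGENTO_ROOT]
# Exit 0 on PASS, 1 on FAIL.

# Config keys that must be '0' (or absent) in app/etc/config.php and env.php.
DEV_KEYS="template_hints_storefront template_hints_admin allow_symlink debug_logging"

# find_enabled_dev_keys ROOT
# Prints "ENABLED: <key>" for every dev key set to a truthy value ('1', 1 or true)
# anywhere under ROOT/app/etc/. Returns 0 if none are enabled, 1 otherwise.
find_enabled_dev_keys() {
    root="$1"
    found=0
    for key in $DEV_KEYS; do
        # Matches PHP array entries such as  'allow_symlink' => '1'  or  => true
        if grep -EqR "'${key}'[[:space:]]*=>[[:space:]]*('?1'?|true)" "$root/app/etc/" 2>/dev/null; then
            echo "ENABLED: $key"
            found=1
        fi
    done
    return $found
}

# profiler_flag_present ROOT
# Returns 0 if var/profiler.flag exists, i.e. the profiler is switched on.
profiler_flag_present() {
    [ -f "$1/var/profiler.flag" ]
}

# audit ROOT
# Runs every check, prints findings and a final PASS/FAIL line.
# Returns 0 only when nothing developer-related is enabled.
audit() {
    root="${1:-.}"
    status=0

    find_enabled_dev_keys "$root" || status=1

    if profiler_flag_present "$root"; then
        echo "ENABLED: profiler (var/profiler.flag exists)"
        status=1
    fi

    # Deployment mode is checked only where the CLI is available.
    if [ -x "$root/bin/magento" ]; then
        mode=$("$root/bin/magento" deploy:mode:show 2>/dev/null)
        case "$mode" in
            *production*) ;;
            *) echo "WARN: deployment mode is not production: $mode"; status=1 ;;
        esac
    fi

    if [ "$status" -eq 0 ]; then echo "PASS"; else echo "FAIL"; fi
    return $status
}

# Run the audit when executed directly (not when sourced for testing).
case "$0" in
    *audit_magento_dev_settings.sh) audit "${1:-.}" ;;
esac
```

The grep runs over the whole app/etc directory so it catches values locked in either config.php or env.php; because env.php takes precedence at runtime, a '0' in config.php next to a '1' in env.php is still a finding, which is the conservative result you want from a baseline check.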

Examples

Fail Example
# app/etc/config.php (locked settings; env.php uses the same layout and takes precedence)
'system' => [
  'default' => [
    'dev' => [
      'debug' => [
        'template_hints_storefront' => '1',
        'template_hints_admin' => '1',
        'debug_logging' => '1',
      ],
      'template' => [
        'allow_symlink' => '1',
      ],
    ],
  ],
],
# and var/profiler.flag exists (bin/magento dev:profiler:enable was run)
Pass Example
# app/etc/config.php
'system' => [
  'default' => [
    'dev' => [
      'debug' => [
        'template_hints_storefront' => '0',
        'template_hints_admin' => '0',
        'debug_logging' => '0',
      ],
      'template' => [
        'allow_symlink' => '0',
      ],
    ],
  ],
],
# and var/profiler.flag is absent, with deploy:mode:show reporting production

References