
MB-R036: No dev configs on prod

C05 Production Mode & Deployment Hygiene | High

Development configurations such as sandbox API keys, test SMTP servers, or verbose logging must not remain in production. They often bypass security controls and can leak sensitive data. Audit environment configs to ensure only production values are applied on live systems.

Why it Matters

Magento has developer-oriented settings (template hints, symlink templates, profiler, verbose logging). These are useful for debugging, but if enabled on production they expose sensitive paths, degrade performance, and may leak information about the internal application structure.

Ensuring that no developer configs are active in production keeps the site fast, reduces attack surface, and prevents unintentional information disclosure.

Verification Steps

Magento Admin (if accessible)

Stores → Configuration → Advanced → Developer
- Template Path Hints: Off
- Allow Symlinks: No
- Profiler: Disabled

File check

# Inspect app/etc/env.php and app/etc/config.php for developer settings;
# -n prints the line number of each hit so the value can be reviewed in context
grep -Rin profiler app/etc/
grep -Rin template_hints app/etc/
# Broad match: lists every line mentioning "dev" so the whole 'dev' section can be reviewed
grep -Rin dev app/etc/

Remediation / Fix Guidance

  1. Disable all developer tools and configs in production:
    • Template Path Hints → Off
    • Allow Symlinks → No
    • Profiler → Disabled
  2. Verify logs are not set to “debug” level in env.php or custom modules.
  3. Enforce production mode (MB-R031) to ensure dev features are not exposed.
  4. Document and automate config changes in deployment scripts to avoid regressions.

Examples

Fail Example

# app/etc/config.php
'dev' => [
  'debug' => [
    'template_hints' => 1,
  ],
  'profiler' => [
    'enabled' => true,
  ],
]

Pass Example

# app/etc/config.php
'dev' => [
  'debug' => [
    'template_hints' => 0,
  ],
  'profiler' => [
    'enabled' => false,
  ],
]
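To turn the file check and the Fail/Pass examples above into a repeatable deployment gate (remediation step 4), here is an added example of an audit script; it is not part of the baseline or of Magento itself. It assumes the keys shown on this page ('template_hints' under 'debug' and 'enabled' under 'profiler') and checks constructed sample fragments written to temporary files.

```shell
#!/bin/sh
# Added example (not from the baseline): audit a Magento app/etc/config.php or
# app/etc/env.php fragment for developer settings that must be off in production.

# Count enabled developer settings in the given file; print each hit.
# Exit status is the number of hits, so 0 means the file is clean.
audit_dev_config() {
  file="$1"
  hits=0
  # Any template_hints* key (e.g. template_hints_storefront) with a non-zero value
  if grep -Eq "'template_hints[a-z_]*'[[:space:]]*=>[[:space:]]*[1-9]" "$file"; then
    echo "FAIL: template path hints enabled in $file"
    hits=$((hits + 1))
  fi
  # 'enabled' => true|1 inside the 'profiler' => [ ... ] block only
  if sed -n "/'profiler'/,/]/p" "$file" \
     | grep -Eq "'enabled'[[:space:]]*=>[[:space:]]*(true|1)"; then
    echo "FAIL: profiler enabled in $file"
    hits=$((hits + 1))
  fi
  return "$hits"
}

# Constructed sample fragments in the same shape as the page's examples,
# written to temporary files so the audit runs offline.
FAIL_CONF=$(mktemp)
cat > "$FAIL_CONF" <<'EOF'
'dev' => [
  'debug' => [ 'template_hints' => 1 ],
  'profiler' => [ 'enabled' => true ],
]
EOF

PASS_CONF=$(mktemp)
cat > "$PASS_CONF" <<'EOF'
'dev' => [
  'debug' => [ 'template_hints' => 0 ],
  'profiler' => [ 'enabled' => false ],
]
EOF
trap 'rm -f "$FAIL_CONF" "$PASS_CONF"' EXIT

# Demo run: the fail fragment reports 2 settings on, the pass fragment is clean
audit_dev_config "$FAIL_CONF" || echo "dev config found: $? setting(s) enabled"
audit_dev_config "$PASS_CONF" && echo "clean: no developer settings enabled"
```

In a pipeline, run audit_dev_config against the real app/etc/config.php and app/etc/env.php and fail the deploy on a non-zero exit status.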
