
Why it Matters

Debug or verbose output in production may reveal sensitive details like SQL queries, file paths, stack traces, or even secret values. Attackers can use this information to map the system, exploit weaknesses, or plan targeted attacks.

Disabling debug and verbose settings in production ensures that only generic error messages are shown to users, while full diagnostic details remain protected in secure logs accessible only to administrators.

Verification Steps

Magento configuration

# Check debug and verbose flags
bin/magento config:show dev/debug/debug_logging
bin/magento config:show dev/template/debug
bin/magento config:show dev/js/enable_js_bundling

# Expected: disabled (0)

PHP settings

# In php.ini or pool config
display_errors = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
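The two verification blocks above are manual checks. The following script is an added example (not part of this baseline page or of Magento itself) that automates them: it parses a php.ini-style file and compares the directives the page names against the expected production values, and it compares the values printed by `bin/magento config:show` for the three listed paths against the expected `0`. The sample php.ini text and the Magento values are constructed for the demonstration; on a real host you would feed it the actual php.ini / pool config and the real `config:show` output.

```python
import re

# Directives the page requires on a production host, with their expected
# normalised value (taken from the page's php.ini block).
EXPECTED_PHP = {
    "display_errors": "off",
    "log_errors": "on",
}

# Magento flags the page checks; the page expects each to read 0.
EXPECTED_MAGENTO = {
    "dev/debug/debug_logging": "0",
    "dev/template/debug": "0",
    "dev/js/enable_js_bundling": "0",
}

_ON = {"on", "1", "true", "yes"}
_OFF = {"off", "0", "false", "no", ""}


def parse_php_ini(text):
    """Return {directive: value} from php.ini-style text, dropping
    ';' comments and [section] headers. A repeated directive overrides
    the earlier one, which matches how PHP applies the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def normalize_bool(value):
    """Map the spellings PHP accepts for booleans to 'on'/'off'.
    Anything else (e.g. display_errors = stderr) is returned as-is and
    will therefore fail the comparison, which is the safe outcome."""
    v = value.strip().lower()
    if v in _ON:
        return "on"
    if v in _OFF:
        return "off"
    return v


def audit_php_ini(text):
    """Return a list of findings for a production php.ini; empty list
    means the PHP side of the baseline passes. A directive that is not
    set explicitly is reported, because the compiled-in default is then
    what applies, not the value the baseline asks for."""
    settings = parse_php_ini(text)
    findings = []
    for directive, expected in EXPECTED_PHP.items():
        if directive not in settings:
            findings.append(f"{directive}: not set explicitly, expected {expected}")
        elif normalize_bool(settings[directive]) != expected:
            findings.append(f"{directive}: got {settings[directive]!r}, expected {expected}")
    return findings


def audit_magento_flags(values):
    """values maps config path -> the string printed by
    `bin/magento config:show <path>`; returns the flags not disabled."""
    findings = []
    for path, expected in EXPECTED_MAGENTO.items():
        actual = values.get(path)
        if actual is None:
            findings.append(f"{path}: not returned by config:show")
        elif actual.strip() != expected:
            findings.append(f"{path}: got {actual.strip()!r}, expected {expected}")
    return findings


# Constructed samples for the demonstration, not output from a real host.
SAMPLE_PHP_INI_BAD = """\
[PHP]
; development leftovers that must not reach production
display_errors = On
error_reporting = E_ALL
log_errors = Off
"""

SAMPLE_PHP_INI_GOOD = """\
display_errors = Off
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors = On
"""

SAMPLE_MAGENTO_BAD = {
    "dev/debug/debug_logging": "1",
    "dev/template/debug": "0",
    "dev/js/enable_js_bundling": "0",
}

if __name__ == "__main__":
    for name, text in (("bad php.ini", SAMPLE_PHP_INI_BAD), ("good php.ini", SAMPLE_PHP_INI_GOOD)):
        print(name, audit_php_ini(text) or "PASS")
    print("magento flags", audit_magento_flags(SAMPLE_MAGENTO_BAD) or "PASS")
```

Run it against `php --ini`'s loaded file and, for the pool, the `php_admin_value` lines of the FPM pool config, since a pool setting silently overrides php.ini; the parser treats both the same way once you strip the `php_admin_value[` prefix.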

Remediation / Fix Guidance

  1. Ensure display_errors is disabled in PHP configuration on production servers.
  2. Disable Magento developer/debug flags in app/etc/config.php and Admin panel.
  3. Route errors and verbose logs to var/log/ or centralized logging systems, never to the browser.
  4. Apply the principle of least privilege — only developers with access to staging environments see verbose logs.
  5. Test production with invalid input to confirm that no stack traces or debug output are exposed.

Examples

Fail Example

# Browser error page
SQLSTATE[42S22]: Column not found: 1054 Unknown column 'secret' in 'field list'
in /var/www/magento/vendor/module/file.php:123
# FAIL: Verbose debug output exposed

Pass Example

# Browser error page
"Something went wrong while processing your request."
# Full stack trace written only to var/log/exception.log → PASS
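Remediation step 5 and the Fail/Pass examples above describe the same check: send invalid input to the production site and confirm the response carries no diagnostic detail. The following is an added example (not code from this baseline or from Magento) that encodes that judgement as a response-body scanner. The indicator patterns are an assumption based on common PHP and Magento error output, not an exhaustive list; the sample bodies are constructed from the page's two examples. The `probe` helper, which fetches a URL with the standard library, is the only part that touches the network.

```python
import re
import urllib.error
import urllib.request

# Signs that a response body carries diagnostics that belong in var/log/,
# not in the browser. Assumed patterns for typical PHP/Magento output.
LEAK_PATTERNS = {
    "sql_error": re.compile(r"SQLSTATE\[\w+\]"),
    "php_error_banner": re.compile(r"\b(Fatal error|Warning|Notice|Parse error|Deprecated):"),
    # "in /path/file.php:123" or "in /path/file.php on line 123"
    "source_location": re.compile(r"\bin\s+/[\w./-]+\.php(?::\d+|\s+on\s+line\s+\d+)"),
    # "Stack trace:" header or "#0 /path/file.php(12): ..." frames
    "stack_trace": re.compile(r"(?m)^(Stack trace:|#\d+\s+/[\w./-]+\.php\(\d+\))"),
    # namespaced exception class names such as Magento\Framework\Exception\LocalizedException
    "exception_class": re.compile(r"\b[A-Z]\w+(\\[A-Z]\w+)+Exception\b"),
}


def find_debug_leaks(body):
    """Return the sorted names of indicators present in a response body.
    An empty list means no recognised diagnostic detail was exposed."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(body))


def verdict(body):
    """PASS when the body shows only a generic message, FAIL otherwise.
    The HTTP status is deliberately ignored: debug output (for example
    template hints) can also appear on pages that return 200."""
    return "FAIL" if find_debug_leaks(body) else "PASS"


def probe(url, timeout=10):
    """Fetch a URL and return (status, body) even for 4xx/5xx responses,
    so an error page can be scanned. Point this only at systems you own."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample bodies modelled on the page's Fail and Pass examples.
FAIL_BODY = (
    "SQLSTATE[42S22]: Column not found: 1054 Unknown column 'secret' in 'field list'\n"
    "in /var/www/magento/vendor/module/file.php:123"
)
PASS_BODY = "Something went wrong while processing your request."

if __name__ == "__main__":
    for label, body in (("fail example", FAIL_BODY), ("pass example", PASS_BODY)):
        print(label, verdict(body), find_debug_leaks(body))
```

Feed `probe("https://your-store.example/catalog/product/view/id/not-a-number")` (placeholder URL) into `verdict` for step 5; a FAIL means diagnostics reached the browser and the php.ini or Magento flags need the fixes listed above.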

References