 

DEBUG = True Django

Tags:

django

In a production environment, why do I hear people saying that leaving DEBUG = True is potentially dangerous?

What is one example where someone might exploit this security issue to perform a malicious task on my server?

user1431282 asked Jan 23 '13 00:01




2 Answers

https://docs.djangoproject.com/en/dev/ref/settings/#debug

"Never deploy a site into production with DEBUG turned on."

Did you catch that? NEVER deploy a site into production with DEBUG turned on.

"One of the main features of debug mode is the display of detailed error pages. If your app raises an exception when DEBUG is True, Django will display a detailed traceback, including a lot of metadata about your environment, such as all the currently defined Django settings (from settings.py)."

Basically, it's a gaping security hole.

It also wastes a lot of memory:

"It is also important to remember that when running with DEBUG turned on, Django will remember every SQL query it executes. This is useful when you're debugging, but it'll rapidly consume memory on a production server."

Patashu answered Sep 22 '22 14:09


Django tries its best to obfuscate secure information in your debug page, but it's not perfect.

By default, any settings whose names include KEY (since Django 1.4), SECRET, etc. are automatically replaced with *. However, if someone decides to get creative and calls SECRET something like SECURE_STR or whatever, that will be displayed as plain text! Would you want that? Also, it's just more fodder for someone to hack into your server easily.

Praveen Gollakota answered Sep 20 '22 14:09
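Both answers turn on the same mechanism: the debug page dumps every setting, and Django only hides values whose setting *name* matches a fixed pattern, so a secret stored under a non-matching name is printed verbatim. The following is an added example, not code from the question, the answers, or Django itself. It reproduces that name-based redaction in plain Python (the `HIDDEN_SETTINGS` pattern is an assumption modelled on Django's `django.views.debug` and differs between releases; check the version you run) over a constructed settings dictionary, then runs a small pre-deploy audit that reports `DEBUG = True` and any value that would reach a debug page unredacted while looking like a credential. The entropy-and-character-class heuristic in `looks_like_secret` is my own and is only a hint, not a guarantee.

```python
import math
import re
from collections import Counter

# Assumption: modelled on Django's HIDDEN_SETTINGS regex in django.views.debug.
# Redaction is keyed on the setting NAME, never on the value.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED = "*" * 20  # the substitute string the debug page shows for hidden values


def cleanse_setting(name, value):
    """Return what the debug page would print for one setting.

    Mirrors Django's approach: hide the value if the name matches, otherwise
    recurse into dicts/lists (so DATABASES['default']['PASSWORD'] is hidden
    because the inner key matches PASS) and pass everything else through.
    """
    if HIDDEN_SETTINGS.search(name):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(cleanse_setting("", v) for v in value)
    return value


def debug_page_view(settings):
    """Simulate the 'Settings' section of a Django debug page."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def shannon_entropy(s):
    """Bits of entropy per character, estimated from character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value):
    """Heuristic (my own): long, no spaces, at least 3 character classes, high entropy."""
    if not isinstance(value, str) or len(value) < 16 or " " in value:
        return False
    classes = sum(bool(re.search(p, value))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3 and shannon_entropy(value) > 3.0


def _walk(prefix, value):
    """Flatten nested settings into (dotted_name, leaf_value) pairs."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(f"{prefix}.{k}" if prefix else k, v)
    elif isinstance(value, (list, tuple)):
        for i, v in enumerate(value):
            yield from _walk(f"{prefix}[{i}]", v)
    else:
        yield prefix, value


def audit(settings):
    """Pre-deploy check: list findings a reviewer would want fixed before go-live."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is True: tracebacks and settings are shown to any visitor")
    for name, shown in _walk("", debug_page_view(settings)):
        if shown != CLEANSED and looks_like_secret(shown):
            findings.append(f"{name} would be displayed in plain text on a debug page")
    return findings


# Constructed sample settings; every value here is made up for the example.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-CONSTRUCTED-EXAMPLE-VALUE",  # name matches -> hidden
    "SECURE_STR": "pE7qLx2mV9zRk4wT8bNs1cYh",                 # name does NOT match -> shown
    "DATABASES": {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "PASSWORD": "hunter2hunter2hunter2",              # inner key matches PASS -> hidden
        }
    },
    "ALLOWED_HOSTS": ["example.com"],
}

if __name__ == "__main__":
    for k, v in debug_page_view(SAMPLE_SETTINGS).items():
        print(f"{k} = {v!r}")
    for finding in audit(SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Running the block shows `SECRET_KEY` and the database `PASSWORD` replaced by asterisks while `SECURE_STR` is printed in full, which is exactly the gap the second answer describes. The practical takeaways for a deployment checklist are the two findings the audit emits: set `DEBUG = False`, and name anything sensitive so that it matches the redaction pattern rather than relying on the pattern to guess.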