Flask Application Running with Debug Mode Enabled
Description
The Flask application is running with `debug=True` configured, which could cause sensitive information to be leaked in HTTP responses. It is not recommended to run a Flask application using `Flask.run(...)` in production. Instead, a WSGI server such as gunicorn or waitress should be used.
Examples
Insecure Code
```python
app.run(debug=True)
```
Secure Code
```python
app.run(debug=False)
```
Remediation
Set `debug=False` when running the Flask application in production and use a WSGI server like gunicorn or waitress.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0155 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-489 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | security misconfiguration |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |