security.misconfiguration

Do not expose debug routes or middleware in production

Debug handlers, stack-showing middleware, and diagnostic endpoints should stay behind explicit development-only guards.

#Metadata

#Why it matters

Debug endpoints and stack-showing middleware can disclose internal topology, environment details, and request data with very little attacker effort.

#Remediation

Wrap the registration in an explicit development-only guard, or remove the endpoint or middleware from production builds.
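The guard described above, shown as an unguarded registration beside its guarded form; this is an added example, not code from the rule or its repository. `MiniApp`, the `/debug/env` route, and the use of `NODE_ENV` as the environment signal are assumptions made for illustration, and the environment is passed in as a parameter so the guard can be exercised without a running server.

```typescript
// Hypothetical minimal router standing in for a real web framework (assumption).
type Env = Record<string, string | undefined>;
type Handler = (req: { headers: Record<string, string> }) => unknown;
type ErrorRenderer = (err: Error) => { status: number; body: string };

class MiniApp {
  routes = new Map<string, Handler>();
  // Default renderer returns a generic message and never the stack trace.
  renderError: ErrorRenderer = () => ({ status: 500, body: "Internal Server Error" });
  get(path: string, handler: Handler): void {
    this.routes.set(path, handler);
  }
}

// Fail closed: only the exact value "development" enables debug features.
// An unset or misspelled NODE_ENV is treated the same as production.
function isDevelopment(env: Env): boolean {
  return env.NODE_ENV === "development";
}

// Before: the debug route and stack-showing renderer are always registered.
function buildAppUnguarded(env: Env): MiniApp {
  const app = new MiniApp();
  app.get("/health", () => ({ ok: true }));
  app.get("/debug/env", (req) => ({ env, headers: req.headers }));
  app.renderError = (err) => ({ status: 500, body: err.stack ?? err.message });
  return app;
}

// After: the same registrations sit behind the development-only guard.
function buildAppGuarded(env: Env): MiniApp {
  const app = new MiniApp();
  app.get("/health", () => ({ ok: true }));
  if (isDevelopment(env)) {
    app.get("/debug/env", (req) => ({ env, headers: req.headers }));
    app.renderError = (err) => ({ status: 500, body: err.stack ?? err.message });
  }
  return app;
}

// Helper for checks: is the diagnostic endpoint reachable on this app?
function debugExposed(app: MiniApp): boolean {
  return app.routes.has("/debug/env");
}
```

Comparing against the literal `"development"` rather than testing for "not production" keeps the debug surface off when the variable is missing from a deployment.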

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.debug-mode-enabled.rule.yaml.