When the framework helps the attacker debug your production secrets.
Web frameworks (like Django, Flask, Express, Rails) come with a "Debug Mode" intended for local development. When an error occurs (like a 500 Internal Server Error), Debug Mode prevents the app from silently crashing. Instead, it renders a beautiful, highly detailed HTML page in the browser showing the exact line of code that failed, the stack trace, and the current value of all local variables.
If you accidentally deploy your application to production with Debug Mode left ON, any user who triggers an error will see your source code, your environment variables (like API keys), and your database connection strings.
Never hardcode `DEBUG=True` in your code. Always rely on environment variables that differ between your local laptop and the production servers.
# VULNERABLE: Hardcoded debug mode
# settings.py
DEBUG = True
SECRET_KEY = "super_secret_key"
# SECURE: Environment-driven configuration
import os
# os.environ.get returns a string. We must parse it.
# If not set, it defaults to False (safe).
DEBUG = os.environ.get('DJANGO_DEBUG', 'False') == 'True'
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
Patreon suffered a massive breach in 2015. One of the contributing factors was a web framework (Werkzeug) running with Debug Mode enabled on a production server. An attacker intentionally sent a malformed request to trigger a crash. The debug page appeared, providing the attacker with the interactive console they needed to run arbitrary code, pivot into the database, and steal 15 gigabytes of user data.
A junior developer says: "I left Debug Mode on in production so that if users experience a crash, they can screenshot the stack trace and email it to us so we can fix it faster." What is the proper way to achieve this goal?