Spring Security's debug mode is useful during development and debugging, but could expose sensitive information to attackers such as request parameters or headers and should not be included in production code.

Noncompliant Code Example

@Configuration
@EnableWebSecurity(debug = true) // Noncompliant
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
}

Compliant Solution

@Configuration
@EnableWebSecurity(debug = false) // Compliant
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
...
}

See

• MITRE, CWE-489 - Leftover Debug Code
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure