Review Production Exposure of Environment and JSON Endpoints #117

@georgidhristov

Description

DebugProbe currently keeps /debug/environment and /debug/json/{id} mapped in Production by default.

Tests confirm this behavior is intentional, but it should be reviewed from a security and product standpoint.

Current Behavior

When DebugProbe UI endpoints are disabled in Production, these endpoints may still remain available:

  • /debug/environment
  • /debug/json/{id}

This can expose debug-related metadata or trace details even when the main UI is not available.

Expected Behavior

Production endpoint exposure should be explicit and easy to understand.

If UI access is disabled in Production, related debug data endpoints should either also be disabled or clearly documented as intentionally available.

Suggested Fix

Review whether these endpoints should be controlled by the same Production UI protection rules.

Recommended options:

  • Disable /debug/environment and /debug/json/{id} in Production unless AllowUiInProduction = true.
  • Or keep them available, but document clearly why they are safe and intended.
  • Add or update tests to lock the final decision.

Result

After this review:

  • Production behavior becomes clearer.
  • Security expectations are easier to understand.
  • DebugProbe avoids accidentally exposing sensitive debug data.
  • Tests and documentation match the intended product behavior.
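
One way to implement the first recommended option, shown as an added example that is not DebugProbe's own code. It assumes an ASP.NET Core minimal-API host; `DebugProbeGateOptions`, `DebugDataEndpointGate`, `MapDebugDataEndpoints` and the placeholder handlers are hypothetical names, and only `AllowUiInProduction` and the two routes come from the issue.

```csharp
// Added illustration; not DebugProbe source code. Assumes ASP.NET Core minimal APIs.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Hypothetical options instance; the opt-in stays off unless set explicitly.
var options = new DebugProbeGateOptions { AllowUiInProduction = false };
app.MapDebugDataEndpoints(app.Environment, options);

app.Run();

public sealed class DebugProbeGateOptions
{
    // Property name taken from the issue; defaulting to false is an assumption.
    public bool AllowUiInProduction { get; init; }
}

public static class DebugDataEndpointGate
{
    // Single decision point, so the UI and its data endpoints cannot drift apart.
    public static bool ShouldMap(IHostEnvironment env, DebugProbeGateOptions options) =>
        !env.IsProduction() || options.AllowUiInProduction;

    public static IEndpointRouteBuilder MapDebugDataEndpoints(
        this IEndpointRouteBuilder endpoints, IHostEnvironment env, DebugProbeGateOptions options)
    {
        if (!ShouldMap(env, options))
        {
            return endpoints; // Routes are never registered in Production without the opt-in.
        }

        // Placeholder handlers standing in for the real environment and trace payloads.
        endpoints.MapGet("/debug/environment",
            () => Results.Ok(new { placeholder = "environment metadata" }));
        endpoints.MapGet("/debug/json/{id}",
            (string id) => Results.Ok(new { id, placeholder = "trace details" }));
        return endpoints;
    }
}
```

Tests that lock the decision can assert on `ShouldMap` for each combination of environment name and `AllowUiInProduction`, and on the status code of both routes when the host runs as Production.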
