Spring Security's debug mode is useful during development and debugging, but it can expose sensitive information such as request parameters, passwords, tokens or headers to attackers, and should not be included in production code.

Recommended Secure Coding Practices

Noncompliant Code Example

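import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = true) // Noncompliant
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}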

Compliant Solution

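import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = false) // Compliant
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
}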
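As an added example (not part of the original rule text), the following pre-release check scans Java sources for the noncompliant annotation shown above, including multi-line forms, and ignores commented-out occurrences. The function names and sample strings are constructed for illustration; it only matches the literal `true`, so a `debug` attribute set from a constant is not detected.

```python
import pathlib
import re
import sys

# Comments are blanked out (newlines kept) so commented-out annotations are
# ignored and reported line numbers still match the file.
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
_ANNOTATION = re.compile(r"@EnableWebSecurity\s*\(([^)]*)\)")
_DEBUG_TRUE = re.compile(r"\bdebug\s*=\s*true\b")

# Constructed sample input, not taken from a real project.
SAMPLE_FLAGGED = """@Configuration
@EnableWebSecurity(
    debug = true
)
public class WebSecurityConfig {}
"""
SAMPLE_CLEAN = """// @EnableWebSecurity(debug = true)
@EnableWebSecurity(debug = false)
public class A {}
/* @EnableWebSecurity(debug = true) */
@EnableWebSecurity
public class B {}
"""


def find_debug_enabled(source):
    """Return 1-based line numbers of @EnableWebSecurity(debug = true)."""
    code = _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    return [
        code.count("\n", 0, m.start()) + 1
        for m in _ANNOTATION.finditer(code)
        if _DEBUG_TRUE.search(m.group(1))
    ]


def scan_tree(root):
    """Return (path, line) pairs for every finding under root."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings += [(str(path), line) for line in find_debug_enabled(text)]
    return findings


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, line in found:
        print(f"{path}:{line}: Spring Security debug mode is enabled")
    sys.exit(1 if found else 0)
```

Run with the source root as the only argument; a non-zero exit status means at least one configuration class still enables debug mode.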

See