CakePHP's debug mode is useful during development and debugging, but it can expose sensitive information such as request parameters, passwords, tokens or headers to attackers, and it should not be enabled in production code. Only the value "0" (or "false" for CakePHP 3.x) selects production mode and avoids leaking sensitive data in the logs.

Recommended Secure Coding Practices

Noncompliant Code Example

CakePHP 1.x, 2.x:

Configure::write('debug', 1); // Noncompliant; development mode
or
Configure::write('debug', 2); // Noncompliant; development mode
or
Configure::write('debug', 3); // Noncompliant; development mode

CakePHP 3.0:

use Cake\Core\Configure;

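// Configure::config() registers a config engine; the debug flag is set with write().
Configure::write('debug', true); // Noncompliant; development mode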

Compliant Solution

CakePHP 1.2:

Configure::write('debug', 0); // Compliant; this is the production mode

CakePHP 3.0:

use Cake\Core\Configure;

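// Configure::config() registers a config engine; the debug flag is set with write().
Configure::write('debug', false); // Compliant; this is the production mode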
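
One way to check a code base for this setting before release, as an added example that is not part of the original rule text: a small Python scanner that reports every debug setting whose value is not 0 or false. The function name, the sample source and the simplified comment handling are assumptions made for illustration.

```python
import re

# Matches Configure::write('debug', <value>); the Configure::config(...)
# spelling is matched too so that either call form is reported.
DEBUG_CALL = re.compile(
    r"""Configure::(?:write|config)\(\s*(['"])debug\1\s*,\s*(.+?)\s*\)\s*;"""
)

# The only values the rule accepts as production mode.
PRODUCTION_VALUES = {"0", "false"}


def find_debug_enabled(php_source):
    """Return [(line_number, value)] for debug settings that are not 0/false.

    Non-literal values such as env('DEBUG') are reported as well, because the
    effective setting cannot be decided from the source alone.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        # Simplification: drop everything after "//" so commented-out calls
        # are ignored; "#" and /* */ comments are not handled.
        code = line.split("//", 1)[0]
        for match in DEBUG_CALL.finditer(code):
            value = match.group(2)
            if value.strip("'\"").lower() not in PRODUCTION_VALUES:
                findings.append((lineno, value))
    return findings


# Constructed sample input, not taken from a real application.
SAMPLE = r"""<?php
use Cake\Core\Configure;
Configure::write('debug', 2); // left over from development
// Configure::write('debug', 1);
Configure::write('debug', 0);
Configure::write("debug", true);
Configure::write('debug', FALSE);
Configure::write('debug', env('DEBUG'));
"""

if __name__ == "__main__":
    for lineno, value in find_debug_enabled(SAMPLE):
        print(f"line {lineno}: debug = {value}")
```

Run against the deployed configuration files in CI, a non-empty result can fail the build before a development setting reaches production.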

See