Spring Security Debug Enabled

ID

java.spring_security_debug_enabled

Severity

high

Resource

Misconfiguration

Language

Java

Tags

CWE:489, CWE:532, NIST.SP.800-53, OWASP:2025:A02, PCI-DSS:6.5.6, asvs50-v13.1.1, asvs50-v16.2.5, spring

Description

Reports @EnableWebSecurity(debug = true) on configuration classes. Spring Security debug mode logs request headers, session details and the full filter-chain execution. Leaving this active in production exposes session material and internal authentication flow to anyone with log access.

Rationale

Debug output includes session tokens, Authorization headers and internal filter ordering, none of which should leak outside the development environment. Leaving debug code active in production violates the principle of least information exposure, and compliance regimes such as PCI-DSS and NIST SP 800-53 commonly require it to be disabled.

Remediation

Remove debug = true from @EnableWebSecurity. If verbose authentication tracing is needed transiently, enable it in a dev-only configuration profile.

Non-compliant code

@Configuration
@EnableWebSecurity(debug = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}

Compliant code

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}
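The dev-only profile the Remediation section suggests, as an added example rather than the rule's own code: the filter chain is defined once, and only a class gated by @Profile("dev") turns on debug. It assumes Spring Security 5.7+ (SecurityFilterChain bean style); package, class and bean names are illustrative.

```java
// Added example, not part of the rule text. Assumes Spring Security 5.7+;
// names are illustrative. Three package-private classes share this one file.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// The actual authorization rules, active under every profile. Nothing here
// depends on whether debug tracing is on, so it is never duplicated.
@Configuration
class FilterChainConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Loaded for every profile except "dev": debug keeps its default of false,
// so request headers and session details never reach production logs.
@Configuration
@EnableWebSecurity
@Profile("!dev")
class SecurityConfig {
}

// Loaded only when the "dev" profile is active (for example with
// spring.profiles.active=dev on a local run). This is the one place
// debug = true is acceptable: the verbose filter-chain trace cannot ship
// under a production profile because this class is not even registered.
@Configuration
@EnableWebSecurity(debug = true)
@Profile("dev")
class DevSecurityConfig {
}
```

The two profile expressions are complementary, so exactly one @EnableWebSecurity class is registered in any run; a scan for debug = true still flags DevSecurityConfig, which is the intended, reviewable exception rather than a production finding.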