Impact
DEBUG defaults to True when DJANGO_DEBUG is unset:
DEBUG = env_bool("DJANGO_DEBUG", True)All of the production safety guards in config/settings.py are gated on not DEBUG — they only fire when DEBUG is already False:
SECRET_KEY must be set (config/settings.py:23)ALLOWED_HOSTS must be tight (config/settings.py:30)CSRF_TRUSTED_ORIGINS must be set (config/settings.py:34)DATABASE_URL must be set and non-SQLite (config/settings.py:80, config/settings.py:89)SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE / HSTS default on (config/settings.py:119, config/settings.py:126)
This means the configuration fails open: if DJANGO_DEBUG is simply absent from the environment (a commented-out or missing line in .env, a forgotten variable in a new deployment path, a one-off docker run without the env file), the app silently boots with DEBUG=True, the dev SECRET_KEY, the SQLite fallback, and none of the guards raising. For an app whose whole purpose is to hold highly sensitive forensic data (bearer tokens, engine ids, account refs, message ids, payload digests, IPs, user agents, raw upload bodies), running with DEBUG=True exposes full settings and data-bearing tracebacks on any unhandled error.
.env.example does set DJANGO_DEBUG=0 and docker-compose.yml loads it via env_file, so the documented happy path is safe — but the default should be the safe value so that a missing var fails closed, not open.
Code pointers
config/settings.py:21 — DEBUG = env_bool("DJANGO_DEBUG", True).config/settings.py:23-90 — every production guard is conditioned on not DEBUG, so they do nothing when the var is missing and DEBUG stays True.
Expected behavior
A missing DJANGO_DEBUG should fail closed (production-safe), so that an operator must opt in to debug mode rather than opt out of it.
Suggested fix
- Default
DEBUG to False: DEBUG = env_bool("DJANGO_DEBUG", False), and set DJANGO_DEBUG=1 (or true) in the local just workflow / dev .env so local development is unaffected.
- Alternatively, require
DJANGO_DEBUG to be set explicitly and raise ImproperlyConfigured if it is absent, so neither mode is implicit.
- Add a test asserting that, with a representative production-style environment but
DJANGO_DEBUG unset, the app does not come up in debug mode.
Impact
DEBUGdefaults toTruewhenDJANGO_DEBUGis unset:All of the production safety guards in
config/settings.pyare gated onnot DEBUG— they only fire whenDEBUGis alreadyFalse:SECRET_KEYmust be set (config/settings.py:23)ALLOWED_HOSTSmust be tight (config/settings.py:30)CSRF_TRUSTED_ORIGINSmust be set (config/settings.py:34)DATABASE_URLmust be set and non-SQLite (config/settings.py:80,config/settings.py:89)SESSION_COOKIE_SECURE/CSRF_COOKIE_SECURE/ HSTS default on (config/settings.py:119,config/settings.py:126)This means the configuration fails open: if
DJANGO_DEBUGis simply absent from the environment (a commented-out or missing line in.env, a forgotten variable in a new deployment path, a one-offdocker runwithout the env file), the app silently boots withDEBUG=True, the devSECRET_KEY, the SQLite fallback, and none of the guards raising. For an app whose whole purpose is to hold highly sensitive forensic data (bearer tokens, engine ids, account refs, message ids, payload digests, IPs, user agents, raw upload bodies), running withDEBUG=Trueexposes full settings and data-bearing tracebacks on any unhandled error..env.exampledoes setDJANGO_DEBUG=0anddocker-compose.ymlloads it viaenv_file, so the documented happy path is safe — but the default should be the safe value so that a missing var fails closed, not open.Code pointers
config/settings.py:21—DEBUG = env_bool("DJANGO_DEBUG", True).config/settings.py:23-90— every production guard is conditioned onnot DEBUG, so they do nothing when the var is missing andDEBUGstaysTrue.Expected behavior
A missing
DJANGO_DEBUGshould fail closed (production-safe), so that an operator must opt in to debug mode rather than opt out of it.Suggested fix
DEBUGtoFalse:DEBUG = env_bool("DJANGO_DEBUG", False), and setDJANGO_DEBUG=1(ortrue) in the localjustworkflow / dev.envso local development is unaffected.DJANGO_DEBUGto be set explicitly and raiseImproperlyConfiguredif it is absent, so neither mode is implicit.DJANGO_DEBUGunset, the app does not come up in debug mode.