CRITICAL SECURITY: Disable debug output in production

- Add production environment configuration
- Force disable performance debug middleware in production
- Add ProductionSecurityMiddleware for route protection
- Update PerformanceServiceInitializer to check environment
- Add deployment script for production
- Update docker-compose with environment variables

This fixes the critical security issue of debug information
being exposed on the production site.
2025-09-12 17:10:42 +02:00
parent 9b74ade5b0
commit 8fe569a3df
11 changed files with 319 additions and 6 deletions


@@ -17,6 +17,8 @@ use App\Framework\Performance\Contracts\PerformanceCollectorInterface;
use App\Framework\Performance\EnhancedPerformanceCollector;
use App\Framework\Performance\PerformanceConfig;
use App\Framework\Performance\PerformanceReporter;
use App\Framework\Config\Environment;
use App\Framework\Config\EnvKey;
#[MiddlewarePriorityAttribute(MiddlewarePriority::LAST)]
final readonly class PerformanceDebugMiddleware implements HttpMiddleware
@@ -24,7 +26,8 @@ final readonly class PerformanceDebugMiddleware implements HttpMiddleware
public function __construct(
private PerformanceCollectorInterface $collector,
private PerformanceConfig $config,
private PerformanceReporter $reporter
private PerformanceReporter $reporter,
private Environment $environment
) {
}
@@ -39,6 +42,16 @@ final readonly class PerformanceDebugMiddleware implements HttpMiddleware
private function handlePerformanceOutput(MiddlewareContext $context, RequestStateManager $stateManager): MiddlewareContext
{
// EMERGENCY SECURITY DISABLE: Force disable debug output immediately
// Until environment loading is fixed, completely disable debug output
return $context;
// SECURITY: Never output debug info in production, regardless of config
$appEnv = $this->environment->get(EnvKey::APP_ENV, 'production');
if ($appEnv === 'production') {
return $context;
}
// Check if performance tracking is enabled
if (! $this->config->enabled) {
return $context;