{
    "id": "S059",
    "name": "Disable debug modes in production environments",
    "description": "Ensure debug modes, verbose logging, and development features are disabled in production. Debug modes can expose sensitive information, enable unauthorized access, and degrade performance.",
    "category": "security",
    "severity": "high",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "debug", "production", "configuration"],
    "examples": {
        "valid": [
            "DEBUG = process.env.NODE_ENV !== 'production';",
            "app.use(helmet()); // Security headers",
            "if (process.env.NODE_ENV === 'development') { enableDebug(); }"
        ],
        "invalid": [
            "DEBUG = true; // Hardcoded debug mode",
            "app.use(errorHandler({ dumpExceptions: true }));",
            "morgan('dev'); // Verbose logging in production"
        ]
    },
    "fixable": false,
    "docs": {
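        "description": "This rule ensures debug features are disabled in production. Debug features to disable: verbose error messages with stack traces, development server features, debug endpoints (/debug, /test), SQL query logging, request/response body logging, source maps in client-side code, and hot reload/watch modes. Prefer an explicit opt-in that fails closed: a check such as NODE_ENV !== 'production' leaves debug enabled whenever NODE_ENV is unset or misspelled.",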
        "url": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/"
    }
}
