Seeing debug header across secure.phabricator.org

#1

Observed Behavior:
Seeing a debug header with various bits of data, including the ability to see database queries.

Expected Behavior:
Not seeing this debug header, or at least having a way to close it. I would imagine you probably don’t want site guests to see the queries you’re running on the page.

Phabricator Version:
secure.phabricator.org

Reproduction Steps:
Steps the upstream can follow on a clean install to see the same issue

0 Likes

#2

We sometimes enable debugging modes on secure.phabricator.com for debugging or development. You can adjust this behavior on your own install with darkconsole.always-on in Config. (In this case, we were fixing an issue which was easiest to reproduce as a logged-out user viewing Conpherence on secure.phabricator.com.)

Although it’s possible that something sensitive could be visible in the debugging information, it is unlikely. Generally, queries issued by the application do not contain sensitive information, and we mask the handful of known-sensitive values, as here:

(Even unmasked, these values are cookie values from the client machine – so they’re masked to protect you from someone looking over your shoulder, not to protect Phabricator from users with access to the debug console.)

You can press the “`” (backtick) key to toggle the header.

0 Likes

closed #3
0 Likes