no-exposed-debug-endpoints
ESLint rule documentation for no-exposed-debug-endpoints
Keywords: NestJS, debug endpoint, admin path, exposed routes, @Get, @Post, decorator security, CWE-489, OWASP M8, test endpoints, information disclosure, unauthorized access
CWE: CWE-489
OWASP Mobile: OWASP Mobile Top 10 M8
Identifies potential debug, administration, or testing endpoints that are often left exposed in production environments without proper authentication. This rule is part of eslint-plugin-nestjs-security and provides LLM-optimized error messages.
🚨 Security rule | 💡 Provides LLM-optimized guidance | ⚠️ Set to error in recommended
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-489 (Active Debug) |
| Severity | 🟠 HIGH (security misconfiguration) |
| Auto-Fix | ❌ Not available |
| Category | Security |
| ESLint MCP | ✅ Optimized |
| Best For | NestJS Controllers |
Rule Details
This rule scans for NestJS HTTP decorators (@Get, @Post, etc.) and literal string constants that match known sensitive paths.
❌ Incorrect

```typescript
import { Controller, Get, Post } from '@nestjs/common';

@Controller('utils')
export class UtilsController {
  // ❌ NestJS Get decorator using a debug path
  @Get('debug')
  getDebugInfo() {
    return process.memoryUsage();
  }

  // ❌ Admin path exposed
  @Post('/admin/reset')
  resetSystem() {
    // ...
  }
}

// ❌ Literal string matching a forbidden path
const myPath = 'test-endpoint';
```

✅ Correct
```typescript
import { Controller, Get, UseGuards } from '@nestjs/common';
// AdminGuard is an application-defined guard (its implementation is not shown here)

@Controller('profile')
export class ProfileController {
  // ✅ Standard production endpoint
  @Get('me')
  getProfile() {
    return { name: 'User' };
  }

  // ✅ Debug-style endpoint protected by a guard
  //    (the rule still flags the path; the guard is the intended mitigation)
  @UseGuards(AdminGuard)
  @Get('internal-status')
  getStatus() {
    return { status: 'OK' };
  }
}
```

⚙️ Configuration
| Option | Type | Default | Description |
|---|---|---|---|
| endpoints | string[] | ['debug', ...] | Custom list of debug/admin endpoints to flag |
| ignoreFiles | string[] | [] | List of files or glob patterns to ignore |
Example Configuration

```json
{
  "rules": {
    "nestjs-security/no-exposed-debug-endpoints": [
      "error",
      {
        "endpoints": ["internal-tools", "dev-only"],
        "ignoreFiles": ["**/*.spec.ts"]
      }
    ]
  }
}
```

Known False Negatives
- Route paths stored in variables or constants and then passed to a decorator (the rule only inspects literal arguments).
- Paths built dynamically with template literals, when the resulting value cannot be statically resolved.
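To make the Rule Details and the false negatives above concrete, here is an added, stand-alone model of the check this rule performs. It is not the plugin's own implementation: the default endpoint list is a constructed subset drawn from this page's examples (the real default is longer), and the line-by-line regex scanner stands in for the plugin's AST visitor. The sample source is constructed for the example.

```typescript
// Constructed default list: a subset of what the rule flags (assumption, not the plugin's real list).
const DEFAULT_ENDPOINTS: string[] = ['debug', 'admin', 'test-endpoint'];

/** Normalize a NestJS route path into lowercase segments: '/Admin/Reset/' -> ['admin', 'reset']. */
function pathSegments(path: string): string[] {
  return path
    .split('/')
    .map((seg) => seg.trim().toLowerCase())
    .filter((seg) => seg.length > 0);
}

/** True when any segment of `path` equals one of the configured sensitive endpoints. */
function isSensitivePath(path: string, endpoints: string[] = DEFAULT_ENDPOINTS): boolean {
  const wanted = new Set(endpoints.map((e) => e.toLowerCase()));
  return pathSegments(path).some((seg) => wanted.has(seg));
}

interface Finding {
  line: number;      // 1-based line in the scanned source
  decorator: string; // Get, Post, ...
  path: string;      // the literal route argument
}

/**
 * Scan source text for NestJS HTTP decorators whose argument is a string literal
 * and report the ones that match a sensitive endpoint.
 * Only quoted literals are matched; a path held in a variable or built from a
 * template literal never reaches isSensitivePath, which is the false negative
 * documented above.
 */
function findExposedEndpoints(source: string, endpoints: string[] = DEFAULT_ENDPOINTS): Finding[] {
  const decoratorRe = /@(Get|Post|Put|Patch|Delete|All)\(\s*(['"])([^'"]*)\2\s*\)/;
  const findings: Finding[] = [];
  source.split('\n').forEach((text, idx) => {
    const m = decoratorRe.exec(text);
    if (m && isSensitivePath(m[3], endpoints)) {
      findings.push({ line: idx + 1, decorator: m[1], path: m[3] });
    }
  });
  return findings;
}

// Constructed sample: the page's incorrect examples plus a variable-held path the scanner misses.
const SAMPLE = `
@Controller('utils')
export class UtilsController {
  @Get('debug')
  getDebugInfo() {}

  @Post('/admin/reset')
  resetSystem() {}

  @Get('me')
  getProfile() {}
}
const hidden = 'debug';
@Get(hidden)
alsoDebug() {}
`;

// findExposedEndpoints(SAMPLE) reports lines 4 and 7 only; @Get(hidden) on line 14 is not seen.
// findExposedEndpoints(SAMPLE, ['internal-tools', 'dev-only']) reports nothing for this sample.
```

The segment-based match is why `'/admin/reset'` is flagged even though the literal is not exactly `admin`; the custom `endpoints` option from the configuration example is passed straight through as the second argument. The last two lines of the sample show the variable-held case from the false-negatives list: the decorator is there, but its argument is an identifier, so a literal-only scan cannot see it, and a runtime guard remains the control that actually closes the exposure.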