Severity: Medium | CWE-16 (Configuration) | OWASP A05:2021 (Security Misconfiguration)

NODE_ENV Not Set to Production

Running Node.js without NODE_ENV=production enables verbose error messages, disables caching optimizations, and can activate development-only middleware.

How It Works

Many libraries (Express, React, Next.js) check NODE_ENV to decide behavior. In non-production mode, Express includes stack traces in error responses, React includes dev warnings and slower reconciliation, and some libraries skip security headers or enable CORS for localhost. A missing or wrong NODE_ENV in production is a misconfiguration that leaks information and reduces performance.
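To make the Express behaviour described above concrete, here is an added example (not code from the page and not Express's own source) that models the decision Express's default error handler makes when writing a 500 response: `app.get('env')` defaults to `process.env.NODE_ENV || 'development'` and is compared to `'production'` with strict equality, so an unset or mis-cased value behaves as development. The sample error and its stack are constructed for the demonstration.

```javascript
// Added example, not code from the page or from Express: a simplified model
// of the decision Express's default error handler makes when it writes a 500
// response. Express reads app.get('env'), which defaults to
// process.env.NODE_ENV || 'development', and compares it to 'production'
// with strict equality.
const STATUS_TEXT = { 500: 'Internal Server Error', 404: 'Not Found' };

function resolveEnv(env) {
  // Mirrors the default: anything unset or empty falls back to 'development'.
  return env.NODE_ENV || 'development';
}

function renderErrorResponse(err, env) {
  const status = err.status || 500;
  // Outside production the handler serialises err.stack into the body,
  // which exposes file paths, dependency locations and the error message
  // itself (here a database query) to the client.
  const body = resolveEnv(env) === 'production'
    ? (STATUS_TEXT[status] || 'Error')
    : (err.stack || String(err));
  return { status, body };
}

// Detector for the symptom described in the text: stack-frame lines
// ("    at fn (/path/file.js:line:col)") present in a response body.
function leaksStackTrace(response) {
  return /^\s+at .+\(.+:\d+:\d+\)$/m.test(response.body);
}

// Constructed sample error; the stack is hand-written to look like a real one.
const sampleErr = new Error('db query failed: SELECT * FROM accounts WHERE id=$1');
sampleErr.stack = [
  'Error: db query failed: SELECT * FROM accounts WHERE id=$1',
  '    at getAccount (/srv/app/src/routes/accounts.js:42:11)',
  '    at Layer.handle (/srv/app/node_modules/express/lib/router/layer.js:95:5)',
].join('\n');

const devResponse = renderErrorResponse(sampleErr, { NODE_ENV: 'development' });
const unsetResponse = renderErrorResponse(sampleErr, {});
const miscasedResponse = renderErrorResponse(sampleErr, { NODE_ENV: 'Production' });
const prodResponse = renderErrorResponse(sampleErr, { NODE_ENV: 'production' });

for (const [label, r] of [
  ['development', devResponse],
  ['unset', unsetResponse],
  ['Production (wrong case)', miscasedResponse],
  ['production', prodResponse],
]) {
  console.log(`${label}: leaks stack trace = ${leaksStackTrace(r)}`);
}
```

Note that only the exact string `production` switches the handler into the safe branch; `Production`, `prod` or an empty value all fall through to the verbose path, which is why the startup check later on the page should compare for strict equality too.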

Vulnerable Code

# BAD: NODE_ENV not set or set to development in production
# Dockerfile or deployment config
# (a trailing "# ..." on an ENV line is not a comment in a Dockerfile; it becomes part of the value)
ENV NODE_ENV=development
# ...or NODE_ENV not set at all
# Express will include stack traces in 500 responses
# React builds will be unoptimized dev bundles

Secure Code

# GOOD: explicitly set NODE_ENV=production in all production environments
# Dockerfile
ENV NODE_ENV=production

# Or in your deployment platform (Vercel, Railway, Heroku):
# NODE_ENV=production in Environment Variables settings

Real-World Example

A security audit of a fintech application found that NODE_ENV was set to 'development' in production, causing Express to return full stack traces to API clients. The stack traces revealed internal file paths, library versions, and database query strings.

How to Prevent It

  • Set NODE_ENV=production explicitly in all production deployments
  • Add a startup check that exits if NODE_ENV is not 'production' in a production environment
  • Verify NODE_ENV in your health check endpoint response
  • Audit all NODE_ENV checks in your codebase to understand what changes between dev and prod
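One way to implement the startup check and the health-check item from the list above, as an added example that is not the page's or any framework's own code. It assumes a hypothetical platform variable `DEPLOY_STAGE=production` on real production hosts so the guard knows when a wrong `NODE_ENV` is fatal rather than a warning; the function names and the sample environments are constructed for the demonstration.

```javascript
// Added example (not the page's or any project's code): a startup guard and a
// health-check payload that make a missing or wrong NODE_ENV visible.
// Assumption: the deployment platform sets DEPLOY_STAGE=production on real
// production hosts (hypothetical variable name) so the guard knows when to be strict.

function checkNodeEnv(env) {
  const value = env.NODE_ENV;
  const isProductionDeployment = env.DEPLOY_STAGE === 'production';
  const problems = [];
  if (value === undefined || value === '') {
    problems.push('NODE_ENV is not set; libraries will default to development behaviour');
  } else if (value !== 'production' && value.toLowerCase() === 'production') {
    // Frameworks compare with strict equality, so "Production" is not production.
    problems.push(`NODE_ENV="${value}" differs in case from "production"; frameworks compare exactly`);
  } else if (value !== 'production') {
    problems.push(`NODE_ENV="${value}" is not "production"`);
  }
  // A wrong NODE_ENV is fatal only on a production deployment; elsewhere it is a warning.
  return {
    ok: problems.length === 0,
    fatal: isProductionDeployment && problems.length > 0,
    problems,
  };
}

// Call once, before requiring Express or any other framework, so the process
// exits instead of serving verbose errors. exit/log are injectable for testing;
// in real use call enforceNodeEnv(process.env).
function enforceNodeEnv(env, exit = (code) => process.exit(code), log = console.error) {
  const result = checkNodeEnv(env);
  for (const p of result.problems) log(`[startup] ${p}`);
  if (result.fatal) exit(1);
  return result;
}

// Health-check payload: report the mode name and any problems so monitoring can
// alert when a production host reports anything other than "production".
// Serve this from an internal-only endpoint; it exposes configuration, not secrets.
function healthPayload(env) {
  const check = checkNodeEnv(env);
  return {
    status: check.ok ? 'ok' : 'degraded',
    nodeEnv: env.NODE_ENV || null,
    problems: check.problems,
  };
}

// Constructed sample environments showing each branch of the guard.
const scenarios = {
  'production host, NODE_ENV=production': { NODE_ENV: 'production', DEPLOY_STAGE: 'production' },
  'production host, NODE_ENV unset': { DEPLOY_STAGE: 'production' },
  'production host, NODE_ENV=Production': { NODE_ENV: 'Production', DEPLOY_STAGE: 'production' },
  'staging host, NODE_ENV=development': { NODE_ENV: 'development', DEPLOY_STAGE: 'staging' },
};
for (const [label, env] of Object.entries(scenarios)) {
  const result = checkNodeEnv(env);
  console.log(`${label}: ok=${result.ok} fatal=${result.fatal} ${result.problems.join('; ')}`);
}
```

Wire `enforceNodeEnv(process.env)` as the first statement of the entry file so it runs before any library has read `NODE_ENV`, and point the platform's health probe at a route that returns `healthPayload(process.env)`.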

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.