-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What are drawbacks of having debug toolbar in production settings ? #1435
Comments
Thank you! 💜 Here's a pull request changing the cache panel and an excerpt from the discussion: #1427
So, it may be the case that some tracking happens; performance may be degraded. There may also be security-related implications. I'm not sure. I'd like to have better dev/prod parity too, but in this case I'm a bit wary – django-debug-toolbar definitely isn't being audited properly and continuously as it should probably be for this. |
Thanks for your input ! At the moment, I ended up with the following compromise (a bit a magic don't hurt to be confy and safe at the same time !) settings.py
base_settings.py
local_settings.py (not git-versioned, example for development setup)
|
I believe the logger also gets monkey-patched regardless if it's enabled or not. I'm torn about wanting to have this installed and be a no-op at the production level because of my perceived prevalence of devs struggling to get the toolbar to show on a non-local, staging type machine and default to setting An alternative is to make it easier to configure |
I think this could go a long way. Although I might suggest making a new permission if possible instead of directly using the |
I can see a future in which that's reasonable where the toolbar has the serializable branch done, can run in production with the metrics logged somewhere, and then accessed via the web app. However, that's a very optimistic perspective on the toolbar's feature development. I'd be more in favor of keeping it very basic until it needs to be expanded. |
OK, I can see that. Adding the permission would be a backward-compatible change, after all. It feels like the "right" way to do it, but this is more about making sure the production failure mode is mitigated to an acceptable degree than anything else. |
INTERNAL_IPS
orDEBUG=False
being not set means DDT is disabled… Or at least out of sight.But I am wondering what are actual (performance or security) drawbacks of having DDT listed in
INSTALLED_APPS
andMIDDLEWARE
settings whenINTERNAL_IPS
is not set andDEBUG=False
.In other words : How far DDT is to being a no-op when
DEBUG=False
andINTERNAL_IPS
is not set ?Asking because it can be handy to have same
INSTALLED_APPS
andMIDDLEWARE
settings for dev/prod and vary only onDEBUG
andINTERNAL_IPS
; it offers simpler settings management and the ability to enable it temporarily (ex: on test/pre-production server).Thanks by advance for your input :)
Oh and thanks for that great piece of software that
rocksjazzes !The text was updated successfully, but these errors were encountered: