Disable DebugProbe UI in Production by Default #97

@georgidhristov

Description

DebugProbe currently exposes its UI endpoints whenever the middleware is configured.

While DebugProbe is primarily intended for local development and controlled environments, there is currently no built-in mechanism to prevent the UI from being exposed in Production environments.

DebugProbe should disable its UI endpoints in Production by default and require explicit opt-in when UI access is desired.

Current Behavior

DebugProbe UI endpoints are available whenever DebugProbe is enabled.

Users must manually decide whether exposing the UI in Production is appropriate for their environment.

Expected Behavior

DebugProbe should not expose UI endpoints in Production unless explicitly configured.

Example:

```csharp
builder.Services.AddDebugProbe(options =>
{
    options.AllowUiInProduction = true;
});
```

Default behavior:

```csharp
options.AllowUiInProduction = false;
```

When running in a Production environment and AllowUiInProduction is not enabled:

  • DebugProbe UI endpoints should not be registered
  • DebugProbe dashboard should not be accessible
  • DebugProbe trace viewer should not be accessible
  • DebugProbe compare UI should not be accessible
  • Any future DebugProbe UI pages should follow the same behavior

This setting should affect only the UI layer.

Request capture, response capture, trace storage, and other DebugProbe functionality should continue to operate normally unless disabled through separate configuration.

Result

After this change:

  • DebugProbe UI is safer by default in Production environments
  • accidental exposure of debugging interfaces becomes less likely
  • users can explicitly opt in when Production UI access is required
  • existing tracing and capture functionality remains unaffected
  • DebugProbe follows a more secure default configuration while remaining flexible

Documentation Updates

After implementation, the following documentation should be updated:

  • README Quick Start section
  • Optional Configuration examples
  • Security Defaults section

Examples should demonstrate how to enable UI access in Production when required.
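
One way the registration-time gate requested above could look, as an added sketch that is not DebugProbe's own code. `DebugProbeOptions`, `DebugProbeUiGate`, `MapDebugProbeUi` and the route prefix are hypothetical; only `AllowUiInProduction` comes from the issue, and the options type is assumed to be registered through the standard options pattern.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical options type; only AllowUiInProduction is named in the issue.
public sealed class DebugProbeOptions
{
    public bool AllowUiInProduction { get; set; } = false; // secure default
}

public static class DebugProbeUiGate
{
    // Pure decision, kept separate so it can be unit tested per environment.
    public static bool ShouldMapUi(IHostEnvironment env, DebugProbeOptions options) =>
        !env.IsProduction() || options.AllowUiInProduction;

    // Hypothetical extension: registers UI routes only when the gate allows it.
    // Capture and trace storage are wired elsewhere and are not touched here.
    public static IEndpointRouteBuilder MapDebugProbeUi(this IEndpointRouteBuilder endpoints)
    {
        var sp = endpoints.ServiceProvider;
        var env = sp.GetRequiredService<IHostEnvironment>();
        var options = sp.GetRequiredService<IOptions<DebugProbeOptions>>().Value;
        var log = sp.GetRequiredService<ILoggerFactory>().CreateLogger("DebugProbe");

        if (!ShouldMapUi(env, options))
        {
            log.LogInformation("DebugProbe UI not registered in {Env}: AllowUiInProduction is false.",
                env.EnvironmentName);
            return endpoints; // nothing mapped, so UI paths fall through to 404
        }

        if (env.IsProduction())
            log.LogWarning("DebugProbe UI enabled in Production by explicit opt-in.");

        // Placeholder prefix, not the project's real paths. Mapping every page
        // on one group means future UI pages inherit the same gate.
        var ui = endpoints.MapGroup("/debugprobe-ui-placeholder");
        ui.MapGet("/", () => Results.Text("dashboard"));
        ui.MapGet("/traces", () => Results.Text("trace viewer"));
        ui.MapGet("/compare", () => Results.Text("compare"));
        return endpoints;
    }
}
```

Deciding at endpoint registration rather than per request means a Production host without the opt-in has no UI routes at all, and the startup log records which way the gate went.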

Labels: enhancement (New feature or request)