Closed
Issue
By default, the application exposes internal variables at the /debug/vars endpoint. These should not be exposed by default as it can provide information to an attacker on how to compromise the application.
Expected Behavior
When attempting to visit /debug/vars, the server should return an HTTP 400 error code (i.e., 403 Forbidden, 404 Not Found, etc.).
Actual Behavior
Internal Go debug variables are provided to the client.
Recommended Remediation
Disable showing these debug variables unless it has been explicitly enabled by the server owner.
Workaround
If you are using an nginx reverse proxy, you can add the following to the server directive in your conf file to block access:
location /debug { deny all; return 403; }
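As an added example (not code from the project this issue concerns), one way to implement the recommended remediation in a Go net/http service: serve a dedicated ServeMux instead of http.DefaultServeMux, which is where the expvar package registers /debug/vars at import time, and only mount the handler when the operator opts in with a flag. The -debug-vars flag, the listen address and the placeholder root handler are assumptions.

```go
package main

import (
	"expvar"
	"flag"
	"log"
	"net/http"
)

// newMux builds the application's router. expvar's init() installs
// /debug/vars on http.DefaultServeMux only, so serving a fresh ServeMux
// leaves the endpoint unreachable unless enableDebug is set.
func newMux(enableDebug bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// "/" is a catch-all pattern; answer 404 for anything but the root
		// so unregistered paths such as /debug/vars are not silently served.
		if r.URL.Path != "/" {
			http.NotFound(w, r)
			return
		}
		w.Write([]byte("hello\n")) // placeholder application handler (assumption)
	})
	if enableDebug {
		// Explicit opt-in: expose the same handler expvar mounts by default.
		mux.Handle("/debug/vars", expvar.Handler())
	}
	return mux
}

func main() {
	enableDebug := flag.Bool("debug-vars", false, "expose /debug/vars (off by default)")
	addr := flag.String("addr", "127.0.0.1:8080", "listen address")
	flag.Parse()
	// Pass the custom mux explicitly; passing nil would fall back to
	// DefaultServeMux and re-expose /debug/vars.
	log.Fatal(http.ListenAndServe(*addr, newMux(*enableDebug)))
}
```

Importing expvar (directly or transitively) is enough to register the endpoint on DefaultServeMux, so the check is whether any code path serves that mux, not whether the import is present.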