Document DEBUG_ENDPOINTS_ENABLED (debug endpoints disabled by default in v1.37.9)#450

Open
g-despot wants to merge 3 commits into main from docs/debug-endpoints-disabled-by-default

Conversation

g-despot (Contributor) commented Jun 16, 2026

Summary

In v1.37.9 (weaviate#11173, "fix: disable debug endpoints by default"), the debug HTTP listener on the profiling port (default 6060) is now disabled by default. Confirmed the change ships in v1.37.9 (git tag --contains on the merge commit) and is runtime-configurable.

The listener serves Weaviate's unauthenticated internal debug and profiling endpoints — /debug/config, Go profiling (/debug/pprof/*, /debug/fgprof), and various maintenance/diagnostic routes. When disabled it still binds but returns 404 for every request. Set DEBUG_ENDPOINTS_ENABLED=true (or the debug_endpoints_enabled runtime override) to serve them.

This is a security-hardening behavior change, not a breaking API change:

  • The main REST API (8080) and gRPC are untouched. The /v1/debug/* REST endpoints (e.g. async-replication repair) live on the main API mux and are not gated by this flag.
  • GO_PROFILING_DISABLE still controls whether the listener binds at all (separate switch).
  • The same change redacts secrets (API keys, cluster basic-auth password, Sentry DSN) from /debug/config.
  • The default flipped in a patch release, and our profiling docs instruct users to hit :6060/debug/pprof/heap — so it's worth a clear callout for self-hosters.

Changes

  • docs/deploy/configuration/env-vars/index.md — document DEBUG_ENDPOINTS_ENABLED (default false, runtime-configurable, Added in v1.37.9) next to the GO_PROFILING_* vars; note the endpoints are unauthenticated and the port should not be exposed to untrusted networks.
  • docs/deploy/configuration/env-vars/runtime-config.md — add the debug_endpoints_enabled runtime override.
  • docs/weaviate/best-practices/index.md — add a caution in the pprof profiling section: DEBUG_ENDPOINTS_ENABLED=true is required on v1.37.9+, the endpoints are unauthenticated and include destructive operations, and heap profiles may still contain in-memory secrets.

Related: split out from the backup/export access-check docs in #449.

🤖 Generated with Claude Code
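To make the described behaviour concrete (listener stays bound, every request gets 404 while the gate is off, flag flippable at runtime, secrets redacted from /debug/config), here is an added illustrative Go handler. It is not Weaviate's code: the `Config` shape, the `[REDACTED]` mask and the `SetDebugEndpointsEnabled` helper are assumptions; a real server would set the gate from `DEBUG_ENDPOINTS_ENABLED` at startup and bind the port to loopback only.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/pprof"
	"sync/atomic"
)

// debugEnabled models the DEBUG_ENDPOINTS_ENABLED gate; an atomic so it can be
// flipped at runtime, like the debug_endpoints_enabled runtime override.
var debugEnabled atomic.Bool

// SetDebugEndpointsEnabled flips the gate without rebinding the listener (hypothetical helper).
func SetDebugEndpointsEnabled(on bool) { debugEnabled.Store(on) }

// Config is a hypothetical config shape; APIKey stands in for the secrets
// (API keys, basic-auth password, Sentry DSN) that /debug/config redacts.
type Config struct {
	Host   string `json:"host"`
	APIKey string `json:"api_key"`
}

// redacted returns a copy of cfg with secret fields masked before export.
func redacted(c Config) Config {
	if c.APIKey != "" {
		c.APIKey = "[REDACTED]"
	}
	return c
}

// NewDebugMux builds the profiling-port handler: the inner mux serves pprof and
// /debug/config, and the wrapper answers 404 to every request while the gate is
// off, so the port stays bound but serves nothing (the v1.37.9 default).
func NewDebugMux(cfg Config) http.Handler {
	inner := http.NewServeMux()
	inner.HandleFunc("/debug/pprof/", pprof.Index) // Index also serves /debug/pprof/heap etc.
	inner.HandleFunc("/debug/config", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(redacted(cfg))
	})
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !debugEnabled.Load() {
			http.NotFound(w, r)
			return
		}
		inner.ServeHTTP(w, r)
	})
}
```

Heap profiles served by `/debug/pprof/heap` are not covered by the redaction above, which is why the PR's best-practices note warns they may still contain in-memory secrets.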

As of v1.37.9 (weaviate#11173), the debug HTTP listener on the profiling
port (default 6060) is disabled by default: pprof/fgprof and /debug/config
return 404 unless DEBUG_ENDPOINTS_ENABLED=true. This is a security
hardening change; the main REST/gRPC API and /v1/debug/* endpoints are
unaffected.

- env-vars/index.md: document DEBUG_ENDPOINTS_ENABLED (default false,
  runtime-configurable), Added in v1.37.9
- best-practices/index.md: note that pprof profiling now requires
  DEBUG_ENDPOINTS_ENABLED=true on v1.37.9+

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

orca-security-eu (bot) left a comment

Orca Security Scan Summary

| Status | Check | Issues by priority |
|---|---|---|
| Passed | Infrastructure as Code | high 0, medium 0, low 0, info 0 |
| Passed | SAST | high 0, medium 0, low 0, info 0 |
| Passed | Secrets | high 0, medium 0, low 0, info 0 |
| Passed | Vulnerabilities | high 0, medium 0, low 0, info 0 |

Copilot AI left a comment


Pull request overview

Documents the DEBUG_ENDPOINTS_ENABLED environment variable introduced in Weaviate v1.37.9, clarifying that debug/profiling endpoints on the profiling port are disabled by default unless explicitly enabled, and updates profiling guidance accordingly.

Changes:

  • Add DEBUG_ENDPOINTS_ENABLED to the environment variables reference (including default behavior and version note).
  • Add a pprof profiling note calling out the need to enable DEBUG_ENDPOINTS_ENABLED=true on v1.37.9+.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| docs/deploy/configuration/env-vars/index.md | Adds DEBUG_ENDPOINTS_ENABLED reference entry near profiling-related variables. |
| docs/weaviate/best-practices/index.md | Adds a note in the pprof section that debug endpoints must be enabled in v1.37.9+. |


Comment thread docs/weaviate/best-practices/index.md Outdated
- Have a go runtime installed, or start a Go-based docker container
- Expose port 6060 if running in docker/k8s

:::note `DEBUG_ENDPOINTS_ENABLED` required in `v1.37.9`+
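Review bot: the step "Expose port 6060 if running in docker/k8s" is left unqualified right before the new `:::note` admonition, even though the PR description says the listener is unauthenticated and the port should not be exposed to untrusted networks. Suggest qualifying the step itself, e.g. "Expose port 6060 only to localhost or a trusted network if running in docker/k8s", so the warning does not live solely in the note.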
| `INVERTED_SORTER_DISABLED` | Forces the "objects bucket" strategy and doesn't consider inverted sorting. Most users should never set this flag; it exists for benchmarking and as a safety net. Default: `false` | `boolean` | `false` |
| `GO_PROFILING_DISABLE` | If `true`, disables Go profiling. Default: `false`. | `boolean` | `false` |
| `GO_PROFILING_PORT` | Sets the port for the Go profiler. Default: `6060` | `integer` | `6060` |
| `DEBUG_ENDPOINTS_ENABLED` | Gate for the debug HTTP listener (the profiling port set by `GO_PROFILING_PORT`, default `6060`), which serves the Go profiling endpoints (`/debug/pprof/*`, `/debug/fgprof`) and `/debug/config`. When `false`, the listener still binds but returns `404` for every request. Set to `true` to serve these endpoints. Runtime-configurable. Default: `false`<br/>Added in `v1.37.9` (previously these endpoints were always served). `GO_PROFILING_DISABLE` still controls whether the listener binds at all. | `boolean` | `true` |
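Review bot: the new `DEBUG_ENDPOINTS_ENABLED` row is internally inconsistent: its description says "Default: `false`" (matching the PR summary), but the last column, which holds the default value in this table, reads `true`. The final cell should be `false`.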
g-despot and others added 2 commits June 16, 2026 09:44
- runtime-config.md: add debug_endpoints_enabled runtime override
  (DEBUG_ENDPOINTS_ENABLED is wired into WeaviateRuntimeConfig)
- env-vars/index.md: broaden the description — the listener serves
  unauthenticated debug AND profiling/maintenance routes, not just pprof;
  link the runtime override; add "do not expose this port" guidance
- best-practices/index.md: note the endpoints are unauthenticated and
  include destructive operations; /debug/config redacts secrets but heap
  profiles may still contain in-memory secrets

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>