Remote debugging on an Azure App Service opens a developer backdoor into your running application and should never be on in production. Turn it off with az webapp config set --remote-debugging-enabled false and block it with policy.
Remote debugging is a handy feature when you are tracking down a bug that only reproduces in a deployed environment. Visual Studio (or VS Code) attaches to the running process, lets you set breakpoints, and steps through code line by line on a live App Service instance. The problem is that this same convenience leaves a direct debugging channel into your production workload, often long after the original debugging session is forgotten.
This Lensix check, appservice_remotedebugging, flags any Azure App Service where remote debugging is currently enabled.
What this check detects
The check inspects the configuration of each Azure App Service (web app, API app, or function app on an App Service plan) and reports any resource where the remoteDebuggingEnabled property is set to true.
In practical terms, when remote debugging is on, App Service keeps a debugging endpoint available so that a developer IDE can attach to the worker process. The setting also records which Visual Studio version the debugger expects, exposed as remoteDebuggingVersion (for example VS2022).
Note: Remote debugging is disabled by default on new App Service instances. When this check fires, it usually means someone enabled it manually during a troubleshooting session and never switched it back off.
Why it matters
A debugging interface is one of the most powerful tools you can hand to an attacker. When the debugger attaches, it can read process memory, inspect variables, and in many cases alter execution flow. None of that should be reachable from a production app.
Here is the realistic risk picture:
- Expanded attack surface. Remote debugging adds an extra listening channel to the app. Any open channel is something an attacker can probe, fuzz, or exploit if a vulnerability is found.
- Exposure of secrets in memory. Connection strings, API tokens, and decrypted user data live in process memory while the app runs. A debugger session can surface all of it without touching a single log file.
- Forgotten configuration drift. Debugging is meant to be temporary. Once it is enabled and left on, it becomes invisible technical debt that never shows up in a normal code review.
- Compliance findings. Frameworks like CIS Azure Foundations and SOC 2 expect production services to disable diagnostic and debug interfaces. An enabled debugger is a straightforward audit failure.
Warning: Remote debugging also auto-disables itself after a period of inactivity, which gives a false sense of safety. The flag stays set in your configuration, so the next deployment or restart can re-enable the live channel without anyone intending to.
How to fix it
The fix is to set remoteDebuggingEnabled to false. There is no downtime and no real downside in production, so you can act on this immediately.
Azure Portal
- Open the App Service in the Azure Portal.
- Go to Settings → Configuration.
- Select the General settings tab.
- Under Debugging, set Remote debugging to Off.
- Click Save.
Azure CLI
To check the current state across an app:
az webapp config show \
--name my-web-app \
--resource-group my-rg \
--query remoteDebuggingEnabledTo disable it:
az webapp config set \
--name my-web-app \
--resource-group my-rg \
--remote-debugging-enabled falseIf you manage many apps, loop over them in a resource group:
for app in $(az webapp list --resource-group my-rg --query "[].name" -o tsv); do
echo "Disabling remote debugging on $app"
az webapp config set \
--name "$app" \
--resource-group my-rg \
--remote-debugging-enabled false
doneTip: For function apps on an App Service plan, the same az webapp config set command applies, since function apps share the underlying App Service configuration surface.
PowerShell
Set-AzWebApp `
-ResourceGroupName "my-rg" `
-Name "my-web-app" `
-RemoteDebuggingEnabled $falseTerraform
If you provision App Services with Terraform, set the flag explicitly so that no one re-enables it out of band. For the azurerm_linux_web_app resource:
resource "azurerm_linux_web_app" "example" {
name = "my-web-app"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
service_plan_id = azurerm_service_plan.example.id
site_config {
remote_debugging_enabled = false
}
}For Windows apps, use azurerm_windows_web_app with the same remote_debugging_enabled = false inside site_config.
Note: Declaring remote_debugging_enabled = false in IaC does more than set the value once. On the next terraform apply, Terraform will detect and revert any manual change that turned debugging back on.
How to prevent it from happening again
Disabling debugging on one app is a fix. Stopping it from creeping back across your estate is the real goal.
Enforce with Azure Policy
Azure Policy can audit or deny App Services that have remote debugging enabled. Here is a custom policy definition that audits non-compliant resources:
{
"properties": {
"displayName": "App Service should have remote debugging disabled",
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites"
},
{
"field": "Microsoft.Web/sites/config/remoteDebuggingEnabled",
"equals": "true"
}
]
},
"then": {
"effect": "audit"
}
}
}
}Start with the audit effect so you can see how many resources are affected, then switch to deny once your teams have remediated the existing findings.
Warning: Switching the effect to deny before cleaning up existing apps will not retroactively break anything, but it will block future deployments that try to ship with debugging on. Communicate the change to your teams first so a CI/CD pipeline does not fail unexpectedly.
Gate it in CI/CD
Catch the misconfiguration before it reaches Azure. If you use Terraform, run a static scan on the plan with a tool like tfsec or checkov as a pipeline step:
checkov -d ./infra --check CKV_AZURE_72Fail the build when remote debugging is enabled. This keeps the decision visible in code review rather than buried in a portal toggle.
Monitor continuously
Because debugging can be enabled at runtime by anyone with the right RBAC role, point-in-time scans are not enough. Continuous monitoring through Lensix re-runs the appservice_remotedebugging check on a schedule and alerts you the moment a resource drifts out of compliance.
Best practices
- Treat remote debugging as a break-glass action. Enable it only for a specific investigation, document who turned it on, and disable it the moment you are done.
- Use Application Insights instead. For most production troubleshooting, distributed tracing, live metrics, and the snapshot debugger in Application Insights give you what you need without leaving a live debug channel open.
- Scope RBAC tightly. Limit who can modify App Service configuration. The fewer people who can flip the debugging toggle, the smaller your drift risk.
- Manage all App Service settings as code. When configuration lives in Terraform or Bicep, debugging cannot be silently enabled and forgotten because IaC reconciles state on every apply.
- Pair this with related hardening. Enforce HTTPS only, require TLS 1.2 or higher, and disable FTP deployment. Remote debugging is one of several App Service settings worth locking down together.
Tip: If you need to debug a production-like issue, deploy to a dedicated staging slot, enable remote debugging there, reproduce the problem, then discard the slot. Your production slot never carries the debug flag.
Remote debugging is a quick toggle that is easy to leave on and easy to forget. Disable it everywhere, enforce that decision with policy and IaC, and lean on Application Insights for the diagnostics you actually need in production.