The Application Dispatcher has several debugging options
that can be turned on and off through the _DEBUG field in Application
Dispatcher requests. Some of these options might represent security
risks, including a few that are not documented and are used by Technical
Support. For example, the Application Dispatcher includes an option
to show the SAS log (which might contain source code), the host name
and port number where the Application Server is running, or a list
of all services known to the Application Broker.
To create a secure Application Dispatcher setup, decide which debugging options you want to allow, add their debug values together, and set DebugMask (global) or ServiceDebugMask (per service) in the Application Broker configuration file to that sum. Each debug value is a distinct power of two, so the sum identifies exactly the options you chose. For example, if you want to allow only the field echo (1), status message (2), and output dump (16) values, set DebugMask to 19 (1+2+16). You can also use keywords instead of the numeric values to specify these options.
For a list of valid debug values and keywords, see the List of Valid Debug Values.
Note: DebugMask is a global directive and ServiceDebugMask is a by-service directive. By default, all debugging options are allowed.
The default value of DebugMask is 32767, which allows all debug values and is acceptable for many sites. Leaving the directive commented out (keeping the # sign in front of DebugMask) has the same effect: all debug values are allowed. Because some debug values pose a security risk, such as the options that expose the SAS log or the host name and port number of the Application Server, it is recommended that you set a different DebugMask value that omits those values. The DebugMask value controls which values of the _DEBUG field in an HTML form or link are honored.
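As an added example (not SAS code and not part of this documentation), the following Python script builds a DebugMask from the three option values named above, reads the effective global DebugMask from a broker.cfg fragment (treating a missing or commented-out directive as the 32767 default), and splits a request's _DEBUG value into the bits the mask permits and the bits it blocks. The option constant names, the configuration fragment, and the assumption that the Broker applies the mask bitwise to the request value are mine; the page states only that the mask controls which _DEBUG values are allowed.

```python
import re

# Broker default: every _DEBUG option allowed (15 bits set).
ALL_DEBUG = 32767

# _DEBUG option values named on the page. The constant names are labels
# chosen for this example, not the Broker's own keywords.
FIELD_ECHO = 1
STATUS_MESSAGE = 2
OUTPUT_DUMP = 16


def debug_mask(*options):
    """Build a DebugMask value from the option values to allow.

    Each value is a distinct bit, so OR-ing them equals the sum the
    documentation tells you to put in the directive.
    """
    mask = 0
    for opt in options:
        mask |= opt
    return mask


# Matches a global "DebugMask N" line, optionally commented out with '#'.
# "ServiceDebugMask" does not match because the pattern is anchored at the
# line start and allows only whitespace and '#' before the directive name.
_DEBUGMASK_LINE = re.compile(r"^\s*(#?)\s*DebugMask\s+(\d+)\s*$", re.IGNORECASE)


def effective_debug_mask(cfg_text):
    """Return the global DebugMask an Application Broker config fragment yields.

    A missing directive, or one that is commented out with '#', leaves the
    Broker at its default of 32767 (all options allowed).
    """
    for line in cfg_text.splitlines():
        m = _DEBUGMASK_LINE.match(line)
        if m and not m.group(1):          # group(1) is '#' when commented out
            return int(m.group(2))
    return ALL_DEBUG


def split_debug_request(requested, mask):
    """Split a request's _DEBUG value into permitted and blocked bits.

    Assumption (mine, not stated on the page): the Broker compares the
    request value against the mask bit by bit, so any bit outside the
    mask is simply not honored.
    """
    permitted = requested & mask
    blocked = requested & ~mask & ALL_DEBUG
    return permitted, blocked


if __name__ == "__main__":
    # Constructed config fragments for the demonstration.
    hardened_cfg = "DebugMask 19\n"
    commented_cfg = "# DebugMask 19\n"

    mask = debug_mask(FIELD_ECHO, STATUS_MESSAGE, OUTPUT_DUMP)
    print("DebugMask to configure:", mask)                          # 19
    print("hardened fragment ->", effective_debug_mask(hardened_cfg))   # 19
    print("commented fragment ->", effective_debug_mask(commented_cfg)) # 32767

    # A request asking for every option against the hardened mask.
    permitted, blocked = split_debug_request(ALL_DEBUG, mask)
    print("permitted bits:", permitted, "blocked bits:", blocked)    # 19, 32748
```

Run it as a script to see the three values side by side; the commented-out fragment is the case administrators most often get wrong, since a `#` in front of DebugMask does not disable debugging, it restores the permissive default.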