Production profile in security guide (#2064)

BraunMatthias · matthia.braun@sap.com · sjvans · web-flow · commit 46b1bf8f5e32 · 2025-08-29T14:36:04.000+02:00
As a reaction to a security incident. Several customers activated the
index page in production.

---------

Co-authored-by: matthia.braun@sap.com &lt;matthias@W-5CG3323MK3&gt;
Co-authored-by: sjvans &lt;30337871+sjvans@users.noreply.github.com&gt;
Co-authored-by: René Jeglinsky &lt;rene.jeglinsky@sap.com&gt;
diff --git a/guides/security/aspects.md b/guides/security/aspects.md
@@ -693,6 +693,23 @@ For instance, this is true for [authorizations](#secure-authorization) or applic
 It's recommended to ensure security settings by automated integration tests.
 :::
 
+CAP provides some features that are suitable for development only such as 
+- Index Page
+- Mock Users
+- Developer Dashboard (Java only)
+
+These features are deactivated in the production profile by default.
+
+::: warning 
+**Do not manually enable features for production that are disabled by the production profile**, as this could introduce serious security vulnerabilities.
+:::
+
+[Learn more about production profiles in Java](../../java/developing-applications/configuring#production-profile){.learn-more}
+[Learn more about production profiles in Node.js](../../node.js/cds-env#profiles){.learn-more}
+
+
+
+
 
 ### Fail Securely { #fail-securely }
 <!-- #SEC-239 -->
diff --git a/java/developing-applications/configuring.md b/java/developing-applications/configuring.md
@@ -39,9 +39,14 @@ Property defaults adjusted with the production profile are the following:
 
 - Index Page is disabled: `cds.index-page.enabled` is set to `false`
 - Mock Users are strictly disabled: `cds.security.mock.enabled` is set to `false`
+- Access for internal testing is disabled: `cds.security.authentication.internalUserAccess.enabled` is set to `false`
 
 Note, that explicit configuration in the application takes precedence over property defaults from the production profile.
 
+::: warning 
+**Do not manually enable features for production that are disabled by the production profile**, as this could introduce serious security vulnerabilities.
+:::
+
 ## Using SAP Java Buildpack { #buildpack }
 
 In SAP BTP Cloud Foundry environment, the Java runtime that is used to run your application is defined by the so-called [buildpack](https://docs.cloudfoundry.org/buildpacks/).
diff --git a/node.js/cds-server.md b/node.js/cds-server.md
@@ -261,7 +261,7 @@ The built-in CORS middleware can be enabled explicitly with <Config>cds.server.c
 
 ### Toggle Generic Index Page
 
-The default generic _index.html_ page is not served if `NODE_ENV` is set to `production`. Set <Config>cds.server.index: true</Config> to restore the generic index page in production.
+The default generic _index.html_ page is not served if `NODE_ENV` is set to `production`. Set <Config>cds.server.index: true</Config> to activate explicitly also in production-like test environments, for example for deployed PoCs. You must not do this in real production environments!
 
 [See the **Generic *index.html*** page in action.](../get-started/in-a-nutshell.md#generic-index-html) {.learn-more}
 
