
Fix security vulnerability Issue 706 by removing hardcoded debug mode#721

Merged
komalharshita merged 1 commit into komalharshita:main from Shubham-Gotawade:security/backend-fixes
Jun 4, 2026

Conversation

@Shubham-Gotawade
Contributor

Summary

This PR addresses a critical security vulnerability where debug=True was hardcoded into the application runner. In a production environment, this could allow arbitrary code execution by exposing an interactive debugger console to end-users during unhandled runtime exceptions. This fix dynamically switches the debug state based on the host environment settings.

Related Issue

Closes #706

Type of Change

  • Bug fix — resolves a broken behaviour
  • Feature — adds new functionality
  • Data — adds new projects to data/projects.json
  • Documentation — updates docs, README, or code comments only
  • Style — CSS or visual changes only, no logic change
  • Refactor — restructures code without changing behaviour
  • Test — adds or updates tests

What Was Changed

File: app.py
Change made: Replaced hardcoded debug=True with os.environ.get() environment variable tracking and safe fallback logic.

How to Test This PR

  1. Clone this branch: git checkout security/backend-fixes
  2. Run the application locally without setting any environment variable: python app.py (Verify it outputs that debug mode is OFF).
  3. Set your system variable FLASK_DEBUG=True (or 1) and run python app.py again (Verify debug mode safely turns ON for development configuration).

Test Results

Baseline manual confirmation verified. The application configuration successfully blocks the deployment of an exposed interactive console unless explicitly configured via host variables.

Self-Review Checklist

  • I have read CONTRIBUTING.md and followed all guidelines
  • My branch name follows the convention: feat/, fix/, docs/, data/, style/, test/
  • Every new function I wrote has a docstring
  • I have not modified files outside the scope of the linked issue

Notes for Reviewer

None. The logic isolates local development environments from production execution parameters safely.
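The following is an added example illustrating the pattern this PR describes (an environment-driven debug flag with an off-by-default fallback); it is not the project's app.py and not the contributor's code. It assumes the variable name FLASK_DEBUG from the PR, and it deliberately uses an explicit allow-list of truthy values, which is stricter than Flask's own CLI parsing (Flask treats any value other than "0", "false" or "no" as enabled). The `debug_enabled`, `run_config` and `TRUTHY` names are hypothetical.

```python
import os

# Added example, not the project's code: replace a hardcoded debug=True with a
# value derived from the FLASK_DEBUG environment variable (assumed name).

# Explicit allow-list: only these values switch the debugger on. Anything else,
# including an unset or empty variable, falls back to the safe default (off).
TRUTHY = {"1", "true", "t", "yes", "on"}


def debug_enabled(env=None):
    """Return True only when FLASK_DEBUG is explicitly set to a truthy value.

    Unset, empty or unrecognised values return False, so a production host
    that never sets the variable will not serve the interactive debugger.
    """
    if env is None:
        env = os.environ
    raw = env.get("FLASK_DEBUG", "")
    return raw.strip().lower() in TRUTHY


def run_config(env=None):
    """Build the keyword arguments that would be passed to app.run().

    The vulnerable form this pattern replaces was the hardcoded call
        app.run(debug=True)
    which ships the Werkzeug debugger console with every deployment.
    """
    return {"debug": debug_enabled(env)}


if __name__ == "__main__":
    # Mirrors the PR's manual test: run once with no variable set, then with
    # FLASK_DEBUG=1 or FLASK_DEBUG=True, and observe the reported state.
    state = "ON" if run_config()["debug"] else "OFF"
    print(f"debug mode is {state}")
```

With this in place, `app.run(**run_config())` (hypothetical usage) only enables the debugger when the host explicitly opts in; a deployment that forgets the variable, or sets it to something unexpected such as "production", stays in the safe state.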

@vercel

vercel Bot commented Jun 3, 2026

@Shubham-Gotawade is attempting to deploy a commit to the komalsony234-1530's projects Team on Vercel.

A member of the Team first needs to authorize it.

@komalharshita komalharshita merged commit c25288f into komalharshita:main Jun 4, 2026
8 of 9 checks passed
@komalharshita
Owner

Thank you for the contribution.

I reviewed the changes and verified that the hardcoded debug=True configuration has been replaced with an environment-variable-based approach using FLASK_DEBUG.

This is a safer configuration for deployments, prevents accidental exposure of Flask's debugger in production environments, and maintains flexibility for local development.

The change is small, focused, and directly addresses the reported security issue without affecting application functionality.

Looks good to me and is ready to be merged.


Linked issue: Flask debug mode enabled exposes remote code execution console
