diff --git a/test-apps/02-flask-blog-api/app.py b/test-apps/02-flask-blog-api/app.py
index e20a9d7..302ed24 100644
--- a/test-apps/02-flask-blog-api/app.py
+++ b/test-apps/02-flask-blog-api/app.py
@@ -637,4 +637,6 @@ def setup_rbac(rbac: RBAC):
 ║ ║
 ╚════════════════════════════════════════════════╝
 """)
- app.run(debug=True, host='0.0.0.0', port=5000)
+ # Use debug flag from app config (controlled via FLASK_DEBUG env var) rather than
+ # hardcoding debug=True, which would enable the interactive debugger in production.
+ app.run(debug=app.config.get('DEBUG', False), host='0.0.0.0', port=5000)
diff --git a/test-apps/02-flask-blog-api/auth.py b/test-apps/02-flask-blog-api/auth.py
index 862f939..903d8c7 100644
--- a/test-apps/02-flask-blog-api/auth.py
+++ b/test-apps/02-flask-blog-api/auth.py
@@ -109,10 +109,11 @@ def decorated_function(*args, **kwargs):
 'message': 'Please login again'
 }), 401
- except jwt.InvalidTokenError as e:
+ except jwt.InvalidTokenError:
+ # Do not expose internal JWT error details to the client
 return jsonify({
 'error': 'Invalid token',
- 'message': str(e)
+ 'message': 'Token is invalid'
 }), 401
 return decorated_function
diff --git a/test-apps/02-flask-blog-api/decorators.py b/test-apps/02-flask-blog-api/decorators.py
index ea31f0b..21692d4 100644
--- a/test-apps/02-flask-blog-api/decorators.py
+++ b/test-apps/02-flask-blog-api/decorators.py
@@ -2,10 +2,13 @@
 RBAC Decorators for Flask Blog API.
 Provides decorators for permission and role-based authorization.
 """
+import logging
 from functools import wraps
 from flask import g, jsonify
 from auth import get_current_user
+logger = logging.getLogger(__name__)
+
 def require_permission(action: str, resource_type: str = None, check_ownership: bool = False):
 """
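Review bot: `host='0.0.0.0'` on the replaced `app.run(...)` line still binds the development server to every interface, so the debug change removes the interactive debugger but not the network exposure; consider sourcing the bind address from config in the same way, e.g. `host=app.config.get('HOST', '127.0.0.1')`, and let a deployment opt into a wider bind explicitly. `app.config['DEBUG']` is also exactly what `app.debug` returns, so `debug=app.debug` — or omitting the argument, since `app.run` falls back to `app.debug` when `debug` is not passed — expresses the intent more directly than `app.config.get('DEBUG', False)`. The block enclosing this `app.run` call starts outside the hunk.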
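Review bot: Dropping `as e` on the `except jwt.InvalidTokenError:` line removes the only record of why a token was rejected, and unlike the decorators.py change in this commit nothing is logged server-side, so tampered or malformed tokens leave no trace for monitoring. Keep the generic client message but record the reason, e.g. `except jwt.InvalidTokenError as e:` followed by `logger.warning('JWT rejected: %s', e)` — this assumes auth.py has, or gains, a module-level logger, which is not visible in the hunk. The PyJWT error text describes the failure rather than echoing the token, so logging it does not reintroduce the disclosure the commit removes. decorated_function starts outside the hunk.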
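Review bot: The added `logger = logging.getLogger(__name__)` is followed by a single added blank line before `def require_permission(...)`, leaving one blank line between a module-level assignment and a top-level def where PEP 8 calls for two. Adding a second blank line after the logger assignment keeps the module consistent with auto-formatted output.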
@@ -110,9 +113,11 @@ def decorated_function(*args, **kwargs):
 return f(*args, **kwargs)
 except Exception as e:
+ # Log the full error internally; do not expose exception details to the client
+ logger.error('Authorization check failed: %s', str(e), exc_info=True)
 return jsonify({
 'error': 'Authorization error',
- 'message': f'Failed to check permissions: {str(e)}'
+ 'message': 'Failed to check permissions'
 }), 500
 return decorated_function
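Review bot: The `except Exception as e:` handler that now logs and returns a 500 also wraps `return f(*args, **kwargs)`, so any exception raised by the wrapped view itself — including the HTTPException behind `abort()` — is reported to the client as 'Failed to check permissions' with status 500, masking the real error and turning a 404 or 403 from the view into an authorization 500. If the `try` (which starts outside the hunk) cannot be narrowed to the permission check alone, add `except HTTPException:` / `raise` ahead of the broad handler so Flask's own error handling keeps working; HTTPException lives in werkzeug.exceptions and is not imported in the visible lines. Separately, inside an `except` block `logger.exception('Authorization check failed')` is the idiom for what `logger.error(..., exc_info=True)` does, and `%s` already formats `e`, so the `str(e)` wrapper is redundant.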