A thread on cfcdev today discussed whether ColdFusion debugging should ever be activated on a production server. The bottom line is no: never turn on debugging on a production server. You should never need to debug on a live server anyway; that’s what development and testing servers are for.
But what about enabling debugging and simply not listing any IP addresses, so that debug information is not returned? Not good enough. While turning the display of debug output on and off does have a slight performance impact, the bigger impact is the gathering and tracking of debug output. The IP address list only controls whether the accumulated debug information is output; that information will still be maintained if debugging is enabled on the server.
Bottom line: do not turn on debugging on production servers. Ever.