Laravel Telescope in Production: Security Risks You Need to Know
Laravel Telescope records every request, query, job, and log entry in your application. Left exposed in production, it gives attackers a real-time view into your entire system.
Laravel Telescope is one of the best debugging tools in the Laravel ecosystem. It gives you a real-time window into everything your application does: every HTTP request, every database query, every queued job, every mail sent, every cache hit and miss, every log entry, and more.
That makes it incredibly powerful for development. And incredibly dangerous in production.
What Telescope Records
Telescope captures detailed data across these watchers:
| Watcher | What It Records |
|---|---|
| Requests | Full URL, headers (including Authorization), request body, response status, session data |
| Queries | Every SQL query with bindings, execution time, and the request that triggered it |
| Jobs | Queued job class names, payloads, status, and processing time |
| Recipients, subject lines, and full email content | |
| Notifications | Notification class, channel, and recipient |
| Cache | Every cache get, put, and forget operation with keys and values |
| Logs | Every log entry with full context arrays |
| Models | Every model create, update, and delete event with changed attributes |
| Exceptions | Full stack traces with file paths and line numbers |
| Gates | Every authorization check and its result |
This is a complete record of your application's internal behavior.
What an Attacker Learns from Exposed Telescope
An attacker who finds your Telescope dashboard at /telescope gets the equivalent of full application access.
From Requests: Every API endpoint, Authorization headers with Bearer tokens, request bodies with user credentials and personal data, session data with CSRF tokens.
From Queries: Your entire database schema. Table names, column names, relationships. Query bindings expose actual data values.
From Jobs and Mail: Job payloads with user data, password reset tokens, invitation links, full transactional email content. Enough to hijack accounts.
From Logs and Exceptions: Full directory structure, file paths, class names. Logged errors may contain credentials and API responses.
How to Check If Telescope Is Exposed
Open an incognito browser window and navigate to:
https://yourdomain.com/telescope
If you see the dashboard without logging in, it's exposed. Also check the API:
curl -s -o /dev/null -w "%{http_code}" https://yourdomain.com/telescope/telescope-api/requests
A 200 response means the API is open.
How to Secure Telescope
Option 1: Disable in Production (Safest)
TELESCOPE_ENABLED=false
Or conditionally register in TelescopeServiceProvider:
public function register(): void
{
if ($this->app->environment('local')) {
$this->app->register(TelescopeServiceProvider::class);
}
}
Option 2: Authorization Gate
protected function gate(): void
{
Gate::define('viewTelescope', function ($user) {
return in_array($user->email, [
'admin@yourdomain.com',
]);
});
}
Option 3: IP Restriction + Auth
protected function gate(): void
{
Gate::define('viewTelescope', function ($user) {
$allowedIps = ['203.0.113.50', '198.51.100.25'];
return in_array(request()->ip(), $allowedIps)
&& in_array($user->email, ['admin@yourdomain.com']);
});
}
Option 4: Filter Sensitive Data
If you must run Telescope in production, limit what it records:
use Laravel\Telescope\IncomingEntry;
use Laravel\Telescope\Telescope;
Telescope::filter(function (IncomingEntry $entry) {
if (app()->environment('local')) {
return true;
}
return $entry->isReportableException() ||
$entry->isFailedRequest() ||
$entry->isFailedJob();
});
Telescope::hideRequestParameters(['password', 'password_confirmation']);
Telescope::hideRequestHeaders(['authorization', 'cookie']);
Better Alternatives for Production
Laravel Pulse is built for production monitoring. It shows aggregated performance metrics without storing sensitive request-level data.
Error tracking (Sentry, Flare, Bugsnag) captures exceptions with proper access controls.
External monitoring like StackShield detects exposed Telescope dashboards from the outside, alerting you before an attacker finds it.
The Bottom Line
Telescope is an excellent development tool, not a production monitoring tool. Disable it in production, or lock it down with multiple layers of access control. Set up external monitoring to catch the inevitable misconfiguration before someone else does.
Is your Laravel app exposed right now?
34% of Laravel apps we scan have at least one critical issue. Most teams don't find out until something breaks. Our free scan checks your live application in under 60 seconds.
Frequently Asked Questions
Should I use Laravel Telescope in production?
It depends on your needs. Telescope is useful for debugging production issues, but it records sensitive data including request payloads, database queries, and log entries. If you run it in production, you must restrict access with authorization gates, IP whitelisting, and ideally a separate subdomain behind VPN. Many teams choose to disable it entirely in production and use dedicated monitoring tools instead.
How do I check if my Telescope dashboard is publicly accessible?
Navigate to yourdomain.com/telescope in a browser where you are not logged in (or use an incognito window). If you can see the dashboard, it is publicly accessible. An automated scanner or a tool like StackShield can check this for you continuously.
What is the difference between Telescope and Laravel Pulse for production use?
Telescope is a debugging tool that records detailed information about individual requests, queries, jobs, and exceptions. Pulse is a performance monitoring dashboard designed for production. Pulse shows aggregated metrics like slow queries, busy jobs, and server health without storing sensitive request-level details. For production monitoring, Pulse is the safer choice.
Can I restrict which data Telescope records in production?
Yes. You can filter what Telescope records using the filter callback in TelescopeServiceProvider. For example, you can only record failed requests, slow queries above a threshold, or exceptions. This reduces both the security exposure and the storage overhead.
Related Articles
Laravel Session Security: Cookies, Hijacking & config/session.php
A deep dive into Laravel session security. Learn how cookie flags, session drivers, and config/session.php settings protect against hijacking, fixation, and sidejacking attacks.
SecurityAutomated Security Testing in Laravel CI/CD Pipelines
How to add security gates to your Laravel CI/CD pipeline with GitHub Actions. Covers dependency scanning, static analysis, secret detection, and automated security monitoring.
SecurityLaravel Content Security Policy: Configure CSP Without Breaking Your App
Only 22% of Laravel apps have a Content Security Policy. Learn how to implement CSP with spatie/laravel-csp, handle Livewire and Vite nonces, and avoid the mistakes that break production.
Compare StackShield
Security Checklists
Laravel Production Deployment Security Checklist
A comprehensive security checklist for deploying Laravel applications to production. Covers environment config, server hardening, access control, and monitoring.
20 itemsLaravel API Security Checklist
Secure your Laravel API endpoints against common vulnerabilities. Covers authentication, input validation, rate limiting, and response security.
Stay Updated on Laravel Security
Get actionable security tips, vulnerability alerts, and best practices for Laravel apps.