Should I use Laravel Telescope in production?

It depends on your needs. Telescope is useful for debugging production issues, but it records sensitive data including request payloads, database queries, and log entries. If you run it in production, you must restrict access with authorization gates, IP whitelisting, and ideally a separate subdomain behind VPN. Many teams choose to disable it entirely in production and use dedicated monitoring tools instead.

How do I check if my Telescope dashboard is publicly accessible?

Navigate to yourdomain.com/telescope in a browser where you are not logged in (or use an incognito window). If you can see the dashboard, it is publicly accessible. An automated scanner or a tool like StackShield can check this for you continuously.

What is the difference between Telescope and Laravel Pulse for production use?

Telescope is a debugging tool that records detailed information about individual requests, queries, jobs, and exceptions. Pulse is a performance monitoring dashboard designed for production. Pulse shows aggregated metrics like slow queries, busy jobs, and server health without storing sensitive request-level details. For production monitoring, Pulse is the safer choice.

Can I restrict which data Telescope records in production?

Yes. You can filter what Telescope records using the filter callback in TelescopeServiceProvider. For example, you can only record failed requests, slow queries above a threshold, or exceptions. This reduces both the security exposure and the storage overhead.

Laravel Telescope in Production: Security Risks You Need to Know

Laravel Telescope is one of the best debugging tools in the Laravel ecosystem. It gives you a real-time window into everything your application does: every HTTP request, every database query, every queued job, every mail sent, every cache hit and miss, every log entry, and more.

That makes it incredibly powerful for development. And incredibly dangerous in production.

What Telescope Records

Telescope captures detailed data across these watchers:

Watcher	What It Records
Requests	Full URL, headers (including Authorization), request body, response status, session data
Queries	Every SQL query with bindings, execution time, and the request that triggered it
Jobs	Queued job class names, payloads, status, and processing time
Mail	Recipients, subject lines, and full email content
Notifications	Notification class, channel, and recipient
Cache	Every cache get, put, and forget operation with keys and values
Logs	Every log entry with full context arrays
Models	Every model create, update, and delete event with changed attributes
Exceptions	Full stack traces with file paths and line numbers
Gates	Every authorization check and its result

This is a complete record of your application's internal behavior.

What an Attacker Learns from Exposed Telescope

An attacker who finds your Telescope dashboard at /telescope gets the equivalent of full application access.

From Requests: Every API endpoint, Authorization headers with Bearer tokens, request bodies with user credentials and personal data, session data with CSRF tokens.

From Queries: Your entire database schema. Table names, column names, relationships. Query bindings expose actual data values.

From Jobs and Mail: Job payloads with user data, password reset tokens, invitation links, full transactional email content. Enough to hijack accounts.

From Logs and Exceptions: Full directory structure, file paths, class names. Logged errors may contain credentials and API responses.

How to Check If Telescope Is Exposed

Open an incognito browser window and navigate to:

https://yourdomain.com/telescope

If you see the dashboard without logging in, it's exposed. Also check the API:

curl -s -o /dev/null -w "%{http_code}" https://yourdomain.com/telescope/telescope-api/requests

A 200 response means the API is open.

How to Secure Telescope

Option 1: Disable in Production (Safest)

TELESCOPE_ENABLED=false

Or conditionally register in TelescopeServiceProvider:

public function register(): void
{
    if ($this->app->environment('local')) {
        $this->app->register(TelescopeServiceProvider::class);
    }
}

Option 2: Authorization Gate

protected function gate(): void
{
    Gate::define('viewTelescope', function ($user) {
        return in_array($user->email, [
            'admin@yourdomain.com',
        ]);
    });
}

Option 3: IP Restriction + Auth

protected function gate(): void
{
    Gate::define('viewTelescope', function ($user) {
        $allowedIps = ['203.0.113.50', '198.51.100.25'];
        return in_array(request()->ip(), $allowedIps)
            && in_array($user->email, ['admin@yourdomain.com']);
    });
}

Option 4: Filter Sensitive Data

If you must run Telescope in production, limit what it records:

use Laravel\Telescope\IncomingEntry;
use Laravel\Telescope\Telescope;

Telescope::filter(function (IncomingEntry $entry) {
    if (app()->environment('local')) {
        return true;
    }
    return $entry->isReportableException() ||
           $entry->isFailedRequest() ||
           $entry->isFailedJob();
});

Telescope::hideRequestParameters(['password', 'password_confirmation']);
Telescope::hideRequestHeaders(['authorization', 'cookie']);

Better Alternatives for Production

Laravel Pulse is built for production monitoring. It shows aggregated performance metrics without storing sensitive request-level data.

Error tracking (Sentry, Flare, Bugsnag) captures exceptions with proper access controls.

External monitoring like StackShield detects exposed Telescope dashboards from the outside, alerting you before an attacker finds it.

The Bottom Line

Telescope is an excellent development tool, not a production monitoring tool. Disable it in production, or lock it down with multiple layers of access control. Set up external monitoring to catch the inevitable misconfiguration before someone else does.