Laravel Telescope Exposure

Easy

Checks whether the Laravel Telescope debugging tool is exposed in production.

Estimated fix time: 10 minutes

What is Telescope?

Laravel Telescope is a debugging and monitoring tool that provides insights into requests, exceptions, database queries, and more. If accessible in production without authentication, it exposes sensitive application data.

Security Impact

Severity: High

  • Request/response data exposed
  • Database queries visible
  • User information disclosed
  • API requests revealed
  • Performance metrics exposed

How to Fix

1. Register Only in Local/Staging

// app/Providers/AppServiceProvider.php
// The conditional belongs in AppServiceProvider, not in the app's own
// TelescopeServiceProvider (which is one of the providers being registered here).
// Remove App\Providers\TelescopeServiceProvider from the providers list
// (config/app.php or bootstrap/providers.php); otherwise it is loaded regardless.
public function register()
{
    // Only register Telescope in local/staging
    if ($this->app->environment('local', 'staging')
        && class_exists(\Laravel\Telescope\TelescopeServiceProvider::class)) {
        $this->app->register(\Laravel\Telescope\TelescopeServiceProvider::class);
        $this->app->register(\App\Providers\TelescopeServiceProvider::class);
    }
}

2. Implement Authorization Gate

// app/Providers/TelescopeServiceProvider.php
use Illuminate\Support\Facades\Gate;
use Laravel\Telescope\IncomingEntry;
use Laravel\Telescope\Telescope;

// Called by the parent provider's authorization() hook; the resulting
// 'viewTelescope' gate is what Telescope's Authorize middleware checks.
protected function gate()
{
    Gate::define('viewTelescope', function ($user) {
        return in_array($user->email, [
            'admin@yourdomain.com',
        ]);
    });
}

public function register()
{
    Telescope::night();

    $this->hideSensitiveRequestDetails();

    // In production, record only failures and monitored entries instead of
    // every request, query and job.
    Telescope::filter(function (IncomingEntry $entry) {
        if ($this->app->environment('production')) {
            return $entry->isReportableException() ||
                   $entry->isFailedRequest() ||
                   $entry->isFailedJob() ||
                   $entry->isScheduledTask() ||
                   $entry->hasMonitoredTag();
        }

        return true;
    });
}

3. Hide Sensitive Data

// app/Providers/TelescopeServiceProvider.php
protected function hideSensitiveRequestDetails()
{
    Telescope::hideRequestParameters(['password', 'password_confirmation']);

    Telescope::hideRequestHeaders([
        'cookie',
        'x-csrf-token',
        'x-xsrf-token',
    ]);
}

4. Disable in Production Entirely

// config/telescope.php
'enabled' => env('TELESCOPE_ENABLED', false),

# .env (local)
TELESCOPE_ENABLED=true

# .env (production)
TELESCOPE_ENABLED=false

5. Protect Route with Middleware

// config/telescope.php - If you must have it in production
// Telescope registers its own routes using this middleware list (there is no
// Telescope::routes() helper to wrap in routes/web.php). Keep the package's
// Authorize middleware, which runs the viewTelescope gate, and add 'auth' so
// guests are sent to the login page before the gate is ever evaluated.
'middleware' => [
    'web',
    'auth',
    \Laravel\Telescope\Http\Middleware\Authorize::class,
],

Verification Steps

  1. Visit /telescope without authentication
  2. Should be blocked or return 404
  3. Verify gate authorization works
  4. Check sensitive data is hidden
  5. Confirm it's disabled in production
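The verification steps above as a Laravel feature test, added here as an example (not code from the page or the Telescope project). It assumes a User factory and the admin@yourdomain.com allow-list from the gate in step 2; when the provider is not registered in the testing environment (step 1), the dashboard does not exist and the authenticated cases are skipped.

```php
<?php
// tests/Feature/TelescopeAccessTest.php (added example, assumes a User factory)
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Telescope\TelescopeServiceProvider;
use Tests\TestCase;

class TelescopeAccessTest extends TestCase
{
    use RefreshDatabase;

    private function telescopeIsRegistered(): bool
    {
        // Step 1 registers the provider only in local/staging, so under the
        // testing environment the dashboard may not exist at all.
        return isset($this->app->getLoadedProviders()[TelescopeServiceProvider::class]);
    }

    public function test_guest_is_blocked_or_gets_404(): void
    {
        $response = $this->get('/telescope');
        // 404: provider not registered; 403: Authorize middleware denied the
        // guest; 302: the 'auth' middleware redirected to the login page.
        $this->assertContains($response->getStatusCode(), [302, 403, 404]);
    }

    public function test_non_allow_listed_user_is_forbidden(): void
    {
        if (! $this->telescopeIsRegistered()) {
            $this->markTestSkipped('Telescope is not registered in this environment.');
        }
        $user = User::factory()->create(['email' => 'user@example.com']);

        $this->actingAs($user)->get('/telescope')->assertForbidden();
    }

    public function test_allow_listed_admin_can_view_dashboard(): void
    {
        if (! $this->telescopeIsRegistered()) {
            $this->markTestSkipped('Telescope is not registered in this environment.');
        }
        $admin = User::factory()->create(['email' => 'admin@yourdomain.com']);

        $this->actingAs($admin)->get('/telescope')->assertOk();
    }
}
```

Run it with APP_ENV set to staging (or with the provider registered for testing) to exercise the gate itself; under the default testing environment only the guest case is meaningful and confirms the 404.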

Best Practices

  • Use only in local/staging
  • Never expose to public
  • Implement strong authentication
  • Hide sensitive parameters
  • Regularly prune old entries
  • Use role-based access

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
