Why does Laravel Telescope Exposure matter for Laravel security?

Failing to address laravel telescope exposure can leave your Laravel application vulnerable to attacks. StackShield continuously monitors for this issue so you can catch it before attackers do.

How do I fix a Laravel Telescope Exposure issue?

This is rated as an easy fix, typically taking 10 minutes. See the full documentation above for step-by-step instructions.

How to Secure Laravel Telescope in Production

What This Check Detects

Checks if Laravel Telescope debugging tool is exposed in production.

Full Documentation

What is Telescope?

Laravel Telescope is a debugging and monitoring tool that provides insights into requests, exceptions, database queries, and more. If accessible in production without authentication, it exposes sensitive application data.

Security Impact

Severity: High

Request/response data exposed
Database queries visible
User information disclosed
API requests revealed
Performance metrics exposed

How to Fix

1. Restrict to Local Environment (Recommended)

// app/Providers/TelescopeServiceProvider.php
public function register()
{
    // Only register Telescope in local/staging
    if ($this->app->environment('local', 'staging')) {
        $this->app->register(\Laravel\Telescope\TelescopeServiceProvider::class);
    }
}

2. Implement Authorization Gate

// app/Providers/TelescopeServiceProvider.php
use Laravel\Telescope\Telescope;
use Laravel\Telescope\IncomingEntry;

protected function gate()
{
    Gate::define('viewTelescope', function ($user) {
        return in_array($user->email, [
            'admin@yourdomain.com',
        ]);
    });
}

public function register()
{
    Telescope::night();

    $this->hideSensitiveRequestDetails();

    Telescope::filter(function (IncomingEntry $entry) {
        if ($this->app->environment('production')) {
            return $entry->isReportableException() ||
                   $entry->isFailedRequest() ||
                   $entry->isFailedJob() ||
                   $entry->isScheduledTask() ||
                   $entry->hasMonitoredTag();
        }

        return true;
    });
}

3. Hide Sensitive Data

// app/Providers/TelescopeServiceProvider.php
protected function hideSensitiveRequestDetails()
{
    Telescope::hideRequestParameters(['password', 'password_confirmation']);

    Telescope::hideRequestHeaders([
        'cookie',
        'x-csrf-token',
        'x-xsrf-token',
    ]);
}

4. Disable in Production Entirely

// config/telescope.php
'enabled' => env('TELESCOPE_ENABLED', false),

# Local
TELESCOPE_ENABLED=true

# Production
TELESCOPE_ENABLED=false

5. Protect Route with Middleware

// routes/web.php - If you must have it in production
Route::middleware(['auth', 'admin'])->group(function () {
    Telescope::routes();
});

Verification Steps

Visit /telescope without authentication
Should be blocked or return 404
Verify gate authorization works
Check sensitive data is hidden
Confirm it's disabled in production

Best Practices

Use only in local/staging
Never expose to public
Implement strong authentication
Hide sensitive parameters
Regularly prune old entries
Use role-based access

Related Issues

Laravel Debug Mode
Ignition Exposure
Session Configuration

Related Security Checks

Laravel Ignition Exposure

Checks if Laravel Ignition error page is exposed in production.

Easy fix 5 minutes

Laravel Debug Mode

Checks if Laravel debug mode is enabled in production.