Security: Telescope hides insufficient request headers in production #14

@Snider

Description

The TelescopeServiceProvider only hides a limited set of sensitive request headers.

Location

  • File: src/Providers/TelescopeServiceProvider.php
  • Lines: 58-65

Issue

Currently hidden headers:

  • cookie
  • x-csrf-token
  • x-xsrf-token

Missing headers that should also be hidden:

  • Authorization (Bearer tokens, Basic auth)
  • X-API-Key
  • X-Auth-Token
  • Proxy-Authorization

Additionally, only _token is hidden from request parameters, but other sensitive fields could leak:

  • password, password_confirmation
  • credit_card, cvv, card_number
  • ssn, social_security
  • secret, api_key

Recommendation

Expand the lists:

hideRequestHeaders:

  • authorization
  • proxy-authorization
  • x-api-key
  • x-auth-token

hideRequestParameters:

  • password, password_confirmation
  • credit_card, card_number, cvv, cvc
  • ssn, social_security
  • secret, api_secret, api_key
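One way to apply the expanded lists, as an added example rather than the project's own provider: the class below follows the shape of the stock `TelescopeServiceProvider` that Telescope publishes (the `hideSensitiveRequestDetails()` method the issue points at), and uses the real `Telescope::hideRequestHeaders()` and `Telescope::hideRequestParameters()` calls. The `register()` body is trimmed to what matters here; the namespace, the `local` early return and the parameter names are assumptions taken from the stock provider and from the lists above.

```php
<?php

namespace App\Providers;

use Laravel\Telescope\Telescope;
use Laravel\Telescope\TelescopeApplicationServiceProvider;

class TelescopeServiceProvider extends TelescopeApplicationServiceProvider
{
    /**
     * Register any application services.
     * (The stock provider also calls filter()/gate() here; omitted for brevity.)
     */
    public function register(): void
    {
        $this->hideSensitiveRequestDetails();
    }

    /**
     * Prevent sensitive request details from being logged by Telescope.
     */
    protected function hideSensitiveRequestDetails(): void
    {
        // Mirrors the stock provider: nothing is masked in the local environment.
        // Drop this early return if local Telescope data is shared or exported.
        if ($this->app->environment('local')) {
            return;
        }

        // Laravel's header bag stores names in lowercase, so the entries here
        // must be lowercase or they will not match the captured request.
        Telescope::hideRequestHeaders([
            // original three
            'cookie',
            'x-csrf-token',
            'x-xsrf-token',
            // credentials carried in headers
            'authorization',
            'proxy-authorization',
            'x-api-key',
            'x-auth-token',
        ]);

        // Top-level input keys. Assumption: nested input can be reached with
        // dot notation (e.g. 'card.number'), since Telescope resolves these
        // names with Laravel's array helpers.
        Telescope::hideRequestParameters([
            '_token',
            'password',
            'password_confirmation',
            'credit_card',
            'card_number',
            'cvv',
            'cvc',
            'ssn',
            'social_security',
            'secret',
            'api_secret',
            'api_key',
        ]);
    }
}
```

Telescope replaces the matched values with a fixed placeholder string rather than dropping the key, so after this change a recorded entry still shows that an `authorization` header or `password` field was present, only its value is masked. A quick check after deploying is to send a request with a dummy `Authorization` header against a non-local environment and confirm the stored entry in the Telescope UI shows the placeholder and not the token.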

Severity

Medium - Sensitive data could be logged in Telescope entries
