X-ChromeLogger-Data (XCOLD) Header Information Leak

Summary: The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find: server file system locations, vhost declarations, etc.

Solution: Disable this functionality in Production when it might leak information that could be leveraged by an attacker. Alternatively ensure that use of the functionality is tied to a strong authorization check and only available to administrators or support personnel for troubleshooting purposes not general users.

Other info: The following represents an attempt to base64 decode the value: {"version":"4.0","columns":["label","log","backtrace","type"],"rows":[["request","Matched route \"app_security_login\" (parameters: \"_controller\": \"BackEnd\\AppBundle\\Controller\\SecurityController::loginAction\", \"_route\": \"app_security_login\")","unknown","info"],["security","Populated SecurityContext with an anonymous Token","unknown","info"]],"request_uri":"\/login"}