
X-Debug-Token Information Leak

  • Risk: Low
  • Type: Passive
Summary
The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.
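A passive check for this alert, written here as an added example in Python and not taken from any scanner's own code: it parses a raw HTTP response, matches the two header names case-insensitively (HTTP header names are case-insensitive, so a check keyed on exact spelling would miss `x-debug-token`), and reports one Low-risk finding per header, extracting the token from the X-Debug-Token-Link URL. The sample responses, the Finding structure and the hex token pattern are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header names that Symfony's WebProfilerBundle attaches to responses while the
# profiler is collecting data. Compared in lowercase because header names are
# case-insensitive.
DEBUG_TOKEN_HEADERS = ("x-debug-token", "x-debug-token-link")

# Path shape of the profiler panel a token points at (/_profiler/<token>).
# Hex-only token pattern is an assumption made for this example.
PROFILER_URL_RE = re.compile(r"/_profiler/([0-9a-f]+)", re.IGNORECASE)


@dataclass
class Finding:
    alert: str
    risk: str
    header: str
    value: str
    token: Optional[str] = None
    profiler_url: Optional[str] = None


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a lowercase-keyed header dict.

    Only the header block (before the first blank line) is read; the body is
    ignored. Both CRLF and bare LF line endings are accepted. Folded or
    duplicate headers are not handled, which is enough for a passive check.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers: Dict[str, str] = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_debug_token(raw_response: str) -> List[Finding]:
    """Passive check: flag a response carrying X-Debug-Token or X-Debug-Token-Link."""
    headers = parse_headers(raw_response)
    findings: List[Finding] = []
    for name in DEBUG_TOKEN_HEADERS:
        if name not in headers:
            continue
        value = headers[name]
        finding = Finding(alert="X-Debug-Token Information Leak", risk="Low",
                          header=name, value=value)
        # X-Debug-Token carries the bare token; X-Debug-Token-Link carries the
        # URL of the profiler panel, from which the token is recovered.
        match = PROFILER_URL_RE.search(value)
        if match:
            finding.token = match.group(1)
            finding.profiler_url = value
        else:
            finding.token = value
        findings.append(finding)
    return findings


# Constructed sample responses (not captured from any real host).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Debug-Token: 123ab4\r\n"
    "X-Debug-Token-Link: http://example.com/_profiler/123ab4\r\n"
    "\r\n"
    '{"status":"ok"}'
)

CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"status":"ok"}'
)

if __name__ == "__main__":
    for f in check_debug_token(LEAKY_RESPONSE):
        print(f"[{f.risk}] {f.alert}: {f.header} = {f.value} (token {f.token})")
    print("clean response findings:", check_debug_token(CLEAN_RESPONSE))
```

The check reads only the header block, so it can run over stored responses from a proxy log as easily as over live traffic, and it never sends a request of its own, which is what makes it passive.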
Solution
Limit access to Symfony's Profiler, either via authentication/authorization or by limiting inclusion of the header to specific clients (by IP, etc.).
Other info
By accessing a URL of the form http://target_host/_profiler/token_value (e.g. http://example.com/_profiler/123ab4), you may gain access to the profiler and further leaked information.
References

https://symfony.com/doc/current/cookbook/profiler/profiling_data.html

https://symfony.com/blog/new-in-symfony-2-4-quicker-access-to-the-profiler-when-working-on-an-api
