Clockwork PHP dev tool enabled - Vulnerability Database

Clockwork PHP dev tool enabled

Description

Clockwork, a PHP debugging and profiling tool, has been detected as accessible on this web application. Clockwork records detailed runtime information for each request, including executed database queries, application log entries, matched routes, session data and timing/memory metrics, and serves it as JSON metadata to a web-based interface and browser extension. It is intended solely for development environments and must never be enabled or reachable in production: an unauthenticated visitor can read the internals of recent requests, including SQL statements, session contents and request parameters, which greatly aids further attacks against the application.

Remediation

Immediately disable Clockwork in production environments. Clockwork follows Laravel's APP_DEBUG setting by default, so ensure APP_DEBUG is set to false and additionally set CLOCKWORK_ENABLE=false so the tool stays off even if debug mode is later switched on by mistake. The most robust fix is to install Clockwork as a development-only dependency (composer require --dev itsgoingd/clockwork) and deploy with composer install --no-dev, so the package is absent from production entirely. If it must stay installed, register its service provider only in local environments. Note that Laravel's package discovery registers Clockwork's provider automatically, so the conditional registration below only takes effect once the package is excluded from auto-discovery in composer.json:

// composer.json: opt Clockwork out of Laravel package auto-discovery
"extra": { "laravel": { "dont-discover": ["itsgoingd/clockwork"] } }

// app/Providers/AppServiceProvider.php: register the provider only locally.
// Check the environment rather than env('APP_DEBUG'): env() returns null
// once the configuration is cached (php artisan config:cache).
public function register(): void
{
    if ($this->app->environment('local')) {
        $this->app->register(\Clockwork\Support\Laravel\ClockworkServiceProvider::class);
    }
}

// .env for production:
APP_DEBUG=false
CLOCKWORK_ENABLE=false

If Clockwork must remain installed for development purposes, restrict it to authorized developers with IP-based access rules or authentication middleware (Clockwork's own config/clockwork.php also offers an optional password check, enabled with CLOCKWORK_AUTHENTICATION). Verify that both the /__clockwork/ metadata API and the /clockwork web UI return 404 or 403 in production rather than a JSON document of request metadata; a 200 response with such a body means the tool is still exposed. Additionally, block debugging endpoints at the web server or reverse proxy so the application code is not the only line of defence, and audit production deployments regularly to confirm no development tools are reachable.
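The verification step above can be scripted. The following is an added example, not Invicti's scanner or Clockwork's own code: it probes the paths Clockwork is known to serve and classifies each response as blocked, exposed, or unknown. The /__clockwork/ path comes from this advisory; the /__clockwork/latest and /clockwork paths and the JSON field names (databaseQueries, timelineData, routes, log) are assumptions based on Clockwork's default routing and metadata format and may differ between versions.

```python
"""Check whether a deployment still serves Clockwork endpoints (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Paths to probe: the metadata API path named in the advisory, the "latest
# request" API path and the web UI path (the latter two are assumed defaults).
PROBE_PATHS = ("/__clockwork/", "/__clockwork/latest", "/clockwork")

# Top-level keys Clockwork places in its per-request JSON metadata (assumed).
CLOCKWORK_JSON_MARKERS = {"databaseQueries", "timelineData", "routes", "log"}


def classify_response(status, body, content_type=""):
    """Classify one probe as 'blocked', 'exposed' or 'unknown'.

    'blocked'  - 401/403/404: the hardened result a production host should give.
    'exposed'  - a 200 whose body is Clockwork request metadata or its web UI.
    'unknown'  - anything else (e.g. the app's own page), worth a manual look.
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "unknown"
    # Metadata API: a JSON object carrying Clockwork's collector fields.
    if "json" in content_type.lower() or body.lstrip().startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if isinstance(data, dict) and CLOCKWORK_JSON_MARKERS & set(data):
            return "exposed"
    # Web UI: an HTML document that names Clockwork (heuristic).
    html = body.lower()
    if "<html" in html and "clockwork" in html:
        return "exposed"
    return "unknown"


def probe(base_url, path, timeout=5):
    """Fetch base_url + path and return (status, body, content_type)."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "clockwork-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, body, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        body = err.read(65536).decode("utf-8", "replace")
        return err.code, body, err.headers.get("Content-Type", "")
    except urllib.error.URLError:
        # Connection refused, DNS failure etc.: nothing to classify.
        return 0, "", ""


def check_site(base_url, fetch=probe):
    """Probe every path and map it to a verdict; fetch is injectable for tests."""
    return {path: classify_response(*fetch(base_url, path)) for path in PROBE_PATHS}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    results = check_site(target)
    for path, verdict in results.items():
        print(f"{path:22} {verdict}")
    # Non-zero exit when any path still serves Clockwork, for use in deploy checks.
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it against the production origin after deployment (python3 clockwork_check.py https://app.example.com); an exit status of 1 means at least one Clockwork path is still reachable. Run it against the origin directly as well as through any CDN or proxy, since a block rule at the edge does not prove the application itself has the tool disabled.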
