Laravel Health Monitor open
Description
The Laravel Health Monitor package is publicly accessible without authentication. This monitoring tool exposes detailed system diagnostics including application configuration, database connections, cache status, filesystem information, and installed dependencies. When left accessible in production environments, it provides attackers with a comprehensive map of the application's internal architecture and potential weaknesses.
Remediation
Immediately restrict access to the Laravel Health Monitor in production environments using one of the following methods:
1. Disable the Health Monitor entirely by removing or commenting out the service provider in config/app.php:
    // Remove or comment out:
    // PragmaRX\Health\ServiceProvider::class,
2. Restrict access using middleware authentication in your routes file:
    Route::middleware(['auth', 'admin'])->group(function () {
        Route::get('health', '\PragmaRX\Health\Http\Controllers\Health@check');
    });
3. Limit access by IP address in your web server configuration or use environment-based route registration to ensure the Health Monitor is only available in non-production environments:
    if (app()->environment('local', 'staging')) {
        Route::get('health', '\PragmaRX\Health\Http\Controllers\Health@check');
    }
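Steps 2 and 3 can be combined into one reusable middleware so the rule is enforced in one place. The following is an added example, not code from the pragmarx/health package or from this page; the class name, the config key health-access.allowed_ips and the choice of a 404 response are assumptions.

```php
<?php
// Hypothetical file: app/Http/Middleware/RestrictHealthMonitor.php (example, not package code)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\IpUtils;

class RestrictHealthMonitor
{
    /**
     * Allow the health endpoint when the app runs in a non-production
     * environment, or when the client IP is on an allowlist. Every other
     * request gets a 404 so the endpoint's existence is not confirmed.
     * Chain this with the 'auth' middleware so allowlisted clients must
     * still log in.
     */
    public function handle(Request $request, Closure $next)
    {
        // Assumed config key; e.g. ['10.0.0.0/8', '203.0.113.4'] in config/health-access.php.
        // IpUtils::checkIp accepts single addresses and CIDR ranges.
        $allowedIps = config('health-access.allowed_ips', ['127.0.0.1', '::1']);

        // Environment gate (step 3): open in local/staging, restricted elsewhere.
        if (app()->environment('local', 'staging')) {
            return $next($request);
        }

        // IP gate (step 3). $request->ip() only reflects X-Forwarded-For when
        // the proxy is listed in the TrustProxies middleware; with an untrusted
        // proxy chain the header is attacker-controlled, so verify that config.
        if (IpUtils::checkIp($request->ip(), $allowedIps)) {
            return $next($request);
        }

        abort(404);
    }
}
```

Register it on the health route together with authentication (step 2), for example `Route::middleware(['auth', \App\Http\Middleware\RestrictHealthMonitor::class])->get('health', '\PragmaRX\Health\Http\Controllers\Health@check');`.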
After implementing restrictions, verify that the Health Monitor endpoint is no longer publicly accessible by testing access without authentication.