Laravel Horizon open
Description
Laravel Horizon, a queue monitoring dashboard for Laravel applications, is publicly accessible without authentication. Horizon provides detailed insights into queue operations, job processing, and application internals. When exposed in production environments, it reveals sensitive configuration details, database information, job payloads, and application architecture that should remain confidential.
Remediation
Restrict access to Laravel Horizon in production environments using one of the following methods:
1. Configure Horizon authorization in app/Providers/HorizonServiceProvider.php:

use Illuminate\Support\Facades\Gate;

// In HorizonServiceProvider (extends Laravel\Horizon\HorizonApplicationServiceProvider).
// Horizon grants access automatically in the "local" environment; this gate governs all others.
protected function gate(): void
{
    Gate::define('viewHorizon', function ($user) {
        return in_array($user->email, [
            'admin@example.com',
        ]);
    });
}

2. Disable Horizon entirely in production by removing it from the deployment or setting HORIZON_ENABLED=false in your environment configuration.

3. Implement IP-based access restrictions in your web server configuration to limit access to trusted networks only.

4. Use middleware to protect the /horizon route with authentication requirements in routes/web.php.
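Steps 3 and 4 above can also be combined inside the application as a single middleware attached to every Horizon route through the middleware option in config/horizon.php. The following is an added example, not code from the page or from the Horizon project; the class name, file path and the 10.0.0.0/8 allow-list are assumptions to adjust per deployment.

```php
<?php
// app/Http/Middleware/RestrictHorizonAccess.php (assumed file name and class)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictHorizonAccess
{
    /** Trusted networks allowed to reach the dashboard (constructed example value). */
    private const ALLOWED_CIDRS = ['10.0.0.0/8'];

    public function handle(Request $request, Closure $next): Response
    {
        // First require an authenticated user; anonymous requests never see Horizon.
        if (! $request->user()) {
            abort(403, 'Horizon access is restricted.');
        }

        // Then require that the client address lies inside a trusted network.
        if (! $this->ipAllowed($request->ip())) {
            abort(403, 'Horizon access is restricted.');
        }

        return $next($request);
    }

    /** True when $ip is an IPv4 address inside one of ALLOWED_CIDRS. */
    private function ipAllowed(?string $ip): bool
    {
        if ($ip === null || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false; // non-IPv4 sources are denied rather than guessed at
        }
        foreach (self::ALLOWED_CIDRS as $cidr) {
            [$subnet, $bits] = explode('/', $cidr);
            $mask = -1 << (32 - (int) $bits);
            if ((ip2long($ip) & $mask) === (ip2long($subnet) & $mask)) {
                return true;
            }
        }
        return false;
    }
}

// config/horizon.php: apply the middleware to all Horizon routes.
// 'middleware' => ['web', \App\Http\Middleware\RestrictHorizonAccess::class],
```

After deploying, confirm the fix by requesting /horizon without a session from outside the allowed range and verifying that the response is 403 rather than the dashboard.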