HawkScan Test Info for X-Debug-Token Information Leak

X-Debug-Token Information Leak


Plugin Id: 10056 | CWE: 200


To remediate the vulnerability “X-Debug-Token Information Leak,” you should take the following steps:

  1. Disable Symfony’s Profiler in production: Ensure that Symfony’s Profiler is disabled in your production environment to prevent the exposure of sensitive data. This can be done by setting the profiler option to false in your Symfony configuration file (config/packages/profiler.yaml):

    # config/packages/profiler.yaml
        enabled: false
  2. Remove X-Debug-Token and X-Debug-Token-Link headers: Remove any occurrences of the X-Debug-Token and X-Debug-Token-Link headers from your server’s response. This can be done by modifying your web server configuration (e.g., Apache or Nginx) to exclude these headers. For example, in an Apache .htaccess file, you can use the Header directive to unset these headers:

    # .htaccess
    Header unset X-Debug-Token
    Header unset X-Debug-Token-Link


The vulnerability “X-Debug-Token Information Leak” occurs when the server’s response contains the X-Debug-Token or X-Debug-Token-Link header. These headers are typically used by Symfony’s Profiler, a development tool that provides detailed information about the application’s performance and debugging data. However, exposing these headers in a production environment can lead to the leakage of sensitive information.


The risks associated with the “X-Debug-Token Information Leak” vulnerability include:

  • Exposure of sensitive data: The presence of the X-Debug-Token or X-Debug-Token-Link header in the server’s response can expose sensitive information, such as database credentials, API keys, or other confidential data.
  • Information disclosure: Attackers can exploit this vulnerability to gain insights into the application’s internal workings, potentially aiding them in further attacks or exploitation.
  • Violation of compliance requirements: Depending on the nature of the exposed data, the vulnerability may lead to non-compliance with data protection regulations, industry standards, or internal security policies.