X-ChromeLogger-Data (XCOLD) Header Information Leak
ID | x_chromelogger_data_xcold_header_information_leak
Severity | high
Kind | Information Disclosure
CWE | 532
Description
The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of this header is whatever the developer chose to log, so it varies between applications, but it commonly contains server file system paths (from the backtrace attached to each log entry), vhost and configuration details, query strings, and the values of variables that were being debugged.
Rationale
The X-ChromeLogger-Data header carries server-side debugging output to the browser as a base64-encoded JSON document. Its rows hold the logged values, the file and line the log call was made from, and the log level, so a single response can reveal absolute file system paths, database queries, variable contents, error messages, authentication tokens, or configuration details that were never intended to reach production. Anyone who can make a request to the server can decode the header; no browser extension is needed. The result is detailed knowledge of application internals that lets an attacker target subsequent attacks at the specific code paths, files, and misconfigurations that were disclosed.
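The decoder below is an added example and not part of the original advisory or of any ChromeLogger implementation. It assumes the ChromeLogger wire format (a base64-encoded UTF-8 JSON object with `version`, `columns` and `rows`, each row holding the logged values, a backtrace string and a type), locates the header in a response's headers regardless of case, decodes it, and reports the file paths and secret-looking keys an attacker would pull out of it. The sample header, the `shop` application paths and the `db_pass` value are constructed for this example.

```python
"""Decode and triage an X-ChromeLogger-Data / X-ChromePhp-Data header.

Added example; the header layout below follows the ChromeLogger protocol
(base64 of a JSON object with "version", "columns", "rows"). The sample
payload is constructed and does not come from any real application.
"""
import base64
import json
import re
from typing import Any, Dict, List, Optional, Tuple

HEADER_NAMES = ("x-chromelogger-data", "x-chromephp-data")

# Absolute Unix or Windows paths, optionally followed by " : <line>" as
# ChromePhp writes in its backtrace column.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[\w.\-\\/]+\.\w+(?:\s*:\s*\d+)?")
# Heuristic: keys whose values should be treated as leaked credentials.
SECRET_KEY_RE = re.compile(r"(pass|pwd|secret|token|key|auth|session|cookie)", re.I)


def find_header(headers: Dict[str, str]) -> Optional[str]:
    """Return the ChromeLogger header value, whatever casing the server used."""
    for name, value in headers.items():
        if name.lower() in HEADER_NAMES:
            return value
    return None


def decode_header(value: str) -> Dict[str, Any]:
    """Base64-decode the header (tolerating stripped padding) and parse the JSON envelope."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    data = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
    if not isinstance(data, dict) or "rows" not in data:
        raise ValueError("not a ChromeLogger payload")
    return data


def _walk(obj: Any, path: str, findings: List[Tuple[str, str]]) -> None:
    """Recursively collect absolute paths and secret-looking key/value pairs."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if SECRET_KEY_RE.search(str(k)) and isinstance(v, (str, int)):
                findings.append(("secret", f"{path}{k}={v}"))
            _walk(v, f"{path}{k}.", findings)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            _walk(v, f"{path}{i}.", findings)
    elif isinstance(obj, str):
        for m in PATH_RE.findall(obj):
            findings.append(("path", m))


def triage(value: str) -> Dict[str, Any]:
    """Decode one header value and summarise what it discloses."""
    data = decode_header(value)
    columns = data.get("columns", ["log", "backtrace", "type"])
    findings: List[Tuple[str, str]] = []
    rows = data["rows"]
    for row in rows:
        entry = dict(zip(columns, row))
        backtrace = entry.get("backtrace")
        if isinstance(backtrace, str):
            for m in PATH_RE.findall(backtrace):
                findings.append(("path", m))
        _walk(entry.get("log"), "log.", findings)
    return {
        "version": data.get("version"),
        "entries": len(rows),
        "paths": sorted({f for kind, f in findings if kind == "path"}),
        "secrets": sorted({f for kind, f in findings if kind == "secret"}),
    }


# Constructed sample: what a debug-logging shop application might emit.
SAMPLE_PAYLOAD = {
    "version": "4.1.0",
    "columns": ["log", "backtrace", "type"],
    "rows": [
        [["DB connect"], "/var/www/shop/app/Db.php : 58", "info"],
        [[{"___class_name": "Config", "db_host": "db.internal", "db_pass": "s3cr3t"}],
         "/var/www/shop/app/Bootstrap.php : 17", ""],
        [["Included /etc/shop/vhost.conf"], None, "warn"],
    ],
}
SAMPLE_HEADER = base64.b64encode(json.dumps(SAMPLE_PAYLOAD).encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    response_headers = {"Content-Type": "text/html", "X-ChromeLogger-Data": SAMPLE_HEADER}
    header = find_header(response_headers)
    if header:
        print(json.dumps(triage(header), indent=2))
```

In a real test the `response_headers` dict is replaced by the headers of a live response. Some server-side handlers only emit the header when the request's User-Agent identifies Chrome or Firefox (Monolog's ChromePHPHandler does this), so send a browser-like User-Agent before concluding the header is absent.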
Remediation
Disable this functionality in production, where it can leak information an attacker can leverage: remove or disable the ChromeLogger/ChromePhp handler in the production configuration rather than relying on it being unused, and verify with a request carrying a browser-like User-Agent that the header is no longer returned, since some handlers only emit it for browsers they recognise. If the capability is genuinely needed for troubleshooting, tie it to a strong authorization check so that it is available only to administrators or support personnel and never to general users.