X-Debug-Token Information Leak

ID

x_debug_token_information_leak

Severity

low

Kind

Information Disclosure

CWE

489

Description

The response contained an X-Debug-Token or X-Debug-Token-Link header. This indicates that Symfony’s Profiler may be in use and exposing sensitive data.

Rationale

Symfony’s Profiler exposes detailed debugging information, including executed queries, rendered templates, the security context, configuration parameters, and performance metrics, through a web interface that is reached via the debug token. When the profiler is exposed in production, an attacker who sees the X-Debug-Token header can open the profiler URL constructed from its value and view sensitive application internals: extract database schema information, discover authentication mechanisms, identify framework vulnerabilities, or locate configuration weaknesses that facilitate further exploitation.

Remediation

Limit access to Symfony’s Profiler, either by requiring authentication/authorization or by restricting the profiler (and therefore the header) to specific clients, e.g. by IP address.
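The following Symfony configuration is an added example and is not part of this finding, nor taken from Symfony’s own recipes. It shows the weak setting (profiler enabled for every environment, profiler paths exempt from the firewall) beside the corrected one (profiler scoped to dev/test, and, where it must stay on in a shared environment, gated behind a role and an IP allow-list). The file paths follow the usual Symfony Flex layout; the role name ROLE_ADMIN and the IP ranges are placeholders, and the "when@<env>" syntax assumes Symfony 5.4 or later.

```yaml
# Added example, not the finding's or Symfony's own code.
# Assumes Symfony 5.4+ with the "when@<env>" config syntax; separate files are
# shown as separate YAML documents (---) so the snippet stays parseable.

# --- WEAK: config/packages/framework.yaml --------------------------------
# A top-level profiler block applies to every environment, so production
# responses carry X-Debug-Token / X-Debug-Token-Link and /_profiler is live.
framework:
    profiler:
        enabled: true
---
# --- CORRECTED: config/packages/web_profiler.yaml ------------------------
# Scope the profiler and toolbar to dev (and test). With no framework.profiler
# block in prod, the profiler is not registered and the headers are not sent.
when@dev:
    web_profiler:
        toolbar: true
        intercept_redirects: false
    framework:
        profiler:
            only_exceptions: false

when@test:
    web_profiler:
        toolbar: false
        intercept_redirects: false
    framework:
        profiler:
            collect: false
---
# --- WEAK: config/packages/security.yaml ---------------------------------
# The default "dev" firewall switches security off for the profiler paths, so
# access_control rules never run there and anyone holding a token can open
# /_profiler/<token>. Acceptable only where the profiler is dev-only.
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
---
# --- CORRECTED: config/packages/security.yaml (profiler kept on, e.g. staging)
# Remove the unauthenticated "dev" firewall for this environment so the
# profiler paths fall under the normal firewall, then require both a role
# (ROLE_ADMIN is a placeholder) and an allow-listed client IP (placeholders).
# The second rule denies every request that did not match the first.
security:
    access_control:
        - { path: ^/(_profiler|_wdt), roles: ROLE_ADMIN, ips: [127.0.0.1, ::1, 10.0.0.0/8] }
        - { path: ^/(_profiler|_wdt), roles: ROLE_NO_ACCESS }
```

The first pair is the preferred fix: if the profiler is not registered in production, the X-Debug-Token headers disappear with it and there is nothing to gate. The second pair applies only where a non-dev environment genuinely needs the profiler; the IP allow-list alone is not sufficient when the application sits behind a proxy unless trusted proxies are configured so that the client IP is resolved correctly.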