At the moment the code is exporting the complete configuration of all health resource to the ui. This means some highly sensitive information is exported, like the APP_KEY (used for encryption), database or external service credentials. But there's absolutely no need to export anything of it. The code should be cleaned to only export relevant information for the ui and never ever (!) export any of the resource configuration options as they may contain very sensitive information. They should never be transmitted!

One could argue that the health panel should only be visible to administrators and route middleware should be configured to ensure this, but...

• Most people will use it without further configuration. I mean who would expect his database credentials embedded in a health page.
• If no HTTPs is used this information is sent in plaintext on the web
• This information may be cached by the browser. I hope you are never opening it from anywhere than your devices.
• There may be many more reasons.

At the moment using this plugin is in my humble opinion a very hard security breach.

I haven't even thought about this, this is enough for me to not use it until it's changed. The project is really good, but I can't have this security flaw.