Exclude some routes by default #639
Replies: 6 comments
-
It's a simple operation, you create
-
Does anyone else feel this is a bit of a security risk? I mean I know security by obscurity is 💩 but making it this easy (since there is no sitemap.xml) to find all these routes for someone to explore concerns me. Just curious what others think. Thanks!
-
btw I made the ziggy.php and it helped a bit. Here is a copy if anyone wants it:

```php
<?php

// config/ziggy.php: route name patterns Ziggy should leave out of its output
return [
    'except' => [
        'sanctum.*',
        'debugbar.*',
        'default.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'vapor-*',
        'dusk.*',
    ],
];
```
-
@alnutile by "this" do you mean... Ziggy? 😂

Personally no, I don't think dumping out all your named routes into the page source is a security risk. Any routes that are remotely 'sensitive' should be protected with authentication, if they aren't then that's the security risk, not Ziggy exposing their existence to users. Technically no route can really be 'secret' or entirely hidden, but if that's something an app relies on it should be excluded from Ziggy during setup (and probably protected in other ways anyway, like by signing it). We do mention this in the docs: https://github.com/tighten/ziggy#installation

That config is helpful, thanks! I didn't know Dusk registered routes.
-
I tried in the past but no luck :(
-
```php
<?php

// config/ziggy.php: route name patterns Ziggy should leave out of its output
return [
    'except' => [
        'debugbar.*',
        'dusk.*',
        'horizon.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'sanctum.*',
        'telescope.*',
        'vapor-*',
    ],
];
```
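A way to audit what the thread discusses, as an added example that is not part of the discussion and not Ziggy's own code: it applies an `except` list to a set of route names and flags routes that stay exposed without authentication middleware. The route list, the `$reviewedPublic` allowlist and the function names are constructed for illustration, and the matching assumes `*` is a wildcard over the whole route name, as the patterns in the configs above suggest.

```php
<?php
// Added example: stand-alone PHP, no Laravel needed. All route data is constructed.

// The `except` list from the last config posted in the thread.
$except = [
    'debugbar.*', 'dusk.*', 'horizon.*', 'ignition.*', 'nova-*',
    'nova.*', 'sanctum.*', 'telescope.*', 'vapor-*',
];

// Constructed sample: route name => middleware stack.
$routes = [
    'home'                => ['web'],
    'posts.show'          => ['web'],
    'admin.users.index'   => ['web', 'auth'],
    'admin.export'        => ['web'],
    'api.tokens.store'    => ['api', 'auth:sanctum'],
    'horizon.stats.index' => ['web'],
    'telescope.requests'  => ['web'],
    'sanctum.csrf-cookie' => ['web'],
];

// Hypothetical allowlist of routes reviewed as intentionally public.
$reviewedPublic = ['home', 'posts.show'];

// Assumption: "*" matches any run of characters and the whole name must match.
function matchesPattern(string $pattern, string $name): bool
{
    $regex = str_replace('\*', '.*', preg_quote($pattern, '#'));
    return preg_match('#^' . $regex . '\z#u', $name) === 1;
}

// Routes that no `except` pattern covers, i.e. the ones that reach the page source.
function exposedRoutes(array $routes, array $except): array
{
    return array_filter($routes, function (string $name) use ($except): bool {
        foreach ($except as $pattern) {
            if (matchesPattern($pattern, $name)) {
                return false;
            }
        }
        return true;
    }, ARRAY_FILTER_USE_KEY);
}

foreach (exposedRoutes($routes, $except) as $name => $middleware) {
    $hasAuth = (bool) preg_grep('/^auth(:|$)/', $middleware);
    $status = $hasAuth ? 'auth' : (in_array($name, $reviewedPublic, true) ? 'public' : 'REVIEW');
    printf("%-22s %s\n", $name, $status);
}
```

Routes marked `REVIEW` are the ones the maintainer's comment is about: they are listed in the page source and carry no authentication middleware, so they need protection regardless of whether they are also added to `except`.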