With Inertia it's rather common to make a response like the following:

However, without proper serialization guards this can be quite dangerous, since it's easy to send more data to the frontend than needed. Inertia has no safeguards against this, and it would be impossible for Inertia to prevent every piece of secret data from being shared with the frontend. However, we can inspect the type of data that is sent to the frontend.

For this reason I propose an Inertia::strictModels() method, inspired by Laravel's Model::shouldBeStrict() (https://laravel.com/api/11.x/Illuminate/Database/Eloquent/Model.html#method_shouldBeStrict). This should be called in a service provider by the developer. When it is enabled a fairly basic check is performed on each prop:
- If the data is not a model it is allowed; this includes a JsonResource or a Spatie Laravel Data object.
- If it is a model, a check is done to make sure either the hidden or the visible property is filled.

I always use Eloquent's API resources or Spatie's Laravel Data for data that's sent to the frontend; with this it would be easier to enforce this in projects.
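The check described above, applied to the kind of "bare model in the props" response the proposal warns about, as an added example; this is not code from the proposal or from the Inertia code base. It assumes a Laravel application with inertiajs/inertia-laravel installed. The StrictModels class, its guardProps() method, the Invoices/Show page and the User/Invoice models are hypothetical names chosen for the illustration, and the check is applied as a wrapper around the props array because the example cannot hook into Inertia's own render path.

```php
<?php
// Added example, not part of the Inertia proposal or the Inertia code base.
// Assumes a Laravel application with inertiajs/inertia-laravel installed.
// StrictModels, guardProps() and the page/model names below are hypothetical.

namespace App\Support;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Resources\Json\JsonResource;
use LogicException;

final class StrictModels
{
    private static bool $enabled = false;

    // Call once from a service provider's boot(), like Model::shouldBeStrict().
    public static function enable(bool $enabled = true): void
    {
        self::$enabled = $enabled;
    }

    /**
     * Inspect the props that are about to be handed to Inertia::render().
     * Throws for any Eloquent model that declares neither $hidden nor $visible,
     * because such a model serializes every attribute, including columns the
     * frontend was never meant to see. Everything else passes through unchanged.
     */
    public static function guardProps(array $props): array
    {
        if (self::$enabled) {
            foreach ($props as $key => $value) {
                self::inspect($value, "props.{$key}");
            }
        }

        return $props;
    }

    private static function inspect(mixed $value, string $path): void
    {
        if ($value instanceof Model) {
            // The proposed rule: a bare model is only allowed if it carries an
            // explicit allowlist ($visible) or denylist ($hidden) of attributes.
            if ($value->getHidden() === [] && $value->getVisible() === []) {
                throw new LogicException(sprintf(
                    '%s: %s is sent to the frontend without $hidden or $visible; ' .
                    'wrap it in a JsonResource/Data object or declare the attributes to expose.',
                    $path,
                    $value::class,
                ));
            }

            return;
        }

        // Resources (and ResourceCollection, which extends JsonResource) decide
        // their own output shape, so they are accepted without looking inside.
        if ($value instanceof JsonResource) {
            return;
        }

        // Walk plain arrays and Eloquent collections so nested models are not missed.
        if (is_iterable($value)) {
            foreach ($value as $key => $item) {
                self::inspect($item, "{$path}.{$key}");
            }
        }

        // Scalars, Spatie Data objects and similar value objects are allowed.
        // Closures and Inertia's lazy prop objects are NOT evaluated here, so a
        // lazy prop that later resolves to a bare model is not caught by this example.
    }
}

// --- Usage, for illustration only (hypothetical models and page) ---
//
// In AppServiceProvider::boot():
//     \App\Support\StrictModels::enable();
//
// In a controller, with User declaring $hidden = ['password', 'remember_token']
// and Invoice declaring neither $hidden nor $visible:
//     return Inertia::render('Invoices/Show', StrictModels::guardProps([
//         'user'    => $request->user(),         // passes: $hidden is filled
//         'invoice' => Invoice::findOrFail($id), // throws: every column would be serialized
//     ]));
```

Two caveats that follow from how the check works: a filled $hidden satisfies it but is still a denylist, so a column added to the table later is exposed until someone remembers to hide it, whereas $visible is an allowlist and fails closed; and the check only sees what is in the props array at render time, so anything resolved lazily has to be checked at the point where it is resolved.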