tighten / ziggy

Use your Laravel routes in JavaScript.
MIT License

Exclude some routes by default #579

Closed bakerkretzmar closed 1 year ago

bakerkretzmar commented 2 years ago
hawkiq commented 2 years ago

It's a simple operation: you create ziggy.php in the config folder if you are using Laravel.

<?php 
return [
    'except' => ['sanctum.*','ignition*'],
];
alnutile commented 2 years ago

Does anyone else feel this is a bit of a security risk? I mean I know security by obscurity is 💩 but making it this easy (since there is no sitemap.xml) to find all these routes for someone to explore concerns me. Just curious what others think. Thanks!

alnutile commented 2 years ago

btw I made the ziggy.php and it helped a bit; here is a copy if anyone wants it.

<?php 
return [
    'except' => [
        'sanctum.*',
        'debugbar.*',
        'default.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'vapor-*',
        'dusk.*',
    ],
];
bakerkretzmar commented 2 years ago

@alnutile by "this" do you mean... Ziggy? 😂

Personally no, I don't think dumping out all your named routes into the page source is a security risk. Any routes that are remotely 'sensitive' should be protected with authentication, if they aren't then that's the security risk, not Ziggy exposing their existence to users. Technically no route can really be 'secret' or entirely hidden, but if that's something an app relies on it should be excluded from Ziggy during setup (and probably protected in other ways anyway, like by signing it). We do mention this in the docs: https://github.com/tighten/ziggy#installation

That config is helpful, thanks! I didn't know Dusk registered routes.

ankurk91 commented 1 year ago

I tried in the past but no luck :(

https://github.com/tighten/ziggy/pull/100

laserhybiz commented 1 year ago
<?php
return [
    'except' => [
        'debugbar.*',
        'dusk.*',
        'horizon.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'sanctum.*',
        'telescope.*',
        'vapor-*',
    ],
];
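To check what an `except` list like the ones above actually hides before relying on it, here is an added example (not Ziggy's or Laravel's own code) that applies the patterns to a constructed list of route names using Laravel `Str::is`-style wildcard matching, which is assumed to be the semantics Ziggy uses; the route names are made up for the demonstration.

```php
<?php
// Added example, not part of Ziggy: dry-run a Ziggy 'except' list against
// route names to see which names would still be emitted to the page source.
// Matching assumed to follow Laravel Str::is: '*' matches any characters,
// everything else is literal, and the pattern is anchored at both ends.

/** Convert a Ziggy 'except'/'only' pattern to an anchored regex. */
function patternToRegex(string $pattern): string
{
    return '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/';
}

/** Return the route names that survive the 'except' filter. */
function exposedRoutes(array $routeNames, array $except): array
{
    $regexes = array_map('patternToRegex', $except);

    return array_values(array_filter($routeNames, function (string $name) use ($regexes): bool {
        foreach ($regexes as $regex) {
            if (preg_match($regex, $name)) {
                return false; // matched an 'except' pattern: hidden from Ziggy output
            }
        }
        return true; // no pattern matched: this name reaches the browser
    }));
}

// Constructed sample route names (hypothetical; not taken from any real package).
$routes = [
    'home', 'login', 'dashboard',
    'sanctum.csrf-cookie',
    'ignition.healthCheck',
    'nova.pages.home', 'nova-api.search',
    'telescope.index',
    'horizon.index',
    'admin.users.destroy',
];

$except = ['sanctum.*', 'ignition.*', 'nova-*', 'nova.*', 'telescope.*', 'horizon.*'];

foreach (exposedRoutes($routes, $except) as $name) {
    echo $name, PHP_EOL;
}
// Names that match no pattern (for instance 'admin.users.destroy') are still
// emitted: 'except' only removes a name from the page source, it does not
// protect the route itself; that is the job of auth middleware or signing.
```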