Closed bakerkretzmar closed 1 year ago
Its simple operation: you create ziggy.php in the config folder if you are using Laravel.

```php
<?php
return [
    'except' => ['sanctum.*', 'ignition*'],
];
```
Does anyone else feel this is a bit of a security risk? I mean I know security by obscurity is 💩 but making it this easy (since there is no sitemap.xml) to find all these routes for someone to explore concerns me. Just curious what others think. Thanks!
BTW, I made the ziggy.php and it helped a bit. Here is a copy if anyone wants it:

```php
<?php
return [
    'except' => [
        'sanctum.*',
        'debugbar.*',
        'default.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'vapor-*',
        'dusk.*',
    ],
];
```
@alnutile by "this" do you mean... Ziggy? 😂
Personally no, I don't think dumping out all your named routes into the page source is a security risk. Any routes that are remotely 'sensitive' should be protected with authentication, if they aren't then that's the security risk, not Ziggy exposing their existence to users. Technically no route can really be 'secret' or entirely hidden, but if that's something an app relies on it should be excluded from Ziggy during setup (and probably protected in other ways anyway, like by signing it). We do mention this in the docs: https://github.com/tighten/ziggy#installation
That config is helpful, thanks! I didn't know Dusk registered routes.
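To see what an `except` list like the one above actually hides, here is an added example (not Ziggy's or Laravel's own code) that applies the patterns to a constructed set of route names. It assumes Ziggy matches `except` entries the way Laravel's `Str::is()` does: `*` matches any run of characters and the pattern must cover the whole route name.

```php
<?php
// Added example, not part of Ziggy. Assumption: 'except' patterns behave like
// Laravel's Str::is(): '*' is a wildcard and the whole route name must match.

/** Convert one wildcard pattern into an anchored regular expression. */
function patternToRegex(string $pattern): string
{
    // Escape regex metacharacters, then turn the escaped '\*' back into '.*'.
    $quoted = preg_quote($pattern, '#');
    return '#^' . str_replace('\*', '.*', $quoted) . '\z#u';
}

/** True when the route name matches any of the 'except' patterns. */
function isExcluded(string $routeName, array $except): bool
{
    foreach ($except as $pattern) {
        if (preg_match(patternToRegex($pattern), $routeName) === 1) {
            return true;
        }
    }
    return false;
}

/** Split route names into those Ziggy would still publish and those it would drop. */
function partitionRoutes(array $routeNames, array $except): array
{
    $result = ['exposed' => [], 'excluded' => []];
    foreach ($routeNames as $name) {
        $result[isExcluded($name, $except) ? 'excluded' : 'exposed'][] = $name;
    }
    return $result;
}

// The 'except' list shared earlier in this thread.
$except = ['sanctum.*', 'debugbar.*', 'ignition.*', 'nova-*', 'nova.*', 'vapor-*', 'dusk.*'];

// Constructed sample route names (not taken from a real application).
$routeNames = [
    'home', 'login', 'admin.users.index', 'internal.export',
    'sanctum.csrf-cookie', 'nova.login', 'nova-api.resources',
    'debugbar.openhandler', 'ignition.healthCheck',
];

$split = partitionRoutes($routeNames, $except);
echo "Excluded from Ziggy: " . implode(', ', $split['excluded']) . PHP_EOL;
echo "Still published:     " . implode(', ', $split['exposed']) . PHP_EOL;
// 'admin.users.index' and 'internal.export' remain published: excluding a
// route only hides its name, so they still need auth middleware or signing.
```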
I tried in the past but no luck :(

```php
<?php
return [
    'except' => [
        'debugbar.*',
        'dusk.*',
        'horizon.*',
        'ignition.*',
        'nova-*',
        'nova.*',
        'sanctum.*',
        'telescope.*',
        'vapor-*',
    ],
];
```