Level 50
Route URLs aren't sensitive information per se, but if you want to hide them, read this section from Ziggy's docs.
Sep 24, 2025
2
Level 1
How to hide some information in data-page?
I successfully deployed a project with Laravel 12 + React + TSX and discovered that even the admin routes are visible in the data-page HTML.
Here's my HandleInertiaRequests
<?php
namespace App\Http\Middleware;
use Illuminate\Http\Request;
use Inertia\Middleware;
use Mcamara\LaravelLocalization\Facades\LaravelLocalization;
use Tighten\Ziggy\Ziggy;
class HandleInertiaRequests extends Middleware
{
/**
* The root template that is loaded on the first page visit.
*
* @var string
*/
protected $rootView = 'app';
/**
* Determine the current asset version.
*/
public function version(Request $request): ?string
{
return parent::version($request);
}
/**
* Define the props that are shared by default.
*
* @return array<string, mixed>
*/
public function share(Request $request): array
{
return [
...parent::share($request),
'auth' => [
'user' => $request->user() ? $request->user()->load('permissions', 'roles')->append(['avatar_url', 'isAdminRole']) : null,
],
'ziggy' => fn () => [
...(new Ziggy)->toArray(),
'location' => $request->url(),
],
'locale' => LaravelLocalization::getCurrentLocale(),
'languages' => collect(LaravelLocalization::getSupportedLocales())->map(function ($properties, $code) {
return [
'code' => $code,
'name' => $properties['name'],
'native' => $properties['native'],
'url' => LaravelLocalization::getLocalizedURL($code, null, [], true),
];
})->toArray(),
'translations' => $this->getTranslations(),
'recaptchaSiteKey' => config('services.recaptcha.site_key'),
];
}
private function getTranslations(): array
{
$locale = LaravelLocalization::getCurrentLocale();
return [
'common' => trans('common', [], $locale),
'navbar' => trans('navbar', [], $locale),
'home' => trans('home', [], $locale),
'article' => trans('article', [], $locale),
'footer' => trans('footer', [], $locale),
'announcer' => trans('announcer', [], $locale),
'videos' => trans('videos', [], $locale),
'profile' => trans('profile', [], $locale),
'auth' => trans('auth', [], $locale),
'streams' => trans('streams', [], $locale),
'telegram_bot' => trans('telegram_bot', [], $locale),
'chat' => trans('chat', [], $locale),
];
}
}
Here's my ssr.tsx:
import { createInertiaApp } from '@inertiajs/react';
import createServer from '@inertiajs/react/server';
import { resolvePageComponent } from 'laravel-vite-plugin/inertia-helpers';
import ReactDOMServer from 'react-dom/server';
import { RouteName } from 'ziggy-js';
import { route } from 'ziggy-js';
import { TranslationsProvider } from '@/Contexts/TranslationsContext';
import ToastProvider from '@/Components/UI/ToastProvider';
const appName = import.meta.env.VITE_APP_NAME || 'Laravel';
createServer((page) =>
createInertiaApp({
page,
render: ReactDOMServer.renderToString,
title: (title) => `${title} - ${appName}`,
resolve: (name) =>
resolvePageComponent(
`./Pages/${name}.tsx`,
import.meta.glob('./Pages/**/*.tsx'),
),
setup: ({ App, props }) => {
/* eslint-disable */
// @ts-expect-error
global.route<RouteName> = (name, params, absolute) =>
route(name, params as any, absolute, {
...page.props.ziggy,
location: new URL(page.props.ziggy.location),
});
/* eslint-enable */
return (
<App {...props}>
{({ Component, key, props }) => (
<TranslationsProvider>
<ToastProvider>
<Component key={key} {...props} />
</ToastProvider>
</TranslationsProvider>
)}
</App>
);
},
}),
);
How to hide such sensitive information about admin routes?
Level 80
@trav1s By not sending any data to the page. Inertia is client-side. If you don’t want data to be visible there, don’t send it in the first place.
Please or to participate in this conversation.