
Tarasovych

How can I hide admin routes?

In my project I have some admin routes.

Route::group(['as' => 'admin.', 'prefix' => 'admin', 'middleware' => ['auth', 'role:admin']], function () {
    ...
});

If a non-authenticated user tries to go to site/admin, he'll get 302 Found and a redirect due to vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php:

protected function unauthenticated($request, AuthenticationException $exception)
{
    return $request->expectsJson()
                ? response()->json(['message' => $exception->getMessage()], 401)
                : redirect()->guest(route('login'));
}

I want to hide admin routes somehow, because if a user gets a 302 instead of a 200 response, he'd know that site/admin has some content. A bad user might start to hack. What's the best practice? Move the admin functionality to another domain?

0 likes
7 replies
gregrobson
Level 6

GitHub's approach is to throw a 404 if you try using the API to guess repositories that you don't have access to, which makes it harder for hackers to know if there is even something to attack.

A possible solution is to use a middleware to check the route and authentication status. If they are accessing admin but do not have privileges (not logged in or not admin), return a 404 response.

2 likes
Cronix

I suppose you can always abort(404); instead of returning a redirect.

2 likes
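One way to implement the 404 approach gregrobson and Cronix describe, as an added example that is not part of the original thread: a Laravel middleware that answers `abort(404)` to anyone who is not an authenticated admin, so an unauthenticated request to /admin gets the same response as a request to a path that does not exist. Assumed for this example (not given in the thread): the User model exposes a `hasRole(string): bool` method, and the class name `HideAdminRoutes` and the alias `admin.hidden` are invented here.

```php
<?php
// Added example, not code from the original thread. It answers 404 instead
// of 302 to anyone who is not an authenticated admin, so /admin cannot be
// told apart from a non-existent path by the status code.
// Assumptions: User::hasRole(string): bool exists; the class name
// HideAdminRoutes and the alias 'admin.hidden' are invented for this example.

// --- app/Http/Middleware/HideAdminRoutes.php ---
namespace App\Http\Middleware {

    use Closure;
    use Illuminate\Http\Request;

    class HideAdminRoutes
    {
        /**
         * Give "not logged in" and "logged in but not admin" the same 404,
         * so neither response reveals that the route exists.
         */
        public function handle(Request $request, Closure $next)
        {
            $user = $request->user();

            if ($user === null || ! $user->hasRole('admin')) {
                // abort(404) throws NotFoundHttpException; the exception
                // handler renders it with the same 404 view a made-up URL
                // gets, so the two responses are indistinguishable.
                abort(404);
            }

            return $next($request);
        }
    }
}

// --- app/Http/Kernel.php (excerpt) ---
namespace App\Http {

    class Kernel extends \Illuminate\Foundation\Http\Kernel
    {
        // Register the alias used by the route group below.
        // (Laravel 10+ renamed this property to $middlewareAliases.)
        protected $routeMiddleware = [
            'admin.hidden' => \App\Http\Middleware\HideAdminRoutes::class,
            // ... keep the framework's default aliases ('auth', 'can', ...) here
        ];
    }
}

// --- routes/web.php (excerpt) ---
namespace {
    use Illuminate\Support\Facades\Route;

    // 'auth' is deliberately NOT in this list: Authenticate sits in the
    // kernel's $middlewarePriority, so it would run before admin.hidden and
    // still send guests a 302 to /login. admin.hidden does both checks itself.
    Route::group([
        'as' => 'admin.',
        'prefix' => 'admin',
        'middleware' => ['admin.hidden'],
    ], function () {
        Route::get('/', 'AdminController@index')->name('dashboard');
    });
}
```

Two things to check after wiring this in: the 404 must be rendered by the same handler and view as a random unknown path (a different custom error page or a noticeably different response size would undo the hiding), and every route under the prefix, including any that previously relied only on `auth`, must carry the new middleware, since a single forgotten route that still redirects reveals the prefix. The same effect can be achieved by overriding `unauthenticated()` in App\Exceptions\Handler to call `abort(404)` for admin paths, but the middleware keeps the decision next to the routes it protects.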
Helmchen

I would probably be on the phone all day, having to explain to the customer why the site suddenly no longer exists.

that's no fun :-/

What's so bad about seeing the backend? I would just make it harder to hack ;)

If it's just for one person, you can do that, but for customer projects I'd forget the '404' idea; they make bookmarks of every single page, excluding the login :P

But to answer the question: maybe a not-so-common prefix is a start, any string except 'backend' or 'admin' or 'secure'.

1 like
biishmar

@Tarasovych

Create a middleware, check whether the user has admin access or not, and redirect to the home page with a message and display it. Apply that middleware to the admin access routes.

Note: use a route group for admin.

1 like
JayD

I also have a different question (after reading these replies): do you mean that if a user (not allowed) goes to the path /admin they get a 404 back???

If yes, does this also work for the /login route?

I would love to make a front-end with articles and information, but only want a select few to be able to log in (without my readers noticing whether they can log in or not).

Hope you understand what I mean!!

1 like
Helmchen

@JayD

You don't know WHO the user is unless he authenticates, so hiding the login is kind of "problematic".

1. Use a unique URI /login89a7wd8a9wd9aw7da7wd0 and share it

2. LDAP / Kerberos Single-Sign-On (requires an ActiveDirectory/Domain Controller) https://danieljamesscott.org/10-articles/configuration-guides/9-apache-kerberos-and-ldap-integration.html

3. Subdomain

4. Implement some "Konami Code"-like keyboard shortcuts in JS to trigger the login page =)

<- <- <- ^ ^ L -> O -> G -> I -> N lol

I need some sleep

2 likes
ricardovigatti

Just block by IP, use a unique URL, or use a method that can authenticate the user at a separate URL.

2 likes
