Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Hi, When we use Ziggy in our Laravel Vue app, it list all routs and show it to users as a public information in source code. but what if I don't want user see my Admin section routs?
For example, I dont want user see I have a /admin/newadmin/create route for any reason. How I should prevent that?
How I should config Ziggy to list all my guest and user regestered areas but don't list (or list but don't show to users) admin part of my web.php file?
Thank you.
It could effectively be a security problem if you let any user know all the existing routes of your application.
You can customize which routes are shared via Ziggy.
https://github.com/tighten/ziggy#filtering-routes
I suggest you to filter the routes using groups.
A user can always guess a route, and try to do something they shouldn't be allowed to do. It's your job as the developer to secure both front end and back end so that unauthorized users can't do those things.
Regardless if the routes are in plain text or not.
Thank you both.
I think your both answers are correct.
I should filter the routes AND consider that any one can guess it.
Please or to participate in this conversation.