
warpig's avatar

Making routes secure and providing safety

I am about to finally upload my blog/website to a shared hosting server, and in terms of securing my routes, what's the recommendation for doing this? For instance, I have a lot of routes like this one (ending in ->middleware('auth')):

Route::get('/home/create', 'DashboardController@create')->middleware('auth');

And I have 2 like this one (ending like "->name('home');"):

Route::get('/home', [App\Http\Controllers\HomeController::class, 'index'])->name('home');

On the latter one, is it wise to change the name 'home' to something else? Something not that obvious? I am aware that by using a name on a route you have to also change it in the "href" portion, but other than that, do they require something else to be changed?

Also, I would like to receive comments from guests on my posts, and since I'm not providing a service or anything like that (at least for now), I don't want other people registering on the website; I just find it pointless. Is there a way to "hide" or make that route unavailable? Thanks, anything helps!

0 likes
6 replies
Snapey's avatar

middleware('auth') means that the user must be logged in to access the route. Note that this says nothing about who they are, only that they must be known and be logged in.

name('foo') just means that the route has an internal name, simplifying references to the route in your own code and making it possible to change external URLs without changing references to the route in your code.

Named routes have NO effect on the security of your application.

You can remove the registration route. You just need some basic training.

2 likes
jlrdw's avatar

To add, you need authorization to determine what the logged in user can or cannot do.

Like: Can Robert edit something that belongs to Billy?

Also look at query scopes.

1 like
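The ownership question from the reply above ("Can Robert edit something that belongs to Billy?") as an added Laravel example, not code from anyone in this thread. The `Post` model, its `user_id` column, `PostPolicy` and `PostController` are assumed names, and the policy is assumed to be picked up by Laravel's policy auto-discovery (or registered in `AuthServiceProvider`).

```php
<?php
// Added example. Each namespace block belongs in the file named above it;
// Post, PostPolicy, PostController and the user_id column are assumptions.

// app/Models/Post.php
namespace App\Models {
    use Illuminate\Database\Eloquent\Builder;
    use Illuminate\Database\Eloquent\Model;

    class Post extends Model
    {
        // Query scope: Post::ownedBy($user)->get() returns only that user's
        // rows, so dashboard listings never include other authors' posts.
        public function scopeOwnedBy(Builder $query, User $user): Builder
        {
            return $query->where('user_id', $user->id);
        }
    }
}

// app/Policies/PostPolicy.php
namespace App\Policies {
    use App\Models\Post;
    use App\Models\User;

    class PostPolicy
    {
        // Authorization: may this logged-in user change this particular post?
        public function update(User $user, Post $post): bool
        {
            return (int) $user->id === (int) $post->user_id;
        }
    }
}

// routes/web.php
namespace {
    use App\Http\Controllers\PostController;
    use Illuminate\Support\Facades\Route;

    // 'auth' rejects guests (authentication). 'can:update,post' then runs
    // PostPolicy::update() on the route-bound {post} and answers 403 when the
    // post belongs to someone else (authorization). The controller method
    // must type-hint Post $post so the {post} parameter is resolved to a model.
    Route::put('/posts/{post}', [PostController::class, 'update'])
        ->middleware(['auth', 'can:update,post']);
}
```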
warpig's avatar

Thanks, I think you mean roles and permissions/abilities?

Snapey's avatar

Authentication is proving who someone is.

Authorization is deciding what they are allowed to do (which you can only do once you know who they are).

1 like
warpig's avatar

Thanks, I did a bit of searching and found out that by including this:

Auth::routes(['register' => false]); 

The /register path no longer works, but throws a QueryExceptionError, so I found through here, https://stackoverflow.com/questions/64383602/disable-auth-register-route-in-laravel-8, that I had to disable the "registration" feature from Fortify by commenting it out. Hope to hear from you, and hope this is correct or close to it, because I do agree on the basic training part :)

warpig's avatar

Tried the same with "/login" but that just makes it throw a QueryException error, so I wonder if it's as easy as commenting out the route somewhere. Thanks.
