#Debugbar routes still showing in production mode.

1 messages · Page 1 of 1 (latest)

kind compass Jul 21, 2023, 4:17 PM

Hello everyone. I uploaded my Laravel + Inertiajs app to production but when viewing the source code of the app in production (a simple View Source in chrome) I see this -

"routes":{"debugbar.openhandler":{"uri":"_debugbar\/open","methods":["GET","HEAD"]},"debugbar.clockwork":{"uri":"_debugbar\/clockwork\/{id}","methods":["GET","HEAD"]},"debugbar.assets.css":{"uri":"_debugbar\/assets\/stylesheets","methods":["GET","HEAD"]},"debugbar.assets.js":{"uri":"_debugbar\/assets\/javascript","methods":["GET","HEAD"]},"debugbar.cache.delete":{"uri":"_debugbar\/cache\/{key}\/{tags?}","methods":["DELETE"]},"sanctum.csrf-cookie":{"uri":"sanctum\/csrf-cookie","methods":["GET","HEAD"]},"ignition.healthCheck":{"uri":"_ignition\/health-check","methods":["GET","HEAD"]},"ignition.executeSolution":{"uri":"_ignition\/execute-solution","methods":["POST"]},"ignition.updateConfig":{"uri":"_ignition\/update-config"

Why does Ziggy register these routes?

i made sure APP_ENV is production
i made sure APP_DEBUG is false

kind compass Jul 21, 2023, 4:41 PM

yes, you are correct, they are indeed 404. but it still feels kinda bad security practice to keep them listed there.

thanks for that github link. it feels like its the right solution

it didn't help :\

already did.. and still i see this part in the source..

const Ziggy = {"url":"https:\/\/myappdomain.net","port":null,"defaults":{},"routes":{"debugbar.openhandler":{"uri":"_debugbar\/open","methods":["GET","HEAD"]},"debugbar.clockwork":{"uri":"_debugbar\/clockwork\/{id}","methods":["GET","HEAD"]},"debugbar.assets.css":{"uri":"_debugbar\/assets\/stylesheets","methods":["GET","HEAD"]},"debugbar.assets.js":{"uri":"_debugbar\/assets\/javascript","methods":["GET","HEAD"]},"debugbar.cache.delete":{"uri":"_debugbar\/cache\/{key}\/{tags?}","methods":["DELETE"]},"sanctum.csrf-cookie":{"uri":"sanctum\/csrf-cookie","methods":["GET","HEAD"]},"ignition.healthCheck":{"uri":"_ignition\/health-check","methods":["GET","HEAD"]},"ignition.executeSolution":{"uri":"_ignition\/execute-solution","methods":["POST"]},"ignition.updateConfig":{"uri":"_ignition\/update-config","methods":["POST"]}

array:3 [ // vendor/psy/psysh/src/ExecutionLoopClosure.php(53) : eval()'d code:1
  0 => "_debugbar.*"
  1 => "horizon.*"
  2 => "admin.*"
]

but now i noticed something weird.. i only get this output locally, but on the production server its null, even though config/ziggy.php is definitely there.

BUT, dd(config('ziggy.except')); on production returns -

array:3 [ // 
vendor/psy/psysh/src/ExecutionLoopClosure.php(53) : eval()'d code:1
  0 => "_debugbar.*"
  1 => "horizon.*"
  2 => "admin.*"
]```

i even tried to explicitly put this in AppServiceProvider's boot method with no success -

        if ($this->app->environment('production')) {
            config(['ziggy.except' => ['_debugbar.*', 'horizon.*', 'admin.*']]);
        }

nope :\ even when defining app_debug to false and app_env to production..

maybe im missing some specific cache i need to clear?

php artisan cache:clear ?

none of those helped.. neither composer dump-autoload.. wtf.

mind elaborating please?

oh yeah, did this as well, as part of the url u sent me

yup.. it drives me crazy.