CodeIgniter Forums
Let's make auto routes disable - Printable Version



Let's make auto routes disable - kenjis - 02-21-2022

Auto routes are really dangerous. They could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.

For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutorials/codeigniter-4-json-web-tokenjwt-authentication/
If you build the tutorial app, an attacker could get a list of users without a token.

How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false); 
See https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
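
The risk described in the post above, as an added audit sketch that is not part of the original post or of CodeIgniter: it reads a Routes.php and controller sources and lists public methods of filter-protected controllers that auto routing would also serve without that route filter. The sample routes, controller names and the `authFilter` alias are constructed; the check assumes quoted `'Controller::method'` handlers and only looks at filters set in route options, not those in Config\Filters.

```python
import re

# Constructed sample inputs (not taken from the tutorial or the thread).
ROUTES_PHP = """
$routes->setAutoRoute(true);
$routes->post('api/login', 'Login::index');
$routes->get('api/users', 'User::index', ['filter' => 'authFilter']);
"""
CONTROLLERS = {  # class name -> controller source
    "Login": "class Login extends BaseController { public function index() {} }",
    "User": "class User extends BaseController { public function index() {} "
            "public function show($id) {} protected function load() {} }",
}

AUTO_RE = re.compile(r"\$routes->setAutoRoute\(\s*(true|false)\s*\)", re.I)
ROUTE_RE = re.compile(
    r"\$routes->(?:get|post|put|patch|delete|add)\(\s*'[^']*'\s*,"
    r"\s*'(\w+)::(\w+)[^']*'([^;]*)\);")
METHOD_RE = re.compile(r"public\s+function\s+(\w+)\s*\(")


def auto_route_enabled(routes_php, default=True):
    """The last setAutoRoute() call wins; `default` applies when there is none."""
    calls = AUTO_RE.findall(routes_php)
    return calls[-1].lower() == "true" if calls else default


def filtered_handlers(routes_php):
    """(controller, method) pairs whose defined route carries a 'filter' option."""
    return {(c, m) for c, m, opts in ROUTE_RE.findall(routes_php) if "'filter'" in opts}


def audit(routes_php, controllers, default=True):
    """List public methods of filtered controllers that auto routing serves unfiltered."""
    if not auto_route_enabled(routes_php, default):
        return []
    protected = filtered_handlers(routes_php)
    guarded_classes = {c for c, _ in protected}
    findings = []
    for cls in sorted(guarded_classes & controllers.keys()):
        for method in METHOD_RE.findall(controllers[cls]):
            reason = "route filter bypassed" if (cls, method) in protected else "no route filter"
            findings.append((cls, method, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTES_PHP, CONTROLLERS):
        print(finding)
```

With `setAutoRoute(false)` in the same file the audit returns no findings, because only the defined routes, and therefore their filters, remain.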


RE: Let's make auto routes disable - iRedds - 02-21-2022

Maybe disable auto routes by default?
protected $autoRoute = true;


And this can also be removed from the default config.
PHP Code:
$routes->setDefaultController('Home');
$routes->setDefaultMethod('index');
$routes->setTranslateURIDashes(false);
$routes->set404Override();
$routes->setAutoRoute(true); 



RE: Let's make auto routes disable - kenjis - 02-21-2022

(02-21-2022, 09:54 PM)iRedds Wrote: Maybe disable auto routes by default?

I would like to disable it by default in v5.0.


RE: Let's make auto routes disable - InsiteFX - 02-22-2022

I agree, remove it in version 5.0. I always run with it set to false.


RE: Let's make auto routes disable - iRedds - 02-22-2022

If we talk about version 5, then it seems to me that it is better to move auto routes out of the framework into a separate package.


RE: Let's make auto routes disable - luckmoshy - 02-22-2022

(02-21-2022, 07:45 PM)kenjis Wrote: Auto routes are really dangerous. They could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.

For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutorials/codeigniter-4-json-web-tokenjwt-authentication/
If you build the tutorial app, an attacker could get a list of users without a token.

How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false); 
See https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only

I thought it was myself who had been asking about this issue, oooh, we are many? CI needs to sort this out by alternating this autoroute.


RE: Let's make auto routes disable - kilishan - 02-22-2022

I think having them disabled by default is a good setting for the next release.


RE: Let's make auto routes disable - kenjis - 02-22-2022

@kilishan Do you mean in v4.2.0?


RE: Let's make auto routes disable - kilishan - 02-22-2022

@kenjis yes, 4.2


RE: Let's make auto routes disable - seunex - 02-22-2022

Awesome