+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=31)
+--- Thread: Let's make auto routes disable (/showthread.php?tid=81379)
Let's make auto routes disable - kenjis - 02-21-2022
Auto routes are really dangerous. It could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.
For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutorials/codeigniter-4-json-web-tokenjwt-authentication/
If you build the tutorial app, an attacker could get list of users without token.
How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false);
RE: Let's make auto routes disable - iRedds - 02-21-2022
Maybe disable auto routes by default?
protected $autoRoute = true;
And this can also be removed from the default config.
PHP Code:
$routes->setDefaultController('Home');
$routes->setDefaultMethod('index');
$routes->setTranslateURIDashes(false);
$routes->set404Override();
$routes->setAutoRoute(true);
RE: Let's make auto routes disable - kenjis - 02-21-2022
(02-21-2022, 09:54 PM)iRedds Wrote: Maybe disable auto routes by default?
I would like to disable it by default in v5.0.
RE: Let's make auto routes disable - InsiteFX - 02-22-2022
I agree remove it in version 5.0. I always run with it false.
RE: Let's make auto routes disable - iRedds - 02-22-2022
If we talk about version 5, then it seems to me that it is better to move auto routes out of the framework into a separate package.
RE: Let's make auto routes disable - luckmoshy - 02-22-2022
(02-21-2022, 07:45 PM)kenjis Wrote: Auto routes are really dangerous. It could make vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.
For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutorials/codeigniter-4-json-web-tokenjwt-authentication/
If you build the tutorial app, an attacker could get list of users without token.
How to disable auto routes:
app/Config/Routes.php
See https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-onlyPHP Code:$routes->setAutoRoute(false);
I thought was my self been asking this issue oooh we are many???? C_i needs to sort this by alternating this autoroute
RE: Let's make auto routes disable - kilishan - 02-22-2022
I think having them disabled by default is a good setting for the next release.
RE: Let's make auto routes disable - kenjis - 02-22-2022
@kilishan Do you mean in v4.2.0?
RE: Let's make auto routes disable - kilishan - 02-22-2022
@kenjis yes, 4.2
RE: Let's make auto routes disable - seunex - 02-22-2022
Awesome