Back to blog
Laraveltechnicalvulnerabilities

Laravel: when Ziggy exposes the complete map of your application

Published on 2026-03-105 min readFlorian

Ziggy: the useful tool turned vulnerability

Ziggy generates a JavaScript object containing ALL your Laravel routes. On unauthenticated pages, this exposes your entire architecture.

What an attacker learns

  • All admin and API routes
  • Expected parameters for each endpoint
  • Controller and resource structure
  • Debug and maintenance routes

    • Related articles

    Three adjacent analyses to keep exploring the same attack surface.

    WordPresstechnical

    WordPress REST API: 7 dangerous endpoints enabled by default

    Your WordPress exposes sensitive data via REST API without you knowing. Here are 7 endpoints to check now.

    2026-04-03 · 6 min read
    Supabasetechnical

    Supabase RLS: 5 configuration mistakes we find every week

    Supabase Row Level Security policies are your first line of defense. Here are the 5 most common mistakes.

    2026-03-28 · 7 min read
    Firebasetechnical

    Firebase Firestore: why 'allow read, write: if request.auth != null' is not security

    The basic Firestore authentication rule doesn't protect your data. Here's why and how to fix it.

    2026-03-25 · 6 min read

    Sources

    Written by Florian
    Reviewed on 2026-03-10

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    External Review

    Get a fast, clear read on your product’s real external exposure.

    Full Audit

    Document all priority flaws and get a real remediation plan.

    Ongoing Review

    Track new exposure as your stack changes over time.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit