[{"data":1,"prerenderedAt":474},["ShallowReactive",2],{"blog-prompts/protect-admin-routes":3},{"id":4,"title":5,"body":6,"category":453,"date":454,"dateModified":455,"description":456,"draft":457,"extension":458,"faq":459,"featured":457,"headerVariant":460,"image":459,"keywords":459,"meta":461,"navigation":462,"ogDescription":463,"ogTitle":459,"path":464,"readTime":459,"schemaOrg":465,"schemaType":466,"seo":467,"sitemap":468,"stem":469,"tags":470,"twitterCard":472,"__hash__":473},"blog/blog/prompts/protect-admin-routes.md","Protect Admin Routes with AI Prompts",{"type":7,"value":8,"toc":443},"minimark",[9,16,21,33,107,111,121,188,198,202,205,276,280,287,364,373,389,393,396,417,431],[10,11,12],"tldr",{},[13,14,15],"p",{},"Admin routes need extra protection beyond basic auth. Implement role-based access control, require re-authentication for sensitive actions, add audit logging, and consider IP restrictions. These prompts help you lock down your admin functionality.",[17,18,20],"h2",{"id":19},"role-based-access-control","Role-Based Access Control",[13,22,23,24,28,29,32],{},"Copy this prompt to generate a complete RBAC system with role definitions, permission checks, and reusable middleware. 
Your AI will create ",[25,26,27],"code",{},"requireRole()"," and ",[25,30,31],{},"hasPermission()"," helpers for your framework with proper 403 handling and access logging.",[34,35,37,40,43,59,66,69,84,87,104],"prompt-box",{"title":36},"Implement RBAC",[13,38,39],{},"Implement role-based access control for my application.",[13,41,42],{},"Roles needed:",[44,45,46,50,53,56],"ul",{},[47,48,49],"li",{},"user: basic access",[47,51,52],{},"moderator: can manage content",[47,54,55],{},"admin: full access",[47,57,58],{},"super_admin: can manage admins",[13,60,61,62],{},"Framework: ",[63,64,65],"span",{},"Next.js/Express/Django",[13,67,68],{},"Implementation:",[70,71,72,75,78,81],"ol",{},[47,73,74],{},"Add role column to users table (exclude it from every user-editable update or mass-assignment path so a user cannot set their own role)",[47,76,77],{},"Create middleware to check role",[47,79,80],{},"Define permissions per role",[47,82,83],{},"Apply to every route/endpoint that touches admin functionality, API and page routes alike, denying by default",[13,85,86],{},"Middleware should:",[44,88,89,92,95,98,101],{},[47,90,91],{},"Check user is authenticated",[47,93,94],{},"Fetch the user's role from the server-side session or a signature-verified token, never from client-supplied data (request body, query string, or an unsigned cookie)",[47,96,97],{},"Verify role has required permission",[47,99,100],{},"Return 401 if unauthenticated and 403 if authenticated but lacking the permission",[47,102,103],{},"Log access attempts",[13,105,106],{},"Create helper: requireRole('admin') middleware\nCreate helper: hasPermission(user, 'manage_users')",[17,108,110],{"id":109},"admin-route-protection","Admin Route Protection",[13,112,113,114,28,117,120],{},"Use this prompt to add layered protection to all ",[25,115,116],{},"/admin/*",[25,118,119],{},"/api/admin/*"," routes. 
You'll get middleware that chains authentication, role checks, stricter rate limiting, CSRF protection, audit logging, and optional IP allowlisting.",[34,122,124,127,134,137,154,157,171,174],{"title":123},"Protect Admin Endpoints",[13,125,126],{},"Add comprehensive protection to all admin routes.",[13,128,129,130],{},"Admin routes: /admin/* and /api/admin/* (every path under those prefixes)",[131,132,133],"em",{},"",[13,135,136],{},"Protection layers:",[70,138,139,142,145,148,151],{},[47,140,141],{},"Authentication required",[47,143,144],{},"Admin role required",[47,146,147],{},"Rate limiting (stricter than normal)",[47,149,150],{},"Audit logging for all actions",[47,152,153],{},"CSRF protection on mutations",[13,155,156],{},"Additional security:",[44,158,159,162,165,168],{},[47,160,161],{},"Separate admin session with shorter timeout",[47,163,164],{},"Re-authenticate for destructive actions",[47,166,167],{},"IP allowlist option for admin access (take the client IP only from a header your own trusted proxy sets; never trust a client-supplied X-Forwarded-For, or the allowlist is trivially bypassed)",[47,169,170],{},"2FA required for admin accounts",[13,172,173],{},"Implement:",[44,175,176,179,182,185],{},[47,177,178],{},"adminAuthMiddleware that chains all checks and fails closed (any check that errors denies the request)",[47,180,181],{},"Audit log: who, what, when, from where",[47,183,184],{},"Alert on suspicious admin activity",[47,186,187],{},"Admin action requires confirmation for bulk operations",[189,190,191],"warning-box",{},[13,192,193,197],{},[194,195,196],"strong",{},"Don't rely on URL hiding:"," Putting admin at /admin-secret-panel-xyz doesn't protect it. Attackers will find it. Always enforce server-side authorization checks.",[17,199,201],{"id":200},"sensitive-action-confirmation","Sensitive Action Confirmation",[13,203,204],{},"This prompt asks your AI to build a re-authentication flow for destructive admin actions. 
You'll get a password confirmation modal, backend verification endpoint, and short-lived elevated session logic with proper logging.",[34,206,208,211,214,231,233,250,253,273],{"title":207},"Re-authentication for Sensitive Actions",[13,209,210],{},"Require password re-entry for sensitive admin actions.",[13,212,213],{},"Sensitive actions:",[44,215,216,219,222,225,228],{},[47,217,218],{},"Deleting users",[47,220,221],{},"Changing user roles",[47,223,224],{},"Accessing payment data",[47,226,227],{},"Modifying security settings",[47,229,230],{},"Bulk operations",[13,232,68],{},[70,234,235,238,241,244,247],{},[47,236,237],{},"Check if action is sensitive",[47,239,240],{},"Check if user recently authenticated (within 5 min)",[47,242,243],{},"If not, prompt for password",[47,245,246],{},"Verify the password server-side before proceeding, with rate limiting and lockout on the re-auth endpoint (otherwise it is a password-guessing oracle for anyone holding a hijacked session)",[47,248,249],{},"Create short-lived \"elevated\" session",[13,251,252],{},"Flow:",[44,254,255,258,261,264,267,270],{},[47,256,257],{},"User clicks \"Delete User\"",[47,259,260],{},"Modal asks for password (and the second factor, if the account has 2FA)",[47,262,263],{},"Backend verifies password",[47,265,266],{},"Stores an elevatedUntil timestamp server-side in the session record (never in a client-editable cookie or request field)",[47,268,269],{},"Allows action if within window",[47,271,272],{},"Logs the elevation event",[13,274,275],{},"Don't: Trust client-side confirmation alone",[17,277,279],{"id":278},"admin-audit-logging","Admin Audit Logging",[13,281,282,283,286],{},"Copy this prompt to generate an immutable audit logging system for all admin actions. 
Your AI will create the ",[25,284,285],{},"audit_logs"," table, logging middleware, real-time alerting for suspicious activity, and a searchable admin log interface.",[34,288,290,293,296,313,316,333,336,350,353],{"title":289},"Complete Admin Audit Trail",[13,291,292],{},"Implement comprehensive audit logging for admin actions.",[13,294,295],{},"Log every admin action:",[44,297,298,301,304,307,310],{},[47,299,300],{},"Who: admin user ID and email",[47,302,303],{},"What: action type and details (record what changed, but never log secrets such as passwords, session tokens, or full payment card numbers)",[47,305,306],{},"When: timestamp (UTC)",[47,308,309],{},"Where: IP address, user agent",[47,311,312],{},"Result: success or failure",[13,314,315],{},"Actions to log:",[44,317,318,321,324,327,330],{},[47,319,320],{},"User management (create, update, delete, role change)",[47,322,323],{},"Content moderation",[47,325,326],{},"Settings changes",[47,328,329],{},"Data exports",[47,331,332],{},"Failed access attempts",[13,334,335],{},"Storage:",[44,337,338,341,344,347],{},[47,339,340],{},"Separate audit_logs table",[47,342,343],{},"Immutable: no updates/deletes, enforced by the database itself (an insert-only grant for the application's DB user, or an append-only external log sink), not only by application code",[47,345,346],{},"Indexed for querying",[47,348,349],{},"Retention policy (keep 2+ years)",[13,351,352],{},"Also implement:",[44,354,355,358,361],{},[47,356,357],{},"Real-time alerts for suspicious activity",[47,359,360],{},"Regular audit report generation",[47,362,363],{},"Search/filter interface for audit logs (this is itself an admin route: protect it the same way and log access to it)",[365,366,367],"tip-box",{},[13,368,369,372],{},[194,370,371],{},"Pro tip:"," Consider separate admin accounts from regular accounts. Admins should log in with dedicated admin credentials, not their personal user accounts with elevated privileges.",[374,375,376,383],"faq-section",{},[377,378,380],"faq-item",{"question":379},"Should admin routes be on a separate subdomain?",[13,381,382],{},"It's a good practice. admin.example.com can have stricter CSP, separate cookies, and IP restrictions without affecting the main app. 
But it is not a substitute for server-side authorization checks on every admin request. Note that cookies set for the parent domain (Domain=example.com) are also sent to admin.example.com, so scope admin session cookies to the admin host only (for example with the __Host- prefix) to actually get the separation.",[377,384,386],{"question":385},"How do I handle the first admin user?",[13,387,388],{},"Create the first admin via database seed or CLI command, never through the web UI. Some apps auto-promote the first registered user, but this is risky if registration is open: whoever registers first, including an attacker racing the deployment, becomes admin.",[17,390,392],{"id":391},"further-reading","Further Reading",[13,394,395],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[44,397,398,405,411],{},[47,399,400],{},[401,402,404],"a",{"href":403},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[47,406,407],{},[401,408,410],{"href":409},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[47,412,413],{},[401,414,416],{"href":415},"/blog/best-practices/secrets","Secret management best practices",[418,419,420,426],"related-articles",{},[421,422],"related-card",{"description":423,"href":424,"title":425},"Protect all routes","/blog/prompts/add-auth-middleware","Add Auth Middleware",[421,427],{"description":428,"href":429,"title":430},"Find unprotected routes","/blog/prompts/fix-auth-bypass","Fix Auth Bypass",[432,433,436,440],"cta-box",{"href":434,"label":435},"/","Start Free Scan",[17,437,439],{"id":438},"check-your-admin-security","Check Your Admin Security",[13,441,442],{},"Scan your admin routes for access control issues.",{"title":444,"searchDepth":445,"depth":445,"links":446},"",2,[447,448,449,450,451,452],{"id":19,"depth":445,"text":20},{"id":109,"depth":445,"text":110},{"id":200,"depth":445,"text":201},{"id":278,"depth":445,"text":279},{"id":391,"depth":445,"text":392},{"id":438,"depth":445,"text":439},"prompts","2026-02-23","2026-03-06","AI prompts to protect admin routes and implement role-based access control. 
Secure your admin panels, dashboards, and privileged endpoints.",false,"md",null,"cyan",{},true,"AI prompts to implement role-based access control for admin areas.","/blog/prompts/protect-admin-routes","[object Object]","BlogPosting",{"title":5,"description":456},{"loc":464},"blog/prompts/protect-admin-routes",[471],"Critical","summary_large_image","NIgeBTITejFAp5ycNdPIB9M3pQs8jjtuA6czBluZZB8",1775843938413]