In the auth routes example, secret.vue uses auth middleware to throw an error when someone visits the page without being logged in. This all works very nicely for browsing the site normally. However, in the <head> of the home page, whether you're logged in or out, there are multiple <link> elements prefetching the code-split JS files, including the file for the secret page:
<link rel="prefetch" href="/_nuxt/pages/secret.5ed12eb7c8cee6045aff.js">
This JS file contains all the "Super secret page" content, which kind of negates the secrecy of it.
I'm not sure what the perfect solution is, but I guess the simplest is to hide the prefetching with resourceHints: false. The knock-on is that prefetching will be disabled for the whole site, logged in or out, which seems a shame. And this wouldn't stop anyone finding the (albeit obscurely named) file and getting the secret content.
Is it possible to only hide prefetching for logged-out users, stop some files being prefetched or, better still, prevent the JS files from being served (although I'm guessing this is more of a server issue and could probably be solved inelegantly by searching for middleware:"auth" in the JS files before serving them)?
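One way to approach the two options raised in the question, as an added example that is not part of the original post or the Nuxt project's own code: a predicate in the shape of vue-server-renderer's `shouldPrefetch(file, type)` option that drops the prefetch hint for the secret page, and a connect-style guard that refuses the chunk itself to logged-out requests. The names `guardProtectedChunks`, `isAuthenticated`, `simulate` and the `req.session.authUser` field are assumptions, as is mounting the guard ahead of whatever handler serves `/_nuxt/`.

```javascript
// Chunk files of protected pages, e.g. /_nuxt/pages/secret.<hash>.js
// (list the protected page names explicitly instead of grepping bundles).
const PROTECTED_CHUNK = /^\/_nuxt\/pages\/(secret)\.[0-9a-f]+\.js$/

// Assumption: a session middleware has already populated req.session.authUser.
function isAuthenticated(req) {
  return Boolean(req.session && req.session.authUser)
}

// Shape of vue-server-renderer's shouldPrefetch(file, type): returning false
// keeps the <link rel="prefetch"> for that file out of the rendered <head>.
// This only hides the hint; the guard below is what protects the content.
function shouldPrefetch(file) {
  return !/(^|\/)pages\/secret\./.test(file)
}

// Connect-style middleware, assumed to run before the /_nuxt/ file handler.
function guardProtectedChunks(req, res, next) {
  let path
  try {
    // Drop the query string, decode %xx escapes and collapse repeated
    // slashes so simple URL variations still hit the pattern.
    path = decodeURIComponent(req.url.split('?')[0]).replace(/\/+/g, '/')
  } catch (e) {
    res.statusCode = 400
    return res.end('Bad request')
  }
  if (PROTECTED_CHUNK.test(path)) {
    // Never let a shared cache store a protected chunk or its refusal.
    res.setHeader('Cache-Control', 'private, no-store')
    if (!isAuthenticated(req)) {
      res.statusCode = 403
      return res.end('Forbidden')
    }
  }
  next()
}

// Constructed request/response stubs so the guard can be exercised offline.
function simulate(url, session) {
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v }, end() {} }
  let passed = false
  guardProtectedChunks({ url, session }, res, () => { passed = true })
  return { status: res.statusCode, passed, cache: res.headers['Cache-Control'] }
}
```

With the guard in place the obscure file name no longer matters, because a logged-out request for the chunk gets a 403 whether or not the prefetch hint was rendered.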