Hiding an administration URL is pretty easy.

“Joe, how are we protecting the admin urls?”

“Well, I put it on a very long secret url that nobody will ever guess”

There are a few problems with Joe's approach that can let others find the admin URL quite easily:

  • Browser crash reports can include the URLs that were open at the time and send them to the browser vendor's developers.

  • URL history often stays in shared browsers, like at public libraries.

  • Some browser toolbars send copies of URLs to marketing organisations for analysis. Toolbars tend to be dodgy.

  • Proxies and their logs can keep records of your URLs.

  • Other users of a public wifi network can see your URLs whenever the page is served over plain HTTP. Sharing the same wifi access key does not protect you: anyone who knows the pre-shared key can decrypt the other users' wireless traffic. HTTPS does hide the path and query string, but the hostname is still visible.

There are so many ways for the “secret” URL to accidentally leak.

Instead, Joe should have required a username and password to log in, and locked the account (or at least throttled further attempts) after a number of incorrect attempts. A secret URL is a shared password that gets written down everywhere; a real login can be rate-limited, audited and changed when it leaks.
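As an added illustration of that recommendation (this is example code, not anything from the original post or from Joe's application), here is a small login gate with a salted PBKDF2 password hash, a constant-time comparison, and a time-limited lockout after a fixed number of failures. The threshold, lockout duration, iteration count and the `AdminAuth` class are assumptions chosen for the example; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Example values, not from the original post: lock after this many
# consecutive failures, for this long. A permanent lock would let an
# attacker deny the real admin access simply by guessing badly.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP guidance)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); only the salted hash is ever stored."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class AdminAuth:
    """In-memory user store with per-account lockout after repeated failures.

    `clock` returns seconds as a float; it defaults to time.monotonic and is
    injectable so tests can advance time.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}   # username -> {"salt", "key", "failures", "locked_until"}

    def add_user(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        self._users[username] = {"salt": salt, "key": key,
                                 "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        user = self._users.get(username)
        return user is not None and self._clock() < user["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        Unknown usernames still pay for one hash computation so response time
        does not reveal which usernames exist.
        """
        user = self._users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)   # burn the same work as a real check
            return "denied"

        if self._clock() < user["locked_until"]:
            return "locked"   # do not evaluate the password at all while locked

        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["key"]):
            user["failures"] = 0
            return "ok"

        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = self._clock() + LOCKOUT_SECONDS
            user["failures"] = 0
        return "denied"
```

The lockout is deliberately time-bounded: an attacker who knows the admin username can otherwise keep the real administrator locked out indefinitely, so production systems usually combine a short lockout or exponential back-off with per-IP throttling and alerting on bursts of failures.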
