Hiding an administration URL is pretty easy.

“Joe, how are we protecting the admin URLs?”

“Well, I put it on a very long secret URL that nobody will ever guess.”

There are a few problems with Joe's approach that might allow others to find the admin URL easily:

  • Browser crashes will pass URL information to developers.

  • URL history often stays in shared browsers, like at public libraries.

  • Some browser toolbars send copies of URLs to marketing organisations for analysis. Toolbars tend to be dodgy so there is a good chance the wrong people will see the URL.

  • Proxies and their logs can keep records of your URLs.

  • Other public wifi users can see your URLs, even if you are using HTTPS or if you all have the same wifi access key.

  • If you mistype the URL, some browsers feed it into search engines to have another go at it. It might end up displaying in someone's auto-complete.

There are so many ways for the “secret” URL to accidentally leak.

Instead, Joe should have required a username and password for login, locking the account after a number of incorrect attempts.
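A minimal sketch of that login check, added here as an illustration and not taken from any real admin application. The class name `AdminAuth`, the threshold of 5 attempts, the 15-minute lock and the in-memory storage are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5           # assumed threshold; the text only says "a number of"
LOCKOUT_SECONDS = 15 * 60  # assumed lock duration


class AdminAuth:
    """Password check with per-account lockout (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, password hash)
        self._failures = {}  # username -> (failure count, locked-until time)
        self._clock = clock

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # refuse before looking at the password at all
        if locked_until:     # an earlier lock has expired: start a fresh count
            count = 0
        # Unknown usernames are hashed against a dummy record and counted the
        # same way, so responses do not reveal which accounts exist.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        good = hmac.compare_digest(self._hash(password, salt), stored)
        if good:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return "denied"
```

While the account is locked, even the correct password is refused, which is what limits guessing to a handful of attempts per lock period.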

