
If I set up a simple web server online (e.g. nginx), and generate a very large random string (such that it is unguessable), and host that endpoint on my domain, e.g.

example.com/<very-large-random-string>

would I be safe in say, hosting a webapp at that endpoint with no authentication to store my personal information (like a scratch-pad or notes kind of thing)?

I know Google Docs does this, is there anything special one has to do (again, e.g. for nginx) to prevent someone from getting a list of all available pages?

I guess what I'm asking is: is there any way for a malicious actor to find out about the existence of such a page, preferably irrespective of what web server I used?

crackpotHouseplant

1 Answer


I'd be pretty alarmed if my online bank started using this system, but it should give you a basic level of security. Bear in mind that this is security through obscurity, which is rather frowned upon and will immediately turn into no security whatsoever the moment someone discovers the hidden URL.

To prevent this from happening, you will need to take a few precautions:

  1. Install an SSL certificate on your server, and always access the URL via https, never via http (otherwise the URL path will be sent in plain view and visible to everyone along the way).

  2. Make sure your secure document contains no outgoing links. This includes not only hyperlinks (<a href="...">) but also embedded images, stylesheets, scripts, media files and so on. Otherwise the URL will be leaked to other domains via the Referer request headers.*1

  3. (A bit of a no-brainer, but) make sure there are also no inbound links to this page. Although they aren't so common now, web hosts used to generate automatic "web stats" pages showing the traffic to each web domain. Some content management systems generate a site map automatically. This would be just as bad.

  4. Disable directory browsing on your server. In other words, make sure that someone who visits the directory level above your hidden directory isn't presented with a list of subdirectories.

  5. Bear in mind that the URL will always be visible in your address bar and browser history, and possibly in other places like your browser's cookie jar. Your browser will probably provide the rest of the URL by auto-complete when someone types the domain into your address bar.

*1: Actually, your browser will only send a Referer header when you access other https pages, but still...

r3mainer
  • Thanks! More of a hypothetical than anything. Just wanted to see what others had to say about it. . . Wondering now about generating these numbers and expiring them after a given amount of time :) – crackpotHouseplant Mar 06 '18 at 21:50
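The following is an added example, not code from the question or the answer above. It puts the answer's precautions into a concrete nginx configuration and adds two things the answer does not mention: a Referrer-Policy header so the browser itself never sends the secret path in a Referer header (covering point 2 even if a link slips through), and access_log off for the secret location so the path is not written to disk in plain text. The domain example.com, the certificate paths and the document root /srv/notes/ are assumptions; the HTML snippets used in the usage check are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes the domain
# example.com, Let's Encrypt certificate paths and /srv/notes/ as the
# document root; adjust all three for a real deployment.
set -eu

# Generate a URL-safe token with 256 bits of entropy from the OS CSPRNG.
# 32 raw bytes -> base64 (44 chars, one '=' pad) -> URL-safe alphabet,
# padding and newline stripped -> 43 characters of [A-Za-z0-9_-].
gen_token() {
  head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Print an nginx server block that serves the notes app only under the
# secret path: HTTPS only, no directory listing, no Referer leakage,
# no access log for the secret location, 404 for everything else.
render_nginx_conf() {
  token="$1"
  cat <<EOF
# Plain HTTP: redirect only. Note the path still travels in clear text
# if someone types http://, so bookmark the https:// form and rely on
# the HSTS header below for later visits.
server {
    listen 80;
    server_name example.com;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Point 4: no listing of directories anywhere on this host.
    autoindex off;

    # Point 2, enforced by the browser: never send this URL as Referer,
    # and tell crawlers not to index anything that does get linked.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Robots-Tag "noindex, nofollow" always;

    # The secret prefix. access_log off keeps the path out of the logs.
    location ^~ /$token/ {
        alias /srv/notes/;
        access_log off;
    }

    # Everything else, including the root, is a 404: nothing to enumerate.
    location / {
        return 404;
    }
}
EOF
}

# Point 2, checked on the content: report href/src attributes in an HTML
# file that point at another host (absolute or protocol-relative URLs).
# Returns 0 if the page is self-contained, 1 if any external refs exist.
find_external_refs() {
  grep -Eo '(href|src)="[^"]*"' "$1" | grep -E '="(https?:)?//' || return 0
  return 1
}

# Stand-alone run: print a fresh config to stdout.
token=$(gen_token)
render_nginx_conf "$token"
```

Run it once, save the output as the site's server block, and run find_external_refs over every HTML file you place under /srv/notes/ before publishing; a non-zero exit means the page would leak the path to a third party as soon as it is opened.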