I have a flask application. If I create a route, say, '/some_super_random_long_and_unguessable_route'
and don't mention this route (url) anywhere in my website, will the people be able to find this route?

- I don't really think SO is for this type of question, but the answer to your question is yes. They can access that route, but if you haven't mentioned that route anywhere then they will not know that you have it. – imxitiz Aug 03 '21 at 11:01
- Thanks for answering. But what's wrong with the question? – raunasur Aug 03 '21 at 11:03
- Since files are saved on the server and not rendered in the browser, the URL will not be available to users except through some attacks. It will depend on how you protect the server – Rinshan Kolayil Aug 03 '21 at 11:03
- **Except some attacks**: please tell me what type of attack so that I can search for it on Google. – raunasur Aug 03 '21 at 11:05
- An attacker can inject some code into your server if you have little security or if you use some untrusted open-source libraries – Rinshan Kolayil Aug 03 '21 at 11:07
- Search Google for things like "how to protect servers" or "cyber security" (if you are interested in knowing about security loopholes), or refer to https://phoenixnap.com/kb/server-security-tips, https://geekflare.com/network-firewall-intro-and-products/ etc., or you can read articles at https://medium.com/topic/cybersecurity – Rinshan Kolayil Aug 03 '21 at 11:15
- I think I have stepped into a more complex topic than I can comprehend. So, the summary of the answers and comments posted here is that I should not use the `/some_super_random_long_and_unguessable_route` method because it is unsafe. Am I right? – raunasur Aug 03 '21 at 11:19
- No, it is safe, but it all depends on how you protect the server. – Rinshan Kolayil Aug 03 '21 at 11:21
- As the answer suggests, you can try some authentication. Please refer to https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ – Rinshan Kolayil Aug 03 '21 at 11:45
- Ok, sure, I can send an email – Rinshan Kolayil Aug 03 '21 at 13:42
1 Answer
The chances are low, but it is possible. Someone with enough time and effort can try to brute force all paths. With some monitoring, you could probably catch it, but even then it is not really safe.

As a general rule, Security-by-Obscurity is not a strong form of security. It only takes one mistake for it to be completely invalidated. Or, as soon as someone else works on it as well, it is not only a matter of trusting yourself; it also requires trusting them not to make a mistake. Or even beyond mistakes, if their requests are being monitored through some security breach, your secret endpoint will be exposed.

If you want something not accessible to others, you need actual authentication. By far the easiest is using HTTP authentication. You are using Flask, so obviously there is a library for that, called flask-HTTPAuth. It should allow you to set a username and password, which you have to produce to access the site.

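The HTTP authentication the answer recommends, as an added example that is not the answer author's code: it uses only the Python standard library (a bare WSGI callable in place of Flask and flask-HTTPAuth, so it runs without those packages installed), and the demo username, password, salt and route name are constructed assumptions. The point it shows is that the unlisted route still 404s for every other path but, on its own, is not a credential; only the Basic auth check decides who gets the 200.

```python
import base64
import hashlib
import hmac

# Constructed demo credentials (an assumption of this example); real code
# loads them from configuration and keeps only a salted password hash.
USERNAME = "admin"
_SALT = b"demo-salt"
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)

# The unlisted path from the question; it is not a credential, so auth is still required.
SECRET_ROUTE = "/some_super_random_long_and_unguessable_route"

def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def credentials_ok(auth_header):
    """Validate a Basic auth header against the stored user and password hash."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # malformed base64 or text
        return False
    user, _, password = decoded.partition(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # compare_digest keeps each comparison's timing independent of the contents
    user_ok = hmac.compare_digest(user.encode(), USERNAME.encode())
    return user_ok and hmac.compare_digest(candidate, _PASSWORD_HASH)

def app(environ, start_response):
    """WSGI app: unknown paths get 404, the hidden route needs valid auth."""
    if environ.get("PATH_INFO", "/") != SECRET_ROUTE:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    if not credentials_ok(environ.get("HTTP_AUTHORIZATION")):
        start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                       ("WWW-Authenticate", 'Basic realm="hidden"')])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret content\n"]

def request(path, auth_header=None):
    """Call the app in-process (no network); returns (status, body)."""
    captured, environ = {}, {"PATH_INFO": path}
    if auth_header:
        environ["HTTP_AUTHORIZATION"] = auth_header
    body = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], body
```

To serve it for real, pass `app` to `wsgiref.simple_server.make_server` (or any WSGI server) behind TLS, since Basic auth sends the password base64-encoded, not encrypted.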