When is it OK to intentionally obfuscate URLs?


Question

Having friendly URLs is generally a good thing. However, there are sometimes when it seems like a bad idea. What is your rule of thumb?

For instance, consider a situation where I want to show a Registration Success page. I want all of the underlying logic to be the same. However, depending on how they registered, I may want to display a different message for someone who registered under a certain type of role.

Here are a few off-the-cuff examples of "hackable" (as described in link) URLs:

  • http://www.example.com/RegistrationSuccess.aspx?IsCertainRole=true
  • http://www.example.com/RegistrationSuccess.aspx?role=CertainRole
  • http://www.example.com/RegistrationSuccess.aspx?r=2876

All of these seem bad since I don't want the URLs to be discoverable. On the other hand, I hate to do something more complex just to modify the success message slightly.

How would you handle it?

Answer

Bear in mind that obfuscating URLs is NOT a security measure. You should never trust outside input - filter, sanitize and implement restrictive logic. No matter how clever you believe your obfuscation scheme to be, people have cracked much more complicated security schemes with relative ease.

As a general rule of thumb - there is no good reason to obfuscate URLs intentionally. Use URLs to communicate read operations (a path to a resource). Use POST requests to communicate write operations (adding/modifying data). If a user isn't supposed to be able to do something through the URL, it should be regulated server side and through the request method.
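The answer's point in code, as an added example that is not part of the original question or answer: the insecure handler takes the role from the query string (the pattern the question's `?role=CertainRole` URLs imply), while the hardened handler ignores the URL and reads the role from server-side session state, and the one write operation (confirming the registration) is only accepted over POST. The session store, role names, cookie name and `Request` shape are all assumptions made for this example.

```python
"""Added example for this page (not the original poster's or answerer's code):
pick the registration-success message from server-side state instead of a URL
parameter, and keep write operations behind POST. The session store, role
names and request shape below are assumptions."""

from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed server-side session store: session id -> account record.
# In a real application this would be a session backend or database.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "student", "verified": False},
    "sess-bob": {"user": "bob", "role": "instructor", "verified": False},
}

# Per-role messages chosen on the server. An unknown role falls back to the
# generic message instead of being trusted.
ROLE_MESSAGES = {
    "student": "Welcome! Your course list is ready.",
    "instructor": "Welcome! You can now create courses.",
}
DEFAULT_MESSAGE = "Registration complete."


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumed shape)."""
    method: str
    query: str       # raw query string, e.g. "role=instructor"
    cookies: dict    # e.g. {"session": "sess-alice"}


def success_message_insecure(req: Request) -> str:
    """The discoverable-URL pattern: the role comes straight from the query
    string, so anyone can request ?role=instructor and get the instructor
    message, or drive any logic that keys off it."""
    role = parse_qs(req.query).get("role", [""])[0]
    return ROLE_MESSAGES.get(role, DEFAULT_MESSAGE)


def current_account(req: Request):
    """Resolve the account from the session cookie; None if not logged in."""
    return SESSIONS.get(req.cookies.get("session", ""))


def success_message_secure(req: Request) -> str:
    """Hardened form: the query string is ignored entirely. The role is read
    from the server-side record tied to the session cookie, so the URL can be
    a plain /RegistrationSuccess.aspx with nothing in it worth discovering."""
    account = current_account(req)
    if account is None:
        return DEFAULT_MESSAGE
    return ROLE_MESSAGES.get(account["role"], DEFAULT_MESSAGE)


def confirm_registration(req: Request) -> tuple[int, str]:
    """A write operation (marking the account verified) is regulated server
    side and accepted only over POST: a GET carrying the same parameters is
    refused, so a crafted link cannot trigger it, and the caller must hold a
    valid session."""
    if req.method != "POST":
        return 405, "Method Not Allowed"
    account = current_account(req)
    if account is None:
        return 401, "Login required"
    account["verified"] = True
    return 200, success_message_secure(req)
```

Note that the secure handler does not merely validate the `role` parameter; it never reads it. Once the role lives on the server, the only input that matters is the session cookie, and the URL carries nothing that needs hiding.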
