[Nitro] Security problems
rainhead at gmail.com
Sun Nov 13 16:17:42 EST 2005
Another simple solution would be to look up by name, not number. As
long as you don't expect project names to change often, URIs like
/project/bills-project are far more user friendly, and make it harder
for someone with no knowledge of a project to stumble upon it.
This isn't real security, of course -- the other replies have covered
that. But I appreciate that sometimes you don't really want to put
strict access controls on something, but don't want to advertise its
presence, either. I do this when I need to give someone a large file
- I put it on a web server in a place where it won't be indexed, and
give the person the URL. It wouldn't be a huge problem if someone
found one of those files, but I'd just as soon nobody rifle through
all my stuff. Meanwhile, I don't have to worry about creating a user,
a password, or an ACL.
> I am not sure if this can be done already, but I would like the
> path to be
> hidden. I would like to show only the main page URI. I think it is a
> security problem if a user sees things like http://myhost.com/
> The users might type /2 by himself...
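
The trade-off discussed in this message, as an added example that is not part of the original post and is not Nitro code: plain Ruby comparing lookup by number, lookup by name, and lookup by name with a membership check. The `Project` struct, the sample records, the user names and all function names are constructed for illustration.

```ruby
# Added illustration in plain Ruby; not Nitro code. All names and data are constructed.
Project = Struct.new(:id, :slug, :members)

PROJECTS = [
  Project.new(1, "bills-project", %w[bill ann]),
  Project.new(2, "payroll-migration", %w[carol]),
  Project.new(3, "q4-audit", %w[dave ann])
].freeze

SLUG_FORMAT = /\A[a-z0-9]+(?:-[a-z0-9]+)*\z/

# Numeric lookup with no access check: the situation in the quoted question.
# Anyone who has seen /project/1 can reach /project/2 by editing the number.
def find_by_id(segment)
  return nil unless segment.to_s.match?(/\A\d+\z/)
  PROJECTS.find { |p| p.id == segment.to_i }
end

# Name-based lookup as suggested in the post: there is no "next" value to
# step to, but anyone who learns or guesses the name still gets the record.
def find_by_slug(segment)
  return nil unless segment.to_s.match?(SLUG_FORMAT)
  PROJECTS.find { |p| p.slug == segment }
end

# Name-based lookup plus a membership check. Unknown and forbidden projects
# return the same :not_found, so the response does not confirm a name exists.
def fetch_project(user, segment)
  project = find_by_slug(segment)
  return [:not_found, nil] if project.nil? || !project.members.include?(user)
  [:ok, project]
end
```

Only `fetch_project` ties the result to who is asking; the two bare lookups differ in how easy the identifier is to guess, not in who is allowed to read the record.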