Forum Discussion
Hide uri on client side
Hi,
I need an iRule or policy to hide the URI from the client side.
Example:
The user presses an icon on the website which points him to -> https://web.com/abc/def
I need the user to see only https://web.com in his browser, without /abc/def, but the page content will be from https://web.com/abc/def.
The goal is to hide "/abc/def"
I saw several questions like this in devcentral but none of them fit
Thanks in advance
Rafi1 That is definitely possible but keep in mind that while the client sees path "/abc/def" the server will see only "/" which is the root of the website. So if you decide to change all paths that the client sees to "/" just make sure that the path "/" has all the content that you're looking for. Again, this is another reason why obfuscating the path really isn't the path to go down to provide security for your website over something such as a login token or any other security measure you can take over obfuscation.
Rafi1 As long as you will always change HTTP Path "/" to "/abc/def" this would work, but purely based on how most websites function it seems like "/" is the default web page for the website, so this will most likely cause issues for you. This would be easier to achieve if you had, let's say, path "/button" as the hidden path for "/abc/def", and could be achieved using string map. What is the reason to hide the HTTP path from the end user?
- Rafi1Cirrus
Hi Pailus,
Do you mean that "/button" will hide "/abc/def"? Some kind of alias?
I think it will be fine.
The reason is security of course; the web site is very sensitive and we need to "hide" some URIs so an attacker will not try to manipulate the site with URI changes (the goal is to hide the web site paths).
I tried some irules like:
when HTTP_REQUEST {
    # Define your public path and your hidden path
    set public_path "/#ArchNew3"
    set hidden_path "/architecture-info/#ArchNew3"
    # Check if the user is requesting the public path
    if { [HTTP::uri] contains $public_path } {
        # Internally rewrite the request to use the hidden path
        HTTP::uri $hidden_path
    }
}
But it didn't work
Rafi1 If your intent is to require a user to follow button pushes on a website rather than skipping through by specifying the path themselves then this is not the way to achieve security on your site. If the end user has to check certain boxes or provide some sort of login before they can proceed to a different path you should be able to generate a login token that the F5 can then validate exists before sending them to the path in question. Typically when you have to perform a string map it's because the server is unable to be configured to correct the path itself and you then have to make the correction on the F5 but not to obfuscate the path. You will achieve far better security with a token rather than obfuscation.
- Rafi1Cirrus
Hi,
I'm talking about an information site; the information site is located on a very important and sensitive system and they can't be separated.
So the CISO's demand is to hide the URIs, in such a case the end users can't see all the path.
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/architecture-info" } {
        HTTP::uri [string map -nocase {"/architecture-info" "/hide-uri-test/check/"} [HTTP::uri]]
    }
}
This is the result:
https://admon.siteqa.xxxx.com/architecture-info/#ArchNew3 -> https://admon.siteqa.xxxx.com/hide-uri-test/check/#ArchNew3
The issue now is that there is no hide-uri-test/check/ URI, so I'm thinking about asking the site developer to create an alias
/architecture-info/ = /hide-uri-test/check/
Do you think it could work?
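The alias idea discussed in this thread, written out as an iRule. This is an added example, not code from any poster or from F5; it assumes the thread's illustrative paths ("/button" as the public alias, "/abc/def" as the internal path) and a constructed 404 body. It matches on the path only, because the browser never sends the fragment ("#ArchNew3") to the BIG-IP.

```tcl
when RULE_INIT {
    # Illustrative values taken from the thread's example
    set static::public_prefix "/button"    ;# path the browser sees
    set static::hidden_prefix "/abc/def"   ;# path the pool member serves
}

when HTTP_REQUEST {
    # HTTP::path excludes the query string; the "#fragment" is never
    # transmitted by the client, so it cannot be matched here at all.
    set path [HTTP::path]

    # Normalise (percent-decoding, case) before the deny check so that
    # "/ABC/def" or "/%61bc/def" are treated like the internal path.
    set npath [string tolower [URI::decode $path]]
    if { $npath equals $static::hidden_prefix ||
         $npath starts_with "${static::hidden_prefix}/" } {
        # Refuse direct client requests for the internal path
        HTTP::respond 404 content "Not Found"
        return
    }

    if { $path equals $static::public_prefix ||
         $path starts_with "${static::public_prefix}/" } {
        # Replace only the leading alias; the rest of the path and the
        # query string are passed through unchanged.
        set rest [string range $path [string length $static::public_prefix] end]
        HTTP::path "${static::hidden_prefix}${rest}"
    }
}

when HTTP_RESPONSE {
    # A redirect from the server would reveal the internal path, so map
    # it back to the alias before the client sees it.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" \
            [string map [list $static::hidden_prefix $static::public_prefix] \
                [HTTP::header value "Location"]]
    }
}
```

Links inside response bodies are not rewritten by this rule, so pages that reference "/abc/def" directly will still show it to the client.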