Forum Discussion
refra_151287
Cirrus
CirrusURL Hashing OR URL decoding
I've an issue, and we want to hash the URI (or encoding) in other words I don't want the user to see the original URL that the server sent, we want the user to see just decoded value, is there any wa...
Brad_ParkerCirrus
CirrusYou understand that this will require you to rewrite every resource on the site that the server sends in its responses. This will not be an easy task. Any particular reason you want to do this? Would it be easier to sanitize specific data?
refra_151287it's a customer request, I offered all changes he can use to protect the parameter, or the url such as dynamic parameter tampering, url flow, login enforcement, but he want to encode the url, till now i don't know the reason for security reasons at the info sec team, and it's a financial firm . so i'm trying to encode the uri in the response and decode the request form the client, but i'm still in the beginning, so i'm asking if there's any irule to accelerate the progress, even if it did an issues, just to convince them :)- Brad_ParkerSecurity through obscurity is not security, it is just obscurity. With that said, I guess the customer is always right even when they aren't. Hashing the URL in and of itself provides no security as you can still replay the hashed url. One thing you could do that will provide security and hash the url would be to use APM portal access. The will enforce logon and mask the "real" URL. Granted, it will still only be a base64 encoded url, Maybe this will satisfy your customer's requirements.
- refra_151287Thanks Brad you're totally right, I shouldn't go in the wrong way :)
