I am developing a web app which currently does not have authentication/authorization mechanism. But I still want to add an admin url from which I can add content. The admin url is not revealed to users and is hard to guess (a url like /mysupersecretadmin) but it does not have any authentication. So anyone who has the url, can post stuff to the app.The app uses https exclusively.
I'm wondering how insecure is this practice?
Asked
Active
Viewed 71 times
1
Karlom
- 135
- 1
- 6
-
There's only one answer to this and that's "very!" – Jeroen Sep 01 '17 at 11:52
-
what you described is called "security by obscurity" - if you search that term here, you will find that it has been answered multiple times – schroeder Sep 01 '17 at 11:52
-
3it's as secure as keeping your key under your doormat - as soon as someone knows where it is (or looks for it), there is no security anymore - there is no graceful failure, it's all or nothing – schroeder Sep 01 '17 at 11:54
-
1Whatever web application container you are running this webapp in, has some basic authentication features built-in. Well, literally it is called Basic Authentication. At a minimum, please learn how to enable basic auth and require basic auth to that admin URL. That wouldn't be great security, but if the sensitivity of the page is such that you are pondering no real security then basic auth is likely appropriate. – Thomas Carlisle Sep 01 '17 at 12:54
-
1Why don't you try it? Use some tools that look for this kind of thing and see if you can discover it. Read this post for some ideas on how to start https://security.stackexchange.com/questions/39930/automated-url-discovering – iainpb Sep 01 '17 at 13:09