Visible admin urls?

Hi all,

I was looking at my logs today and noticed a bunch of hits like this: - - [20/Mar/2006:08:41:01 -0800] “GET
/articles/tag/credit HTTP/1.1” 200 9386 “-” “Java/1.5.0_06” “-” - - [20/Mar/2006:08:41:29 -0800] “GET
/admin/content/edit/38 HTTP/1.1” 302 119 “-” “Java/1.5.0_06” “-” - - [20/Mar/2006:08:41:32 -0800] “GET
/admin/content/edit/39 HTTP/1.1” 302 119 “-” “Java/1.5.0_06” “-” - - [20/Mar/2006:08:41:35 -0800] “GET
/admin/content/edit/34 HTTP/1.1” 302 119 “-” “Java/1.5.0_06” “-” - - [20/Mar/2006:08:41:37 -0800] “GET
/admin/content/edit/37 HTTP/1.1” 302 119 “-” “Java/1.5.0_06” “-”

(Nevermind that this particular bot doesn’t seem to follow robots.txt)

It kind of freaked me out, so I looked into the issue a little bit
more and noticed this in the code:


Is there any reason this stuff should be visible to someone who isn’t
even logged in? Can’t we hide it server side or something? OK - bad
idea because of the caching - but how about at least obscuring the
link with javascript or something? I don’t mean something spammy with
lots of string concatenation, but how about just a function in a
peripheral .js file that does a document.write of the link?

I realize that the link won’t do anything without authentication (as
shown in the redirect from the logs), but it still makes me a little
bit paranoid that it’s there. Why show all of your houseguests the
exact location of the floor safe if you don’t have to?

OK. That’s all - sorry, I’m going to take a deep breath and calm down.
Am I overreacting, or does anyone else find this a bit scary?

Thanks for listening.


Well, anybody who’s ever looked at typo will be able to figure out
the path pretty easily anyhow. If your login is secure, trying to
obscure the path here isn’t going to do anything at all. That would
be like closing the window while the door is wide open.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs