
How do I encrypt a certain part of the URL in a RESTful web service? E.g.

 `www.xyz.com?q=23223`

Should convert to

`www.xyz.com?q=dn894ru4j5j49i8t5jt49t89jn`

Can this be implemented on the server side? The pages are scripted using JavaScript.

gforce91
  • Why do you want to "encrypt the URL"? Are you talking about transmitting a transaction token or some other kind of authentication? – nameless912 Jul 31 '15 at 15:38
  • It contains parameters like empid. The URL is a link for a Kibana Dashboard. www.xyz.com?empid=123 will open a dashboard relating to emp=123. So if someone changes the link to www.xyz.com?empid=222, he can see 222's data. The dashboard is in Kibana and has data about 100+ users. Therefore 100+ URLs – gforce91 Jul 31 '15 at 15:50
  • If you encrypt the URL using JavaScript... anyone can copy your encryption mechanism and encrypt similar URLs. You need to create a hash for every id to include and use in your REST services instead of the sequential id. – Danyel Cabello Jul 31 '15 at 16:11
  • It sounds an awful lot like you should require your users to authenticate and be authorized to access a URI. You're opening yourself up to attacks where malicious clients generate query strings and send them to your API to see what they get back. – Eric Stein Aug 03 '15 at 14:13
  • There is an authentication in place to login to access the dashboard. But I want that specific logged in user to see only his dashboard and nothing else. How can I solve that problem? If the URL is encrypted then even a malicious client has to try to guess the encryption key for the server to understand which sounds a lot like impossible. – gforce91 Aug 04 '15 at 13:48
  • Why can't you filter the response from the back end based on what dashboard data the logged in user can see? As far as encryption, are you talking about the client encrypting the URL itself, or receiving encrypted URLs from the server that it can follow? As @DanyelDarkcloud said, any kind of client-side encryption is vulnerable. – Eric Stein Aug 04 '15 at 16:49
  • Also, if you want a timely response, make sure to tag your comment with the userid of the person it's directed at, as I did with Danyel in the comment above. – Eric Stein Aug 04 '15 at 16:50
  • The encryption will be on the server side. There is no client side encryption. The server will know the original URL and the encrypted URL. – gforce91 Aug 05 '15 at 18:24
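
An added example (not code from the question or its comments) combining the two ideas raised in the comments: the server issues an opaque, authenticated value for the query parameter, and the back end still checks it against the logged-in user. The names `encryptId`, `decryptId`, `resolveDashboard`, the session shape and the in-memory key are assumptions made for illustration.

```javascript
// Added example: names, key handling and session shape are assumptions.
const crypto = require('node:crypto');

// Constructed key for the demo; a real server loads a persistent secret.
const KEY = crypto.randomBytes(32);

// Server side: turn an empid into an opaque, tamper-evident q= value.
function encryptId(empId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([cipher.update(String(empId), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Returns the empid string, or null if the value was modified or made up.
function decryptId(token) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 29) return null; // 12-byte IV + 16-byte tag + data
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// The access decision uses the logged-in session, not the URL alone:
// a leaked or shared link for another employee is still refused.
function resolveDashboard(session, token) {
  if (!session || session.empId == null) return { status: 401 };
  const empId = decryptId(token);
  if (empId === null) return { status: 400 };
  if (empId !== String(session.empId)) return { status: 403 };
  return { status: 200, empId };
}

// Constructed sample: user 123 is logged in.
const session = { empId: 123 };
console.log(resolveDashboard(session, encryptId(123)).status); // own dashboard
console.log(resolveDashboard(session, encryptId(222)).status); // someone else's link
console.log(resolveDashboard(session, '222').status);          // guessed plain id
```

The encrypted parameter only stops guessing of ids; the comparison against the session is what keeps one logged-in user out of another user's dashboard.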

0 Answers