Is it safe to use a UUID in a URL for semi-private data?

924 views security
6

I run a landscaping company and have multiple crews. I want to provide each one with a custom URL (like mysite.com/xxxx-xxxx-xxxx) that shows their daily schedule. Going to the page will list the name, address and phone number of 5-10 customers for the day.

Is it safe/wise to use a UUID in a URL for semi-private data?


1 Answer

0

Depends on how safe you want it to be.

Are the UUIDs used for anything else? If not, they are fine for creating random URLs.

But, browser history would allow anyone using the same machine to find the URLs. Also, unless using HTTPS, a network sniffer could easily see the requested URLs and go to the same page.

Another concern is spider bots. Make sure nothing links to those pages, use a robots.txt to prevent indexing the site, but you still might find that some of the pages show up on search engines. It might be better to have the UUID set in a cookie and check that for determining which employee it is, lest your semi-private pages start showing up on Google.

posted this
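The points in the answer above (random UUIDs, HTTPS only, no indexing, UUID moved into a cookie) combined in one request handler, as an added example that is not part of the original answer. The `/s/` path, the `crew_token` cookie name and the in-memory `CREWS` store are assumptions made for illustration.

```python
import hashlib
import uuid

# Hypothetical store: SHA-256 of each crew's token -> crew name (constructed data).
CREWS = {}
# Sent on every response: keep pages out of search indexes, caches and Referer headers.
BASE_HEADERS = {"X-Robots-Tag": "noindex, nofollow",
                "Cache-Control": "no-store",
                "Referrer-Policy": "no-referrer"}

def issue_crew_url(crew, base="https://mysite.com"):
    """Create a random (version 4) UUID link; only its hash is stored server-side."""
    token = str(uuid.uuid4())
    CREWS[hashlib.sha256(token.encode()).hexdigest()] = crew
    return f"{base}/s/{token}"

def lookup(token):
    """Return the crew for a token, or None. Non-random UUID versions are rejected."""
    try:
        parsed = uuid.UUID(token)
    except ValueError:
        return None
    if parsed.version != 4:  # e.g. version 1 embeds a timestamp and node id
        return None
    return CREWS.get(hashlib.sha256(str(parsed).encode()).hexdigest())

def handle(scheme, path, cookies):
    """Return (status, headers, body) for one request."""
    headers = dict(BASE_HEADERS)
    if scheme != "https":
        return 400, headers, "HTTPS required"  # never accept the token in cleartext
    if path.startswith("/s/"):
        token = path[len("/s/"):]
        if lookup(token) is None:
            return 404, headers, "Not found"
        canonical = str(uuid.UUID(token))
        # Move the token into a cookie; the schedule URL itself then holds no secret.
        headers["Set-Cookie"] = (f"crew_token={canonical}; Secure; HttpOnly; "
                                 "SameSite=Lax; Path=/")
        headers["Location"] = "/schedule"
        return 303, headers, ""
    if path == "/schedule":
        crew = lookup(cookies.get("crew_token", ""))
        if crew is None:
            return 403, headers, "Open your crew link first"
        return 200, headers, f"Schedule for {crew}"
    return 404, headers, "Not found"
```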
