views:

625

answers:

4

Is it dangerous to have your admin interface in a Django app accessible by using just a plain old admin URL? For security, should it be hidden under an obfuscated URL that is like a 64-bit unique UUID?

Also, if you create such an obfuscated link to your admin interface, how can you avoid having anyone find out where it is? Does the google-bot know how to find that url if there is no link to that url anywhere on your site or the internet?

+1  A: 

Assuming you've picked a good password, no, it's not dangerous. People may see the page, but they won't be able to get in anyway.

If you don't want Google to index a directory, you can use a robots.txt file to control that.

mipadi
+3  A: 

Whilst there is no harm in adding an extra layer of protection (an obfuscated URL), enforcing good password choice (checking password strength and checking it's not in a large list of common passwords) would be a much better use of your time.

andybak
+14  A: 

You might want to watch out for dictionary attacks. The safest thing to do is IP restrict access to that URL using your web server configuration. You could also rate limit access to that URL - I posted an article about this last week.

Simon Willison
+4  A: 

If a URL is nowhere on the internet, "the googlebot" can't know about it ... unless somebody tells it about it. Unfortunately many users have toolbars installed in their browser, which submit all URLs visited by the browser to various servers (e.g. Alexa, Google).

So keeping a URL secret will not work in the long run.

Also, a UUID is hard to remember and to type, leading to additional support ("What was the URL again?").

But I still strongly suggest changing the URL (e.g. to /myadmin/). This will foil automatic scanning and attack tools. So if one day a "great Django worm" hits the Internet, you have a much lower chance of being hit.

People using phpMyAdmin have had this experience over the last few years: changing the default URL avoids most attacks.

mdorseif
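The two server-side measures recommended above (Simon Willison's IP restriction and rate limiting, and mdorseif's non-default admin prefix) combined into one small guard, as an added example that is not from any of the answers or from Django itself. The prefix `/myadmin/`, the allowlisted networks and the limits are constructed values, and the `AdminGuard` class with its `check`/`record_failure` methods is a hypothetical piece a Django middleware would call; it uses only the standard library so it runs stand-alone.

```python
import ipaddress
from collections import defaultdict, deque

# Non-default admin prefix, as the last answer suggests (illustrative value).
ADMIN_PREFIX = "/myadmin/"
# Constructed allowlist: the networks an administrator is expected to use.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]
MAX_FAILURES = 5        # failed admin logins tolerated per IP ...
WINDOW_SECONDS = 300    # ... within this sliding window


class AdminGuard:
    """Decide whether a request to the admin prefix may proceed.

    Two checks: the client IP must fall inside an allowlist (what a web
    server allow/deny rule does), and an IP that has failed too many admin
    logins inside the window is throttled, which blunts dictionary attacks.
    Hypothetical wiring: a Django middleware calls check() per request and
    record_failure() after a failed admin login.
    """

    def __init__(self, allowed_nets=ALLOWED_NETS, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS):
        self.allowed_nets = list(allowed_nets)
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of failures

    def ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed_nets)

    def _prune(self, ip, now):
        """Drop failure timestamps that have aged out of the window."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, path, ip, now):
        """Return 'pass', 'forbidden' (IP not allowlisted) or 'throttled'."""
        if not path.startswith(ADMIN_PREFIX):
            return "pass"                    # only the admin prefix is guarded
        if not self.ip_allowed(ip):
            return "forbidden"
        if len(self._prune(ip, now)) >= self.max_failures:
            return "throttled"
        return "pass"

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)
```

Because the allowlist and counters live in process memory here, a multi-process deployment would keep the failure counts in a shared store such as the cache backend.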