
description: Hide your primary key values from nosy users.

Obfuscating URLs

The Wheels convention of using an auto-incrementing integer value as the primary key in your database tables will lead to a lot of URLs on your website exposing this value. Using the built-in URL obfuscation functionality in Wheels, you can hide this value from nosy users.

What URL Obfuscation Does

When URL obfuscation is turned off (which is the default setting in Wheels), this is how a lot of your URLs will end up looking:

{% code title="HTTP" %}

http://localhost:8080/user/profile/99

{% endcode %}

Here, 99 is the primary key value of a record in your users table.

After enabling URL obfuscation, this is how those URLs will look instead:

{% code title="HTTP" %}

http://localhost:8080/user/profile/b7ab9a50

{% endcode %}

The value 99 has now been obfuscated by Wheels to b7ab9a50. This makes it harder for nosy users to change the value and walk through neighbouring records, or to work out roughly how many records are in your users table, to name just two examples.

How to Use It

To turn on URL obfuscation, all you have to do is call set(obfuscateURLs=true) in the /config/settings.cfm file.

Once you do that, Wheels handles everything else. The main thing Wheels does is obfuscate the primary key value when you build links with the linkTo() function and deobfuscate it on the receiving end. Wheels also obfuscates the other params passed to linkTo(), as well as any value in a form submitted with a GET request.

In some circumstances you will need to obfuscate and deobfuscate values yourself, for example when you build a link to a page without using the linkTo() function. In these cases, use the obfuscateParam() and deObfuscateParam() functions to do the job.

Is This Really Secure?

No. This is not meant to add real security to your application. It only obfuscates the values to make casual observation harder: the transformation is deterministic and uses no secret key (deObfuscateParam() takes nothing but the value), so it is not encryption, and anyone who reads the framework source or compares a few obfuscated URLs against known keys can reverse it. Treat it as a cosmetic measure. Authorization, meaning a check that the current user is allowed to see the record a key points to, still belongs in your controllers and models; an obfuscated key is no substitute for it.

For instance, unless you restrict it in your /config/routes.cfm file, plain numeric keys still work in the URL: a request to /users/view/99 is served exactly as before, because a value that is already numeric is passed through unchanged on the receiving end. One small workaround is the routes constraints argument, which attaches a regular expression to a route variable so that the route only matches when the value fits the pattern:

{% code title="CFML" %}

mapper()
  // Only match keys that contain at least one letter, so a plain integer such
  // as 99 no longer matches this route. Assumption: obfuscated keys are
  // lowercase hex strings that always contain at least one letter a-f.
  .resources(name = "users", constraints = { key = "[a-z0-9]*[a-z][a-z0-9]*" })
  .root(to = "home##index", method = "get")
.end();

{% endcode %}

Be careful when writing this regex: \w matches digits as well as letters, so a pattern like \w+\d+ still matches any key of two or more digits (99 satisfies it as \w+ = 9 followed by \d+ = 9) and keeps nothing out. The pattern above requires a letter somewhere in the key, so purely numeric keys do not match the route at all. Even then, this is defence in depth only: it does not stop a user who has worked out the scheme from requesting another record's obfuscated key, so the ownership check described above is still required.
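As an added illustration (not code from the Wheels docs or code base), the following Python emulates what a route constraint does once the router drops it into an anchored pattern for /users/[key]; that anchored form is an assumption made here for the demonstration. It shows that the tempting \w+\d+ lets a plain integer key through while a pattern that demands a letter does not. The sample keys are constructed for the example.

```python
import re

# Constructed sample keys: a plain integer key, a key in the obfuscated shape
# the page shows (letters and digits), and a single digit.
PLAIN_KEY = "99"
OBFUSCATED_KEY = "b7ab9a50"
SINGLE_DIGIT = "7"

# A naive constraint that looks like "letters then digits" but is not, and a
# corrected one that requires at least one letter somewhere in the key.
# Assumption: obfuscated keys are lowercase hex strings containing a letter.
NAIVE_CONSTRAINT = r"\w+\d+"
FIXED_CONSTRAINT = r"[a-z0-9]*[a-z][a-z0-9]*"


def route_pattern(constraint: str) -> "re.Pattern[str]":
    """Build the anchored regex a router ends up with for /users/[key].

    Assumption for this example: the constraint replaces the [key] segment
    inside a pattern anchored at both ends that tolerates a trailing slash.
    """
    return re.compile(r"^/users/(" + constraint + r")/?$")


def key_accepted(constraint: str, key: str) -> bool:
    """True if a request to /users/<key> would match a route with this constraint."""
    return route_pattern(constraint).match("/users/" + key) is not None


def audit(constraint: str) -> dict:
    """Report which of the sample keys a constraint lets through."""
    return {
        key: key_accepted(constraint, key)
        for key in (PLAIN_KEY, OBFUSCATED_KEY, SINGLE_DIGIT)
    }


if __name__ == "__main__":
    # The naive pattern accepts 99 (\w+ takes one 9, \d+ the other) and only
    # rejects single-digit keys; the fixed pattern rejects every all-digit key.
    print("naive constraint:", audit(NAIVE_CONSTRAINT))
    print("fixed constraint:", audit(FIXED_CONSTRAINT))
```

Run it to see that the naive pattern blocks only the single-digit key, which is the opposite of what a casual reading suggests, while the fixed pattern rejects both all-digit keys and keeps the obfuscated one.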