DEV Community

aurel kurtula

How do "public but secret" URLs work

Draft posts here have the warning

Unpublished Post. This URL is public but secret, so share at your own discretion. Click to edit.

Quick questions:

  1. How private are they if I do not share the url?
  2. How could I implement my own public but private pages?

I'm not questioning dev.to's security or anything like that, not important. Just, say a client comes to me and says "hey Aurel we want that feature", I wouldn't have a clue where to start.

And, could I create such a feature in GitHub Pages for example, or is this a host/server configuration thing? Long ago I wanted to be able to host Jekyll in GitHub Pages but as a private diary. Would this technique have worked?

Top comments (8)

Meghan (she/her)

There are a number of ways to hide content, but what I believe dev.to does is that when you save a post but don’t publish it, it generates a proper post URL but doesn’t add it to the homepage queue of posts. So people can still view the post if you give them the direct URL, but it won’t show up in any feeds.

Ben Halpern

Yep, the obfuscated URL is basically the password. It's completely private if you never give it out. Other services do this. If I recall correctly, Craigslist even lets you edit posts this way.

aurel kurtula

But would it not be visible to search engine crawlers and found that way? Is there something stopping the crawlers, or is that not how they work?

Meghan (she/her) • Edited

1) Search engine crawlers only follow links, which there are none unless the OP puts them out there,

2) and you could also have server code that is something along the lines of

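// Case-insensitive match, so "Googlebot" and a User-Agent starting with "Bot" are both caught
if (header('User-Agent').toLowerCase().indexOf('bot') >= 0) {
    // respond with blank or 404
}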
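
One way to implement what the comments above describe (an unguessable URL acting as the password, kept out of feeds and search indexes), as an added example that is not dev.to's code or part of the original thread. The in-memory `POSTS` store, the function names and the choice of response headers are assumptions made for illustration.

```python
import secrets

# Constructed in-memory store standing in for a posts table (hypothetical schema).
POSTS = {}

# Headers sent only with unpublished posts (an assumption, not dev.to's config).
DRAFT_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",   # ask crawlers not to index the page
    "Referrer-Policy": "no-referrer",      # keep the slug out of outbound Referer
    "Cache-Control": "private, no-store",  # keep the page out of shared caches
}

def new_slug():
    # 16 bytes (128 bits) from the OS CSPRNG; the slug is the only credential.
    return secrets.token_urlsafe(16)

def create_draft(title, body):
    """Store an unpublished post and return its secret slug."""
    slug = new_slug()
    POSTS[slug] = {"title": title, "body": body, "published": False}
    return slug

def public_feed():
    """Feeds, listings and sitemaps include published posts only."""
    return [p["title"] for p in POSTS.values() if p["published"]]

def view_post(slug):
    """Handle GET /posts/<slug>; returns (status, headers, body)."""
    post = POSTS.get(slug)
    if post is None:
        # Same answer for a wrong guess and for a revoked link.
        return 404, {}, "Not found"
    headers = {} if post["published"] else dict(DRAFT_HEADERS)
    return 200, headers, post["body"]

def rotate_slug(old_slug):
    """Revoke a leaked link by moving the draft to a fresh slug."""
    fresh = new_slug()
    POSTS[fresh] = POSTS.pop(old_slug)
    return fresh
```

Rotating the slug is the only way to revoke access here, since anyone holding the old URL has the credential.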
Gerasimos (Makis) Maropoulos

I believe that they have a field somewhere like "public": 0 for false (private), 1 for true (public). On the internal fetch of the articles, if it is '0' then they just skip it and don't add it to the list, whatever article list that is, except when the user sees his own profile, so the author_id is the same as the logged-in user; then it fetches it, and the client side can generate a URL based on the title, the time and the author. There is no need for a true URL link if it is not published. However, I don't know how dev.to works internally, but I assume this is a good and secure solution, so no one can see the link of a private/unpublished article because it doesn't exist yet.

 
Nitzan Aviram

I am not sure that those URLs are 100% secret. Browser extensions and desktop applications can technically record the visited URLs and hand them off to search engine robots. I have no idea at all whether it is happening in practice.
It is just an idea that is technically possible, so don't panic :). But I wouldn't be surprised if it does happen, would you?

Have you seen that SimilarWeb lists domains that the users of a website also visited? This is how people can learn about the internal dashboards of companies, because their workers surf to the dashboards just after visiting the external sites.

aurel kurtula

Yes, that's what I meant.

Regardless of the unique and hard to guess URL, would it not be indexed by search engines, hence found that way?

 
aurel kurtula

Great.

Now I get it.

Thanks