
How do "public but secret" URLs work

aurel kurtula ・1 min read

Draft posts here have the warning

Unpublished Post. This URL is public but secret, so share at your own discretion. Click to edit.

Quick questions:

  1. How private are they if I do not share the url?
  2. How could I implement my own public but private pages?

I'm not questioning dev.to's security or anything like that, not important. Just, say a client comes to me and says "hey Aurel we want that feature", I wouldn't have a clue where to start.

And could I create such a feature in GitHub Pages, for example, or is this a host/server configuration thing? Long ago, I wanted to be able to host Jekyll in GitHub Pages but as a private diary. Would this technique have worked?

Discussion

There are a number of ways to hide content, but what I believe dev.to does is that when you save a post but don’t publish, it generates a proper post URL but doesn’t add it to the homepage queue of posts. So people can still view the post if you give them the direct URL, but it won’t show up in any feeds.

 

Yep, the obfuscated URL is basically the password. It's completely private if you never give it out. Other services do this. If I recall correctly, Craigslist even lets you edit posts this way.

 

But would it not be visible to search engine crawlers and found that way? Is there something stopping the crawlers, or is that not how they work?

1) Search engine crawlers only follow links, which there are none unless the OP puts them out there,

2) and you could also have server code that is something along the lines of

// header() stands in for your framework's request-header lookup
if ((header('User-Agent') || '').indexOf('Bot') !== -1) {
    // respond with blank or 404
}
 

I believe that they have a field somewhere like "public", 0 for false (private), 1 for true (public), and on internal fetch of the articles, if '0', then just skip that and don't add it to the list, whatever article list that is, except when the user sees his own profile, so the author_id is the same as the logged-in user; then it fetches it, and client-side can generate a URL based on the title, the time and the author, no need to be a true URL link if not published. However, I don't know how dev.to works internally, but I assume this is a good and secure solution, so no one can see the link of a private/unpublished article because it doesn't exist yet.

I am not sure that those URLs are 100% secret. Browser extensions and desktop applications can technically record the visited URLs and hand them off to search engine robots. I don't have any idea at all if it is happening in practice.
It is just an idea that is technically possible, so don't panic :). But I wouldn't be surprised if it does happen, would you?

Have you seen SimilarWeb, which lists domains that the users of the website also visited? This is how people can know the internal dashboards of companies, because their workers surf to the dashboards just after visiting the external sites.

 

Yes, that's what I meant.

Regardless of the unique and hard to guess URL, would it not be indexed by search engines, hence found that way?
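
An added example (not part of the original thread, and not dev.to's actual code) of the pattern the answers describe: the draft URL carries a random token that acts as the password, drafts are left out of feeds, and the response asks crawlers not to index it. All names (createPost, urlFor, feed, handle) and the in-memory posts array are hypothetical; it does not address URLs leaking through extensions or browser history, which the thread also raises.

```javascript
const crypto = require('node:crypto');

// In-memory stand-in for a posts table (constructed sample storage).
const posts = [];

const slugify = (title) =>
  title.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-+|-+$/g, '');

// Drafts get a 128-bit token from the OS CSPRNG; that token is the only secret.
function createPost(title, body, published) {
  const token = published ? null : crypto.randomBytes(16).toString('hex');
  const post = { slug: slugify(title), token, body, published };
  posts.push(post);
  return post;
}

const urlFor = (p) =>
  p.published ? `/posts/${p.slug}` : `/drafts/${p.slug}-${p.token}`;

// Feeds, sitemaps and listings are built from published posts only.
const feed = () => posts.filter((p) => p.published).map(urlFor);

// Constant-time comparison; both inputs are 32 hex characters here.
const tokenMatches = (a, b) =>
  crypto.timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'));

const NOT_FOUND = { status: 404, headers: {}, body: 'Not found' };

// Framework-free request handler: path in, response description out.
function handle(path) {
  const draft = /^\/drafts\/(.+)-([0-9a-f]{32})$/.exec(path);
  if (draft) {
    const post = posts.find((p) => !p.published && p.slug === draft[1] &&
      tokenMatches(p.token, draft[2]));
    if (!post) return NOT_FOUND; // same answer for wrong token and unknown slug
    return {
      status: 200,
      headers: {
        'X-Robots-Tag': 'noindex, nofollow', // ask crawlers not to index it
        'Referrer-Policy': 'no-referrer',    // keep the URL out of Referer
        'Cache-Control': 'private, no-store',
      },
      body: post.body,
    };
  }
  const pub = /^\/posts\/([a-z0-9-]+)$/.exec(path);
  const post = pub && posts.find((p) => p.published && p.slug === pub[1]);
  return post ? { status: 200, headers: {}, body: post.body } : NOT_FOUND;
}
```

On a static host with no server-side code, the same idea reduces to publishing the page under an unguessable path and keeping it out of any generated index or sitemap.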
