A warning to webmasters: don’t rely on secret URLsMarch 26, 2009 | 6:52 pm
I’m sure I’m not alone in creating administration pages for websites that under development, and relying on the fact the URL is unknown to keep them private (until the site is launched of course).
I currently have a large project under development, which has a number of administration functions that are executed by visting a certain URL (in this case refreshing product information and wiping cache tables). I got a call from the customer telling me that the cache kept disapearing without him running the function, and I knew I hadn’t.
After checking my code, and looking at the data to check if the data really was missing, I decided to check the Apache access logs.
A quick grep told me that the admin URL had been accessed, not by me or the customer, but by Alexa! This had caused the cache to be wiped (correctly as it turns out, since that was what it was meant to do).
I have a firefox plugin on my main office PC that tells me the Alexa ratiung of any sites I visit. Clearly they also spider any URLs they don’t know about!
I quickly added password protection to the admin pages, and will make sure it’s the first thing I do in future. I don’t think (I hope) that they are publicising these private URLs, but visiting them is bad enough. I will of course be removing the Alexa plugin when I get back to the office.