Are secret URLs truly secure?

挽巷
挽巷 2020-12-13 02:11

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was on

9 answers
    一向 (original poster)
    2020-12-13 03:01

    The reason using a "secret URL" is usually insecure is not because it is "security through obscurity". In information theory, a secret URL is no different than a password or private key. Are passwords and private keys considered a poor practice because they are "security through obscurity"? No.

    So what's the difference between a hard-to-guess URL and a hard-to-guess password?

    The difference is in the myriad of insecure places and ways that URLs are stored, displayed, and transmitted. Examples:

    1. In web browser address bars, histories, and caches*
    2. HTTP Referer headers sent to other sites*
    3. In web server access logs*
    4. In proxy and layer 7 firewall access logs
    5. In packet dumps
    6. In web stats traffic reports (e.g. AWStats, Google Analytics)*

    HTTPS can protect some of these, but not all of them (items marked with a * are not protected by using HTTPS).

    In a highly controlled environment, hard-to-guess URLs can be secure. But when using common web browsers, web servers and web frameworks, hard-to-guess URLs should not be relied upon unless no other option exists (and even then you should consider carefully).
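An added example, not from the original post or its author, showing the defensive handling the answer implies when a secret URL cannot be avoided: the token is generated with password-grade entropy and stored only as a hash (the answer's point that a secret URL is informationally a password), the secret part is redacted before access-log lines are written (items 3, 4 and 6, which HTTPS does not cover), and the page is served with headers that stop the URL being sent as a Referer to other sites (item 2) or kept in caches (item 1). The `/s/` prefix, the `TOKEN_STORE` table and the log line are constructed for this example; `Referrer-Policy`, `Cache-Control` and `X-Robots-Tag` are standard HTTP response headers.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional

# Hypothetical server-side store, constructed for this example: maps the SHA-256
# of an issued token to the resource it unlocks. Only the hash is kept, the same
# way a password is stored, so a copy of this table does not yield working URLs.
TOKEN_STORE: Dict[str, str] = {}

SECRET_PREFIX = "/s/"  # assumed path prefix for capability URLs in this example
_SECRET_PATH_RE = re.compile(r"/s/[A-Za-z0-9_-]+")
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # shape of secrets.token_urlsafe(32)


def _digest(token: str) -> str:
    """One-way hash of a token; the stored value never equals the secret itself."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_secret_path(resource_id: str) -> str:
    """Mint a hard-to-guess path for resource_id with password-grade entropy."""
    token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe base64 (43 chars)
    TOKEN_STORE[_digest(token)] = resource_id
    return SECRET_PREFIX + token


def resolve_secret_path(path: str) -> Optional[str]:
    """Return the resource a secret path unlocks, or None if unknown or malformed."""
    if not path.startswith(SECRET_PREFIX):
        return None
    token = path[len(SECRET_PREFIX):]
    if not _TOKEN_RE.fullmatch(token):
        return None  # rejects traversal-like or truncated paths before any lookup
    return TOKEN_STORE.get(_digest(token))


def revoke_secret_path(path: str) -> bool:
    """Invalidate a secret path (e.g. after a suspected leak). True if it existed."""
    if not path.startswith(SECRET_PREFIX):
        return False
    return TOKEN_STORE.pop(_digest(path[len(SECRET_PREFIX):]), None) is not None


def scrub_log_line(line: str) -> str:
    """Redact the secret part of a capability URL before the line reaches an
    access log, proxy log or stats report, none of which HTTPS protects."""
    return _SECRET_PATH_RE.sub(SECRET_PREFIX + "[REDACTED]", line)


def secret_page_headers() -> Dict[str, str]:
    """Response headers for a page served at a secret URL: no Referer to third
    parties, no storage in shared or browser caches, no search-engine indexing."""
    return {
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
        "X-Robots-Tag": "noindex, nofollow",
    }


if __name__ == "__main__":
    path = issue_secret_path("report-42")
    print(path, "->", resolve_secret_path(path))
    # Constructed combined-format access log line carrying the secret path
    raw = (f'10.0.0.5 - - [13/Dec/2020:02:11:00 +0000] "GET {path} HTTP/1.1" '
           f'200 512 "-" "curl/7.64"')
    print(scrub_log_line(raw))
    print(secret_page_headers())
```

Note that none of this addresses browser history or packet dumps on the client side; those are the reasons the answer still advises against relying on such URLs at all. Links out of a secret page should additionally carry `rel="noreferrer"` in case the header is stripped by an intermediary.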
