Hide uri on client side

Question

Hi,Need irule or policy to hide uri from client sideExample:User press on icon on the website which point him to -&gt; https://web.com/abc/defI need that the user will see in his browser only&nbsp;https://web.com&nbsp;without /abc/def but the content page will be from&nbsp;https://web.com/abc/def,The goal is to hide "/abc/def"I saw several questions like this in devcentral but none of them fit&nbsp;Thanks in advanced

paulius · Accepted Answer

Rafi1 That is definitely possible but keep in mind that while the client sees path "/abc/def" the server will see only "/" which is the root of the website. So if you decide to change all paths that the client sees to "/" just make sure that the path "/" has all the content that you're looking for. Again, this is another reason why obfuscating the path really isn't the path to go down to provide security for your website over something such as a login token or any other security measure you can take over obfuscation.

paulius · Answer

Rafi1 As long as you will always change HTTP Path "/" to "/abc/def" this would work but purely based on how most websites function it seems like "/" is the default web page for the website so this will most likely cause issues for you. This would be easier to achieve if you had lets say path "/button" the hidden path for "/abc/def" and could be achieved using string map. What is the reason to hide the HTTP path from the end user?

rafi1 · Answer

Hi Pailus,Are you mean that "/button" will hide ""/abc/def"&nbsp; ? some kind of alias ?&nbsp;Ithink it will be fineThe reason is security of course, the the web site is very sensitive and we need to "hide" some uri so attacker will not try to manipulate the site with the uri changes (The goal is to hide the web site&nbsp; paths)I tried some irules like:when HTTP_REQUEST {# Define your public path and your hidden pathset public_path "/#ArchNew3"set hidden_path "/architecture-info/#ArchNew3"# Check if the user is requesting the public pathif { [HTTP::uri] contains $public_path } {# Internally rewrite the request to use the hidden pathHTTP::uri $hidden_path}}But it didnt work

paulius · Answer

Rafi1 If your intent is to require a user to follow button pushes on a website rather than skipping through by specifying the path themselves then this is not the way to achieve security on your site. If the end user has to check certain boxes or provide some sort of login before they can proceed to a different path you should be able to generate a login token that the F5 can then validate exists before sending them to the path in question. Typically when you have to perform a string map it's because the server is unable be configured to correct the path itself and you then have to make the correction on the F5 but not to obfuscate the path. You will achieve far better security with a token rather than obfuscation.

rafi1 · Answer

Hi,I'm talking abot&nbsp;Information site, the inforamtion site located on very importent and sensitive system and they can't be sapareted,So the ciso demand is to hide the uri's in such case the end users cant see all the pathwhen HTTP_REQUEST {if { [string tolower [HTTP::uri]] contains "/architecture-info" } {HTTP::uri [string map -nocase {"/architecture-info" "/hide-uri-test/check/"} [HTTP::uri]]}}This is te resault:https://admon.siteqa.xxxx.com/architecture-info/#ArchNew3 -&gt; https://admon.siteqa.xxxx.com/hide-uri-test/check/#ArchNew3&nbsp;The issue now is that, there is no&nbsp;&nbsp;hide-uri-test/check/ uri, so i thinking about ask the site developer to create&nbsp; alias&nbsp;/architecture-info/ =&nbsp;/hide-uri-test/check/&nbsp;Do you think it could work?

paulius · Answer

Rafi1 Even with an alias you would still have an instance where they user can still get to the destination just using a different path. In this instance you are better off obfuscating this on the server side rather than the F5. I would be interested in knowing what CISO has listed as the policy that you are attempting to solve for. I can see stripping local device name or IP address if it's provided in the response to the client but other than that obfuscating the response rather than implementing security features such as login tokens and the like is not a superior security stance.

Forum Discussion

Hide uri on client side

8 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Enhance your Application Security using Client-side signals

Configuring APM Client Side NTLM Authentication

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

Automation of F5 Distributed Cloud Platform Client-Side Defense feature - Part I

iRule to hide URI from client side