Forum Discussion

Rafi1's avatar
Rafi1
Icon for Cirrus rankCirrus
Aug 15, 2023

Hide uri on client side

Hi,

Need irule or policy to hide uri from client side

Example:

User press on icon on the website which point him to -> https://web.com/abc/def

I need that the user will see in his browser only https://web.com without /abc/def but the content page will be from https://web.com/abc/def,

The goal is to hide "/abc/def"

I saw several questions like this in devcentral but none of them fit

 

Thanks in advanced

  • Rafi1 That is definitely possible but keep in mind that while the client sees path "/abc/def" the server will see only "/" which is the root of the website. So if you decide to change all paths that the client sees to "/" just make sure that the path "/" has all the content that you're looking for. Again, this is another reason why obfuscating the path really isn't the path to go down to provide security for your website over something such as a login token or any other security measure you can take over obfuscation.

8 Replies

  • Rafi1 As long as you will always change HTTP Path "/" to "/abc/def" this would work but purely based on how most websites function it seems like "/" is the default web page for the website so this will most likely cause issues for you. This would be easier to achieve if you had lets say path "/button" the hidden path for "/abc/def" and could be achieved using string map. What is the reason to hide the HTTP path from the end user?

  • Hi Pailus,

    Are you mean that "/button" will hide ""/abc/def"  ? some kind of alias ? 

    Ithink it will be fine

    The reason is security of course, the the web site is very sensitive and we need to "hide" some uri so attacker will not try to manipulate the site with the uri changes (The goal is to hide the web site  paths)

    I tried some irules like:

    when HTTP_REQUEST {
    # Define your public path and your hidden path
    set public_path "/#ArchNew3"
    set hidden_path "/architecture-info/#ArchNew3"

    # Check if the user is requesting the public path
    if { [HTTP::uri] contains $public_path } {
    # Internally rewrite the request to use the hidden path
    HTTP::uri $hidden_path
    }
    }

    But it didnt work

    • Rafi1 If your intent is to require a user to follow button pushes on a website rather than skipping through by specifying the path themselves then this is not the way to achieve security on your site. If the end user has to check certain boxes or provide some sort of login before they can proceed to a different path you should be able to generate a login token that the F5 can then validate exists before sending them to the path in question. Typically when you have to perform a string map it's because the server is unable be configured to correct the path itself and you then have to make the correction on the F5 but not to obfuscate the path. You will achieve far better security with a token rather than obfuscation.

      • Rafi1's avatar
        Rafi1
        Icon for Cirrus rankCirrus

        Hi,

        I'm talking abot Information site, the inforamtion site located on very importent and sensitive system and they can't be sapareted,

        So the ciso demand is to hide the uri's in such case the end users cant see all the path

        when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/architecture-info" } {
        HTTP::uri [string map -nocase {"/architecture-info" "/hide-uri-test/check/"} [HTTP::uri]]
        }
        }

        This is te resault:

        https://admon.siteqa.xxxx.com/architecture-info/#ArchNew3 -> https://admon.siteqa.xxxx.com/hide-uri-test/check/#ArchNew3

         

        The issue now is that, there is no  hide-uri-test/check/ uri, so i thinking about ask the site developer to create  alias 

        /architecture-info/ = /hide-uri-test/check/

         

        Do you think it could work?