What is a practice approach to hide the private UR

Published 2019-08-20 18:06

Question:

I haven't found a good solution to this problem and hope somebody has already done something similar.

I wrote a javascript program to load a list of images stored on my server, but I don't want a user to know the directory of my images.

var img1 = new Image();
img1.src = "my_img_directory/img1.png";

var img2 = new Image();
img2.src = "my_img_directory/img2.png"; // fixed: the original assigned img2's path to img1.src

In this example, the user will know where I store img1 and img2 on my webserver. Is there a way to prevent them from seeing the URL?

I am thinking about replacing the URL with some random string. For example, I can do something like this:

var img1 = new Image();
img1.src = decode_URL("auiopjlnad103k");

But then I still have to map that random string with an absolute path. A user can look at how decode_URL translates the random string to the absolute URL.

If I decrypt the random string on the client, a user will figure out the private key and be able to figure out the URL.

Looks like I ran out of ideas. Is this something that can't be done on the client side alone? Any tip or help will be greatly appreciated!

Thank you.

Answer 1:

There is nothing stopping people from simply sniffing the incoming HTML in a tool like Firebug and seeing the entire conversation with your server.

One alternative is to have a proxy send out the images by sending out a MIME header and streaming the image contents from server-side code. Then images look like they're coming from imageserver.php?id=349857348975 or something.

You'd use: <img src="imageserver.php?id=349857348975" /> in your HTML



Answer 2:

There really should be no reason to hide the directory path on your server. If you are using direct URLs to your images, then you can't hide that fact. Anyone who runs any sort of network sniffer or browser developer tool (Firebug, Chrome inspector, etc...) or any type of network proxy like Fiddler can see what the browser is fetching: path, filename and all. I'd say it really isn't worth hiding what requests are being made.

The server can be configured to not permit directory listings so nobody can see what else might be in that directory.

As Diodeus mentioned, you can hide any notion of a path by having a server-side script serve up your images. But, I don't know what you're gaining. The request has to have identifying information in it which will fetch the images which is really no different than path/filename info in what it reveals on a properly protected server.

If you only want "authenticated" users to have access to this information then you will need to enforce that on the server-side by checking for authentication credentials (probably a login cookie) before you grant access to the images. In any case, this is mostly server-side work.
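The server-side image proxy that both answers describe (an opaque id in the URL, a login cookie checked before anything is served), as an added example that is not code from either answer. It assumes a hypothetical `serve_image` handler, a constructed id-to-filename map and a constructed session table, and returns the response as a tuple so the logic can be exercised without a web server.

```python
import mimetypes
from pathlib import Path

# Constructed sample data. The real directory stays on the server; the
# browser only ever sees the opaque id in imageserver?id=<id>.
IMAGE_ROOT = Path("private_images")                # assumed location, never sent to the client
IMAGE_IDS = {                                      # opaque id -> filename inside IMAGE_ROOT
    "349857348975": "img1.png",
    "a1b2c3d4e5f6": "img2.png",
}
SESSIONS = {"session-abc": "alice"}               # constructed: login cookie value -> user


def serve_image(image_id, cookies, read_file=lambda p: p.read_bytes()):
    """Handle GET imageserver?id=<image_id>.

    Returns (status, headers, body). `read_file` is injectable so the
    authorization and lookup logic can be tested without files on disk.
    """
    # 1. Authenticate first: an unauthenticated request learns nothing,
    #    not even whether the id exists.
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, {"Content-Type": "text/plain"}, b"login required"

    # 2. The id is a lookup key, never a path fragment, so a client cannot
    #    steer the handler toward arbitrary files.
    filename = IMAGE_IDS.get(image_id)
    if filename is None:
        return 404, {"Content-Type": "text/plain"}, b"not found"

    # 3. Defence in depth: the resolved file must still live under IMAGE_ROOT.
    path = (IMAGE_ROOT / filename).resolve()
    if IMAGE_ROOT.resolve() not in path.parents:
        return 404, {"Content-Type": "text/plain"}, b"not found"

    # 4. Send the right MIME header and the raw bytes; mark it private so
    #    shared caches do not hand the image to other users.
    mime = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    headers = {"Content-Type": mime, "Cache-Control": "private, no-store"}
    return 200, headers, read_file(path)
```

Wiring `serve_image` into a real request handler (reading the id from the query string and the cookie from the request) is left to whichever web framework is in use.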