Sometimes I use things like /controlpanel/ or similar, and sometimes /admin/ or /_admin/, it doesn't hurt to use something hard to guess, but your security should not in any way rely on that.
A little bit of security by obscurity can at least stop a few attacks, but it doesn't take long for a half way competant attacker to find out where it is, not to mention the disgruntled ex-employee factor etc. At best it will only stop the attackers that shouldn't be a problem in the first place.
I prefer not to maintain a separate admin area in addition to the main site at all. I rather display different options and actions available depending on the role/level and ACLs of the logged in user.
And yes, security through obscurity is a bad idea!
I call mine Administrator, as I typically map up folders to the various user roles within the application. I realize that isn't obscure, but the folder (and code behind pages for that matter) are properly locked down so anonymous users or those without proper authorization cannot view them.
I stick the admin pages in the same directory as the normal user pages. If they guess the URLs, so what? They just get an Access Denied message and waste their time since it's open source anyway.
发布评论
评论(9)
如果您有真正的安全措施来保护管理区域,那么您称呼它是什么并不重要。 通过默默无闻来确保安全是一个坏主意。
If you have real security protecting the admin area, it should not matter what you call it. Security through obscurity is a bad idea.
默默无闻的安全是虚假的安全。
我将我的命名为 /HackTheSiteHere。
Security by Obscurity is false security.
I call mine /HackTheSiteHere.
有时我使用 /controlpanel/ 或类似的东西,有时使用 /admin/ 或 /_admin/ ,使用难以猜测的东西并没有什么坏处,但你的安全不应该以任何方式依赖于此。
一点点隐蔽的安全措施至少可以阻止一些攻击,但半途而废的攻击者不需要很长时间就能找出它在哪里,更不用说心怀不满的前雇员因素等。 充其量它会只阻止那些本来就不应该成为问题的攻击者。
Sometimes I use things like /controlpanel/ or similar, and sometimes /admin/ or /_admin/, it doesn't hurt to use something hard to guess, but your security should not in any way rely on that.
A little bit of security by obscurity can at least stop a few attacks, but it doesn't take long for a half way competant attacker to find out where it is, not to mention the disgruntled ex-employee factor etc. At best it will only stop the attackers that shouldn't be a problem in the first place.
我喜欢用“超级”
I like to use "super"
除了主站点之外,我根本不想维护单独的管理区域。
我宁愿根据登录用户的角色/级别和 ACL 显示不同的可用选项和操作。
是的,通过默默无闻来确保安全是一个坏主意!
I prefer not to maintain a separate admin area in addition to the main site at all.
I rather display different options and actions available depending on the role/level and ACLs of the logged in user.
And yes, security through obscurity is a bad idea!
我不会使用 /admin/ 因为它太明显了,但我真的不明白为什么你叫它什么很重要。
我做的一件事是确保它可以随时通过更改一个配置变量来更改该 url。
我不想让人们知道我使用什么,因为当你甚至不知道后端区域在哪里时,访问它会变得更加困难:)
I won't use /admin/ because it is too obvious, but I don't really see why it matter what you call it.
The one thing I do though is make sure it can change that url anytime just by changing one config variable.
I'd rather not have people know what I use, because it's a lot harder to gain access to a backend area when you don't even know where it is :)
我称我为管理员,因为我通常将文件夹映射到应用程序中的各种用户角色。 我意识到这并不晦涩,但是该文件夹(以及与此相关的页面后面的代码)已被正确锁定,因此匿名用户或未经适当授权的用户无法查看它们。
I call mine Administrator, as I typically map up folders to the various user roles within the application. I realize that isn't obscure, but the folder (and code behind pages for that matter) are properly locked down so anonymous users or those without proper authorization cannot view them.
我坚持使用管理员。 为什么会没有安全感呢? 无论如何我都会对用户进行身份验证。
I stick with admin. Why would that be insecure? I authenticate the user anyway.
我将管理页面粘贴在与普通用户页面相同的目录中。 如果他们猜到了 URL,那又怎样? 他们只是收到拒绝访问消息并浪费时间,因为无论如何它都是开源的。
I stick the admin pages in the same directory as the normal user pages. If they guess the URLs, so what? They just get an Access Denied message and waste their time since it's open source anyway.