So I’ll say right up front, obviously I know this is not actually secure, don’t beat me up over that. I’m just interested in the question from a lazyness standpoint.
I have a website that has some information that I’d like to “hide” from the general public. Nothing important or vulnerable; I just don’t really want people to find it and mess with it. I’ve already got a robots.txt file disallowing all crawling. There are no links on the page (or will be no links from other sites to this one).
The setup
example.com takes you to a “You are not allowed access” page, while example.com?real=fun actually gets you the content. PHP will not actually run the page unless the query key/value pair is correct. So is it reasonable for me to assume that no one will find this page by accident, and on the offchance they do, that they won’t be able to get into the content?
Yes, I’m lazy, but I’d still like to know.
• edit •
I’m not looking for “how to do this”. I’ve already done it. The correct answer would address if there are other basic ways for a person to get into the page which uses this technique.
It’d certainly be a better way of “hiding” something than putting on a password. A password protected site obviously implies there’s something hiding behind the fence, while the secret query string essentially gives away nothing.
On the other hand, if the secret string leaks, then your security system is torpedoed. I’d suggest doubling-down and triggering a regular login page if the secret query is provided. Then you can work away without having to keep the query string in view in the URL (and wouldn’t show up in other sites’ referer logs if you link to anything external).
This way you get the security of a required login, with the extra security of not even having obvious in-your-face “there is secured content here”.