Encrypt URL Params, such as the id

Is there any easy way to encrypt the URL params that is seen in the URL.
I dont feel comfortable exposing the id of the models to the external

Use :method=>POST instead of GET.
It does not encrypt them, but at least they are not seen in the url.

I would say that this kind of security by obfuscation is normally
unnecessary. If you encrypt the url values, what's to stop me from
noting the encrypted values and spoofing a form to send the encrypted

Surely the security should be in the application in that only methods
that should be exposed are exposed to general users.


This won’t be much use if you want to avoid ids being used in links. You could go about it in a number of ways: in your models, hash a certain field before_save and save it in a seperate field, you can then use this field to search the record.

E.g. id, name, value, hashed_id (hash of id with a certain salt)

In routes, map /:controller/:action/:hashed_id.

But in general, this doesn’t provide anymore security than exposing the id does.

You could also use a reversible encryption algorithm such as DES combined with Base64 and encrypt the ID with it.

All of this is adding an overhead to your application which could prove as useful as filling the ocean with buckets of water.

Best regards

Peter De Berdt