Encrypt URL Params, such as the id

Is there any easy way to encrypt the URL params that are seen in the URL? I don't feel comfortable exposing the id of the models to the external user.

Use :method=>POST instead of GET. It does not encrypt them, but at least they are not seen in the url.

I would say that this kind of security by obfuscation is normally unnecessary. If you encrypt the url values, what's to stop me from noting the encrypted values and spoofing a form to send the encrypted values?

Surely the security should be in the application in that only methods that should be exposed are exposed to general users.

Ross

This won’t be much use if you want to avoid ids being used in links. You could go about it in a number of ways: in your models, hash a certain field before_save and save it in a separate field; you can then use this field to search the record.

E.g. id, name, value, hashed_id (hash of id with a certain salt)

In routes, map /:controller/:action/:hashed_id.

But in general, this doesn’t provide any more security than exposing the id does.

You could also use a reversible encryption algorithm such as DES combined with Base64 and encrypt the ID with it.

All of this is adding an overhead to your application which could prove as useful as filling the ocean with buckets of water.

Best regards

Peter De Berdt
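An added example (not part of the thread, and not code from any poster), in plain Ruby: the hashed_id lookup described above next to an application-side ownership check, showing that the opaque value alone authorizes nothing. HMAC-SHA256 as the keyed hash, `SECRET`, the `Record` struct, `owner_id` and the helper names are assumptions made for illustration; the records are constructed sample data.

```ruby
require "openssl"

# Placeholder secret (assumption): in a real app this comes from configuration.
SECRET = "placeholder-secret-load-from-config"

# Constructed stand-in for a model with the extra hashed_id column.
Record = Struct.new(:id, :owner_id, :name, :hashed_id)

# Keyed hash of the id. HMAC-SHA256 is swapped in here for "hash of id with a
# certain salt"; truncated to 32 hex characters to keep URLs short.
def hashed_id_for(id)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, id.to_s)[0, 32]
end

# Constructed sample rows; the block plays the role of a before_save hook.
RECORDS = [
  Record.new(1, 10, "invoice for user 10"),
  Record.new(2, 20, "invoice for user 20"),
].each { |r| r.hashed_id = hashed_id_for(r.id) }

# Lookup by the opaque value only, as a /:controller/:action/:hashed_id route
# would do. Anyone who has noted the value gets the record back.
def find_by_hashed_id(hashed_id)
  RECORDS.find { |r| r.hashed_id == hashed_id }
end

# Lookup scoped to the signed-in user: the access decision is made by the
# application, not by how hard the identifier is to guess.
def find_for_user(hashed_id, current_user_id)
  record = find_by_hashed_id(hashed_id)
  return nil unless record && record.owner_id == current_user_id
  record
end

if __FILE__ == $0
  noted = hashed_id_for(2)  # value copied from a link by someone else
  puts "unscoped lookup: #{find_by_hashed_id(noted)&.name.inspect}"
  puts "scoped, user 10: #{find_for_user(noted, 10)&.name.inspect}"
  puts "scoped, user 20: #{find_for_user(noted, 20)&.name.inspect}"
end
```
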