You are viewing documentation for v1.0.x. Change

Obfuscating URLs

Hide your primary key values from nosy users.

The Wheels convention of using an auto-incrementing integer value as the primary key in your database tables will lead to a lot of URLs on your website exposing this value. Using the built-in URL obfuscation functionality in Wheels, you can hide this value from nosy users.

What URL Obfuscation Does

When URL obfuscation is turned off (which is the default setting in Wheels), this is how a lot of your URLs will end up looking:


Here, 99 is the primary key value of a record in your users table.

After enabling URL obfuscation, this is how those URLs will look instead:


The value 99 has now been obfuscated by Wheels to b7ab9a50. This makes it harder for nosy users to substitute the value to see how many records are in your users table, to name just one example.

How to Use It

To turn on URL obfuscation, all you have to do is call set(obfuscateURLs=true) in the config/settings.cfm file.

Once you do that, Wheels will handle everything else. Obviously, the main things Wheels does is obfuscate the primary key value when using the linkTo() function and deobfuscate it on the receiving end. Wheels will also obfuscate all other params sent in to linkTo() as well as any value in a form sent using a get request.

In some circumstances, you will need to obfuscate and deobfuscate values yourself if you link to pages without using the linkTo() function, for example. In these cases, you can use the obfuscateParam() and deObfuscateParam() functions to do the job for you.

Is This Really Secure?

No, this is not meant to add a high level of security to your application. It just obfuscates the values, making casual observation harder. It does not encrypt values, so keep that in mind when using this approach.

^ Top
Table of Contents


Read and submit questions, clarifications, and corrections about this chapter.

There are no comments for this chapter. Be the first to comment!

Add Comment