You cannot simply publicly access private secure links, can you?

Security model of “private” links

  • Many commenters argue that links with unguessable tokens but no access control are just “security by obscurity.” They’re not inherently private; they’re only hard to brute-force.
  • Others stress that obscurity can be acceptable as one layer in “security with obscurity,” but must not be the only protection.

Why secrets in URLs leak

  • URLs get logged in browser history, server access logs, reverse proxies, CDNs, firewall/IDS logs, and link scanners. Password fields and POST bodies often don’t.
  • Messaging and email platforms, security gateways, and URL-scanning services automatically fetch links for previews or malware checks, unintentionally exposing “magic links” and even downloaded files.
  • Non-E2EE channels mean the platform sees all links; users often don’t realize this.

Comparing links vs passwords

  • Theoretically a long random URL token can have far more entropy than a password and is effectively unbrute-forceable.
  • Practically, passwords are treated as sensitive by tools and users; URLs are routinely stored, shared, and indexed.
  • Links are “something you have” and are easily copied; passwords are “something you know,” at least in principle.

Legitimate uses of tokens in URLs

  • Short-lived, single-use tokens for password resets, email verification, S3 presigned URLs, and similar flows are widely accepted.
  • Some media access patterns (CDN-hosted images, WebSockets without cookies, binary caches) often rely on URL tokens out of necessity or convenience.

Mitigations and better patterns

  • Recommended mitigations: very short expiry, single use, per-user tokens, revocation, rate limiting, and avoiding long-lived “infinite use” magic links.
  • Prefer auth in headers/cookies or POST bodies; avoid persistent secrets in query strings or paths.
  • Using URL fragments for secrets keeps them off the wire, but only works with client-side logic and still risks JS exfiltration and browser history leakage.
  • Some suggest schemes or headers to tag URLs as “private,” but others note attackers and some scanners would simply ignore such tags.

Scanning tools, UX, and responsibility

  • Debate over who’s responsible: services that publicly index scanned URLs, email/messaging platforms that auto-submit links, or developers who encode auth into URLs.
  • Several call out poor UX: scan tools that default to public results without clearly warning users, or ambiguous labels like “public scan” and “report.”