Will my URL stay secret if I never link to it?
Solution 1:
Nobody's mentioned logging yet. If you are using plain HTTP, then any proxy / firewall device in between your server and your end user can log your URL and administrators of those devices will be able to see the "supposedly private" URL being accessed.
If you want to be sure your URL won't be leaked even to intermediate devices like proxies and firewalls, then you ought to protect your resources with SSL. Of course, you still need to trust the end-user's PC in that scenario. But, assuming you trust their PC, and you trust your own server, then you need to use SSL to make sure nobody in between can sniff the URL, either off the network or from a proxy / firewall log file.
IMHO, if you use SSL, then your URL could be as secure as a username/password combination, since in both cases the "secret" is transmitted encrypted. The drawback with a URL as opposed to username/password, though, is the risk that your users accidentally type in the URL without the https:// prefix ... the minute they type in http://, then the secret is out. Username/password wouldn't have that problem since your server could be configured to not challenge for username/password on an insecure connection, and instead redirect first.
Solution 2:
If you're mostly concerned with it being indexed by Google, et al., then you could use a robots.txt file. That said, if you tell robots not to index it, you're also tipping your hand to its existence. ("Ignore the man behind the curtain.")
Two people so far have commented that if you put the directory in robots.txt
, it becomes obvious that there's something there. Which is what I devoted half of that first paragraph to. But maybe my idioms are opaque. So, to be clear: Having a file that says what not to look at can lead disreputable entities to look there.
Actually, as Cristian Ciupitu says in a comment:
But if he stores it in a subdirectory, the "curtain" won't be visible. He could use for example
public_html/nobots/secret23/index.html
.
What this means is that you can combine the use of robots.txt
with the other suggestion of not having any links to it. You can also add some sort of authentication scheme.
Solution 3:
It is unlikely that it will be found, but you can't trust it. If you don't want the world to see it, put some kind of authentication on it so your friend has to at least log in. Even then, once you share it with your friend you can't be sure he hasn't leaked the secret to someone else. If you must do this, take it down once you no longer need to share it.