Skip to main content

Obscure numerical IDs in URLs

Project description


.. currentmodule:: flask_obscure

.. toctree::
:maxdepth: 2


Showing a steadily increasing sequence of integer IDs leaks information to customers, competitors, or malicious entities about the number and frequency of customers, orders, etc. Some URL example include::


This module impliments routing variable converters in `Flask`_ and `Jinja2`_ filters to obscure sequential integer IDs.
This is based on the `Obscure`_ python module, which is installed automagically when you install this module.


* Automatically obscures sequential integer IDs in the variable
part of a URL when using :func:`flask.url_for`
* Automatically converts obscured IDs back to your sequential
integer IDs in the parameter of the function bound to the URL.
* Jinja filters automatically available.
* Provide five different converters and filters.

Converters and Filters

There are five new converters: ``num``, ``hex``, ``b32``, ``b64``, and ``tame``.
Lets assume we are using :func:`flask.url_for` to create the URLs for two sequential customer IDs.

Non-sequential numbers::


Hexadecimal displays in eight characters::


Base32 displays in seven characters::


Base64 URL safe displays in six cahracters::


Is a Base32 with a rotated, alternate alphabet.
The letters 'I', 'O', and 'U' are replaced with the numbers '8', '9', and '0' to avoid common offensive words.
Otherwise, it performs just like Base32.


Pip is our friend. It will also install the `Obscure`_ module as well. ::

$ pip install flask_obscure


The :class:`Obscure` class needs a ``salt`` or random number to make your obscured number sequence unique. Pick any 32-bit number or use the following snippit to generate one for you::

python -c "import os; print(int(os.urandom(4).encode('hex'),16))"

:class:`Obscure` uses the value ``OBSCURE_SALT`` in the flask configuration file if not given as the second parameter to either the constructor or :meth:`Obscure.init_app`.

.. warning::
If your source goes to a public repository, you will want
to place ``OBSCURE_SALT`` in the :class:`flask.Flask` instance path.


Import the class :class:`Obscure` and initialize the with the :class:`flask.Flask` appliation by either using the constructor

.. code-block:: python
:emphasize-lines: 5

from flask import Flask
from flask.ext.obscure import Obscure

app = Flask(app)
obscure = Obscure(app)

or by using delayed initialization with :meth:`Obscure.init_app`

.. code-block:: python
:emphasize-lines: 2

obscure = Obscure()

URL Routing Variables

When creating your routes with variables, you have five converters.
The converter is similar to any of the other built in coverters.
It takes the obscured ID given in the variable portion of the URL and converts it to your sequential ID in the callable bound to the URL.

Lets look at an example using ``num`` as the converter in the route.

.. code-block:: python

@app.route('/customers/<num:cust_id>', endpoint='get-cust')
def get(cust_id):
# flask.request.url is '/customers/3303953358'
# cust_id is the sequential ID of 1
customer = get_customer_by_id(cust_it)

url = flask.url_for('get-cust', cust_id=customer.customer_id)
# when you create the URL, it is automatically obscured
# /customers/3303953358

Jinja2 Filters

The URL is not the only place you can have leaking interger IDs. It can
also happen in the data returned from your routing function. If you are
using Jinja2 for templating, those same converters are available as filters.

.. code-block:: html+jinja

<h1>Invoice #{{ invoice_number|tame }}</h1>

Within Code

To obscure numbers within your code, use the methods of the :class:`flask_obscure.Obscure` instance object, which in turn is inherited from the python module `Obscure`_. Assuming we used one of the code blocks from `configure`

.. code-block:: python

visible_customer_id = obscure.encode_tame(customer_id)


| Issue Tracker: ``
| Source Code: ``

.. Indices and tables

* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`

.. _Obscure:
.. _Flask:
.. _Jinja2:

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for Flask-Obscure, version 1.0
Filename, size File type Python version Upload date Hashes
Filename, size Flask_Obscure-1.0-py2-none-any.whl (8.1 kB) File type Wheel Python version 2.7 Upload date Hashes View
Filename, size Flask-Obscure-1.0.tar.gz (5.3 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page