Secure Token URL - How secure is it? Proxy authentication as alternative?

太阳男子 2021-02-15 18:43

I know it as secure-token URL, maybe there is another name out there. But I think you all know it.

It's a technique mostly applied if you want to restrict content delivery

3 Answers
  •  礼貌的吻别
    2021-02-15 19:25

    You could basically reformulate your question to: How long a secret token is needed to be safe.

    To answer this consider the number of possible characters (alphanumeric + uppercase is already 62 options per character). Secondly ensure that the secret token is random, and not in a dictionary or something. Then for instance if you would take a secret token of 10 characters long, it would take 62^10 (= 839.299.365.868.340.224) attempts to brute-force (worst case; average case would be half of that of course). I wouldn't really be scared of that, but if you are, you could always ensure that the secret token is at least 100 chars long, in which case it takes 62^100 attempts to brute-force (which is a number of three lines in my terminal).

    In conclusion: just take a token big enough, and it should suffice.

    Of course proxy authentication does offer your clients extra control, since they can way more directly control who can look and who cannot, and this would for instance defeat email sniffing as well. But I don't think the brute-forcing needs to be a concern given a long enough token.
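
The sizing argument in the answer above, worked through as an added example that is not part of the original answer. The function names, the 128-bit target and the guess rate of one million per second are assumptions chosen for illustration.

```python
import hmac
import math
import secrets
import string

# 26 lowercase + 26 uppercase + 10 digits = the 62 symbols used in the answer.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of this length (worst-case guess count)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits, valid only if every character is drawn uniformly."""
    return length * math.log2(alphabet_size)


def min_length(target_bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest token length whose keyspace is at least 2**target_bits."""
    length = 1
    while alphabet_size ** length < 2 ** target_bits:
        length += 1
    return length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every token at a constant guess rate (assumed)."""
    return keyspace(length) / guesses_per_second / (365 * 24 * 3600)


def new_token(length: int) -> str:
    """Draw each character from the OS CSPRNG, not from the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison, so response timing does not reveal a prefix match."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    for n in (10, min_length(128), 100):
        print(f"{n:>3} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n, 1e6):.3g} years at 1e6 guesses/s")
```

The figures hold only for tokens generated uniformly at random; a token derived from a timestamp, counter or dictionary word has far less entropy than its length suggests.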
