Slug-based URL masking: why it matters and how we improved it

URL masking is crucial to protecting your business from unauthorised access…

Rajneesh Sharma

Associate Technical Lead at Builder.ai
· 5 minute read

Every URL tells a story. And for any business, creating the right URLs is crucial, as they help with SEO, branding, search engine traffic and enhancing users' experience.

So, a natural question may arise: if URLs are this important, why would any business want to mask them?

Well, because not all stories are meant to be shared. URLs that contain sensitive information like order numbers, user IDs or internal references can become an easy target for data breaches.

For instance, imagine an ecommerce platform that assigns sequential order numbers. It sends out an order confirmation link to a customer with the URL: https://example.com/order/72

Now, a malicious user could simply tweak the number in the URL to access the data of another customer: https://example.com/order/73 or https://example.com/order/74

This is where URL masking comes in. Instead of exposing raw identifiers, it replaces them with unique, non-guessable identifiers.

In this blog, we’ll talk about why slug-based URL masking is important, the challenges in implementing it and how we at Builder.ai have devised a unique approach to slug-based URL masking to protect our platform and our customers.

Let’s dive in 👇

What is slug-based URL masking?

A slug is a URL-friendly identifier, typically derived from a title or keyword, making web addresses more readable and SEO-friendly. Slug-based URL masking keeps sensitive information hidden by replacing sensitive identifiers with unique, non-sequential slugs while keeping URLs user-friendly. This makes it nearly impossible for users to manipulate URLs and gain unauthorised access.

For example, instead of: https://example.com/order/72

A first attempt at a slug-based URL might look like: https://example.com/order/accounting

Advantages of slug-based URL masking

Slug-based URLs are a powerful tool that offers multiple benefits. Here’s how implementing slug-based URL masking can benefit your business: 👇

User-friendly URLs

Slugs create clean, readable URLs that improve the user experience. For instance, a URL like https://example.com/blog/seo-tips-for-beginners is far more intuitive and informative than: https://example.com/blog/12345.

This makes it easier for users to understand the page’s content at a glance and improves engagement.

Helps with SEO

Including relevant keywords in a URL helps search engines better understand the content of a page. This is especially important for SEO, as it signals to search engines that your content is relevant.

Plus, slugs help create a well-structured website and logical categorisation of webpages, making it easier for search engines to crawl and rank your website.

Enhanced security

By using slugs instead of numerical IDs, you keep users from seeing your database's internal IDs, making it much harder for attackers to guess or manipulate other resource IDs.

For example, sequential IDs could not only expose sensitive customer information, but they might also reveal insights like the total number of orders placed in a day.

Slugs ensure that internal system details remain private. This is particularly important for applications handling sensitive user data, where revealing internal metrics could compromise security, privacy or business operations.

Prevention of broken links

Unlike numeric IDs that may change due to database restructuring, slugs can be designed to remain stable over time. This provides:

  • Consistency in URLs, even if backend data changes
  • Prevention of broken links
  • A seamless user experience

Challenges in implementing slug-based URL masking

While there are numerous advantages to slug-based URL masking, implementing it comes with its own set of challenges.

The traditional way of implementing this approach relies heavily on the attributes of the resource. This means that while creating slugs, developers use common attributes like product names, titles and categories to develop friendly IDs.

For instance, a standard numeric URL, https://example.com/order/72, can be transformed into a friendly ID: https://example.com/order/accounting

While this approach makes the URL more readable, it has some serious flaws:

  • Dependency on attributes – what if a resource doesn't have a name or title? If a resource lacks a meaningful label, generating a slug becomes challenging.
  • Collision risk – what if 2 resources have the same name (2 products named “Accounting”)? This can result in duplicate slugs, causing collisions.
  • Predictability – slugs based on common attributes follow a recognisable pattern, which makes them more predictable and potentially weakens security.

This challenge calls for a more robust masking approach that's completely unpredictable.

Builder’s approach: a more secure slug generation method

At Builder.ai, we prioritise the security of our customers before anything else. As we continue to grow, we require a URL structure that doesn’t rely on predictable attributes and, at the same time, improves scalability by ensuring URLs remain manageable.

Therefore, we went a step further and created a truly random, encrypted slug system that:

  • Generates completely random, non-sequential slugs that aren’t tied to any visible attributes.
  • Uses timestamp-based encoding to ensure uniqueness and randomness, so that no 2 entities with similar attributes have the same slug.
  • Provides a custom module called Sluggable that can be included in any model to generate and use slugs.
  • Uses UID fields instead of names or titles to ensure consistency and security.

For example, instead of generating a slug based on a product name (like Accounting), we create a fully random identifier: https://example.com/products/xA91Zb3Y

Even if there are 2 users named "Helen," their slugs will be different and randomly generated, such as www.example.com/user/xyz123 and www.example.com/user/abc456

This method provides a more secure and flexible solution. Even if a user tries altering the slug, they can't infer valid entries.
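
The collision problem from the challenges list and the random-slug design described above, as an added Ruby example (not Builder.ai's Sluggable module or code from this post). `RandomSlug`, `Order`, `find_for` and the in-memory store are hypothetical names, and the slug comes from Ruby's `SecureRandom` rather than the timestamp-based encoding the post mentions; the owner check on lookup is an added assumption about how such slugs would be served.

```ruby
require "securerandom"

# Attribute-derived slug (the traditional approach): readable, but same-named
# resources collide and the value is guessable.
def attribute_slug(name)
  name.downcase.gsub(/[^a-z0-9]+/, "-").gsub(/\A-|-\z/, "")
end

# Hypothetical mixin, not Builder.ai's Sluggable: gives each record a random
# slug from the OS CSPRNG and retries on the rare collision.
module RandomSlug
  SLUG_BYTES = 16 # 128 bits of randomness, 22 URL-safe characters

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def store
      @store ||= {} # slug => record; stands in for a unique DB index
    end

    def create(**attrs)
      record = new(**attrs)
      loop do
        record.slug = SecureRandom.urlsafe_base64(SLUG_BYTES)
        break unless store.key?(record.slug)
      end
      store[record.slug] = record
    end

    # Lookup by slug still checks ownership: an unguessable URL is not an
    # access-control decision, since links leak through logs and sharing.
    def find_for(slug, user_id)
      record = store[slug]
      record if record && record.owner_id == user_id
    end
  end
end

class Order
  include RandomSlug
  attr_accessor :slug
  attr_reader :owner_id, :title
  def initialize(owner_id:, title:)
    @owner_id = owner_id
    @title = title
  end
end
```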

Future plans

Though we’ve successfully implemented this approach across Builder.ai’s enterprise platform, we’re not stopping there. We’re planning to develop a reusable library to make this solution accessible for a wider range of products. We’re also exploring options to make our library open-source so others can implement secure slugs into their systems effortlessly.

Conclusion

In an age where cybersecurity threats are constantly evolving, leaving URLs exposed with predictable identifiers is a risk no business should take. Slug-based masking is more than just a technical update – it’s a fundamental shift towards making your platform more secure and scalable.

At Builder.ai, we believe in staying ahead of security challenges and slug-based masking is just one of the many ways we continuously improve our security architecture.

Rajneesh Sharma is an Associate Technical Lead at Builder.ai with 8 years of experience in software development and leadership. He specializes in backend optimization, CI/CD pipelines, and building scalable solutions with a strong product mindset. Rajneesh’s expertise in streamlining processes and enhancing system performance, combined with his leadership skills, makes him a key driver in delivering high-quality and efficient software solutions.
