Every URL tells a story. And for any business, creating the right URLs is crucial, as they help with SEO, branding, search engine traffic and enhancing users' experience.
So, a natural question may arise: if URLs are this important, why would any business want to mask them?
Well, because not all stories are meant to be shared. URLs that contain sensitive information like order numbers, user IDs or internal references can become an easy target for data breaches.
For instance, imagine an ecommerce platform that assigns sequential order numbers. It sends out an order confirmation link to a customer with the URL: https://example.com/order/72
Now, a malicious user could simply tweak the number in the URL to access the data of another customer: https://example.com/order/73 or https://example.com/order/74
This is where URL masking comes in. Instead of exposing raw identifiers, it replaces them with unique, non-guessable identifiers.
In this blog, we’ll talk about why slug-based URL masking is important, the challenges in implementing it and how we at Builder.ai have devised a unique approach to slug-based URL masking to protect our platform and our customers.
Let’s dive in 👇
What is slug-based URL masking?
A slug is a URL-friendly identifier, typically derived from a title or keyword, making web addresses more readable and SEO-friendly. Slug-based URL masking keeps sensitive information hidden by replacing sensitive identifiers with unique, non-sequential slugs while keeping URLs user-friendly. This makes it nearly impossible for users to manipulate URLs and gain unauthorised access.
For example, instead of: https://example.com/order/72
A first attempt at a slug-based URL might look like: https://example.com/order/accounting
Advantages of slug-based URL masking
Slug-based URLs are a powerful tool that offers multiple benefits. Here’s how implementing slugs-based URL masking can benefit your business: 👇
User-friendly URLs
Slugs create clean, readable URLs that improve the user experience. For instance, a URL like https://example.com/blog/seo-tips-for-beginners is far more intuitive and informative than: https://example.com/blog/12345.
This makes it easier for users to understand the page’s content at a glance and improves engagement.
Helps with SEO
Including relevant keywords in a URL helps search engines better understand the content of a page. This is especially important for SEO, as it signals to search engines that your content is relevant.
Plus, slugs help create a well-structured website and logical categorisation of webpages, making it easier for search engines to crawl and rank your website.
Enhanced security
By using slugs instead of numerical IDs, you prevent users from accessing databases, making it much harder for attackers to guess or manipulate other resource IDs.
For example, sequential IDs could not only expose sensitive customer information, but they might also reveal insights like the total number of orders placed in a day.
Slugs ensure that internal system details remain private. This is particularly important for applications handling sensitive user data, where revealing internal metrics could compromise security, privacy or business operations.
Prevention of broken links
Unlike numeric IDs that may change due to database restructuring, slugs can be designed to remain stable over time. This provides:
- Consistency in URLs, even if backend data changes
- Prevention of broken links
- A seamless user experience
Challenges in implementing slug-based URL masking
While there are numerous advantages to slug-based URL masking, implementing it comes with its own set of challenges.
The traditional way of implementing this approach relies heavily on the attributes of the resource. This means that while creating slugs, developers use common attributes like product names, titles and categories to develop friendly IDs.
For instance, a standard numeric URL, https://example.com/order/72, can be transformed into a friendly ID: https://example.com/order/accounting
While this approach makes the URL more readable, it has some serious flaws:
- Dependency on attributes – what if a resource doesn't have a name or title? If a resource lacks a meaningful label, generating a slug becomes challenging.
- Collision risk – what if 2 resources have the same name (2 products named “Accounting”)? This can result in duplicate slugs, causing collisions.
- Predictability – slugs based on common attributes follow a recognisable path and make them more predictable, potentially weakening security.
This challenge calls for a more robust masking approach that's completely unpredictable.
Builder’s approach: a more secure slug generation method
At Builder.ai, we prioritise the security of our customers before anything else. As we continue to grow, we require a URL structure that doesn’t rely on predictable attributes and, at the same time, improves scalability by ensuring URLs remain manageable.
Therefore, we went a step further and created a truly random, encrypted slug system that:
- Generates completely random, non-sequential slugs that aren’t tied to any visible attributes.
- Uses timestamp-based encoding to ensure uniqueness and randomness, ensuring no 2 entities with similar attributes have the same slug.
- Provides a custom module called Sluggable that can be included in any model to generate and use slugs.
- Uses UID fields instead of names or titles to ensure consistency and security.
For example, instead of generating a slug based on a product name (like Accounting), we create a fully random identifier: https://example.com/products/xA91Zb3Y
Even if there are 2 users named "Helen," their slugs will be different and randomly generated, such as www.example.com/user/xyz123 and www.example.com/user/abc456
This method provides a more secure and flexible solution. Even if a user tries altering the slug, they can't infer valid entries.
Future plans
Though we’ve successfully implemented this approach across Builder.ai’s enterprise platform, we’re not stopping there. We’re planning to develop a reusable library to make this solution accessible for a wider range of products. We’re also exploring options to make our library open-source so others can implement secure slugs into their systems effortlessly.
Conclusion
In an age where cybersecurity threats are constantly evolving, leaving URLs exposed with predictable identifiers is a risk no business should take. Slug-based masking is more than just a technical update – it’s a fundamental shift towards making your platform more secure and scalable.
At Builder.ai, we believe in staying ahead of security challenges and slug-based masking is just one of the many ways we continuously improve our security architecture.
Want to learn more about how we build secure, scalable applications? Click the link below 👇
Create robust custom software today
100s of businesses trust us to help them scale.
Book a demoBy proceeding you agree to Builder.ai’s privacy policy
and terms and conditions
Rajneesh Sharma is an Associate Technical Lead at Builder.ai with 8 years of experience in software development and leadership. He specializes in backend optimization, CI/CD pipelines, and building scalable solutions with a strong product mindset. Rajneesh’s expertise in streamlining processes and enhancing system performance, combined with his leadership skills, makes him a key driver in delivering high-quality and efficient software solutions.
Facebook
X
LinkedIn
YouTube
Instagram
RSS
