Feature Request
Description
Add a command-line option that generates a random string segment in the URL path on each startup to reduce the risk of unauthorized access when the address is publicly exposed.
Motivation
When Markon is exposed on public networks (e.g., via reverse proxy or 0.0.0.0 binding), using predictable URLs makes it easy for unintended users to discover and access the content. A random URL prefix would add a layer of obscurity.
Proposed Solution
Add a new command-line flag:
markon --random-prefix README.md
# or
markon --enable-random-path README.md
Behavior:
- Generate a random string (e.g., 8-12 characters, alphanumeric) on each startup
- Prefix all routes with this random segment
- Example URL: http://localhost:6419/a7f3k9x2/README.md
- Update QR code and browser URL to include the random prefix
- Display the random prefix in console output
Console Output Example:
Indexing markdown files in "/path/to/docs"...
Indexing complete!
Random URL prefix: a7f3k9x2
listening on http://127.0.0.1:6419/a7f3k9x2
Implementation Considerations
- Route Handling
  - Wrap all existing routes with the random prefix
  - Ensure static assets (CSS, JS) are still accessible
  - WebSocket path should also use the prefix
- URL Generation
  - Update --qr and --open-browser to include prefix
  - Console output should show full URL with prefix
  - Directory listings should maintain prefix in links
- Security Note
  - This is security through obscurity, not true authentication
  - Should not be relied upon as the sole security measure
  - Consider adding a note in documentation about proper security practices
Alternative Approaches
- Static prefix option:
  markon --url-prefix myproject README.md
  # URL: http://localhost:6419/myproject/README.md
- Session-based tokens:
  - More complex but potentially more secure
  - Could expire after a certain time
Related Issues
- Similar to reverse proxy path prefix functionality
- Complements --shared-annotation for team usage
Labels
enhancement, security
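
The behavior proposed above, as an added Python example (not part of the issue and not Markon's own code): it generates the per-startup prefix, gates request paths on it, and builds the prefixed URL. The function names, the lowercase-plus-digits alphabet, the 8-character floor and the 404-on-mismatch handling are assumptions.

```python
import hmac
import math
import secrets
import string
from typing import Optional

# Assumption: lowercase letters and digits, as in the issue's a7f3k9x2 sample.
ALPHABET = string.ascii_lowercase + string.digits


def generate_prefix(length: int = 12) -> str:
    """Draw a fresh prefix from the OS CSPRNG (the random module is predictable)."""
    if length < 8:  # assumed floor: the issue suggests 8-12 characters
        raise ValueError("prefix must be at least 8 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Bits an outsider must guess for a prefix of this length."""
    return length * math.log2(len(ALPHABET))


def strip_prefix(request_path: str, prefix: str) -> Optional[str]:
    """Return the inner route when the first path segment is the prefix, else None.

    Assumed handling: the server answers None with a plain 404, and static
    assets and the WebSocket endpoint pass through this same check.
    """
    if not request_path.startswith("/"):
        return None
    first, _, rest = request_path[1:].partition("/")
    # Constant-time compare so timing does not reveal matching leading characters.
    if not hmac.compare_digest(first.encode(), prefix.encode()):
        return None
    return "/" + rest


def prefixed_url(host: str, port: int, prefix: str, route: str = "") -> str:
    """URL for console output, the QR code and the browser launch."""
    return f"http://{host}:{port}/{prefix}{route}"


if __name__ == "__main__":
    p = generate_prefix()
    print(f"Random URL prefix: {p} (~{entropy_bits(len(p)):.0f} bits)")
    print("listening on", prefixed_url("127.0.0.1", 6419, p))
```

With this alphabet, 8 characters give about 41 bits and 12 give about 62 bits; the prefix still ends up in browser history and proxy access logs, which is why the issue treats it as obscurity and not authentication.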