feat: Add random URL prefix option for privacy protection #20

@kookyleo

Feature Request

Description

Add a command-line option that generates a random string segment in the URL path on each startup to reduce the risk of unauthorized access when the address is publicly exposed.

Motivation

When Markon is exposed on public networks (e.g., via reverse proxy or 0.0.0.0 binding), using predictable URLs makes it easy for unintended users to discover and access the content. A random URL prefix would add a layer of obscurity.

Proposed Solution

Add a new command-line flag:

markon --random-prefix README.md
# or
markon --enable-random-path README.md

Behavior:

  • Generate a random string (e.g., 8-12 characters, alphanumeric) on each startup
  • Prefix all routes with this random segment
  • Example URL: http://localhost:6419/a7f3k9x2/README.md
  • Update QR code and browser URL to include the random prefix
  • Display the random prefix in console output

Console Output Example:

Indexing markdown files in "/path/to/docs"...
Indexing complete!
Random URL prefix: a7f3k9x2
listening on http://127.0.0.1:6419/a7f3k9x2

Implementation Considerations

  1. Route Handling

    • Wrap all existing routes with the random prefix
    • Ensure static assets (CSS, JS) are still accessible
    • WebSocket path should also use the prefix
  2. URL Generation

    • Update --qr and --open-browser to include prefix
    • Console output should show full URL with prefix
    • Directory listings should maintain prefix in links
  3. Security Note

    • This is security through obscurity, not true authentication
    • Should not be relied upon as the sole security measure
    • Consider adding a note in documentation about proper security practices

Alternative Approaches

  1. Static prefix option:

    markon --url-prefix myproject README.md
    # URL: http://localhost:6419/myproject/README.md
  2. Session-based tokens:

    • More complex but potentially more secure
    • Could expire after a certain time

Related Issues

  • Similar to reverse proxy path prefix functionality
  • Complements --shared-annotation for team usage

Labels

enhancement, security
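
The route-handling and URL-generation points above can be sketched as follows. This is an added example, not part of the original issue and not Markon's code; Python is used only for illustration, and the function names (`new_prefix`, `prefix_bits`, `strip_prefix`, `public_url`) are hypothetical. It assumes the prefix check runs before routing, so pages, static assets and the WebSocket endpoint are all gated the same way.

```python
import hmac
import math
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as in "a7f3k9x2"


def new_prefix(length: int = 12) -> str:
    """Draw the per-startup prefix from the OS CSPRNG, not a seeded PRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def prefix_bits(length: int) -> float:
    """Guessing entropy of a prefix of this length, in bits."""
    return length * math.log2(len(ALPHABET))


def strip_prefix(path: str, prefix: str) -> Optional[str]:
    """Return the inner route if path starts with /<prefix>, else None (serve 404)."""
    if not path.startswith("/"):
        return None
    head, _, rest = path[1:].partition("/")
    # Constant-time comparison: do not leak how many characters matched.
    if not hmac.compare_digest(head.encode(), prefix.encode()):
        return None
    return "/" + rest


def public_url(host: str, port: int, prefix: str, route: str = "") -> str:
    """URL for console output, the browser launch and the QR code."""
    base = f"http://{host}:{port}/{prefix}"
    return f"{base}/{route.lstrip('/')}" if route else base


if __name__ == "__main__":
    prefix = new_prefix()
    print(f"Random URL prefix: {prefix} ({prefix_bits(len(prefix)):.0f} bits)")
    print("listening on", public_url("127.0.0.1", 6419, prefix))
    # Constructed sample requests; "/ws" is a hypothetical WebSocket route.
    for path in (f"/{prefix}/README.md", f"/{prefix}/ws", "/README.md"):
        print(path, "->", strip_prefix(path, prefix))
```

An 8-character prefix over this alphabet carries about 41 bits and a 12-character one about 62 bits, which bounds guessing only; the prefix still appears in browser history, proxy logs and anything that records the URL, as the Security Note in the issue implies.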
