Please consider making Sonarr hide the content that is being browsed in the URL. After the hostname/port, Sonarr doesn’t try to hide or id-map anything.
Today, even with HTTPS it is possible for a proxy server or ISP to watch URLs and understand clearly everything that is being used when you connect from the Internet. Even our bosses can follow what you are doing :-))
Activating HTTPS ensures that the data content is secured. OK very good.
But writing info inside URL is a form of breaking user’s privacy.
Examples of software that hide it very well today: CouchPotato, Emby…
Wow I haven’t noticed the API problem. But without the password, it’s kinda useless, right?
What I’m talking about is: when you browse inside a show in Sonarr, an example of the URL that appears exactly: https://server_external_address:port/series/breaking-bad
I’m using a reverse proxy to intermediate all HTTPS from external access and allowing http from internal only (and from the proxy). So this should be secure enough.
I think that the choice between privacy and user-friendliness is very dependent on the user, and don’t think most users care that much.
Most users probably care more about a friendlier, nicer looking URL than a cryptic one. Take a look at pretty much any site, forum or discussion group and you’ll see most put the title in the URL.
That’s the point of the API key: it gives access without requiring a password. For Sonarr the API is used for everything done in the UI, so gaining access would give you limitless power (unless it was reset). I can’t say for certain that CP has the same power with just the API key, but I wouldn’t be surprised if it did.
@anderbytes What in the name of sanity are you talking about?
Utterly and totally wrong, https encrypts all data… url, header and content, only thing it doesn’t encrypt is domain name that gets resolved through the dns system. Also, any https-busting proxy that can read the url can read the content as well. (Easily protected against by using the right root-certificates to prevent https man-in-the-middle attacks)
You should stop visiting Sonarr from work, at least I’m assuming that’s what we’re talking about coz that’s the only place where an unwanted third party could check the url (in your browser history).
If you still want to do that, use https in an incognito window coz your boss might be checking your browser history.
Also check for any vnc-like software, coz he might be watching.
… he’s standing behind me, isn’t he?
Adding human readable bits of information (called ‘slugs’ btw) in the url is actually pretty standard for fluent sites. Look at reddit, tvmaze, trakt.tv and plenty of the news sites.