0

Can I secure a website using a simple whitelist system?

My idea is to port forward a website www.example.com on my pc. To secure it, I want to add a whitelist system. It will work like this:

When the server receives a request, it will read a file containing a list of allowed IPs and check if it contains the requester's IP. If it does, the user can access the website. If it doesn't, the server will not send any response. (meaning the page won't load).

To be whitelisted, users will have to browse to a specific URL, like www.example.com/super-secret-url. When the server receives a request from this URL, it will add its IP to the whitelist.

I should point out that I am not expecting any targeted attacks since I will only be sharing this website with a few people.

This system seems quite safe to me. Is it? If not, why not? What can I do to improve it?

As you probably noticed, I am not an expert on this topic. So I'll try to clarify my question.

When I was researching the topic (port forwarding from my pc), People were talking about security risks: people being able to access my pc and/or network through my website. I want to know how this works and if I can prevent it like this.

Gies
  • 1
  • 2
  • "Safe" from what? To limit access? It's fine, unless an unauthorised person discovers the super secret URL. You are trusting your whole system on the idea that the secret URL will not be found/ – schroeder Jul 05 '21 at 13:39
  • Your edit changes the question considerably. Dynamically updating an allowlist is not relevant to your question or your security concerns. You don't want to secure your site. You want to secure your computer and your network. – schroeder Jul 06 '21 at 06:41

1 Answers1

1

The normal way to limit access is with a User Account. That way approved users are not limited to particular IP addresses, which is impractical in most cases.

If you're thinking that white listing the IP will Prevent Brute force or DoS, it won't. As a minimum the port has to be open to allow access to www.example.com/super-secret-url for your proposed method to work, so you can't block unknown IPs.

Implement a vanilla sign-in account system along with a brute force choking mechanism. This has the added advantage of allowing you to correlate activities with accounts if needed instead of unattributible IPs.

If for whatever reason you still want IPs, you can invisibly capture and track them at sign-in.

Your subsequent edit of

"... people being able to access my pc and/or network through my website. I want to know how this works and if I can prevent it like this ..."

Is an entirely different question!

Nothing in your proposed methodology would have any direct bearing pro or con regarding unintended back-end access. I will suggest that deviating from standard methodologies without substantial expertise is far more likely to create problems than solve them.

user10216038
  • 7,552
  • 2
  • 16
  • 19