How to hide agent URL from end users

So, I am learning the hard way that it is advantageous to hide your agent URL from end users. The mistake on my first project was to embed the agent URL in jQuery code that is visible if you view the page source. The mistake on my second project was even worse: creating the HTML page within the agent code and creating a simple redirect to the agent URL.

What is the best practice for hiding agent URLs? Is there a way to change the agent URL without replacing the hardware? I found the following advice on an Instructable using an Electric Imp device. Are there other options besides PHP?

“The purpose of the PHP script for POST is to hide the imp agent URL from the user. If you code the POST using jQuery, the user will be able to see the URL in the HTML source. With PHP (server-side), that URL is kept secret.”

If a page needs to communicate directly with an agent, it needs the URL. There’s no way around this. Sending to another server, which then sends to the agent, hides the agent URL but can be exploited in exactly the same way, as a user can look at your page source and just hit the intermediate server, which will dutifully forward requests.

You’ll get a different agent URL if you create a new user account and re-blinkup the imp to that; commercial users get a new URL for every blinkup.

If you want to allow people to access the agent (which sounds like it is the case), but be able to shut them out at a moment’s notice, then you can add a password or token to the agent so that requests without this are immediately rejected.

I use PHP cURL to do the posting. cURL is a library of functions to handle posting without using forms. It also hides the URL. PHP is also easy with JSON, which fits nicely with the imp. Finally, with PHP SESSION you can require a login to execute scripts. That adds to security.

Alternatives to PHP … perhaps ASP or Perl?

@Hugo
What do you mean by “…commercial users get a new URL for every blinkup.”?
A commercial user can directly access that agent URL, right?

@mlseim
Can you post a simple cURL example to hide the agent URL?

Thanks

Follow this recent thread.
http://forums.electricimp.com/discussion/2595/html-button-to-start-a-function#Item_5
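
Added example, not part of the original thread or any poster's code: a PHP relay that combines the two suggestions above, a session login in front of the cURL POST and a shared token sent to the agent, so the relay does not blindly forward anonymous requests. The environment variable names, the `X-Agent-Token` header, the session keys and the `on`/`off` command list are all assumptions; the agent code must itself reject any request that lacks the token.

```php
<?php
// relay.php (hypothetical name): server-side relay in front of an imp agent.
declare(strict_types=1);
session_start();

// Assumed configuration: kept in the server environment, never in page source.
$agentUrl   = getenv('IMP_AGENT_URL');    // placeholder variable name
$agentToken = getenv('IMP_AGENT_TOKEN');  // shared secret the agent checks

function fail(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');
// Login gate: 'user_id' is set by your own login script (assumed session key).
if (empty($_SESSION['user_id'])) fail(401, 'login required');
// CSRF gate: 'csrf' is issued with the form by your own page (assumed key).
$csrf = (string)($_POST['csrf'] ?? '');
if (empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrf)) {
    fail(403, 'bad CSRF token');
}
// Forward only known commands; never pass raw user input through to the agent.
$command = (string)($_POST['command'] ?? '');
if (!in_array($command, ['on', 'off'], true)) fail(400, 'unknown command');
if (!$agentUrl || !$agentToken) fail(500, 'relay not configured');

$ch = curl_init($agentUrl);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode(['command' => $command]),
    CURLOPT_HTTPHEADER     => [
        'Content-Type: application/json',
        'X-Agent-Token: ' . $agentToken,  // agent rejects requests without it
    ],
    CURLOPT_RETURNTRANSFER => true,   // capture the reply instead of echoing it
    CURLOPT_FOLLOWLOCATION => false,  // do not follow redirects to other hosts
    CURLOPT_TIMEOUT        => 10,
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

// Report success or failure only; the agent URL and its raw reply stay server-side.
if ($body === false || $status !== 200) fail(502, 'agent request failed');
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'command' => $command]);
```

If the agent URL does leak, changing the token on the agent and in the relay's environment shuts out anyone holding the old value without re-blinking the device.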