Date: 2024-09-17
Even if you're not familiar with the concept of Capability URLs, there is a pretty good chance that you are using them. A Capability URL, at its most basic, is a Uniform Resource Locator that grants permission to take some action based solely on possession of the URL. Typically, the capability URL's path or parameters carry enough entropy that it cannot feasibly be guessed, which makes it reasonably secure in temporary contexts: where the URL is only used over encrypted connections, and where it is only valid for a single use or an otherwise limited period of time.
Here are some examples of common applications for Capability URLs:
- Password Reset Links
- Email Verification Links
- File or Document Sharing Links (downloads)
- Magic Links (passwordless authentication)
- Temporary Collaboration Links
- Self-Destructing Message Links
- Delegated Permissions Links
- Webhooks
- "Presigned URLs" in services like AWS
Given the broad software engineering implications of Capability URLs, it's clear that many product developers are going to gravitate towards using them, but because these URLs are known by so many names, it's a challenge for software developers to get good guidance on how to design systems and processes with Capability URLs. I recommend "Good Practices for Capability URLs" by Jeni Tennison (and W3.org generally). It's a very thorough exploration of the different use-cases for Capability URLs, with requirements written in an RFC-style format.
Capability URLs are ever-present in SaaS offerings, so IT professionals will also encounter a variety of these scenarios in the products they are managing and using. For these professionals, it's more important to understand the operational security necessary to safely use a Capability URL than the above guidance on how to properly engineer with them. For this, I recommend the following list of operational security controls:
- Only transmit Capability URLs over HTTPS (including using the capability URL itself)
- Do not use Capability URLs for scenarios where the Capability URL is accessible to multiple parties (e.g. a Service Account Mailbox)
- Treat Capability URLs like security credentials (because they are)
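Treating the URL as a credential has a concrete consequence for operations: it must not end up in plaintext in proxy logs, ticketing systems or chat transcripts, and it must only ever travel over HTTPS. The following is an added example, not from the original post, of two hypothetical helpers an IT team might put in front of its logging: one that rejects non-HTTPS capability URLs, and one that redacts the secret-bearing parts of a URL before it is written anywhere. The parameter-name list, the entropy thresholds and the sample URLs are constructed for illustration; the heuristic deliberately errs toward redacting, since a redacted log line is a nuisance while a logged credential is an incident.

```python
import math
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry the capability itself (constructed list;
# extend it for the products in your environment).
SECRET_PARAM_NAMES = {"token", "key", "signature", "sig", "code",
                      "x-amz-signature", "x-amz-credential"}
MIN_SECRET_LENGTH = 20     # short segments such as "reset" or "report.pdf" are never redacted
MIN_BITS_PER_CHAR = 3.5    # random base64/hex tokens score ~3.9-5.0; ordinary words score lower
REDACTED = "REDACTED"


def _shannon_bits_per_char(s: str) -> float:
    """Empirical Shannon entropy of the string, in bits per character."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    """Heuristic: long and high-entropy, the shape of a capability token."""
    return len(value) >= MIN_SECRET_LENGTH and _shannon_bits_per_char(value) >= MIN_BITS_PER_CHAR


def is_safe_transport(url: str) -> bool:
    """Control 1: a capability URL may only be used over HTTPS."""
    return urlsplit(url).scheme == "https"


def redact_capability_url(url: str) -> str:
    """Control 3: strip the credential-bearing parts of a URL before logging or sharing it.

    Path segments that look like tokens are replaced, as are query values whose name
    is on the known-secret list or whose value looks like a token.
    """
    parts = urlsplit(url)
    path = "/".join(REDACTED if looks_like_secret(seg) else seg
                    for seg in parts.path.split("/"))
    query = urlencode([
        (k, REDACTED if k.lower() in SECRET_PARAM_NAMES or looks_like_secret(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs; the hex string is a made-up 40-character token.
    samples = [
        "https://example.test/reset?token=Qm9ndXNUb2tlbjEyMzQ1Njc4OTBhYmNkZWZnaGlq",
        "https://files.example.test/d/0123456789abcdef0123456789abcdef01234567/report.pdf",
        "http://example.test/reset?token=Qm9ndXNUb2tlbjEyMzQ1Njc4OTBhYmNkZWZnaGlq",
        "https://example.test/docs/getting-started",
    ]
    for u in samples:
        print("https" if is_safe_transport(u) else "PLAINTEXT", redact_capability_url(u))
```

Run the block as a script to see each sample URL flagged for transport and printed in its redacted form; the same two functions can be dropped into a log-shipping pipeline or a chat bot that scrubs pasted links.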