
Just as a warning, it was pretty trivial to be able to look at your JavaScript and get the CSV file that you described.

I doubt that you care that much since the data isn't sensitive but just a heads up.

The best way to prevent the theft of sensitive data is to not have any in the first place.

The GP commenter makes it clear that the CSV file is written to on the server-side (using PHP) as a consequence of request handling, not on the client side. There is no place that the CSV URL is visible, other than in the PHP source (that clients cannot access) and in the Google Sheet (which is presumably internal to the GP's GSuite domain.)

It's security-by-obscurity, maybe (as all public "secret token" URLs are) but it's better than what you're implying.

fwiw I was able to find the csv as well.

EDIT: You are right in theory though.

As a learning exercise, I tried to find it too, but I wasn't able to get it from the domain in the JS file. Could you explain how you got to the final file?

This is strictly as a learning exercise, no malicious intent on my part.

I was able to quickly get the CSV file as well.

The JavaScript is located at SITE/counter.js

My first guess for the CSV was SITE/counter.csv

It worked.
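
An added example, not part of the thread or the site's own code: a docroot audit that flags the situation described above, a data file sitting in a web-served directory under the same base name as a public asset (counter.js beside counter.csv). The extension lists and the sample tree are assumptions constructed for illustration; a file with a random name is not flagged, although it remains reachable by anyone who learns its URL.

```python
import os
import tempfile
from pathlib import Path

# Assumption: which extensions count as publicly referenced assets and which as data.
PUBLIC_EXTS = {".js", ".css", ".html", ".php"}
DATA_EXTS = {".csv", ".json", ".sqlite", ".db", ".txt", ".log"}


def guessable_data_files(docroot):
    """Return (data_file, public_sibling) pairs where a data file under the
    web root shares its directory and base name with a public asset."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        files = sorted(files)  # deterministic choice of the reported sibling
        stems = {}
        for name in files:
            p = Path(name)
            if p.suffix.lower() in PUBLIC_EXTS:
                stems.setdefault(p.stem.lower(), name)
        for name in files:
            p = Path(name)
            if p.suffix.lower() in DATA_EXTS and p.stem.lower() in stems:
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                findings.append((rel, stems[p.stem.lower()]))
    return sorted(findings)


def build_sample_docroot(base):
    """Constructed sample tree mirroring the thread: counter.js beside counter.csv."""
    base = Path(base)
    (base / "assets").mkdir()
    for rel in ("counter.js", "counter.php", "counter.csv", "index.html",
                "assets/app.js", "assets/visits-7f3a9c.csv"):
        (base / rel).write_text("constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for data_file, sibling in guessable_data_files(build_sample_docroot(tmp)):
            print(f"{data_file}: same base name as public {sibling}; "
                  "store it outside the web root")
```

Anything it reports is better written to a path outside the web root, where the server-side code can still reach it and no URL maps to it.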
