I'm using security tokens to create non-guessable URLs like this (16 bytes, hex):
http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31
The token is something like a shared password: whoever knows the URL is allowed to access the resource.
How many bytes should a secure random value have to be appropriate for secure URLs?
I've ended up with a 64-bit random value which is encoded as URL-safe Base64. The probability of guessing the correct token is 1 / 2^64, which is equal to 1 / 18446744073709551616. This is a pretty impressive number and it would be nearly impossible for an attacker to find the correct token with HTTP requests.
URLs look like this now: http://example.com/private/1oWYPiqO81k/
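
The scheme described in the post, as an added example that is not part of the original post: generating a 64-bit token from the OS CSPRNG as unpadded URL-safe Base64, decoding it strictly on the server, and evaluating the guessing probability for a given number of live tokens and requests. The function names and the sample figures are assumptions made for illustration.

```python
import base64
import math
import secrets
from typing import Optional


def new_token(n_bytes: int = 8) -> str:
    """Return n_bytes from the OS CSPRNG as unpadded URL-safe Base64."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_token(token: str, n_bytes: int = 8) -> Optional[bytes]:
    """Decode a token taken from a URL path.

    Returns None for malformed input, a wrong length, or a non-canonical
    spelling. 8 bytes fill 11 Base64 characters with 2 bits left over, and
    lenient decoders ignore those bits, so several strings would otherwise
    map to the same token.
    """
    try:
        padded = token + "=" * (-len(token) % 4)
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    if len(raw) != n_bytes:
        return None
    canonical = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return raw if canonical == token else None


def guess_probability(bits: int, live_tokens: int, attempts: int) -> float:
    """Probability that at least one of `attempts` independent uniform
    guesses matches one of `live_tokens` valid tokens of `bits` bits."""
    p_single = live_tokens / 2 ** bits
    # 1 - (1 - p)^n, computed so that tiny p does not round to zero.
    return -math.expm1(attempts * math.log1p(-p_single))


if __name__ == "__main__":
    token = new_token()
    print("http://example.com/private/%s/" % token)
    # Constructed figures: one million live URLs, one billion requests.
    for bits in (64, 128):
        print(bits, "bits:", guess_probability(bits, 10 ** 6, 10 ** 9))
```
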