This article assumes you are already familiar with shortened links and understand what they are used for.
Why password-protect a link?
The majority of short links on the Internet simply redirect the visitor to the target address (URL). They do that regardless of who (or what) clicked them, for any human, bot or crawler.
Sometimes you, however, want to protect the information it links to so that only the intended audience will get access to it.
Another reason for restricting access to a link might be avoiding leaking the target URL to search engines. As we all know, once something becomes public on the Internet, it will likely stay there forever.
For that reason, once.to offers our users the feature of protecting links with a password of your choice.
How does a password-protected link work?
A password-protected link looks exactly like any other shortened link. In fact, you can turn any of your links into a password-protected one, and the appearance of the link won’t change.
The behaviour of the link will be different though.
Instead of immediately redirecting the visitor who clicked it, they will first be presented with the Password required screen:
At this point no bot or crawler can go any further. This will also cut off any person who doesn’t know the correct password.
And if they do happen to enter the correct password, they will finally be redirected to the destination URL.
The password for a link must be 4 to 63 characters long, and is otherwise not restricted at all. You can select any password you like, weak or strong (contrary to your account password).
The link’s password is saved in the service without encryption, so you can always see it back in the link’s properties by clicking on the button.
Impact on click statistics
The password setting has an effect on the way clicks are counted for this link.
Only the actual redirects — i.e. those happening after the correct password is provided — will increase the click counter and register other relevant data of the visitor.
once.to uses the
302 Found HTTP status for password-protected links, which prevents the redirect from being cached by the browser (but the target page may be cached).
Although the actual destination URL is not directly visible without supplying a password, we discourage using this feature for restricting access to sensitive data, because the protection it provides is quite limited.
The destination address only stays secret as long as it’s not compromised.
Anyone can still share your “secret URL” somewhere on the Internet, in which case it can also be indexed by a search engine and eventually become public knowledge.