DisableFindContentByIdPath - Should this be false by default?

[AndyBoot]

Hi!

Something we discovered today that pages were accessible upon entering in their ID at the root of the URL path (i.e. website.com/123). This was originally highlighted as we were expecting the 404 page when instead it was another page in the tree (with an ID of 123).

We found that this was switched on by default within Umbraco via the Umbraco:CMS:WebRouting:DisableFindContentByIdPath setting which is set to false by default. Setting this to true via appsettings.json of course prevents URL's such as /123 from working.

Documentation: https://docs.umbraco.com/umbraco-cms/13.latest/reference/configuration/webroutingsettings

My question is, should this be something which all sites are exposed to out of the box, or should this be switched off and the site owner decides if they need it enabled?

Technically speaking, if somebody knew your site was Umbraco, they could write a not so sophisticated crawler to attempt each potential URL starting from /1 and stumble upon pages which you didn't want others to find (such as ones with noindex or hidden from the xml sitemap).

Just thought I'd get a conversation started and see if it leads to anything. If there's reason behind it being enabled then I'll happily learn and move on.

Cheers,

Andy 🙂

[nul800sebastiaan]

AFAIK it's just backwards compatibility as this was the default behavior in v4/6/7 and probably 8.

[nul800sebastiaan]

Personally, I don't see a real need to preserve this legacy behavior though, I'd be happy if this was set to true by default and listed as a breaking behavioral change. Setting it to true by default should preserve previous behavior when upgrading where it was false (if possible). New installs should start with this being true.