Kaizen Today I Learned by Ville Säävuori

TIP: Hiding and Showing Admin Links

Publicly visible links to site admin/staff functionality are a bad practice that is surprisingly common even today. Besides being harmful security-wise, it’s also bad for usability, as it adds unnecessary navigation options for non-admin users.

The thing is, it’s also very easy to fix. Here’s a one-liner that I’ve used in many projects:

const adminLinksVisible = localStorage.getItem('admin-links') === 'true'

Then just set this localStorage item on the admin index page and/or manually add the storage item from the developer tools for those who need it (and document the practice so everyone can do it). In most cases most of the admin users aren’t so-called expert users, so you should make sure to have links to the admin functionality visible in multiple places throughout the organisation’s infrastructure (such as Slack or the intranet).
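As an added illustration (not code from the original post), here is how the one-liner can be wired up end to end: a reader for the flag, the setter the admin index page would call, a hide/show pass over links marked with an assumed data-admin-link attribute, and a constructed in-memory stand-in for localStorage so the snippet also runs outside a browser. It also shows why the strict comparison against the string 'true' matters: localStorage only stores strings, so a plain truthiness check would treat a stored 'false' as "show the links".

```javascript
// Added example, not from the original post. The storage key matches the
// post's one-liner; the data-admin-link attribute is an assumed convention.
const ADMIN_LINKS_KEY = 'admin-links';

// Strict check: only the literal string 'true' turns the links on.
function adminLinksVisible(storage) {
  return storage.getItem(ADMIN_LINKS_KEY) === 'true';
}

// The pitfall the strict check avoids: getItem returns a string (or null),
// so the string 'false' is truthy and would show the links.
function naiveAdminLinksVisible(storage) {
  return Boolean(storage.getItem(ADMIN_LINKS_KEY));
}

// Called from the admin index page so that this browser shows admin links.
function enableAdminLinks(storage) {
  storage.setItem(ADMIN_LINKS_KEY, 'true');
}

// Removes the flag again (e.g. from a "hide admin links" button).
function disableAdminLinks(storage) {
  storage.removeItem(ADMIN_LINKS_KEY);
}

// Applies the flag to every element carrying data-admin-link.
// Returns the number of links left visible.
function applyAdminLinkVisibility(storage, elements) {
  const visible = adminLinksVisible(storage);
  let shown = 0;
  for (const el of elements) {
    el.hidden = !visible;
    if (visible) shown += 1;
  }
  return shown;
}

// Constructed stand-in for window.localStorage (same getItem/setItem/removeItem
// shape, string values only) so the example runs in Node as well as a browser.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Browser wiring: runs only where a DOM and real localStorage exist.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  applyAdminLinkVisibility(localStorage, document.querySelectorAll('[data-admin-link]'));
}
```

Run the visibility pass once on page load and again after the flag changes. The pass only hides markup in the browser; every admin URL still has to be protected by the normal server-side authentication and authorization, exactly as the next paragraph says.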

Lastly, DO NOT RELY on hidden admin links as a security measure. It’s a useful layer of security by obscurity, but it should be just that: an additional layer on top of normal security measures.
