Web server accepts the users’ request over Internet. However, this may allow malicious hackers to exploit security holes in the web server by using the same path info. Malicious hackers may exploit software bugs in the web server, operating system or web application to gain unauthorized access to the web server. Although web application security is one of the main security concerns of web server, network administrators usually only pay attention to the web server and operating system. They do not consider that software bugs in the web application may also make the entire system insecure. The mechanism proposed encodes all the web application files by replacing the URLs in the web page with randomly generated and hashed URL. Every time the authorized users visit the website governed by this mechanism will use different URLs to acquire system service. The unauthorized users, however, will not obtain the initial URL to be admitted to the system service. Therefore, the mechanism proposed will effectively defend web application systems.