Talk:REST Security Cheat Sheet
Revision as of 00:53, 20 December 2011 by Will Stranathan (Added discussion about Direct Object Reference details)
My point with the Check Authorization for User-Specific Entities section is to avoid Direct Object Reference. There are really two underlying potential pitfalls here:
- Giving access to objects simply by the key value in the URL rather than checking proper authorization for that entity. (i.e., this user doesn't have access to object 1235, but we allow the method simply because 1235 was in the URL rather than checking to see if this user is allowed to modify/view it)
- Giving away sensitive information simply by including the object ID in the URL. Users tend to copy/paste URL's and they get cached in many different places and included in the history (even if the response gives the right Expires, Cache-control, and Pragma headers), so the URL shouldn't directly include anything sensitive like account number. http://some.service/account/128420482 should be a no-no.