Is using database ids in urls (e.g. example.com/users/35/details)
an acceptable practice or should it be avoided? Is it more vulnerable to security threats by exposing it?

- 20,235
- 26
- 86
- 135
- I think that depends on the `ids` you are going to expose to the outer world. From the example you shared I think it should be good to make it a random id rather than the database ones. This https://github.com/namick/obfuscate_id will help you achieve it in Ruby on Rails – Athar Aug 30 '15 at 19:03
- Like you couldn't find the answer using search... – Neil McGuigan Aug 30 '15 at 21:30
1 Answer
Exposing internal details, such as ids, is a security risk. However, exposing this detail is likely a low risk.
If you are limiting the actions which are possible for a user based on their role, it is unlikely that an attacker can do anything beyond what a user could normally do.
If an attacker has an angle that allows them to run script against your database then knowing ids based on URLs is not your biggest problem.
Beyond security concerns there may be a business concern: you may not want to let everyone know approximately how many users are in the system. Sequential ids are a good way of finding out.
In the end though, in my opinion, the effort and performance hits that come from obscuring object ids are just not worth it in most cases. If you have a good reason to obscure it then by all means do it. Otherwise the time and effort can probably be spent better elsewhere.

- 41
- 2
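The answer's point that an exposed id is low risk only when every request is authorised against the caller's role, as an added Ruby example (not code from the post or from any project it mentions): a `/users/:id/details` lookup that trusts the URL id is shown beside one that checks ownership or admin role; the users, roles and records are constructed in memory.

```ruby
# Constructed sample data: three users, one of them an admin, and their details.
USERS = {
  1 => { name: "alice", role: :user },
  2 => { name: "bob",   role: :user },
  3 => { name: "carol", role: :admin },
}.freeze

DETAILS = {
  1 => { email: "alice@example.com" },
  2 => { email: "bob@example.com" },
  3 => { email: "carol@example.com" },
}.freeze

class Forbidden < StandardError; end
class NotFound < StandardError; end

# Vulnerable: GET /users/:id/details resolved purely from the URL parameter.
# Any authenticated caller can walk the sequential ids and read every record.
def details_vulnerable(_current_user_id, requested_id)
  DETAILS.fetch(requested_id) { raise NotFound }
end

# Hardened: the id may stay in the URL, but the lookup is authorised against the
# caller first. Owners see their own record, admins see any, everyone else is
# refused before the record's existence is even checked.
def details_hardened(current_user_id, requested_id)
  caller = USERS.fetch(current_user_id) { raise Forbidden }
  unless caller[:role] == :admin || current_user_id == requested_id
    raise Forbidden
  end
  DETAILS.fetch(requested_id) { raise NotFound }
end

# Simulate one caller requesting ids 1..max_id through the given lookup and
# return how many records were disclosed to them.
def enumerate(current_user_id, max_id, lookup)
  (1..max_id).count do |id|
    begin
      send(lookup, current_user_id, id)
      true
    rescue Forbidden, NotFound
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, as alice: #{enumerate(1, 5, :details_vulnerable)} records"
  puts "hardened,   as alice: #{enumerate(1, 5, :details_hardened)} records"
  puts "hardened,   as carol: #{enumerate(3, 5, :details_hardened)} records"
end
```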