Insecure Direct Object Reference

API resources' identifiers should be unpredictable.

For instance, MongoDB identifiers are not unpredictable and can be guessed.

An unpredictable identifier is not enough to secure the access to the resources.

The API should verify access permissions for each resource.

PreviousDOM XSSNextCross-Site Request Forgery

Last updated