Security misconception: “We can’t put a primary key in the URL because a malicious user may change the URL to request a record they aren’t supposed to access.”

Solution: Validate on the server.

Never trust the client.
This applies to localStorage, hidden fields, cookies, client-side validation, hidden buttons, etc.

Assume the user will maliciously change all these things. Because they can.

So, validate on the server.

Never trust the client.

Note: There are reasons you may want to avoid putting an integer primary key in the URL:

1. It "leaks" info about how many records you have.

2. It's easy for an attacker to guess other values, so if the server has a security bug, this makes their job easier than with a GUID/UUID/etc.

3. An integer isn't human-readable or SEO-friendly, so you may prefer to use a kebab-case slug instead.
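The following is an added example, not code from the original post. It shows both halves of the argument in one place: a handler that trusts the id in the URL (the insecure direct object reference the misconception is worried about) next to one that resolves the URL key and then checks ownership on the server, and a record that carries a UUID public id and a kebab-case slug alongside its integer primary key so the URL need not expose the integer at all. The `Invoice` table, its column names, the in-memory list standing in for a database, and the sample rows are all constructed for the example.

```python
import re
import unicodedata
import uuid
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample table. The integer pk is what the database assigns;
# public_id (UUID) and slug are the two alternatives for exposing in URLs.
# Column names are hypothetical.
@dataclass
class Invoice:
    pk: int
    owner_id: int
    title: str
    public_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    slug: str = ""


def make_slug(title: str) -> str:
    """Kebab-case slug: ASCII-fold, lowercase, collapse runs of
    non-alphanumerics to a single '-', trim leading/trailing '-'."""
    ascii_text = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "-", ascii_text.lower()).strip("-")


# Constructed rows: user 10 owns invoice 1, user 20 owns invoice 2.
INVOICES = [
    Invoice(pk=1, owner_id=10, title="Alice's March invoice"),
    Invoice(pk=2, owner_id=20, title="Bob's March invoice"),
]
for _inv in INVOICES:
    _inv.slug = make_slug(_inv.title)


def get_invoice_vulnerable(url_id: str) -> Optional[Invoice]:
    """The anti-pattern the post warns about: the handler looks up whatever
    id arrived in the URL and never asks who owns the row, so any logged-in
    user can read any invoice just by editing the number."""
    for inv in INVOICES:
        if str(inv.pk) == url_id:
            return inv
    return None


def get_invoice(current_user_id: int, url_key: str) -> Optional[Invoice]:
    """Server-side check. The key may be the integer pk, the UUID public id,
    or the slug; whichever it is, the row is returned only if it belongs to
    the authenticated user. 'Not found' and 'not yours' both yield None so
    the caller can answer 404 in both cases and not confirm the row exists."""
    for inv in INVOICES:
        if url_key in (str(inv.pk), inv.public_id, inv.slug):
            return inv if inv.owner_id == current_user_id else None
    return None


def handle_request(current_user_id: int, url_key: str) -> Tuple[int, Optional[dict]]:
    """Models the HTTP boundary: current_user_id comes from the server-side
    session, url_key from the path. Responses expose the UUID, not the pk."""
    inv = get_invoice(current_user_id, url_key)
    if inv is None:
        return 404, None
    return 200, {"id": inv.public_id, "title": inv.title}


if __name__ == "__main__":
    # User 10 editing the URL to invoice 2: the trusting handler hands it over,
    # the checked handler answers 404.
    print(get_invoice_vulnerable("2").title)
    print(handle_request(10, "2"))
    print(handle_request(10, INVOICES[0].slug))
```

Note that the ownership filter belongs in the query itself (`WHERE id = ? AND owner_id = ?` in a real database), not in a separate check after the fetch; the in-memory loop above mirrors that by deciding ownership at the point the row is matched. Switching the URL to the UUID or slug does not remove the need for that filter; it only makes the id harder to guess and nicer to read, which is exactly what the three numbered reasons above claim and no more.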
