Some of my clients try to "hide" primary keys in the UI
Some of my clients try to "hide" primary keys in the UI.
They consider using primary keys in the URL/links a security risk.
But the primary keys are sent to the browser in JSON, and referenced in UI code. Thus, they're still easy to find.
So why bother? Am I missing something?
"Something is better than nothing"
Every measure is a tradeoff.
I could put the lock high on my door so it's hard to pick, but then I have to deal with the hassle every time I use it. And it's easily circumvented via a stool.
The question: Does the benefit outweigh the cost?
Also, it's important to distinguish between auto-incrementing ids and GUIDs.
Auto-incrementing ids have downsides:
1. They're easy to guess, which encourages people to try random values to find holes in backend authorization.
2. They expose info about how many records are in your DB.
So GUIDs are preferable.
But "hiding" any id by keeping it out of the URL doesn't actually hide it. If it's sent to the client, it's readable.
In summary:
Secure your endpoints.
Authorize every request.
Never trust the client.
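The summary above as an added example, not code from the original post: a record lookup that trusts whoever presents the id, next to one that authorizes against the session on every request. The `Invoice` type, the in-memory `DB`, the user names and the status tuples are all constructed for illustration.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: uuid.UUID
    owner: str
    total_cents: int


# Constructed sample data: two users, one invoice each, keyed by random GUIDs.
ALICE_INVOICE = Invoice(uuid.uuid4(), "alice", 12_500)
BOB_INVOICE = Invoice(uuid.uuid4(), "bob", 990)
DB = {inv.id: inv for inv in (ALICE_INVOICE, BOB_INVOICE)}

NOT_FOUND = (404, {"error": "not found"})


def get_invoice_unchecked(raw_id: str):
    """'Before': anyone who has the id (it is in the JSON sent to the UI) gets the record."""
    inv = DB.get(uuid.UUID(raw_id))
    return (200, {"id": str(inv.id), "total_cents": inv.total_cents}) if inv else NOT_FOUND


def get_invoice(session_user: str, raw_id: str):
    """'After': the id is untrusted client input; access is decided from the session."""
    try:
        invoice_id = uuid.UUID(raw_id)
    except (ValueError, AttributeError, TypeError):
        return (400, {"error": "bad id"})
    inv = DB.get(invoice_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # does not confirm which ids are valid.
    if inv is None or inv.owner != session_user:
        return NOT_FOUND
    return (200, {"id": str(inv.id), "total_cents": inv.total_cents})


if __name__ == "__main__":
    seen_in_json = str(ALICE_INVOICE.id)  # an id the client has already been sent
    print("unchecked:", get_invoice_unchecked(seen_in_json)[0])
    print("bob, checked:", get_invoice("bob", seen_in_json)[0])
    print("alice, checked:", get_invoice("alice", seen_in_json)[0])
```

With the check in place, whether the id appears in the URL or only in JSON makes no difference to who can read the record.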