docs/security_guidelines.md: 15 additions & 0 deletions
@@ -220,3 +220,18 @@ Implementing a code review process helps catch potential security issues before
220
220
### Lock down your server configuration
221
221
222
222
Ensure that configuration files for your web server are not publicly accessible.
223
+
224
+
### Verify access to objects
225
+
226
+
Insufficient access control and insecure exposure of object identifiers, such as database keys or file paths can lead to [Insecure Direct Object Reference (IDOR)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/IDOR) attacks.
227
+
228
+
To mitigate this:
229
+
230
+
- Always verify that the authenticated user is authorized to access or modify the object.
231
+
- Avoid exposing predictable, sequential, or sensitive object identifiers (like user IDs or email addresses).
232
+
- Use more complex IDs that are harder to predict (for example, UUIDs).
233
+
234
+
#### Learn more
235
+
236
+
-[Insecure Direct Object Reference Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) (OWASP)
237
+
-[Insecure Direct Object Reference (IDOR)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/IDOR) (MDN)
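Review bot: The two "Learn more" links at the end of the hunk are written as `-[Insecure Direct Object Reference Prevention Cheat Sheet](...)` and `-[Insecure Direct Object Reference (IDOR)](...)` with no space after the hyphen, so Markdown will render them as a literal `-[...]` paragraph rather than a list; change them to `- [Insecure Direct Object Reference Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) (OWASP)` and `- [Insecure Direct Object Reference (IDOR)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/IDOR) (MDN)` to match the `- ` list style used for the mitigation bullets above. Two smaller points in the same hunk: the opening sentence needs its closing comma ("such as database keys or file paths, can lead to"), and the third bullet ("Use more complex IDs that are harder to predict") reads as if unpredictable identifiers were a fix on their own; suggest adding that this is defence in depth and does not replace the per-request authorization check in the first bullet, so readers do not treat UUIDs as sufficient.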