Closed orubel closed 1 month ago
orubel
commented
1 month ago Ok so... nice idea BUT while this should in theory work within a limited frame of a document serve, it is not for a 'framework' to enforce. PLUS, we do not deal with the RESOURCE... only COMMUNICATION LAYER (hence API)
So definitely closing this as being irrelevant.
orubel
commented
1 month ago NOTE: this is more an issue for PUBLIC API's in file stores (ie MongoDB). They should be refreshed regulkarly with different UUIDs (based on keys) so that even if other sites try to mine with CURL (or something), the keys won't match previous entries in their system.
PLUS UUID's would be hashed based on different server/DB architectures so depending on how the load balancer routes them, they may not get the same set of keys/relationships... making it nearly impossible to mine.
UUIDs cannot be easily rotated but rotating them keeps people from mining data and adds an extra security layer to you API's
So to do this, we simple generate UUIDs on INITIAL REQUEST and store in CACHE
Searches by NAME can then populate cache and return UUIDs for objects
for example, if I am Amazon and I search for Books by Rowling, we
And caching scheme must stay LOCALIZED BECAUSE 'secretGenerator' is randomized per server deploy
Also this is not problematic as sessions are maintained by embedded tomcat so is horizontally and vertically scalable