Open StefanSchubert opened 7 years ago
This involves converting the long id to string in the To-Objects, and to adapt the mapper for the required conversion step.
Would this really tighten the security? In which cases?
Though I currently doubt that the possible attack vectors would happen and that an open science project would not be of any interest to a hacker, this measure would tighten the security level an additional bit.
Providing internal objects database IDs as resource IDs are a potential security risk. To minimize this risk all ResourceIDs that will be published to the clients needs to be obfuscated, such that a client won't be able to access a different object just by incrementing the ID. In addition any invalid ID provided by the client should be logged in a special fraud-detection log with the clients IP.