API design and security: Why hide internal ids?

I've heard a few people say that you should never expose your internal ids to the outside world (for instance an auto-incrementing primary key).

Some suggest having some sort of uuid column that you use instead for lookups.

I'm wondering really why this would be suggested and if it's truly important.

Using a uuid instead is basically just obfuscating the id. What's the point? The only thing I can think of is that auto_incrementing integers obviously point out the ordering of my db objects. Does it matter if an outside user knows that one thing was created before/after another?

Or is it purely that obfuscating the ids would prevent "guessing" at different operations on specific objects?

Is this even an issue I should be thinking about when designing an external-facing API?

brad asked Sep 11 '12 21:09

1 Answer

Great answers; I'll add another reason why you don't want to expose your internal auto-incremented ID.
As a competing company, I can easily measure how many new users/orders/etc. you get every week/day/hour. I just need to create a user and/or order and subtract the new ID from what I got last time.
So it's not only for security reasons; it's for business reasons as well.

MyGGaN answered Sep 28 '22 21:09
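The pattern the question asks about (an auto-increment primary key kept internal, a random UUID column used for external lookups) and the volume leak the answer describes, as an added example that is not from the original thread. The in-memory `OrderStore`, `Order`, `is_valid_uuid4`, `to_api` and `sequential_gap` names are my own constructions standing in for a database table and its API layer.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Order:
    internal_id: int   # auto-increment primary key; never leaves the service
    public_id: str     # random UUID (version 4); the only id the API exposes
    customer: str

def is_valid_uuid4(value: str) -> bool:
    """Accept only the canonical hyphenated form of a version-4 UUID."""
    # uuid.UUID(value, version=4) would *overwrite* the version bits rather than
    # check them, so parse first and inspect the version explicitly.
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.version == 4 and str(parsed) == value.lower()

class OrderStore:
    """In-memory stand-in for a table with an auto-increment PK and a UUID column."""

    def __init__(self) -> None:
        self._next_id = 1
        self._by_public: Dict[str, Order] = {}   # like a unique index on the uuid column

    def create(self, customer: str) -> Order:
        # uuid4 is random; uuid1 is time-based and would leak creation order again.
        order = Order(self._next_id, str(uuid.uuid4()), customer)
        self._next_id += 1
        self._by_public[order.public_id] = order
        return order

    def lookup_public(self, public_id: str) -> Optional[Order]:
        """External lookups go through the UUID column only."""
        if not is_valid_uuid4(public_id):
            return None   # malformed input is rejected before it reaches the index
        return self._by_public.get(public_id)

def to_api(order: Order) -> dict:
    """Serialise for the external API; internal_id is deliberately omitted."""
    return {"id": order.public_id, "customer": order.customer}

def sequential_gap(first_id: int, second_id: int) -> int:
    """Records created between two sequential ids seen at different times;
    uuid4 ids give an observer no such signal."""
    return second_id - first_id - 1
```

`sequential_gap` is the arithmetic from the answer: it is exactly the number that a sequential id exposes and a random UUID does not.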