
Discussion on: Building Consistent RESTful APIs

kevinhch

Hey, why did you accept :id in a DELETE transaction? I mean, is this secure? Imagine I have the token to send a request to your server, and now I can delete all the users using a simple ID from my browser. Is this good? I prefer to use :id just in GET requests.

richardigbiriki
Richard Igbiriki Author

Yes, I think DELETE /transaction/:id is the best way to delete a particular record. You are not deleting the entire table but only a particular record if it exists.

Another thing to keep in mind, you can have authorization checks to prevent certain users from being able to perform certain actions. You can also prevent certain action types (DELETE) from a resource.

So in your case, if you don't want Users to be deleted, you can prevent any access to DELETE users/:id.
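As an added illustration of the two controls mentioned in the reply (this is example code, not code from the thread or from the original article's author): a per-resource method allowlist that can switch DELETE off for `/users` entirely, and an authorization check on `DELETE /users/:id` so that holding a valid token does not let a caller delete arbitrary records by guessing IDs. The user store, roles, policy shape and request objects are all constructed for the example; `req.authUserId` is assumed to have been set by an earlier authentication step that already validated the token.

```javascript
// Constructed user store; `role` is what the authorization check consults.
function makeStore() {
  return new Map([
    ["u1", { id: "u1", role: "admin" }],
    ["u2", { id: "u2", role: "member" }],
    ["u3", { id: "u3", role: "member" }],
  ]);
}

// Per-resource method allowlist. Removing "DELETE" from a resource rejects
// every delete before any handler runs (the "prevent the action type" option).
const defaultPolicy = {
  "/users": ["GET", "POST", "DELETE"],
  "/transactions": ["GET", "POST", "DELETE"],
};

// Ownership/role rule: admins may delete any user, members only themselves.
function canDeleteUser(actor, targetId) {
  return actor.role === "admin" || actor.id === targetId;
}

// Handler for DELETE /users/:id. `req.authUserId` is assumed to come from an
// authentication layer that has already validated the bearer token.
function handleDeleteUser(req, store) {
  const actor = req.authUserId ? store.get(req.authUserId) : undefined;
  if (!actor) return { status: 401, body: { error: "unauthenticated" } };
  const targetId = req.params.id;
  // Authorization is checked before existence, so a non-owner gets the same
  // 403 whether or not the id exists: no enumeration of valid ids via DELETE.
  if (!canDeleteUser(actor, targetId)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  if (!store.has(targetId)) return { status: 404, body: { error: "not found" } };
  store.delete(targetId);
  return { status: 204, body: null };
}

// Minimal router: parses "/resource/:id", applies the method allowlist, then
// dispatches. Only the route needed for the demo is wired up.
function route(req, store, policy = defaultPolicy) {
  const m = /^(\/[a-z]+)(?:\/([^/]+))?$/.exec(req.path);
  if (!m) return { status: 404, body: { error: "not found" } };
  const [, resource, id] = m;
  const allowed = policy[resource];
  if (!allowed) return { status: 404, body: { error: "not found" } };
  if (!allowed.includes(req.method)) {
    return { status: 405, body: { error: "method not allowed" } };
  }
  if (resource === "/users" && req.method === "DELETE" && id) {
    return handleDeleteUser({ ...req, params: { id } }, store);
  }
  return { status: 501, body: { error: "not implemented in this example" } };
}

// Runs the scenario from the question: a member holding a valid token tries
// to delete other users by guessing ids, then the other cases. Returns the
// status codes in order so they can be checked.
function demo() {
  const store = makeStore();
  return [
    route({ method: "DELETE", path: "/users/u3", authUserId: "u2" }, store).status,   // 403 other user
    route({ method: "DELETE", path: "/users/u999", authUserId: "u2" }, store).status, // 403 unknown id, same answer
    route({ method: "DELETE", path: "/users/u2", authUserId: "u2" }, store).status,   // 204 own account
    route({ method: "DELETE", path: "/users/u3", authUserId: "u1" }, store).status,   // 204 admin
    route({ method: "DELETE", path: "/users/u3", authUserId: "u1" }, store).status,   // 404 already gone
    route({ method: "DELETE", path: "/users/u1" }, store).status,                     // 401 no token
    route({ method: "DELETE", path: "/users/u1", authUserId: "u1" }, store,
          { "/users": ["GET", "POST"] }).status,                                       // 405 DELETE disabled
  ];
}

console.log(demo());
```

The point of ordering the checks as 401, then 403, then 404 is that a caller who is not allowed to delete a record never learns whether that record exists; if the resource should never be deletable over the API at all, dropping `"DELETE"` from the policy entry turns every such request into a 405 before any handler code runs.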