QQ. While I understand that "hiding" how many customers we have by not exposing auto-incrementing PKs may be important to business people, don't these two statements directly conflict?
Security through obscurity is the idea that something hidden is therefore secure.
If your IDs are simply sequential, then you are at best inadvertently leaking information about your business that you might not want people to know and at worst creating a security incident in waiting.
Given you have secured your API, isn't that a moot point about exposing PKs? Any special knowledge of a system is, as you first pointed out, inconsequential in a well-built/designed/implemented API, right? Our security makes special knowledge about a system DOA?
The non-auto-incrementing PKs only seem to be useful strictly in an insecure API, almost like a crutch?
Thanks for the article and tips!
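To put the two quoted statements side by side in code, here is an added example (it is not from the comment or from the article it replies to): an internal auto-increment key paired with a random opaque public identifier, with the ownership check kept separate from the identifier scheme. The in-memory CustomerStore, its method names and the sample accounts are constructed for illustration.

```python
import itertools
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    internal_id: int   # auto-increment PK; stays inside the service
    public_id: str     # random opaque identifier; the only ID the API exposes
    owner: str         # account allowed to read this record


class CustomerStore:
    """In-memory stand-in (hypothetical) for a table with an auto-increment PK."""

    def __init__(self):
        self._seq = itertools.count(1)
        self._by_internal = {}
        self._by_public = {}

    def create(self, owner):
        internal_id = next(self._seq)
        # 16 bytes from the OS CSPRNG, URL-safe base64: not guessable, not ordered,
        # and the value says nothing about how many rows exist.
        public_id = secrets.token_urlsafe(16)
        customer = Customer(internal_id, public_id, owner)
        self._by_internal[internal_id] = customer
        self._by_public[public_id] = customer
        return customer

    def lookup_by_pk_no_authz(self, internal_id):
        """The "incident in waiting" design: a sequential PK in the URL and no
        ownership check, so every valid integer returns someone's record."""
        return self._by_internal.get(internal_id)

    def lookup(self, public_id, caller):
        """API lookup: the ownership check is the control; the opaque ID is only
        defense in depth (no count leak, no cheap guessing if the check regresses)."""
        customer = self._by_public.get(public_id)
        if customer is None or customer.owner != caller:
            # One answer for "unknown" and "not yours", so the response does not
            # confirm which identifiers exist.
            return None
        return customer


def records_implied_by_sequential_ids(observed_ids):
    """What sequential IDs give away to any observer, authorization or not: the
    highest value seen is a lower bound on how many records were ever created."""
    return max(observed_ids, default=0)


def is_opaque(public_id, expected_len=22):
    """Sanity check an exposed identifier: the length token_urlsafe(16) produces,
    and not a plain integer that could be counted or incremented."""
    return len(public_id) == expected_len and not public_id.lstrip("-").isdigit()


if __name__ == "__main__":
    store = CustomerStore()
    a1 = store.create("alice")
    b1 = store.create("bob")
    # Sequential PK and no ownership check: the neighbouring integer is bob's record.
    print(store.lookup_by_pk_no_authz(a1.internal_id + 1) is b1)
    # Opaque ID with ownership check: bob's own token still returns nothing to alice.
    print(store.lookup(b1.public_id, "alice"))
    # The business figure a sequential scheme leaks: at least this many customers.
    print(records_implied_by_sequential_ids([a1.internal_id, b1.internal_id]))
```

The ownership check in `lookup` is the control the comment is asking about, and it must be there whichever identifier scheme is used. `lookup_by_pk_no_authz` is what a sequential PK in the URL costs when that check is missing or regresses, and `records_implied_by_sequential_ids` is the business-figure leak the article describes, which a correct authorization check does not remove because the number is visible in every response.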