
I am developing a RESTful API for my company, but a couple of people have some issues regarding the exposure of the entity IDs, which I can definitely see as a problem regarding securing our data.

My data is scoped, meaning, you cannot see data that doesn't belong to you in the first place.

I am using Web API and EF6. What have you done about this issue? Is this even an issue (why/why not)?

If it is an issue:

  • Do I encrypt or otherwise obfuscate the IDs?
  • Do I internally map to different IDs? - any good frameworks for this?
  • Do I add a column to all my tables with a UUID and expose that instead?

What is deemed "good practice" or "secure" in this manner?

The edit of this answer seems like a good solution, but I would still like to see what is considered good/bad/great and maybe other solutions to the 'problem'.

Not an issue according to this, I can see why it shouldn't be a problem, as long as

  1. The data is securely scoped
VisualBean
  • If you are locking down data with access tokens or some such, why does it matter if ids are obvious and visible? – Kirk Woll Sep 04 '15 at 14:09
  • [Should I obscure database primary keys (IDs) in application front end?](http://security.stackexchange.com/questions/56357/), [Exposing database IDs - security risk?](http://stackoverflow.com/questions/396164/), [Is it a bad practice to expose DB internal IDs in URLs?](http://stackoverflow.com/questions/9904396/), [Is exposing database auto increment id considered a bad practice?](https://www.quora.com/Is-exposing-database-auto-increment-id-considered-a-bad-practice), ... – CodeCaster Sep 04 '15 at 14:10
  • ... [Is obscuring/obfuscating public-facing database ids really a “best practice”?](http://programmers.stackexchange.com/questions/139450/), [Why not expose a primary key](http://programmers.stackexchange.com/questions/218306/). – CodeCaster Sep 04 '15 at 14:10

1 Answer


"Do I encrypt or otherwise obfuscate the IDs?"

If you have to do this then you probably shouldn't be returning them.

"Do I internally map to different IDs? - any good frameworks for this?"

This seems like it would add a high level of complication to your app.

"Do I add a column to all my tables with a UUID and expose that instead?"

Something to remember when exposing IDs: if you have a certain permission to view something at the endpoint /api/user/1, what is to stop you from "walking" the URL and changing that to /api/user/2 to view someone else's data? One thing you can do is use GUIDs as IDs to prevent walking the URL, but in general, if you do not need to return the IDs, then don't. If you have to return any data at all that is sensitive, then it should ALWAYS be over SSL.

Stephen Brickner
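
An added example (not code from the question or the answer): a Web API 2 / EF6 action in which the scoping described in the question is enforced inside the query itself, so changing the ID in the URL yields 404 whether the exposed ID is an integer or a GUID. `Order`, `AppDbContext`, `OrdersController` and the `Owner` column are hypothetical names, and attribute routing is assumed to be enabled with `config.MapHttpAttributeRoutes()`.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical entity: the integer key stays internal, the GUID is what the API exposes.
public class Order
{
    public int Id { get; set; }          // internal primary key, never serialized
    public Guid PublicId { get; set; }   // exposed identifier (assumed to have a unique index)
    public string Owner { get; set; }    // user name the row is scoped to
    public decimal Total { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Order> Orders { get; set; }
}

[Authorize]                              // anonymous callers never reach the action
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    private readonly AppDbContext _db = new AppDbContext();

    [HttpGet, Route("{publicId:guid}")]
    public async Task<IHttpActionResult> Get(Guid publicId)
    {
        string caller = User.Identity.Name;

        // The ownership predicate is part of the lookup, not a check made afterwards:
        // a row owned by someone else is indistinguishable from a row that does not exist.
        var order = await _db.Orders
            .Where(o => o.PublicId == publicId && o.Owner == caller)
            .Select(o => new { id = o.PublicId, total = o.Total })  // projection omits Id and Owner
            .SingleOrDefaultAsync();

        if (order == null) return NotFound();   // same response for "missing" and "not yours"
        return Ok(order);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

The GUID only makes identifiers hard to guess; the `Owner` predicate is what actually keeps one caller out of another caller's rows.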