Encrypt IDs in URL variables

by

oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var?

Yes, sensitive information must not leave your server in the first place. Use sessions.

As for “are table ids safe in the URL”: I don’t know, is there anything bad a user could do knowing a table id? If so, you need to fix that. Usually you need to pass some kind of id around though, whether that’s the “native table id” or some other random id you dream up usually doesn’t matter. There’s nothing inherently insecure about showing the id of a record in the URL, that by itself means absolutely nothing. It’s how your app uses this id that may or may not open up security holes.
Additionally think about whether a user can easily guess other ids he’s not supposed to know and whether that means anything bad for your security.

Security isn’t a one-off thing, you need to think about it in every single line of code you write.

More Related Contents:

  1. What is the maximum length of a URL in different browsers?
  2. What is the difference between a URI, a URL and a URN?
  3. Can I change all my http:// links to just //?
  4. Escaping ampersand in URL
  5. Can I use an at symbol (@) inside URLs?
  6. URL matrix parameters vs. query parameters
  7. Spaces in URLs? [duplicate]
  8. Is there any downside for using a leading double slash to inherit the protocol in a URL? i.e. src=”//domain.com”
  9. URL: Username with @
  10. What is the difference between URI, URL and URN? [duplicate]
  11. How to send password securely over HTTP?
  12. URL without “http|https”
  13. Is a slash (“/”) equivalent to an encoded slash (“%2F”) in the path portion of an HTTP URL
  14. URL hash is persisting between redirects
  15. Add subdomain to localhost URL
  16. Semicolon as URL query separator
  17. What is a safe maximum length a segment in a URL path should be?
  18. Is a URL with // in the path-section valid?
  19. Uses of content-disposition in an HTTP response header
  20. How to detect server-side whether cookies are disabled
  21. Easy HTTP requests with gzip/deflate compression
  22. CORS request with Preflight and redirect: disallowed. Workarounds?
  23. How to redirect user’s browser URL to a different page in Nodejs?
  24. Detect end of HTTP request body
  25. How to correctly set Http Request Header in Angular 2
  26. Using “transfer-encoding: chunked”, how much data must be sent before browsers start rendering it?
  27. Do web browsers always send a trailing slash after a domain name?
  28. Chunked transfer encoding – browser behavior
  29. Domain set cookie for subdomain
  30. Chunked encoding and content-length header

Leave a Comment