> On 6 Apr 2016, at 07:29, Anssi Kääriäinen <akaar...@gmail.com> wrote:
> 
> It is notable that if the number of items is a secret (say, you don't
> want to reveal how many sales items you have), just having information
> about sequential numbers is bad. In that case you should use UUID,
> which the documentation could point out.

If anything about your data is sensitive, then there are a pile of side 
channels that putting your data online could expose. URLs are just one. For an 
entertaining read, google "German tank problem".

Giving specific security advice in the documentation that doesn't strictly 
refer to Django features could IMO lead to the false expectation that you're 
magically secure if you follow the advice. I would prefer that the 
documentation simply pointed to further reading, e.g. OWASP.

Erik

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/D9FBFA53-1053-4389-A192-3FA44606C82D%40cederstrand.dk.
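The "German tank problem" Erik refers to, worked through as an added example (this is not code from the thread or from Django): an attacker who scrapes a handful of auto-increment primary keys from URLs can estimate how many rows the table holds, whereas the same crawl against random UUID keys yields nothing. The function names and the simulated crawl are constructed for illustration.

```python
"""German tank problem applied to sequential object ids.

Added example, not code from the thread or from Django. Function names and
the sample data are constructed for illustration.
"""
import random
import uuid


def estimate_population(observed_ids):
    """Minimum-variance unbiased estimator for the German tank problem.

    Given k distinct serials drawn without replacement from 1..N, with
    largest observed serial m, the estimate is N_hat = m + m/k - 1.
    Applied to auto-increment primary keys scraped from URLs, it estimates
    how many rows the table holds (the secret Anssi mentions).
    """
    ids = sorted(set(int(i) for i in observed_ids))
    if not ids or ids[0] < 1:
        raise ValueError("need one or more positive integer ids")
    k = len(ids)
    m = ids[-1]
    return m + m / k - 1


def leak_from_sequential_ids(total_items, sample_size, seed=0):
    """Simulate an attacker who fetches sample_size random /items/<pk>/ pages
    on a site with total_items rows and sequential pks (constructed scenario).

    Returns (estimate, relative_error) so the leak can be quantified.
    """
    rng = random.Random(seed)
    observed = rng.sample(range(1, total_items + 1), sample_size)
    estimate = estimate_population(observed)
    return estimate, abs(estimate - total_items) / total_items


def sample_uuid_ids(sample_size, seed=0):
    """Same crawl against a table keyed by random UUIDs (version 4): each id
    is 122 random bits, so neither the values nor the gaps between them say
    anything about how many rows exist.
    """
    rng = random.Random(seed)
    return [uuid.UUID(int=rng.getrandbits(128), version=4)
            for _ in range(sample_size)]


if __name__ == "__main__":
    # Classic textbook sample: serials 19, 40, 42, 60 -> estimate 74.
    print(estimate_population([19, 40, 42, 60]))
    est, err = leak_from_sequential_ids(total_items=10_000, sample_size=50)
    print(f"estimated {est:.0f} rows from 50 sampled pks, error {err:.1%}")
    print(sample_uuid_ids(3))
```

With only 50 sampled primary keys out of 10,000 the estimate lands within a few percent of the true row count, which is the side channel in question. Switching the key to a UUID removes that ordering signal but, as the reply notes, not the other channels (timestamps, pagination counts, response sizes, and so on) that an online dataset can expose.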