On Oct 22, 2018, at 12:29, Matthew Pava <matthew.p...@iss.com> wrote: > I am curious why you think it is anti-practice to expose primary keys for > user-visible purposes. > My URLs all have the PK to the object in them, and any advanced user would be > able to “reverse engineer” a URL if they guess the PK of an object—and that’s > okay.
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet > Even Django tutorials suggest using the PK in the URL of an object. That's an interesting point, and I might argue is a shortcoming in the tutorial. PRs welcome! -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/79D86944-B1A3-479B-8959-9477144EBA6F%40andrewsforge.com. For more options, visit https://groups.google.com/d/optout.
