You see an API endpoint GET /invoices/{invoice_id} that returns invoice data. Which additional check would a security-minded reviewer insist on to catch IDORs (beyond authentication)?
Validate the invoice_id format uses UUID only
Ensure responses are compressed to reduce bandwidth
Rate-limit the endpoint to 10 requests/minute
Verify the authenticated user is authorized to view that specific invoice_id resource
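The check this question turns on is object-level authorization: after authentication, the handler must confirm that the caller is allowed to see this particular invoice, not merely that the identifier is well-formed. The following Python is an added example written for this page, not code from the quiz or any real API. It models a minimal invoice store with two constructed users and invoices, and contrasts a handler that only authenticates and validates the UUID format (still vulnerable to IDOR) with one that enforces ownership. All names (ALICE, BOB, the invoice UUIDs, the handler and exception names) are hypothetical.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


# --- Constructed sample data (hypothetical users and invoices) ---------------
ALICE = "user-alice"
BOB = "user-bob"

ALICE_INVOICE = "3f2a9c1e-5b6d-4a7f-8c9d-0e1f2a3b4c5d"
BOB_INVOICE = "9b8c7d6e-1f2a-4b3c-8d5e-6f7a8b9c0d1e"


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str
    amount_cents: int


INVOICES = {
    ALICE_INVOICE: Invoice(ALICE_INVOICE, ALICE, 12500),
    BOB_INVOICE: Invoice(BOB_INVOICE, BOB, 4200),
}


class HttpError(Exception):
    """Hypothetical stand-in for a framework's HTTP error response."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def is_uuid(value: str) -> bool:
    """Format check only: a syntactically valid UUID says nothing about ownership."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def _common_checks(current_user: Optional[str], invoice_id: str) -> None:
    # Authentication and input validation happen in both handlers.
    if current_user is None:
        raise HttpError(401, "authentication required")
    if not is_uuid(invoice_id):
        raise HttpError(400, "invoice_id must be a UUID")


def get_invoice_vulnerable(current_user: Optional[str], invoice_id: str) -> Invoice:
    """Authenticated and format-validated, but any user can read any invoice (IDOR)."""
    _common_checks(current_user, invoice_id)
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise HttpError(404, "not found")
    return invoice  # never compares invoice.owner_id to current_user


def get_invoice_secure(current_user: Optional[str], invoice_id: str) -> Invoice:
    """Same checks plus object-level authorization: the caller must own the invoice."""
    _common_checks(current_user, invoice_id)
    invoice = INVOICES.get(invoice_id)
    # Return the same 404 for "does not exist" and "exists but not yours", so the
    # endpoint cannot be used as an oracle to enumerate other tenants' invoice IDs.
    if invoice is None or invoice.owner_id != current_user:
        raise HttpError(404, "not found")
    return invoice


def status_of(handler, current_user: Optional[str], invoice_id: str) -> int:
    """Helper for exercising a handler: 200 on success, else the HttpError status."""
    try:
        handler(current_user, invoice_id)
    except HttpError as err:
        return err.status
    return 200


if __name__ == "__main__":
    # Bob requests Alice's invoice: the vulnerable handler serves it, the secure one does not.
    print("vulnerable:", status_of(get_invoice_vulnerable, BOB, ALICE_INVOICE))
    print("secure:    ", status_of(get_invoice_secure, BOB, ALICE_INVOICE))
    print("own invoice:", status_of(get_invoice_secure, ALICE, ALICE_INVOICE))
```

The point the example makes concrete is that the UUID format check passes for the attacker's request exactly as it does for the legitimate one, so it cannot catch the IDOR; only the comparison of the invoice's owner against the authenticated principal does. In a real service the ownership constraint is usually pushed into the data access layer (query by owner and id together) so that every handler gets it by construction rather than by remembering to add the comparison.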
This question is part of this quiz: Cyber Quiz Day 34