How bad is revealing ids really?
Hey, I am currently not using DTOs or something similar, and I was wondering how bad it really is if I expose the primary keys of a table in my frontend by handing over the whole object returned by the Prisma client.
I know it's bad practice and seen as a security breach ... but I never fully understood why. If I send a DTO with the same values but some UUID instead of the id (primary key), I still have to persist the UUID in the table, and although it is not the primary key ... it is still an identifier that I have to use and a "hacker" could use too.
4 Replies
I don't think it's a problem if the id is a UUID
I mean, a hacker technically could try to reverse engineer the algorithm to know how your UUIDs are generated, and that's usually why we don't expose
I mean, I don't see why that would matter
So what if they know how IDs are generated?
But for a lot of applications, even if a hacker did waste time on that, it wouldn't matter if no sensitive data is being compromised
Then the website could be data mined for every user's information; I think that happened to LinkedIn in the past.
But yeah, if no sensitive data can be queried from that id, there's no problem exposing it.
Alright, thank you.
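To make the point of the thread concrete, here is an added example (it is not code from the original posts or from Prisma). It shows the two things being argued about side by side: an integer primary key lets a logged-in attacker walk the id space and collect every row, a UUID only makes that walk impractical, and in both cases the actual fix is scoping the query to the caller. The `db` object is a synchronous in-memory stand-in that mimics the shape of `prisma.document.findUnique`/`findFirst`; the rows, uuid strings and handler names are constructed for the example.

```javascript
// Added example, not from the original thread. It shows why exposing a
// primary key matters only when the lookup it feeds skips authorization:
// integer ids make enumeration trivial, a UUID only hides the id space,
// and neither replaces a check on who is asking. The "db" object is a
// synchronous, in-memory stand-in that mimics prisma.document.findUnique /
// findFirst; no Prisma client is used and all data here is constructed.

// Constructed sample rows: integer primary key, a uuid column, and an owner.
const documents = [
  { id: 1, uuid: "4b1e1d6c-0a7f-4f5e-9c5c-0e2b6a1f9a01", ownerId: 1, body: "alice: private notes" },
  { id: 2, uuid: "9f3a2c11-7d43-4c0a-8e5b-2b8a9d3c1e02", ownerId: 2, body: "bob: tax return" },
  { id: 3, uuid: "c2d7e8f0-1a2b-4c3d-9e4f-5a6b7c8d9e03", ownerId: 1, body: "alice: salary sheet" },
];

// True when every key in `where` equals the row's value (an AND of equalities).
const matches = (row, where) => Object.entries(where).every(([k, v]) => row[k] === v);

// Minimal stand-in for the Prisma client (synchronous so the example runs as-is;
// the real client returns promises).
const db = {
  document: {
    findUnique: ({ where }) => documents.find((r) => matches(r, where)) ?? null,
    findFirst: ({ where }) => documents.find((r) => matches(r, where)) ?? null,
  },
};

// VULNERABLE: the handler trusts whatever identifier the client sent and
// returns the whole row. Who is logged in (session) never enters the query.
function getDocumentVulnerable(session, idFromRequest) {
  return db.document.findUnique({ where: { id: idFromRequest } });
}

// HARDENED: the same lookup, scoped to the caller. A row that belongs to
// someone else is simply not found, whichever identifier the client guessed.
// This is the check that matters; it works the same with an integer id or a uuid.
function getDocumentHardened(session, idFromRequest) {
  return db.document.findFirst({
    where: { id: idFromRequest, ownerId: session.userId },
  });
}

// The DTO the thread talks about: expose the uuid as "id", keep the integer
// key and owner internal. It shrinks what a response leaks about the table,
// but on its own it is not an access control.
function toDto(row) {
  return row ? { id: row.uuid, body: row.body } : null;
}

// What "data mining every user's information" looks like: an attacker with an
// ordinary account walks the integer id space and keeps every hit. Against a
// uuid column the same loop would have to guess 122 random bits per row.
function enumerateIds(handler, session, maxId) {
  const found = [];
  for (let id = 1; id <= maxId; id++) {
    const row = handler(session, id);
    if (row) found.push(row.body);
  }
  return found;
}

const attacker = { userId: 2 }; // bob, a normal logged-in user

console.log(enumerateIds(getDocumentVulnerable, attacker, 10));
// -> [ 'alice: private notes', 'bob: tax return', 'alice: salary sheet' ]
console.log(enumerateIds(getDocumentHardened, attacker, 10));
// -> [ 'bob: tax return' ]
console.log(toDto(getDocumentHardened(attacker, 2)));
// -> { id: '9f3a2c11-7d43-4c0a-8e5b-2b8a9d3c1e02', body: 'bob: tax return' }
```

Run it with `node` and compare the two enumeration results: the vulnerable handler hands bob every row in the table, the hardened one only his own, and the DTO is merely what you choose to serialize on top of that. Swapping the integer `id` for the `uuid` column in `getDocumentVulnerable` would stop the brute-force loop but would still return any row whose uuid leaks through a shared link or a log line.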