Timeline for How to approach user related resources on a REST API?
Current License: CC BY-SA 3.0
3 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 3, 2020 at 6:57 | comment added | Puce | | Also, sending both userId and an Authentication header is prone to spoofing attacks, if the developers did not carefully check any mismatch. |
| Oct 25, 2017 at 11:23 | comment added | dadasign | | The cache point seems interesting, but on the other side it mostly reminds me that (at least if we are considering browser cache) no resources which require authorization should use cache headers. Accidentally opening a cached /profile URL makes the issue obvious, but having a cached /profile/user_x when user_y starts using the browser is not much better from a security perspective. |
| Oct 24, 2017 at 15:08 | history answered | Esben Skov Pedersen | CC BY-SA 3.0 | |