
REST lesson learned: Avoid hackable URLs - restlessmedia
http://blog.ploeh.dk/2013/05/01/rest-lesson-learned-avoid-hackable-urls/
======
joosters
Dumb idea, IMO. If people can access stuff that they shouldn't, by guessing
URLs, then your problem is _access controls_, not the URLs.

Switching to opaque, meaningless strings for your URLs does not solve your
problem. URLs leak, they risk being recorded and published (e.g. Referer:
headers on weblogs), and so people will find them anyway.

You still need access controls and all you have achieved by making your URLs
complicated is to create more work for you and your users.
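
An added example, not part of the thread or the linked article, of the access-control point in the comment above: the handler decides from the authenticated caller and the resource owner, so a guessed sequential URL and an opaque URL recovered from a Referer header get the same refusal. The names `STORE`, `handle_get`, `path_from_referer` and the host `app.example` are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Document:
    owner: str
    body: str


# Constructed sample data: one resource type served under a guessable
# sequential ID and under an opaque random token.
OPAQUE = secrets.token_urlsafe(16)
STORE = {
    "/orders/1001": Document("alice", "alice's order"),
    "/orders/1002": Document("bob", "bob's order"),
    "/r/" + OPAQUE: Document("bob", "bob's invoice"),
}

# Constructed header, as a third-party site's web log would record it
# after a user followed an outbound link from the opaque page.
LEAKED_HEADER = "Referer: https://app.example/r/" + OPAQUE


def path_from_referer(header_line):
    """Return the URL path carried by a 'Referer: <url>' header line."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "referer":
        raise ValueError("not a Referer header")
    return urlsplit(value.strip()).path


def handle_get(path, user):
    """Return (status, body) for a GET by `user` (None = unauthenticated)."""
    if user is None:
        return 401, ""
    doc = STORE.get(path)
    # The decision depends on who is asking, not on how the URL looks.
    # "Missing" and "not yours" get the same answer, so the response
    # does not confirm which URLs exist.
    if doc is None or doc.owner != user:
        return 404, ""
    return 200, doc.body
```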

------
DoubleCluster
You should be glad your URLs are so intuitive that they are easily hackable.
Keep it that way and don't change them (breaking stuff is bad). Nobody really
ever follows links with REST anyway. That idea is nice in theory but it's just
too much work in practice.

