Thanks for this great list!
Shannon McDonald

Glad you liked it.

Regarding enumerable APIs:

For example: if you have customers and have an API:

GET /customer/ID

and ID is your database ID for the customer and starts at 0, then you can enumerate the records via:

GET /customer/0
GET /customer/1
GET /customer/2

etc. If the API has authentication, then the problem does not immediately manifest. If your API does not, then a hacker can enumerate all your customers.

Even if you have authentication, apps often give a different message for “not-authorized” and “invalid-customer”. On some apps, hackers can get the list of customer IDs even without auth.

Best approach is to not expose database IDs in your API like this. And if you do, always:

  1. Use authentication
  2. Only emit an “authentication failed” message and don’t leak info via the error message.
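An added example (not code from the commenter or the original list) contrasting the two lookups described above: a sequential-ID endpoint with distinct “invalid-customer” / “not-authorized” errors, beside one that uses opaque IDs, checks authentication first, and returns the same response for a missing record and a record belonging to someone else. Customer data, owner names and the public IDs are constructed for the example.

```python
import uuid

# Constructed sample table: sequential database ids alongside opaque public ids.
CUSTOMERS = {
    0: {"public_id": "6f1c2a3e-8d4b-4c2e-9a7f-1b2c3d4e5f60", "owner": "alice"},
    1: {"public_id": "0d9e8f7a-6b5c-4d3e-2f1a-0b9c8d7e6f50", "owner": "bob"},
}
BY_PUBLIC_ID = {c["public_id"]: c for c in CUSTOMERS.values()}


def new_public_id():
    """Opaque identifier for new records, so the database id is never exposed."""
    return str(uuid.uuid4())


def get_customer_leaky(requester, db_id):
    """Weak: sequential ids plus distinct errors reveal which ids exist,
    even to an unauthenticated caller (requester is None)."""
    record = CUSTOMERS.get(db_id)
    if record is None:
        return 404, "invalid-customer"   # existence of the id leaks here
    if requester is None or requester != record["owner"]:
        return 403, "not-authorized"     # confirms the id exists
    return 200, record["owner"]


def get_customer_hardened(requester, public_id):
    """Hardened: authentication is checked before any lookup, and a missing
    record and another user's record produce the identical response."""
    if requester is None:
        return 401, "authentication failed"
    record = BY_PUBLIC_ID.get(public_id)
    if record is None or record["owner"] != requester:
        return 404, "not found"
    return 200, record["owner"]


def distinct_unauth_responses(lookup, ids):
    """Defender's check: how many different responses does an unauthenticated
    caller see across a range of ids? Anything above 1 is an existence leak."""
    return len({lookup(None, i) for i in ids})
```

Running the check over ids 0..3 gives 2 distinct responses for the leaky endpoint and 1 for the hardened one.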