Exact Realty Blog

web

2023


Opaque IDs: the ultimate protection against enumeration attacks

·11 mins
IDs in APIs and applications might be exploited to gain unauthorised access to other data or otherwise disclose information by means of various attacks, such as timing attacks and enumeration attacks. For instance, an attacker can use sequential IDs to guess the existence of IDs and perform enumeration attacks. Authenticated Encryption with Associated Data (AEAD) encryption and opaque IDs can be used as a means of neutralising these attacks.

Progressively loading CSR pages

·9 mins
The principles of progressive enhancement can be applied to client-side rendered pages (or any pages with client-side scripts) to ensure that no matter the capabilities of users’ browsers, an appropriate baseline interactivity is present.

2022


Effectively mitigating CSRF

·12 mins
Cross-Site Request Forgery (CSRF) is an attack in which an external site makes a request to another site on behalf of a user without consent. This attack often relies on an existing session on the target site, which the attacker hijacks for their own purposes. Various CSRF prevention and mitigation techniques exist such as the SameSite attribute, CSRF tokens and header validation.

Exact Realty join the W3C

·2 mins
Exact Realty have become a W3C member. The World Wide Web Consortium (W3C) is one of the chief international standard organisations for the web. We plan on bringing our experience to the table to help produce high-quality standards and gain insights that can help us deliver even better services.

Modern and robust hotlink protection in 2022

·12 mins
Hotlinking refers to the practice of third-party web properties loading resources directly from your server. Unauthorised hotlinks are generally undesirable, not least because they can facilitate reproducing your content without permission. Web standards and browsers have come a long way in the last few decades, and they now include all of the tools needed for effective protection against hotlinking.