sedatk 5 days ago

> "protect" against the "attack"

If it's not a real attack, it's not worth protecting against even in the slightest. If it's a real attack, it doesn't matter if it's trivial or not, does it?
9rx 5 days ago

It very much can be worth protecting so that your users don't become dependent on thinking that increment IDs is a feature. It's not a security concern in that context, but it is a future maintainability concern where you don't intend to provide that as a feature in environments where you don't have a tight leash on how users are using your APIs.