

Broken Object Level Authorization (BOLA)

The API sibling of IDOR, listed as the top risk in the OWASP API Security Top 10 because authorisation checks on object-scoped endpoints are often missing.

Explainer

What it is

BOLA is the pattern where an API endpoint accepts an object ID from the caller and returns the object without confirming that the caller is entitled to it. The distinction from IDOR is contextual: BOLA emphasises the API surface, where object-scoped routes are the norm and authorisation checks frequently live at the wrong layer or are duplicated inconsistently across handlers.

Why it matters

APIs power mobile apps, partner integrations, and internal microservice traffic. A single BOLA flaw in a shared endpoint can leak data across tenants, roles, or even account boundaries. Because APIs are often consumed programmatically, an exploit can run at scale and extract tens or hundreds of thousands of records before detection.

Mitigation direction

Move authorisation out of handler code and into middleware, a policy engine, or a declarative route annotation. Every object-scoped route must assert that the caller has access to the referenced object. Build an authorisation matrix that replays reference requests under every role and alerts when a forbidden role still receives a success response.
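As an added illustration (not Pentrova's code), the two points above in Python: a BOLA-prone object-scoped handler beside a hardened one that routes every request through a single entitlement check, plus a small authorisation matrix that replays reference requests under each role and reports any forbidden role that still gets a success. The invoice store, user ids and role names are constructed for illustration.

```python
from collections import namedtuple
# Constructed caller identity; roles are illustrative: "customer", "support", "admin"
Caller = namedtuple("Caller", "user_id role")

# Constructed invoice store: invoice id -> owning user id
INVOICES = {"inv-1": "alice", "inv-2": "bob"}

def get_invoice_vulnerable(caller, invoice_id):
    """BOLA-prone: trusts the caller-supplied id and never checks entitlement."""
    if invoice_id not in INVOICES:
        return 404, None
    return 200, {"id": invoice_id, "owner": INVOICES[invoice_id]}

def authorise_object(caller, owner):
    """Single policy point: admins see every object, everyone else only their own."""
    return caller.role == "admin" or caller.user_id == owner

def require_object_access(handler):
    """Middleware-style wrapper: the entitlement check runs before the handler."""
    def wrapped(caller, invoice_id):
        owner = INVOICES.get(invoice_id)
        if owner is None:
            return 404, None
        if not authorise_object(caller, owner):
            return 403, None  # deny before the handler ever touches the object
        return handler(caller, invoice_id)
    return wrapped

@require_object_access
def get_invoice_hardened(caller, invoice_id):
    """Same handler body; authorisation now lives in the wrapper, not here."""
    return 200, {"id": invoice_id, "owner": INVOICES[invoice_id]}

# Authorisation matrix: one reference request per role with its expected status.
MATRIX = [
    (Caller("alice", "customer"), "inv-1", 200),
    (Caller("alice", "customer"), "inv-2", 403),  # cross-account read must fail
    (Caller("bob", "customer"), "inv-1", 403),
    (Caller("carol", "support"), "inv-1", 403),  # support has no object scope here
    (Caller("dave", "admin"), "inv-2", 200),
]

def replay_matrix(handler):
    """Replay every matrix row; report each role that gets an unexpected status."""
    findings = []
    for caller, invoice_id, expected in MATRIX:
        status, _ = handler(caller, invoice_id)
        if status != expected:
            findings.append(f"{caller.role}:{caller.user_id} GET /invoices/{invoice_id} -> {status}, expected {expected}")
    return findings
```

Running `replay_matrix` against both handlers shows three forbidden successes for the vulnerable one and none for the hardened one, which is the alert condition the matrix exists to raise.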

[Diagram: Broken object level authorization (BOLA) attack flow]
