Is it a bad practice to expose the database ID to the client in your REST API?

I don't see any security reasons to expose the plain database ID in your API. If your database is exposed you have lost anyways. Security through obscurity is never a solution.

However, there are some other reasons to consider:

  • Exposing the database ID creates a coupling to your database. Imagine merging data from different databases (sharing the same schema), or applying backup data to an already in-use database. There will be no guarantee that the same IDs will still be available.

  • Designing a proper resource-based API requires you to expose universally unique IDs (UUIDs) or a technical composite key, for the simple reason that there is no other way to ensure uniqueness across different systems/databases.


Not a security issue, but it lets the user know some information about the size of your data as a company, and some companies don't prefer to expose this kind of information.


There are a few issues with sequential primary keys:

  1. They show your volume (for example: if you create an object and the API returns ID 10,001, it gives a rough estimate of how many objects of that kind you have in your DB, which might be interesting to hackers or to the competition).
  2. Hackers could exploit "Insecure Direct Object References".
  3. Hackers could use it for XSS attacks.

Source: adapted from Two Scoops of Django 1.11
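The two points raised across these answers (an opaque public identifier decouples the API from the database row, and every lookup still needs an ownership check so a guessable or leaked ID is not enough to read someone else's record) can be shown in a few lines. The following is an added example written for this page, not code from any of the answerers or from Two Scoops of Django; the `invoices` table, the `owner_id`/`amount_cents` columns and the in-memory SQLite database are all constructed for illustration.

```python
import sqlite3
import uuid


class NotFound(Exception):
    """Raised for both 'no such row' and 'row belongs to someone else'."""


def make_db():
    # Constructed schema: an internal integer primary key for joins and
    # indexes, plus an opaque public_id that is the only identifier the
    # API ever returns to a client.
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE invoices (
               id INTEGER PRIMARY KEY AUTOINCREMENT,
               public_id TEXT NOT NULL UNIQUE,
               owner_id INTEGER NOT NULL,
               amount_cents INTEGER NOT NULL)"""
    )
    return db


def create_invoice(db, owner_id, amount_cents):
    # A random UUID carries no information about row count or insertion order.
    public_id = str(uuid.uuid4())
    db.execute(
        "INSERT INTO invoices (public_id, owner_id, amount_cents) VALUES (?, ?, ?)",
        (public_id, owner_id, amount_cents),
    )
    db.commit()
    return public_id  # the integer id never leaves this layer


def get_invoice(db, requester_id, public_id):
    # Hardened lookup: resolve by public id AND verify ownership.
    row = db.execute(
        "SELECT public_id, owner_id, amount_cents FROM invoices WHERE public_id = ?",
        (public_id,),
    ).fetchone()
    # Same error whether the row is missing or belongs to another user, so the
    # response does not confirm that someone else's resource exists.
    if row is None or row[1] != requester_id:
        raise NotFound(public_id)
    return {"id": row[0], "amount_cents": row[2]}


def naive_get_invoice(db, invoice_id):
    # Vulnerable pattern from the answers: sequential database id exposed
    # directly and no ownership check, i.e. an Insecure Direct Object Reference.
    row = db.execute(
        "SELECT id, owner_id, amount_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()
    if row is None:
        raise NotFound(invoice_id)
    return {"id": row[0], "owner_id": row[1], "amount_cents": row[2]}


def export_invoices(db):
    # Everything except the internal id: public_id is the identity that
    # survives a move between databases.
    return db.execute(
        "SELECT public_id, owner_id, amount_cents FROM invoices"
    ).fetchall()


def import_invoices(db, rows):
    # Internal ids are regenerated by the destination; clients holding a
    # public_id are unaffected, which is the decoupling the first answer asks for.
    db.executemany(
        "INSERT INTO invoices (public_id, owner_id, amount_cents) VALUES (?, ?, ?)",
        rows,
    )
    db.commit()


def internal_id_of(db, public_id):
    # Helper for the demonstration only; a real API would never expose this.
    return db.execute(
        "SELECT id FROM invoices WHERE public_id = ?", (public_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    mine = create_invoice(db, owner_id=1, amount_cents=500)
    theirs = create_invoice(db, owner_id=2, amount_cents=700)
    print(get_invoice(db, 1, mine))            # my own invoice, by opaque id
    try:
        get_invoice(db, 1, theirs)             # someone else's: NotFound
    except NotFound:
        print("ownership check blocked cross-user read")
    print(naive_get_invoice(db, 2))            # the unchecked lookup hands it over
```

The contrast is the point: `naive_get_invoice` returns any row whose sequential id the caller supplies, while `get_invoice` refuses unless the requester owns the row, and the UUID it takes reveals nothing about how many invoices exist. The export/import pair shows that the internal integer id can change across databases without breaking any client that stored the public id.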

Tags: Security, Rest