
I don't think the problem is in the architecture. An API might sometimes be easier to analyze because it usually has a detailed description, often even in machine-readable form.

> It's also easy to use marshalling tools/framework features that serialize entire domain objects, which contain sensitive IDs/data that is then inadvertently leaked.

This is just poor code quality. Sensitive data can be hidden in HTML attributes and inline scripts too.
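As an added example that is not part of the thread or any poster's code: the leak the quoted line describes, a marshalling shortcut that dumps an entire domain object, beside an allowlisted DTO, plus the same object embedded in an HTML `data-` attribute and an inline script as the reply points out. The `User` model, its field names, the sample record and the `window.__USER__` variable are constructed for illustration, and the "leaked fields" checks are the kind of regression test a reviewer would run against a response rather than any framework's own feature.

```python
"""Over-serialization of a domain object vs. an explicit allowlist.

Added example; the model, field names and sample record are constructed
for illustration and are not from any real project.
"""
import json
import re
from dataclasses import asdict, dataclass
from html import escape
from html.parser import HTMLParser


@dataclass
class User:
    # Hypothetical domain object: a few public fields mixed with secrets.
    id: int
    username: str
    email: str
    password_hash: str
    billing_customer_id: str
    is_admin: bool


# Fields the public-profile response is allowed to expose (explicit allowlist).
PUBLIC_PROFILE_FIELDS = ("id", "username")

# Constructed sample record, not real data.
SAMPLE_USER = User(
    id=42,
    username="alice",
    email="alice@example.com",
    password_hash="$2b$12$constructedhashvalue",
    billing_customer_id="cust_000123",
    is_admin=True,
)


def serialize_whole_object(user: User) -> str:
    """The shortcut the comment warns about: marshal every field of the entity."""
    return json.dumps(asdict(user))


def serialize_public_profile(user: User) -> str:
    """Serialize through an allowlist: only named fields leave the process."""
    return json.dumps({name: getattr(user, name) for name in PUBLIC_PROFILE_FIELDS})


def leaked_fields(payload: str, allowed=PUBLIC_PROFILE_FIELDS) -> set:
    """Top-level keys in a JSON object that the allowlist does not permit."""
    data = json.loads(payload)
    if not isinstance(data, dict):
        return set()
    return set(data) - set(allowed)


def render_profile_html(user: User, whole_object: bool) -> str:
    """Same mistake in a server-rendered page: the object lands in a data-
    attribute and in an inline script for client-side code to pick up."""
    payload = serialize_whole_object(user) if whole_object else serialize_public_profile(user)
    return (
        f"<div id=\"profile\" data-user=\"{escape(payload, quote=True)}\">{escape(user.username)}</div>\n"
        f"<script>window.__USER__ = {payload};</script>"
    )


class _EmbeddedJsonFinder(HTMLParser):
    """Collects data-* attribute values and JSON object literals assigned inside <script>."""

    def __init__(self):
        super().__init__()
        self.blobs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name.startswith("data-") and value:
                self.blobs.append(value)  # HTMLParser already unescaped the attribute

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # Crude but sufficient here: an object literal assigned and terminated by ';'.
            self.blobs.extend(re.findall(r"=\s*(\{.*?\})\s*;", data, re.DOTALL))


def leaked_fields_in_html(page: str, allowed=PUBLIC_PROFILE_FIELDS) -> set:
    """Union of disallowed keys found in any JSON blob embedded in the page."""
    finder = _EmbeddedJsonFinder()
    finder.feed(page)
    leaked = set()
    for blob in finder.blobs:
        try:
            leaked |= leaked_fields(blob, allowed)
        except ValueError:
            continue  # not JSON, nothing to compare
    return leaked


if __name__ == "__main__":
    print("API, whole object :", sorted(leaked_fields(serialize_whole_object(SAMPLE_USER))))
    print("API, allowlisted  :", sorted(leaked_fields(serialize_public_profile(SAMPLE_USER))))
    print("HTML, whole object:", sorted(leaked_fields_in_html(render_profile_html(SAMPLE_USER, True))))
    print("HTML, allowlisted :", sorted(leaked_fields_in_html(render_profile_html(SAMPLE_USER, False))))
```

The point of `leaked_fields` and `leaked_fields_in_html` is that the check is the same whether the response is JSON or HTML: compare what actually went over the wire against the allowlist, rather than trusting that the serializer was configured with the right exclusions.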
