I like the idea of addressing the OWASP top 10. Further, I think the advice of obscuring keys is wrong. The problem is actually addressed in the OWASP Top 10[0]
*4 Insecure Direct Object References:* A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, *or database key*. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. The proper solution is *Access Controls* like the Permissions system provides. If you're going to rely on obscurity (one time file downloads for example), then you want to do so with a UUID or some kind of cryptohash (I haven't verified the particulars, don't take my this comment as security advice). That's not appropriate for something like a comments system. [0] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/0ca48548-6c6f-4d80-b166-ff49487ff3cb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
