Secure a CC Webtask via hyperlinks

Hi Forums

I want to expose a CC webtask that will accessed via hyperlinks. I am going to require the hyperlinks to include a DB object ID as a URL param and was wondering if the UUID is “secure” enough against brute force attacks to suffice as a security layer.

In other words, an attacker will only be able to access my webtask service if they can guess a valid DB object ID.

I know that ideally I would actually send an authorization header, but since my service needs to be accessible via hyperlink my options seems limited, at least to me - unless there is a way to add / change the headers that get sent when accessing a hyperlink?

Would it be better to add another security vector like a pre-shared key that is also passed in as a URL param, or does that not really help since it’s just another URL parameter? Two things to brute force are probably better than one thing, especially if I never disclose which one of the two were incorrect.

Finally, I also understand that the security risk is based on the level of exposure, i.e. what data is potentially going to be exposed. So for the sake of this post let’s assume I don’t think the data is particularly sensitive, but I do want to add reasonable / prudent security mechanisms that work within the confines of my “must be accessible via hyperlink” requirement.

Thoughts and comments welcome

Interesting questions @forumfred

UUIDs, as generated by the runtime and backend, do use cryptographically strong random number generators, with 122 random bits, so are secure in that sense.

That said, once an object is saved, the UUIDs are not treated as particularly sensive in the platform itself. It is replicated to many places, and may end up in platform logs.

So if you only need a basic safeguard, the UUIDs should be sufficient. But if you want to protect sensitive data, rather generate a random key that you store inside the object, or elsewhere, and add that additional check to your “security / authentication workflow”.