Hi Forums
I want to expose a CC webtask that will be accessed via hyperlinks. I am going to require the hyperlinks to include a DB object ID as a URL param and was wondering if the UUID is “secure” enough against brute force attacks to suffice as a security layer.
In other words, an attacker will only be able to access my webtask service if they can guess a valid DB object ID.
I know that ideally I would actually send an authorization header, but since my service needs to be accessible via hyperlink my options seem limited, at least to me - unless there is a way to add / change the headers that get sent when accessing a hyperlink?
Would it be better to add another security vector like a pre-shared key that is also passed in as a URL param, or does that not really help since it’s just another URL parameter? Two things to brute force are probably better than one thing, especially if I never disclose which one of the two was incorrect.
Finally, I also understand that the security risk is based on the level of exposure, i.e. what data is potentially going to be exposed. So for the sake of this post let’s assume I don’t think the data is particularly sensitive, but I do want to add reasonable / prudent security mechanisms that work within the confines of my “must be accessible via hyperlink” requirement.
Thoughts and comments welcome
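Putting the question above into code, as an added example (not the poster's code or any webtask SDK): the expected brute-force cost for an ID space of a given entropy, and a webtask-style check that validates both URL params without revealing, via message or timing, which one failed. `RECORDS`, `PRESHARED_KEY`, `mint_link` and `authorize` are constructed names and the store is an in-memory stand-in for the DB.

```python
import hmac
import secrets
import uuid
from urllib.parse import urlencode

# Constructed sample store standing in for the DB: object ID (UUIDv4) -> record.
RECORDS = {
    "5f2c1e48-9b7d-4c3a-8e6f-0a1b2c3d4e5f": {"name": "report-1"},
}
# Hypothetical pre-shared key. In a real service generate it once with
# secrets.token_urlsafe(32) (256 bits) and keep it server-side; it must not be
# derivable from the object ID, or the second check adds nothing.
PRESHARED_KEY = "constructed-example-key-" + "x" * 16

UUID4_RANDOM_BITS = 122  # 128 bits minus 4 fixed version bits and 2 variant bits


def expected_seconds_to_guess(entropy_bits, guesses_per_second, valid_values=1):
    """Mean time for a random-guessing attacker to hit any one of
    `valid_values` live values in a space of 2**entropy_bits at the given
    request rate. Each guess is a geometric trial, so the mean number of
    guesses is space / valid_values; more live IDs make guessing easier."""
    return (2 ** entropy_bits) / valid_values / guesses_per_second


def mint_link(base_url):
    """Create a new record with a UUIDv4 ID and the hyperlink carrying both
    params (ID and key); returns (object_id, url)."""
    object_id = str(uuid.uuid4())
    RECORDS[object_id] = {"name": f"record-{len(RECORDS) + 1}"}
    query = urlencode({"id": object_id, "key": PRESHARED_KEY})
    return object_id, f"{base_url}?{query}"


def authorize(object_id, presented_key):
    """Validate both URL params. Both checks always run (bitwise &, so no
    short-circuit on a bad ID) and the key compare is constant-time, so a
    caller learns only 'denied', not which of the two params was wrong."""
    id_ok = object_id in RECORDS
    key_ok = hmac.compare_digest(presented_key.encode(), PRESHARED_KEY.encode())
    if not (id_ok & key_ok):
        return None  # one uniform failure response for every miss
    return RECORDS[object_id]
```

Rate limiting and logging of denied requests are the other half of the picture; the numbers from `expected_seconds_to_guess` only hold while the attacker's request rate is actually bounded.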