API endpoints return other users' data when the resource ID is changed (e.g., /api/bookings/1 → /api/bookings/2).
Add authorization middleware: verify the requesting user owns the resource before returning it.
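The ownership check described above, as an added example that is not part of the original page: a vulnerable handler beside one wrapped in an owner-checking middleware. The names (`Booking`, `BOOKINGS`, `require_owner`), the in-memory store and the choice to answer 404 rather than 403 are assumptions, and `user_id` is assumed to come from the authenticated session, never from the request itself.

```python
# Added example: ownership check for /api/bookings/<id>. All names are hypothetical.
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class Booking:
    id: int
    owner_id: int
    details: str

# Constructed sample data standing in for the database.
BOOKINGS = {
    1: Booking(1, owner_id=101, details="Room 12, 3 nights"),
    2: Booking(2, owner_id=202, details="Room 7, 1 night"),
}

def get_booking_vulnerable(user_id, booking_id):
    """Before: any authenticated user gets any booking by changing the ID."""
    booking = BOOKINGS.get(booking_id)
    if booking is None:
        return 404, {"error": "not found"}
    return 200, {"id": booking.id, "details": booking.details}

def require_owner(load_resource):
    """Middleware: load the resource and check ownership before the handler runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user_id, resource_id):
            if user_id is None:
                return 401, {"error": "authentication required"}
            resource = load_resource(resource_id)
            # Same 404 for "missing" and "not yours" so IDs cannot be enumerated.
            if resource is None or resource.owner_id != user_id:
                return 404, {"error": "not found"}
            return handler(user_id, resource)
        return wrapper
    return decorator

@require_owner(BOOKINGS.get)
def get_booking(user_id, booking):
    """After: the handler only ever receives a booking the caller owns."""
    return 200, {"id": booking.id, "details": booking.details}

if __name__ == "__main__":
    print(get_booking_vulnerable(101, 2))  # returns user 202's booking to user 101
    print(get_booking(101, 2))             # denied: not the owner
    print(get_booking(101, 1))             # allowed: owner
```

Because the handler receives the already-checked resource instead of a raw ID, a new endpoint cannot skip the ownership check by forgetting to call it.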
Security Scanner automatically checks for this issue as part of its 70+ module scan. Try it free — no signup needed for the quick scan.