Authenticate and Authorize Every Non-Public Endpoint

Authenticate and Authorize Every Non-Public Endpoint | BeforeMerge Rules | BeforeMerge

Why this matters

Broken object-level authorization tops the OWASP API Security risks. Authenticating is not enough; you must verify the caller may access the specific resource.

Bad

GET /invoices/1001   # any logged-in user can read any invoice

Good

GET /invoices/1001
# server checks invoice.owner_id == current_user.id

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters