During my IT school years, I was told that including row identifiers from a database in the resource URL, in the context of a REST API, is a bad practice. To my understanding, the rationale behind this statement is that exposing technical database identifiers is a security breach.
For instance, say I have a table USER_ACCOUNTS(id, username) in my database. Say I'm using a REST API to expose the user accounts data.
How would I expose the URL without using the real column ID?
If the user ID is 3 in my database and I want to access his profile, how would I design the URL without having something like
Is it true that exposing database IDs in the URL is a bad practice?
If so, what are the alternatives?
I thought of using a hash & salt value instead of the real, plain ID, but I can already see many drawbacks to this solution.
How do you deal with exposing database identifiers in your URLs?
What are some of the best practices to deal with this issue?