handbook/tools/3.Web-Hacking/3.Business-Logic/Access-Control-Vulnerabilities/Notes/4.How-to-Prevent-Access-Control.md
2024-08-31 01:07:22 +02:00

How to Prevent Access Control Vulnerabilities

  • Do not rely on obfuscation alone
  • Deny access by default
  • Use a single application-wide mechanism for enforcing access controls
  • Make it mandatory for developers to declare access allowed for each resource
  • Audit and test access controls to ensure they are working
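
One way to realise the last four points in code, as an added illustration that is not part of the original note (the route registry, role names and paths are assumptions chosen for the example):

```python
# Added example, not from the original note: one application-wide
# enforcement point that denies by default, requires every route to
# declare its allowed roles, and exposes an audit of undeclared routes.
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Handler = Callable[[str], str]
# path -> (handler, allowed roles; None when the developer never declared any)
_ROUTES: Dict[str, Tuple[Handler, Optional[FrozenSet[str]]]] = {}

def route(path: str, roles=None):
    """Register a handler. A missing roles declaration is recorded, not
    silently allowed: check() denies the route and audit_undeclared() lists it."""
    def decorator(fn: Handler) -> Handler:
        _ROUTES[path] = (fn, None if roles is None else frozenset(roles))
        return fn
    return decorator

def check(path: str, user_roles) -> bool:
    """Single decision function: unknown path, undeclared policy, or no
    overlap between the user's roles and the allowed set means deny."""
    entry = _ROUTES.get(path)
    if entry is None or entry[1] is None:
        return False
    return bool(entry[1] & frozenset(user_roles))

def dispatch(path: str, username: str, user_roles) -> str:
    """Every request passes through check(); handlers never re-implement it."""
    if not check(path, user_roles):
        return "403 Forbidden"
    return _ROUTES[path][0](username)

def audit_undeclared() -> list:
    """Routes registered without an access declaration (fail CI on a non-empty list)."""
    return sorted(p for p, (_, allowed) in _ROUTES.items() if allowed is None)

@route("/admin/users", roles={"admin"})
def admin_users(username: str) -> str:
    return f"user list requested by {username}"

@route("/profile", roles={"user", "admin"})
def profile(username: str) -> str:
    return f"profile of {username}"

@route("/reports")  # declaration forgotten: denied by default, flagged by audit
def reports(username: str) -> str:
    return "quarterly reports"
```

Because `/reports` never declared a policy, `dispatch("/reports", "alice", {"admin"})` returns `403 Forbidden` even for an admin, and `audit_undeclared()` reports the route so the omission is caught in testing rather than in production.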