Add a guideline about managing access to objects (IDOR)

Author: Elchi3

docs/security_guidelines.md

@@ -157,6 +157,21 @@ To mitigate this:
 - [Server-Side Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html) (OWASP)
 - [SSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) (MDN)
 
+### Verify access to objects
+
+Insufficient access control and insecure exposure of object identifiers, such as database keys or file paths can lead to [Insecure Direct Object Reference (IDOR)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/IDOR) attacks.
+
+To mitigate this:
+
+- Always verify that the authenticated user is authorized to access or modify the object.
+- Avoid exposing predictable, sequential, or sensitive object identifiers (like user IDs or email addresses).
+- Use more complex IDs that are harder to predict (for example, UUIDs).
+
+#### Learn more
+
+- [Insecure Direct Object Reference Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) (OWASP)
+- [Insecure Direct Object Reference (IDOR)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/IDOR) (MDN)
+
 ## Security practices
 
 This category lists practices you can follow, which help reduce the risk of introducing security vulnerabilities into your web application, or help you respond to vulnerabilities.