Yeah, I've just realised they've probably accidentally included a generic URL in the cache rules that they actually didn't intend to cache.
I originally thought they were trying to cache account data responses and so wondered why they wouldn't just use unique query parameters in that case. Definitely risky business though.
But what GP seems to be asking about is: “Would having your app always encode a user ID into the endpoint have helped?”