A file-sharing portal uses a download URL like /download?file=12345. A tester changes the value to 12346 and can access another department's document without logging in again. Which control most directly prevents this issue?

Make the identifier longer so users cannot guess nearby values.

Longer identifiers may reduce guessing, but they do not fix the missing access control decision.

Move the portal to HTTPS so request parameters cannot be intercepted.

HTTPS protects data in transit, but it does not stop an authenticated user from changing object IDs.

Store the document name in a hidden field and validate it in JavaScript.

Client-side checks are easy to bypass and should not be trusted for authorization decisions.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Implement server-side authorization checks for every object request. — The core problem is that the application trusts a user-controlled object identifier without checking whether the requesting user is authorized to access that object. Server-side authorization on every request fixes the flaw by binding access to the authenticated user's permissions. Guess-resistant identifiers help only a little, and browser-side controls are not a security boundary. Why others are wrong: Making the identifier longer only reduces predictability; it does not enforce authorization. HTTPS protects against interception but does not stop object swapping by a logged-in user. Hidden fields and JavaScript validation are client-side controls, which attackers can manipulate before the request reaches the server. The missing server-side access check is the real issue.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.