Add client-side JavaScript to hide document IDs from the user interface.

Client-side hiding may reduce casual browsing, but it does not stop direct request tampering or automated attacks.

Require users to change passwords more frequently to prevent unauthorized document access.

Password rotation does not address the core issue, which is missing authorization on object retrieval.

Place the document server behind a load balancer to prevent direct access to the application.

A load balancer does not fix broken access control logic inside the application and would not stop parameter tampering.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Enforce server-side object-level authorization checks before returning any document. — The exhibit shows a classic object access control failure: the application returns documents based on a user-controlled identifier without verifying ownership or entitlement. The best fix is to enforce server-side authorization checks for every document request. In practice, the app should confirm that the authenticated session is allowed to access the requested object, and it may also use opaque indirect references to reduce enumeration risk. The key point is that the decision must happen on the server, not in the browser. Why others are wrong: Client-side hiding only obscures values and is easy to bypass by editing requests directly. Password changes do not address broken authorization logic. A load balancer improves availability and can hide internal topology, but it does not validate whether a user may view a specific file. The problem is missing access control after object lookup, so the fix must be enforced in application logic.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.