What is IDOR / BOLA and how do you prevent it?
Insecure Direct Object Reference (IDOR), also called Broken Object-Level Authorization (BOLA), occurs when an application exposes a reference to an object (e.g. /invoice/123) and fails to check that the requester is allowed to access that specific object. Prevention: enforce per-object authorization on every access, keyed to the authenticated principal; do not rely on unguessable IDs as an access control, since they are an obscurity measure, not an authorization check.