Insecure direct object references

Always favor indirect references: have the client refer to a server-side table of allowed objects through nonconsecutive numeric identifiers rather than using the object's real name or key directly.

Proper validation and sanitization of input received from the browser prevents path traversal. Developers should be careful about using user input in filesystem calls and, where possible, avoid it altogether. A chroot jail, which isolates the application's root directory from the rest of the operating system, is a good additional mitigation, but it may be difficult to implement.

For other types of direct object references, follow the principle of least privilege. Users should have access only to the information they need in order to operate, and authorization must be validated on every request a user makes. A request for any object that the user's profile or role is not permitted to see should return an error message or an unauthorized response.

WAFs can also stop such attacks, but they should be used along with other mitigation techniques.
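The following Python example is added here to illustrate the three mitigations above together; it is not code from the original text. It uses a per-session map of random tokens (a variant of the nonconsecutive-identifier table, using random strings instead of numbers) so the client never sees real object ids, checks ownership on every fetch, and confines user-supplied file paths to a base directory before any filesystem call. The `DOCUMENTS` table, the user names and the `/srv/uploads` base directory are constructed sample values.

```python
import secrets
from pathlib import Path

# Constructed sample data: real object ids (e.g. database keys) and their owners.
DOCUMENTS = {
    1001: {"owner": "alice", "filename": "alice-report.txt"},
    1002: {"owner": "bob", "filename": "bob-report.txt"},
}


class ReferenceMap:
    """Per-session indirect reference map.

    Each real object id is exposed to the client only as a random,
    non-guessable token. The token-to-id mapping lives server-side and is
    tied to one session, so a token leaked from another session resolves
    to nothing here.
    """

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def expose(self, real_id):
        """Return the client-facing token for a real id, minting one if needed."""
        if real_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)
            self._token_to_id[token] = real_id
            self._id_to_token[real_id] = token
        return self._id_to_token[real_id]

    def resolve(self, token):
        """Map a client token back to the real id, or None if unknown."""
        return self._token_to_id.get(token)


def list_documents(user, refmap):
    """Return {token: filename} for only the documents this user owns."""
    return {
        refmap.expose(doc_id): doc["filename"]
        for doc_id, doc in DOCUMENTS.items()
        if doc["owner"] == user
    }


def fetch_document(user, token, refmap):
    """Resolve a token and re-check authorization on this request.

    Returns an (http_status, document) pair: 404 for an unknown token,
    403 when the object exists but belongs to someone else.
    """
    real_id = refmap.resolve(token)
    if real_id is None:
        return 404, None
    doc = DOCUMENTS[real_id]
    if doc["owner"] != user:  # least privilege: validate on every request
        return 403, None
    return 200, doc


def safe_join(base_dir, user_path):
    """Join a user-supplied relative path onto base_dir and refuse any
    result that escapes it (".." segments, absolute paths, symlink hops).

    Raises ValueError when the resolved path is outside base_dir.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    session = ReferenceMap()
    visible = list_documents("alice", session)
    token = next(iter(visible))
    print("alice sees:", visible)
    print("alice fetch:", fetch_document("alice", token, session)[0])
    print("bob fetch with alice's token:", fetch_document("bob", token, session)[0])
    print("safe path:", safe_join("/srv/uploads", "reports/q1.txt"))
    try:
        safe_join("/srv/uploads", "../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that `safe_join` resolves the path first and only then compares it against the base, so it is not fooled by encoded or doubled `..` segments that survive naive string filtering; it also sidesteps the `/srv/uploads-other` prefix-matching mistake by comparing path components rather than strings.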
