I was recently editing the HTML code for invoice templates and then generating PDF previews, and I found that these previews are actually still accessible even when I am logged out.
These previews use real data from previous invoices, including names, addresses and my bank details.
I realise that the URLs are unlikely to be guessed, but with enough automated tries from malicious computers programmed to keep looking, sooner or later they could be found.
I obviously have to send bank details to clients, but I feel they shouldn't be accessible to the public.
Securing the PDF previews so they are not available unless logged in would solve the issue.