Let's say I operate a website where you can create cat pictures. I give every cat picture a unique identifier so that it can be shared on social media with http://catpictures.com/base62Identifier
.
I could give the cat pictures sequential identifiers such as 1,2,3, etc, but then it would be possible to easily discover how many new cat pictures the users create per day (by the largest identifier that returns HTTP 200 each day). This exposes me to the common strategy of ordering a product from your competitors once a month and noting the invoice number. Website traffic figures are well-correlated to business revenue so I obviously want to keep this information secret.
What I'm considering trying:
This sounds like a job for a hashing algorithm, right? The trouble is by observing a hash it's pretty easy to tell which algorithm created it (md5, crc32, etc). Someone with a rainbow table would make short work of that idea. I could salt the identifier [hash("salt"+1), hash("salt"+2), ...], but would then have to worry about the security associated with the salt. And collision checking.
Another idea I had was to generate a random string of characters and use that as the cat picture's primary key in the database (or just I could hash the first n bits of the cat picture data). This way I would only have to check for collisions.
Is there a standard, best-practice way avoiding exposing your traffic volumes through your unique identifier URLs?
Edit: I'm specifically looking for a solution that is a good combination of security and suitability as a database primary key or indexable column.