Input validation and sanitization
It sounds easy and trivial, but input validation is one of the most essential parts of the security of your API. Most of the time, the first thing an attacker will try to do is send you data you are not prepared to handle. Sometimes, it will be something that makes your system crash. Sometimes, it will be something that will allow the attacker to access or destroy your data, and other times, it is just an intermediate step from a more complex attack. So, the rule of thumb is: never trust the input.
Never trust the input. This is a great phrase, but what is the input? Some people think that the input is, for example, the query parameters and the body of the request, and that’s input, for sure, but it is not the only input. The input is everything that the user can modify in any way. For example, any HTTP header is input, cookies are input, and a URL is input. Anything from the HTTP request in our API should be considered input, and we should...
