Securing APIs Using Input Validation

Introduction

Input validation is the process of validating the data being processed by our API against a defined standard. It's essential to examine whether the data inputted into our API is correct and consistent, without which our API could falter and break due to the lack of scrutiny. APIs are our first line of defense against potentially problematic input data. We need to catch issues early on instead of pushing them toward our services. User inputs, in general, are untrustworthy and have to be verified. We implement these checks and regulations not only to handle careless consumers but also to prevent malicious users from exploiting flaws in our system. This can be done by entering inputs that defy our assumptions about how our code will execute. Several attacks (given below) are dependent on the inputs not being validated, letting attackers manipulate the back-end code.

In this lesson, we'll explore two types of input validations: client validation and server validation. Before we learn about these validation techniques, let's define the threats we aim to defend our APIs against. The most common API attacks are specified in the table below: