API centric web application and input validations

[Sheldon Dsouza]

Hi,

We have an api that we built internally and it currently used within our mobile apps, we are planning a web application upgrade soon.

As part of this we are planning to make the web application API centric so all out clients browsers and mobile will hit a single API code base.

I had a question on validations

For the web application, should i keep the validations within the web application before hitting the api or just move all validations within our api calls. 

[Steven Goff]

Is your web applicaiton javascript based?  I recommend doing basic validation at the client layer so you don't make unnecessary HTTP requests.  For example why submit a request if the user left a required field blank?  You always need to re-implement any client validation on the server, there is no guarantee the request came through your app.  Leave the business logic to the server but any basic validation that can be added to the client to reduce unnecessary HTTP requests is great.   

You probably can get away with a little extra client side validation in a web app compared to a mobile app as you can update the web validation whenever you want (i.e. just deploy an update javascript file) vs having to deal with deploying a new mobile app for all your customers to download.

This is the approach I have taken.

[Francois Lascelles]

Yes, validation of input fields in the web app makes sense, however if you think of validation as part of threat protection, you need to have proper controls regardless of whether the client is web or mobile app. Some API traffic is inline of the web app, some will not. Therefore, sanitizing must be applied at the API (e.g. API infrastructure) level.

-fl