--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.
1. Don't assume any incoming data is valid or doesn't have malicious intent. This includes HTTP headers. This means we need some protection and validation closer to the HTTP layer.
2. ORM validation ensures data consistency. API validation rules should enforce intent and business rules, which often go beyond what the ORM context is capable of.
3. Use a WAF and/or API gateway to protect against malicious attacks, including some that target XML and other kinds of parsers, SQL injection, etc.
Hope that helps provide some guidance on how you may want to approach it in your solution.
James
On Fri, Apr 28, 2017 at 6:36 PM, Hypernikao <florian...@gmail.com> wrote:
Hello,
In a simple case, when an API is public and my users can post stuff, where is the best place for data validation? Are they complementary? I see some developers who use Joi to validate on the API side and others who only validate on the ORM side.
Thanks in advance,
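The layering from points 1 and 2 of the reply, as an added example that is not part of the original thread: dependency-free JavaScript showing HTTP-level, API-level and model-level checks run in order. The field names, the size limit and the stand-in model constraints are assumptions made for illustration.

```javascript
// Added illustration: field names, limits and model rules are hypothetical.
const MAX_BODY_BYTES = 10 * 1024;
const ALLOWED_FIELDS = new Set(["title", "body", "publishAt"]);

// Layer 1 (HTTP): headers are untrusted input too; check before parsing.
function checkHeaders(headers) {
  const errors = [];
  const type = String(headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") errors.push("unsupported content-type");
  const len = String(headers["content-length"] || "");
  if (!/^\d{1,9}$/.test(len)) errors.push("malformed content-length");
  else if (Number(len) > MAX_BODY_BYTES) errors.push("body too large");
  return errors;
}

// Layer 2 (API): shape, types and business intent of the request.
function checkPost(payload, now) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) return ["payload must be a JSON object"];
  const errors = [];
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  if (typeof payload.title !== "string" || payload.title.trim().length < 3) errors.push("title too short");
  if (typeof payload.body !== "string" || payload.body.length === 0) errors.push("body required");
  if (payload.publishAt !== undefined) {
    const when = typeof payload.publishAt === "string" ? new Date(payload.publishAt) : new Date(NaN);
    if (Number.isNaN(when.getTime())) errors.push("publishAt must be an ISO date");
    else if (when < now) errors.push("publishAt must not be in the past"); // business rule
  }
  return errors;
}

// Layer 3 (model): stand-in for ORM constraints, data consistency only.
function checkModel(row) {
  const errors = [];
  if (typeof row.title !== "string" || row.title.length > 200) errors.push("title: varchar(200) not null");
  if (typeof row.body !== "string") errors.push("body: text not null");
  return errors;
}

// Run the layers in order and stop at the first one that rejects.
function validateRequest(headers, payload, now = new Date()) {
  const layers = [["http", () => checkHeaders(headers)], ["api", () => checkPost(payload, now)], ["model", () => checkModel(payload)]];
  for (const [layer, run] of layers) {
    const errors = run();
    if (errors.length) return { ok: false, layer, errors };
  }
  return { ok: true, layer: null, errors: [] };
}
```

A payload carrying an unexpected `isAdmin` field satisfies the model constraints here and is rejected only by the API layer, which is the gap between the two kinds of validation.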