best place to check data validation


Hypernikao

Apr 28, 2017, 12:36:56 PM
to API Craft
Hello,

In a simple case, when an API is public and my users can post stuff,
where is the best place to put data validation? Are they complementary?

I see some developers who use Joi to validate on the API side and others who only validate on the ORM side.

Thanks in advance,

Jørn Wildt

Apr 28, 2017, 2:39:08 PM
to api-...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "API Craft" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-craft+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/api-craft.
For more options, visit https://groups.google.com/d/optout.

James Higginbotham

Apr 29, 2017, 11:06:27 AM
to API Craft
I personally adopt the following approach:

1. Don't assume any incoming data is valid or free of malicious intent. This includes HTTP headers. This means we need some protection and validation closer to the HTTP layer.

2. ORM validation ensures data consistency. API validation rules should enforce intent and business rules, which often go beyond what the ORM context is capable of.

3. Use a WAF and/or API gateway to protect against malicious attacks, including some that target XML and other kinds of parsers, SQL injection, etc.

Hope that helps provide some guidance on how you may want to approach it in your solution.

James
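The two layers James describes, as an added example that is not code from this thread or from any library mentioned in it. It uses a small hand-written schema in place of Joi and an in-memory class in place of an ORM; `validateRequest`, `PostRepository`, `handleCreatePost` and the request objects are all hypothetical and constructed for the example, and no framework (Express, a real ORM) is assumed. The boundary layer rejects bad headers, unknown fields and malformed values before business code runs, and fixes the author from the authenticated session rather than the body (intent); the persistence layer enforces only storage invariants (foreign key, uniqueness) no matter who calls it.

```javascript
const MAX_BODY_BYTES = 16 * 1024; // assumed limit for a single post

// Request-shape rules for POST /posts (stand-in for a Joi schema).
const postSchema = {
  title: { type: 'string', min: 1, max: 120 },
  body:  { type: 'string', min: 1, max: 5000 },
  tags:  { type: 'array', maxItems: 5, item: /^[a-z0-9-]{1,20}$/, optional: true },
};

function checkField(name, value, rule, errors) {
  if (value === undefined) {
    if (!rule.optional) errors.push(`${name}: required`);
    return;
  }
  if (rule.type === 'string') {
    if (typeof value !== 'string') { errors.push(`${name}: must be a string`); return; }
    if (value.length < rule.min || value.length > rule.max) {
      errors.push(`${name}: length must be between ${rule.min} and ${rule.max}`);
    }
  } else if (rule.type === 'array') {
    if (!Array.isArray(value)) { errors.push(`${name}: must be an array`); return; }
    if (value.length > rule.maxItems) errors.push(`${name}: at most ${rule.maxItems} items`);
    value.forEach((v, i) => {
      if (typeof v !== 'string' || !rule.item.test(v)) errors.push(`${name}[${i}]: invalid tag`);
    });
  }
}

// Headers are input too: pin the media type and cap the declared body size.
function validateHeaders(headers, errors) {
  const ct = String(headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') errors.push('content-type: must be application/json');
  const len = Number(headers['content-length']);
  if (!Number.isInteger(len) || len < 0 || len > MAX_BODY_BYTES) {
    errors.push(`content-length: must be an integer between 0 and ${MAX_BODY_BYTES}`);
  }
}

// Layer 1: API-boundary validation. req = { headers, auth: { userId }, body (parsed JSON) }.
function validateRequest(req) {
  const errors = [];
  validateHeaders(req.headers || {}, errors);
  if (!req.auth || typeof req.auth.userId !== 'string') errors.push('auth: unauthenticated');
  const body = req.body;
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    errors.push('body: must be a JSON object');
    return { ok: false, errors };
  }
  // Allowlist of fields: a client cannot smuggle authorId, id or anything else
  // into the record (mass assignment). hasOwnProperty avoids prototype keys.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(postSchema, key)) errors.push(`${key}: unknown field`);
  }
  for (const [name, rule] of Object.entries(postSchema)) checkField(name, body[name], rule, errors);
  if (errors.length > 0) return { ok: false, errors };
  // Intent: the author is whoever authenticated, never a value the client chose.
  const post = { title: body.title, body: body.body, tags: body.tags || [], authorId: req.auth.userId };
  return { ok: true, errors, post };
}

// Layer 2: persistence-level consistency (what an ORM / database constraints give you).
class PostRepository {
  constructor(knownUserIds) { this.users = new Set(knownUserIds); this.rows = []; }
  save(post) {
    if (!this.users.has(post.authorId)) throw new Error('foreign key: unknown authorId');
    if (this.rows.some(r => r.authorId === post.authorId && r.title === post.title)) {
      throw new Error('unique constraint: (authorId, title)');
    }
    const row = { id: this.rows.length + 1, ...post };
    this.rows.push(row);
    return row;
  }
}

// Handler wiring the two layers: shape/intent failures are 400, storage conflicts are 409.
function handleCreatePost(req, repo) {
  const v = validateRequest(req);
  if (!v.ok) return { status: 400, body: { errors: v.errors } };
  try {
    return { status: 201, body: repo.save(v.post) };
  } catch (e) {
    return { status: 409, body: { errors: [e.message] } };
  }
}

// Constructed sample request (not a real capture).
const demoRepo = new PostRepository(['u1']);
console.log(handleCreatePost({
  headers: { 'content-type': 'application/json; charset=utf-8', 'content-length': '60' },
  auth: { userId: 'u1' },
  body: { title: 'First post', body: 'hello', tags: ['intro'] },
}, demoRepo));
```

The split is the point: the repository would accept a post whose `authorId` the client made up as long as that user exists, which is why the author is bound at the boundary and never read from the body, while uniqueness and referential integrity stay in the storage layer so they hold for every code path, not just this endpoint.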

Hypernikao

May 30, 2017, 6:03:17 AM
to API Craft
Hello,

Thank you for your help, it has been helpful.

Flo



Hypernikao

May 30, 2017, 6:07:04 AM
to API Craft
Hey,

I've found your explanation very clear.
With your permission I will share it with my team in a BBL.

Thanks a lot.


Flo