|API centric web application and input validations||Sheldon Dsouza||10/8/12 2:24 AM|
We have an API that we built internally, and it is currently used within our mobile apps; we are planning a web application upgrade soon.
As part of this, we are planning to make the web application API-centric so all our clients, browsers and mobile, will hit a single API code base.
I had a question on validations.
For the web application, should I keep the validations within the web application before hitting the API, or just move all validations within our API calls?
|Re: API centric web application and input validations||Steven Goff||10/8/12 12:22 PM|
This is the approach I have taken.
|Re: API centric web application and input validations||Francois Lascelles||10/8/12 4:36 PM|
Yes, validation of input fields in the web app makes sense; however, if you think of validation as part of threat protection, you need to have proper controls regardless of whether the client is a web or mobile app. Some API traffic is inline with the web app; some will not be. Therefore, sanitizing must be applied at the API (e.g. API infrastructure) level.
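
The point made in the last reply, as an added example that is not part of the thread or anyone's production code: one validation routine lives at the API entry point and runs on every request, so a call that never went through the web form gets the same checks. The handler name `api_create_account`, the field names and the schema are hypothetical.

```python
import json
import re

# Hypothetical schema for a "create account" call (constructed for this example).
SCHEMA = {
    "username": {"type": str, "required": True,
                 "pattern": re.compile(r"[A-Za-z0-9_]{3,20}")},
    "email": {"type": str, "required": True,
              "pattern": re.compile(r"[^@\s]{1,64}@[^@\s]{1,185}\.[^@\s]{2,}")},
    "age": {"type": int, "required": False, "min": 13, "max": 120},
}


def validate(payload):
    """Return a list of validation errors; an empty list means the payload is accepted."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    # Reject fields the API does not define instead of silently passing them on.
    errors = [f"{name}: unexpected field" for name in sorted(set(payload) - set(SCHEMA))]
    for name, rule in SCHEMA.items():
        if name not in payload:
            if rule["required"]:
                errors.append(f"{name}: missing")
            continue
        value = payload[name]
        # type() rather than isinstance(): bool is a subclass of int in Python.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: wrong type")
            continue
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            errors.append(f"{name}: bad format")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors.append(f"{name}: out of range")
    return errors


def api_create_account(raw_body):
    """API entry point: identical checks whether the caller is the web app,
    the mobile app, or a client talking to the API directly."""
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and invalid UTF-8
        return 400, ["body is not valid JSON"]
    errors = validate(payload)
    return (400, errors) if errors else (201, [])
```

Checks in the web form can stay for user feedback; the API result is the one that decides whether the request is processed.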