0

Any thoughts on how specific API response messages should be? I'm looking at this from a Security perspective related to validating on data types.

Say my API requires string for an id and that my server validates the type - if not a string, should I response with something like.."Field must be of type string?". This can be convenient to users who brushed by the documentation as it'll be a simple fix on their client code, but what about hackers?

They can kinda fish for information through these responses to learn more about the API inputs. I.e. they can input any random data and then find out the API only takes string which can help them even further.

Any thoughts on this?

user2402616
  • 1,434
  • 4
  • 22
  • 38
  • 3
    Uh, the API documentation should be considered public anyway. – Bergi Apr 07 '20 at 13:22
  • 4
    Assume that any attacker knows every detail of your API and its implementation. – Pointy Apr 07 '20 at 13:24
  • 2
    If you are validating user credentials, you do not need to disclose what specific rule was violated. If it's a business API, provide enough details for the opposite side to understand the problem. – PM 77-1 Apr 07 '20 at 13:32

1 Answers1

1

Hiding things is never a good way to provide security.

You should provide as many details as possible about errors so you can help people work with your API. Your implementation should do every needed checks to ensure input data are safe.

Only specific point : do not throw errors like "Email does not exist in db" as it leaks information about your data.

Will
  • 899
  • 8
  • 15