Why shouldn’t you trust the data validation performed by your frontend? Because you never know how people will use your system. They can use tricks to bypass the frontend validation, or skip the frontend entirely and call your API directly.
If you trust the frontend data validation and skip backend data validation, you create a potential security risk in your system. In other words, if an attacker skips the frontend, nothing stops them, because there is no backend data validation.
Therefore, we should add backend data validation even if the frontend already validates the data. Before we process data from the frontend, we must validate and sanitize it to strengthen security.
Apart from that, we should avoid leaking sensitive data to the frontend. When developing a backend API, we should take care with both the data we return to the frontend and the exception messages.
The returned data shouldn’t contain any sensitive data. If it does, you may need to consider a better approach to designing your API.
When throwing exceptions, we need to avoid leaking backend implementation details, because attackers can leverage that information to attack your system. Therefore, you need to design a good error boundary for your system that catches exceptions and returns custom error messages to the frontend.
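The three points above (validate on the backend, return only what the client needs, and put an error boundary around the handler) can be sketched together as follows. This is an added example, not code from the original post; the handler, the `ClientError` class, the in-memory `USERS` store and the `inc-N` reference format are all assumptions made for illustration.

```javascript
// Added example; every name and all sample data here are constructed.
class ClientError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed in-memory store; passwordHash and internalNotes must never leave the backend.
const USERS = new Map([[1, { id: 1, email: "old@example.com", displayName: "Ray",
  passwordHash: "constructed-hash", internalNotes: "constructed note" }]]);

// Re-validate and normalise untrusted input, even if the frontend already checked it.
// Only the three named fields are read, so extra fields in the body are ignored.
function validateUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body))
    throw new ClientError(400, "body must be a JSON object");
  const { id, email, displayName } = body;
  if (!Number.isInteger(id) || id <= 0)
    throw new ClientError(400, "id must be a positive integer");
  if (typeof email !== "string" || email.length > 254 ||
      !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email))
    throw new ClientError(400, "email is not valid");
  const name = typeof displayName === "string" ? displayName.trim() : "";
  if (name.length < 1 || name.length > 50 || /[<>\u0000-\u001f]/.test(name))
    throw new ClientError(400, "displayName must be 1-50 plain-text characters");
  return { id, email: email.toLowerCase(), displayName: name };
}

// Allow-list the response: copy only the fields the client is meant to see.
function toPublicUser(row) {
  return { id: row.id, email: row.email, displayName: row.displayName };
}

function updateUser(input, store) {
  const row = store.get(input.id); // a real store may throw with driver or host details
  if (!row) throw new ClientError(404, "user not found");
  row.email = input.email;
  row.displayName = input.displayName;
  return toPublicUser(row);
}

let incidentCounter = 0;
// Error boundary: expected client errors pass through with their own message;
// anything else is logged server-side and replaced by a generic message plus a reference.
function handleUpdateRequest(body, store = USERS, log = console.error) {
  try {
    return { status: 200, body: updateUser(validateUpdate(body), store) };
  } catch (err) {
    if (err instanceof ClientError) return { status: err.status, body: { error: err.message } };
    const ref = `inc-${++incidentCounter}`;
    log(ref, err);
    return { status: 500, body: { error: "internal error", ref } };
  }
}
```

The `ref` value lets support staff match a user's report to the full server-side log entry without exposing the underlying exception to the client.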
Keep 'em coming, Ray!