REST API: Input Validations & Output Encoding

If you are implementing micro services in your organization, one of the basic defenses you need to implement is validating un-trusted inputs from users and escaping the data for the data sink such as a Database, reflected back to the browser, passed as inputs to other systems.

If your micro-services are being invoked from a Browser based application, do not rely up on the input validations performed on the client side. This may sound like dah, I have seen many smart Developers rely upon client side validations and skipped implementing server side validation. Input validations on the client side improves user experience, and the input validations and output escaping on the server side provide your application security defense against injection attacks. Client side is usability, server side is security.

Input validations are easy to implement in your micro-services if you are using any of the modern frameworks such as Jersey, Spring etc., to implement micro-services. These frameworks support JSR 303 and JSR 349 Bean Validation Annotations, making it very easy by simply decorating input fields with Bean Validation Annotations. For e.g., if you are taking user input for his/her address, you could enforce input validations as follows:


public class Address {
    @NotNull @Size(max = 50)
    private String street1;

    @NotNull @ZipCode
    private String zipcode;

    @NotNull @Size(max = 30)
    private String city;

Refer to JSR 303 Specification for full list of capabilities such as custom validations, fail fast with ordering of input validations, error messages to return to the client app etc.

Most of the frameworks automatically encode data for XML or JSON based on the format of the data returned to the client. So, there is not much you need to do. Refer to the Jersey user guide on output encoding.


Author: appsecfordevs

I am an Application Security professional helping organizations secure their Applications, and Data from internal and external threats. I have expertise in Application Architecture & Development, providing me the insights in to developing controls to defend applications against security vulnerabilities. Disclaimer: The opinions expressed here are my personal opinions and do not reflect those of my current or former employers and clients!

One thought on “REST API: Input Validations & Output Encoding”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s