If you are implementing micro services in your organization, one of the basic defenses you need to implement is validating un-trusted inputs from users and escaping the data for the data sink such as a Database, reflected back to the browser, passed as inputs to other systems.
If your micro-services are being invoked from a Browser based application, do not rely up on the input validations performed on the client side. This may sound like dah, I have seen many smart Developers rely upon client side validations and skipped implementing server side validation. Input validations on the client side improves user experience, and the input validations and output escaping on the server side provide your application security defense against injection attacks. Client side is usability, server side is security.
Input validations are easy to implement in your micro-services if you are using any of the modern frameworks such as Jersey, Spring etc., to implement micro-services. These frameworks support JSR 303 and JSR 349 Bean Validation Annotations, making it very easy by simply decorating input fields with Bean Validation Annotations. For e.g., if you are taking user input for his/her address, you could enforce input validations as follows:
Ref: http://beanvalidation.org/1.0/spec/#example-groupsequence
public class Address {
@NotNull @Size(max = 50)
private String street1;
@NotNull @ZipCode
private String zipcode;
@NotNull @Size(max = 30)
private String city;
Refer to JSR 303 Specification for full list of capabilities such as custom validations, fail fast with ordering of input validations, error messages to return to the client app etc.
Most of the frameworks automatically encode data for XML or JSON based on the format of the data returned to the client. So, there is not much you need to do. Refer to the Jersey user guide on output encoding.
One thought on “REST API: Input Validations & Output Encoding”