Secure Input Validation Best Practices

Questions and Answers

Where should input validation be conducted?

Server side

What is the purpose of canonicalization in input validation?

To address obfuscation attacks

What should happen when input validation fails?

Input rejection should occur

What is the recommended approach for validating data types?

Using an 'allow' list to permit specific types

What should be validated in addition to request data?

Request data and protocol header values

What should be done when hazardous input must be allowed?

Implement additional controls to mitigate the risk

What is the primary benefit of using a centralized input validation routine for the whole application?

To ensure consistency in input validation across the application

Why is it important to specify character sets for all input sources?

To prevent encoding errors and ensure consistency in input validation

What is the purpose of encoding input to a common character set before validating?

To prevent encoding errors and ensure consistency in input validation

What is the recommended approach for validating protocol header values in both requests and responses?

Validating them to contain only ASCII characters

What is the benefit of using an 'allow' list rather than a 'deny' list for data type validation?

It reduces the risk of allowing malicious input

What is the purpose of validating data from untrusted sources, such as databases and file streams?

To prevent malicious input from being processed

What is the purpose of validating data range and length?

To prevent malicious input from being processed