
In the browser all user input, API responses, and application state is validated and sanitized before it ever gets to the application logic.

On the backend all requests and database values are similarly validated and sanitized before any logic occurs.

Anything less is bad code regardless of what languages are used.



> In the browser all user input, API responses, and application state is validated and sanitized before it ever gets to the application logic.

Good thing there are never any bugs in validation and sanitization code!


You shouldn't roll your own for this. From what I've had to do web-wise, here's a few tools.

First, for the APIs, you need documentation: https://swagger.io/

From which you can generate JSON schemas and use those to validate in the browser and on the backend. https://www.npmjs.com/package/jsonschema

As well you should be writing a few more schemas for your application state and leverage the regex validation of your input components...

Speaking of which, you also need to sanitize out some potentially nasty input. https://www.npmjs.com/package/dompurify

Obviously this isn't everything and not perfect, but a lot of this tedium can be automated away if you have a few good examples of the happy path and some basic tests in place to prevent quick and dirty changes from poking holes in these layers.
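As an added example, not code from this thread or from the packages linked above: a dependency-free validator for a small subset of JSON Schema (type, required, properties, additionalProperties, pattern, maxLength, minimum, maximum), written here as a stand-in for the `jsonschema` npm package so the block runs offline. The schema, the request bodies and the `parseCreateUser` gate are all constructed for illustration; the point is that one schema object is checked before any application logic runs, and the same object can be shipped to the browser. Markup sanitization (DOMPurify's job) is deliberately not reimplemented.

```javascript
// Hypothetical stand-in for the `jsonschema` package: validates a subset of JSON Schema.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function jsonType(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value; // "string", "number", "boolean", "object"
}

// Returns a list of human-readable errors; an empty list means the value conforms.
function validate(value, schema, path = "$") {
  const errors = [];
  if (schema.type) {
    const actual = jsonType(value);
    const typeOk = schema.type === "integer" ? Number.isInteger(value) : actual === schema.type;
    if (!typeOk) {
      errors.push(`${path}: expected ${schema.type}, got ${actual}`);
      return errors; // the remaining constraints assume the right type
    }
  }
  if (typeof value === "string") {
    if (schema.maxLength !== undefined && value.length > schema.maxLength)
      errors.push(`${path}: longer than ${schema.maxLength} characters`);
    if (schema.pattern !== undefined && !new RegExp(schema.pattern).test(value))
      errors.push(`${path}: does not match /${schema.pattern}/`);
  }
  if (typeof value === "number") {
    if (schema.minimum !== undefined && value < schema.minimum)
      errors.push(`${path}: below minimum ${schema.minimum}`);
    if (schema.maximum !== undefined && value > schema.maximum)
      errors.push(`${path}: above maximum ${schema.maximum}`);
  }
  if (jsonType(value) === "object") {
    const props = schema.properties || {};
    for (const key of schema.required || [])
      if (!has(value, key)) errors.push(`${path}.${key}: required`);
    for (const [key, sub] of Object.entries(props))
      if (has(value, key)) errors.push(...validate(value[key], sub, `${path}.${key}`));
    if (schema.additionalProperties === false)
      for (const key of Object.keys(value))
        if (!has(props, key)) errors.push(`${path}.${key}: not allowed by schema`);
  }
  return errors;
}

// Constructed schema for a "create user" request. additionalProperties: false means a
// client cannot smuggle in fields the API never documented (e.g. a role flag).
const createUserSchema = {
  type: "object",
  required: ["username", "email"],
  additionalProperties: false,
  properties: {
    username: { type: "string", pattern: "^[a-z0-9_]{3,32}$" },
    email: { type: "string", maxLength: 254, pattern: "^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$" },
    age: { type: "integer", minimum: 0, maximum: 150 },
  },
};

// Backend-side gate (hypothetical): parse the raw body and validate it before any
// application logic sees it. Returns { ok: true, value } or { ok: false, errors }.
function parseCreateUser(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ["$: body is not valid JSON"] };
  }
  const errors = validate(body, createUserSchema);
  return errors.length === 0 ? { ok: true, value: body } : { ok: false, errors };
}

// Constructed sample request bodies: one happy path and four that must be rejected.
const samples = {
  good: '{"username":"alice_01","email":"alice@example.com","age":34}',
  extraField: '{"username":"bob","email":"bob@example.com","isAdmin":true}',
  badUsername: '{"username":"<script>","email":"x@example.com"}',
  missingEmail: '{"username":"carol"}',
  notJson: "username=dave",
};

for (const [name, raw] of Object.entries(samples)) {
  const result = parseCreateUser(raw);
  console.log(name, result.ok ? "accepted" : "rejected: " + result.errors.join("; "));
}
```

Because `validate` takes the schema as data, the browser can fetch the same schema object (generated from the OpenAPI document) and reject the same inputs before they are ever sent; the backend still runs the check because the browser-side one is only a convenience.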


Sigh. I hate this type of "conversation". Go back to reddit.


Sounds like you never make any mistakes. If that's the case, I'm hiring.



