
Including the people like myself doing security checks as part of SecDevOps workflows.

99% of the time, not great: everyone codes their connection points as if their beloved JavaScript function is the only caller.



What is the recommended way to not code like this?

I always take care to not trust raw user input, and add rate limiting and request size limits. I'm sure there is more I can be doing, but this is not my area of expertise.


- Never trust any kind of input without validation.

- Assume that the caller might not be a browser, so don't assume anything regarding workflows between calls.

- Keep up to date with OWASP, https://owasp.org/



