What's a better best practice - allow all query params on an API? Or use a whitelist?

Time:05-17

We have a REST API that obfuscates downstream APIs.

Would it be better practice to allow all query parameters through on the original request (and forward them to downstream APIs in case they consume them)? Or would it be better to provide a query param whitelist, and only allow specific whitelisted params through?

I'm thinking the whitelisted approach may be ever so slightly better in terms of security. However, for maintenance, passing all query params that were sent in the original request would be better.

I'm leaning towards passing all along, but wanted to see what others thought would be the best practice.

Thank you,

My assumption is it could be very slightly better security to provide a whitelist of allowed query params. However, it would be easier to maintain by allowing all query params through.

CodePudding user response:

The best and recommended way is to use the filter on parameters and only allow what you need, e.g. params.require(:user).permit(:name, :age). More on this on rubydoc.
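The answer points at Rails strong parameters, but the same allowlist idea works in any forwarding layer and does not need Rails. The example below is added here and is not code from the question, the answer, or Rails: a small gateway-side filter that parses the incoming query string, keeps only parameters on an allowlist (each with a value check, since an allowed name with a bad value is still worth dropping), reports the names it discarded so they can be logged, and builds the downstream URL from the permitted set only. The parameter names, the validation rules, the downstream host and the sample query string are all constructed for the example; the pass-through variant from the question is included for comparison.

```ruby
require 'uri'
require 'cgi'

# Allowlist of query parameters this gateway accepts, each with a
# value check. Names and rules are constructed for this example;
# a real gateway would list exactly what its downstream APIs consume.
ALLOWED_PARAMS = {
  'page'     => ->(v) { v.match?(/\A\d{1,4}\z/) },
  'per_page' => ->(v) { v.match?(/\A\d{1,3}\z/) && v.to_i.between?(1, 100) },
  'sort'     => ->(v) { %w[name created_at].include?(v) },
  'q'        => ->(v) { v.length <= 64 }
}.freeze

# Parse a raw query string into a Hash of name => value. Only the first
# value of a repeated key is kept, so "page=1&page=9" cannot slip a second
# value past a check that only looked at the first one.
def parse_query(query_string)
  CGI.parse(query_string.to_s).transform_values(&:first)
end

# Filter incoming params against the allowlist. Returns the permitted
# params and the names that were dropped (unknown names or failed value
# checks); the dropped list is what you would log, since unexpected
# parameter names are a useful signal about what clients are probing.
def permit_params(params, allowlist = ALLOWED_PARAMS)
  permitted = {}
  dropped = []
  params.each do |name, value|
    rule = allowlist[name]
    if rule && value && rule.call(value)
      permitted[name] = value
    else
      dropped << name
    end
  end
  [permitted, dropped]
end

# Build the downstream URL from the permitted params only, re-encoding
# them rather than forwarding the client's raw query string.
def downstream_url(base, permitted)
  return base if permitted.empty?
  "#{base}?#{URI.encode_www_form(permitted)}"
end

# The pass-through approach from the question: whatever the client sent
# reaches every downstream API unchanged, including names the gateway
# has never seen.
def passthrough_url(base, query_string)
  query_string.to_s.empty? ? base : "#{base}?#{query_string}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: two allowed params, one unknown name,
  # and one allowed name with an out-of-range value.
  incoming = 'page=2&sort=name&debug=1&per_page=500'
  base = 'https://downstream.example/items'
  permitted, dropped = permit_params(parse_query(incoming))
  puts "forwarded:   #{downstream_url(base, permitted)}"
  puts "dropped:     #{dropped.join(', ')}"
  puts "passthrough: #{passthrough_url(base, incoming)}"
end
```

The value checks matter as much as the name list: `per_page=500` has an allowed name but is still dropped, which is the kind of thing a pure name-based allowlist (and a pass-through gateway) would forward to every downstream API. Maintenance cost is real, so the allowlist is kept in one constant that a new downstream parameter can be added to in a single line.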
