
Input Validation

Input validation is the process of verifying that user-supplied data meets defined criteria for type, length, format, and range before it is processed by the application. It is a fundamental defence against injection attacks and data corruption.

Input validation is a core defensive technique that acts as the first line of defence against a wide range of web application attacks. Every point where an application accepts external data represents a potential attack vector, including form fields, URL parameters, HTTP headers, cookies, file uploads, and API request bodies. Proper validation ensures that only expected, well-formed data enters the application.

There are two primary approaches to input validation. Allowlist (positive) validation defines exactly what is permitted (for example, a username of 3 to 16 lowercase letters, digits and underscores) and rejects everything else. This is the preferred approach because it fails closed: anything the rule did not anticipate is rejected rather than admitted. Denylist (negative) validation attempts to identify and block known malicious patterns, but it is inherently weaker because it fails open: any payload the list does not anticipate, such as a case variation, an alternate encoding, or a newly discovered technique, passes straight through.

Effective input validation should be applied on both the client side (for user experience and immediate feedback) and the server side (for actual security enforcement, since a client-side check is trivially bypassed by sending the request directly with a proxy or script). Server-side validation should check data type, length, range, format, and business logic constraints, and should reject unexpected fields rather than silently ignoring them.

It is important to note that input validation alone is not sufficient to prevent all injection attacks. It must be combined with output encoding, parameterised queries, and other context-specific defences. A defence-in-depth strategy ensures that if one layer of protection fails, others will still prevent exploitation.
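The following example, added here and not taken from Vulnsy or any project the page describes, brings the preceding three points together: an allowlist validator for a hypothetical account-registration request that enforces type, length, format, range and business-logic checks on the server, a naive denylist filter shown beside it to illustrate how such filters fail open, and a parameterised query for the validated data so that validation is layered with, not substituted for, the database defence. The field names, the regular expressions, the age bounds, the role set and the hostile probe string are all constructed for illustration.

```python
import re
import sqlite3

# Allowlist rules for a hypothetical registration request (assumed field
# names and constraints; not from the original page). Each rule states
# exactly what is permitted and everything else is rejected.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ALLOWED_ROLES = frozenset({"reader", "editor"})
MIN_AGE, MAX_AGE = 13, 120
EXPECTED_FIELDS = {"username", "email", "age", "role"}


class ValidationError(ValueError):
    pass


def validate_registration(data):
    """Server-side allowlist validation. Returns a clean dict containing only
    the expected fields, or raises ValidationError on the first violation."""
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")

    # Business-logic check: unknown fields are rejected, not ignored.
    unexpected = set(data) - EXPECTED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")

    # Type + length + format, all expressed by one anchored allowlist regex.
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-16 chars from a-z, 0-9, _")

    email = data.get("email")
    if (not isinstance(email, str) or len(email) > 254
            or not EMAIL_RE.fullmatch(email)):
        raise ValidationError("email has an invalid format")

    # Type + range. bool is a subclass of int in Python, so exclude it.
    age = data.get("age")
    if (not isinstance(age, int) or isinstance(age, bool)
            or not MIN_AGE <= age <= MAX_AGE):
        raise ValidationError(f"age must be an integer in {MIN_AGE}..{MAX_AGE}")

    # Enumerated value: membership in a fixed set.
    role = data.get("role", "reader")
    if role not in ALLOWED_ROLES:
        raise ValidationError("role not permitted")

    return {"username": username, "email": email, "age": age, "role": role}


def denylist_blocks(value):
    """A naive denylist of the kind the text warns against: it only catches
    the exact substrings it knows about."""
    return any(bad in value for bad in ("' OR ", "--", "<script>"))


def create_user(conn, clean):
    """Store validated data with a parameterised query. Validation does not
    replace parameterisation; the two are separate layers."""
    conn.execute(
        "INSERT INTO users (username, email, age, role) VALUES (?, ?, ?, ?)",
        (clean["username"], clean["email"], clean["age"], clean["role"]),
    )
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, age INTEGER, role TEXT)")
    good = {"username": "alice_01", "email": "alice@example.com", "age": 34}
    count = create_user(conn, validate_registration(good))

    # Constructed hostile input: a case and spacing variation of a classic
    # SQL injection probe that the denylist does not recognise...
    probe = "x' oR 1=1 /*"
    denylist_bypassed = not denylist_blocks(probe)

    # ...whereas the allowlist rejects it simply because it is not a
    # well-formed username, with no knowledge of attack patterns needed.
    try:
        validate_registration({**good, "username": probe})
        allowlist_rejected = False
    except ValidationError:
        allowlist_rejected = True
    return count, denylist_bypassed, allowlist_rejected


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the allowlist never had to know what a SQL injection looks like: the probe fails because it contains characters a username is not allowed to contain, while the denylist misses it on a trivial case change. Even so, the insert uses bound parameters, because a field that legitimately permits quotes or semicolons (a free-text comment, say) cannot be protected by validation alone.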

Related Terms

input validation, sanitisation, defence in depth
