Never trust any part of the request to be safe. Make sure that the URI, header and body are properly https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet[sanitized] before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as {link-with-uscores1}[CSRF] tokens when possible.
Do not expose sensitive information in your response. If the endpoint serves files, limit the access to a dedicated directory. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies[Protect your sensitive cookies] so that client-side javascript cannot read or modify them.
Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet[Unvalidated redirects] which can happen when the ``++Location++`` header is compromised.
Be careful when errors are returned to the client, as they can provide sensitive information. Use 404 (Not Found) instead of 403 (Forbidden) when the existence of a resource is sensitive.
