Comprehensive API validation: Ensuring Security, Accuracy, and Clarity

API input validation is one of the key elements that affect the security, quality and efficiency of an application. Validation is not limited to checking whether fields are required but also includes a number of other criteria that should be taken into account when testing the API. Care should be taken to ensure that the data is correct, secure, and that the API gives the user clear information about errors.  

In addition to checking whether fields are required, it is also worth paying attention to additional aspects of validation. 

Are error messages clear and specific?  

Proper error messages are the foundation of a good interaction with the user (or the system that integrates with your API). If the API returns a generic message such as “Validation error,” the user may feel lost, not knowing what exactly is wrong with their data. Proper validation isn’t just about checking that the data is present, but also indicating precisely which data is wrong and how to correct it.  

Example:  

The expected API response when a user enters an incorrect email and/or phone number:  

The standard server response in such a case is as follows: 

{ 

  "status": 400, 

  "message": "Bad Request" 

} 

Why it’s not enough: Such a message does not provide any indication of a specific error. In the case of a form with multiple fields, the user does not know which field was filled in incorrectly. Without additional information, such as error details for each field, the user has to guess what’s wrong, which increases the troubleshooting time. 

That’s why instead of default answers it’s a good idea to design one that clearly indicates the problem to be fixed. 

{ 

  "error": "Validation Errors", 

  "fields": [ 

    { 

      "field": "email", 

      "message": "Email address is invalid. Please enter a valid email format, e.g., [email protected]" 

    }, 

    { 

      "field": "phone_number", 

      "message": "Phone number must be 10 digits long and include only numbers." 

    } 

  ] 

} 

What are the advantages of this approach?  

The API should not return generic error messages that only indicate a general problem but should indicate exactly which field failed and why.  

The message contains a list of all the erroneous fields in the form, along with detailed instructions on how to fix the problem. This way the user knows exactly which data is incorrect and what he needs to do to make the query correct.   

Are there format validations (e.g., email, date, identifiers)?  

Data format validation is necessary to make sure that the data sent has the correct structure. Without it, the API may receive data that doesn’t make sense, and the server won’t be able to process it correctly.  

Example 1: Email validation   

If a user enters an email in the wrong format, the API should reject it and indicate an error. 

{ 

  "error": "Invalid input", 

  "details": { 

    "email": "Invalid email format. Example: [email protected]" 

  } 

} 

Example 2: Date validation  

If the API expects a date in the format YYYY-MM-DD, and the user enters DD-MM-YYYY, the API should reject such a format: 

{ 

  "error": "Invalid date format", 

  "message": "Please use the format YYYY-MM-DD" 

} 

Why it’s important? 

• Format validation ensures that internal application data will be consistent and easy to process. 
• It protects against errors associated with incompatible data that could cause crashes or improper processing of information. 

Maximum character length 

Validation of field lengths is very important to prevent excessive load on the system and incorrect data that can lead to errors in subsequent processing. It is important that the API returns an error when the data exceeds the specified maximum length.  

Example:  

If the API requires the username field to not exceed 20 characters, and the user enters a name that is 25 characters long, the API response should look like this: 

{ 

  "error": "Validation Error", 

  "message": "Username cannot be longer than 20 characters", 

  "field": "username" 

} 

Why it’s important? 

• Protecting against data entry that is too long, which can lead to problems in storing or displaying information.  
• Ensuring consistency and predictability of data in the system. 

Does the application reject redundant fields that it does not expect? 

The API should be strongly specified, that is, it should reject any fields that are not expected in a given request. This prevents sending unnecessary information that can lead to excessive load on the system.  

Example:  

If a user sends an additional, unexpected nickname field, the API should return an error: 

{ 

  "error": "Unexpected field", 

  "message": "The 'nickname' field is not allowed", 

  "field": "nickname" 

} 

Why it’s important? 

• To protect against the injection of unwanted data that can be used to manipulate the system. 
• To ensure that only the data specified in the API documentation is processed.  

Are there no duplicate keys in the query?  

The API should reject queries with duplicate keys. Two identical keys in the same query can lead to ambiguous data and processing errors.  

Example:  

If a query contains a duplicate email key: 

{ 

  "id": 123, 

  "email": "[email protected]", 

  "email": "[email protected]" 

} 

The API should return an error:

{ 

  "error": "Validation Error", 

  "message": "Duplicate key detected: 'email'", 

  "field": "email" 

} 

Why it’s important? 

• Two identical keys can cause data processing problems and introduce ambiguity.  
• Prevents misuse and unauthorized modification of data. 

Aren’t there unexpected fields in the body that are sent as parameters?  

Some data may be requested as query parameters or in the body, but the API should not allow parameters to be sent in two places. For example, if an email field has already been passed as a query parameter, it should not be in the body of the request.  

Example:  

Sending user data through the body and as a query parameter: 

// Parameters in the URL 

GET /[email protected] 

// query 

{ 

  "email": "[email protected]", 

  "name": "John" 

} 

The API should return an error: 

{ 

  "error": "Validation Error", 

  "message": "The 'email' field cannot be passed in both the URL and body.", 

  "field": "email" 

} 

Why it’s important? 

• Prevents data ambiguity in the system, where the same parameter can be interpreted differently from place to place.  
• Maintains compliance with API documentation and prevents errors due to inconsistencies. 

Checking the required fields and the correctness of the 400 (Bad Request) response 

If the user does not submit all the required fields, the API should return a 400 Bad Request error, not a 500 Internal Server Error. In the case of missing data (e.g., missing name, email address), the response should detail the missing fields.  

Example: If a user fails to provide required fields such as email in a registration request: 

{ 

  "error": "Bad Request", 

  "message": "The 'email' field is required", 

  "field": "email" 

} 

Why it’s important? 

• Error 400 informs the user of a problem with his query, allowing him to quickly correct the data.  
• Error 500 indicates a problem with the server, which in this case is untrue and can make debugging the problem much longer.

Does the API reject requests using unsupported HTTP methods?

The API (the interface for communicating with the application) should respond appropriately if a user tries to perform an operation that cannot be performed on a given resource. For example, if a request is sent using a method that the endpoint does not support, the API should return an error. 

Example:  

If the API for users (/users) only supports the GET method (for retrieving data), and the user sends a query with the POST method (for creating data), the API should respond as follows: 

{ 

  "error": "Method Not Allowed", 

  "message": "POST method is not allowed for this endpoint" 

}  

In this way, the API ensures that the user does not perform operations that are not allowed. Queries with unsupported methods are blocked, preventing accidental or unauthorized changes to the system.  

Conclusion: Why Field Validation Is Essential for Secure and Accurate API Testing 

Testing the validation of fields in the API is a key part of ensuring that the application works properly. Validation should not just be limited to checking that fields are required, but should also include other aspects, such as controlling the maximum character length of fields, eliminating duplicate keys, verifying the validity of the data format (e.g., email or date), and checking the content of parameters and fields in the query body to ensure that we are not sending redundant data or the same data in both the URL and body.

It’s also important that the API correctly verifies the presence of the required fields and returns a response with a code 400 for missing data, rather than generating server errors (500). Performing accurate data validation allows you to manage information accurately, protect your application from unauthorized manipulation, and improve the user experience by providing clear and helpful error messages.  

TIP: The following checklist can be helpful in testing API validation: 

Checklist: Testing data validation  

Checking the required fields  

• Are the relevant fields marked as required?  
• Does the API return an appropriate response (e.g. 400 Bad Request) for missing required fields?  
• Does the error message indicate the missing field and is it readable?  

Validation of length, numeric values and data format  

• Do fields have a defined minimum and/or maximum length (e.g., first name, email)?  
• Does the API reject data that exceeds the maximum allowed length or does not meet the minimum length?  
• Does the API validate numeric values, such as prices, ages, number of products available?  
• Does the API validate data formats such as email, date, phone number?  
• Does the API return an appropriate error (e.g., 400) for data with an incorrect format?  
• Does the error message indicate the specific field and problem that is occurring?  

Validation of duplicate and redundant fields  

• Does the API reject queries with duplicate keys in the body or parameters?  
• Does it return an appropriate response (e.g. 400 Bad Request) for duplicate data?  
• Does the error message accurately indicate which field was duplicated?  
• Does the API reject requests containing unexpected or redundant fields?  
• Does the error message point to an unexpected field and indicate that the field is prohibited?  

Checking the consistency of parameters in the URL and body  

• Does the API reject requests in which the same parameters are sent in both the URL and body?  
• Does the response provide a clear error message when duplicate data is sent?  

Checking the availability of methods  

• Does the API block the possibility of using an inappropriate method?  
• Does the API return an appropriate response when using an invalid method?  

Checking default values  

• Does the API correctly handle default values for optional fields?  
• Are default values correctly interpreted by the system?  

Checking for server errors  

• Does the API return a 400 Bad Request error rather than a 500 Internal Server Error in the case of an invalid request?  
• Are the error responses consistent and responsive to the type of problem? 

Interested? Check out the next parts in this series:

What The API Says & What It Shouldn’t – The Hidden Dangers of Excess Data

API Testing Security Aspects – More Than Just Login Protection