Input Validation and Output Encoding
APIs must validate all input data to prevent injection attacks and ensure data integrity. Validation should happen at more than one layer: client-side checks improve the user experience but are trivially bypassed and must never be the only check; the API gateway can reject malformed, oversized or unauthenticated requests early; and the application layer enforces business rules against the parsed, typed data. Allowlisting acceptable input (a type, length, range and explicit pattern for every field, plus rejection of unexpected fields) provides stronger security than denylisting known bad patterns, because a denylist only covers the attacks its author already thought of.
Output encoding prevents injection when API responses are consumed by clients that render or re-parse them. JSON serializers must escape quotes, backslashes and control characters, and where a response may end up inside an HTML page or script element the characters <, > and & (and the line terminators U+2028/U+2029) should be emitted as \uXXXX escapes as well. XML responses require entity encoding of &, <, > and quotes, and characters that XML forbids should be dropped rather than passed through. Error messages need sanitization so that stack traces, file paths, SQL fragments and internal hostnames are never returned to the client; log the detail server-side under a request ID the client can quote instead. Encoding must be context-aware: the same value needs different treatment in a JSON string, an XML text node, an HTML attribute or a URL, so encode at the point of output for the context the data is entering rather than once on the way in.
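The following is an added example, not code from the original page, that puts both halves together for a hypothetical POST /users endpoint: allowlist validation of the JSON body (per-field type, length, pattern and range, unknown fields rejected) followed by context-aware output encoding for JSON and XML and an error mapper that never echoes internal detail. The field names, the regexes and the ValidationError type are assumptions made for the example; a real API would derive the rules from its schema. It uses only the Python standard library.

```python
import html
import json
import re
from typing import Any

# Allowlist patterns per field (assumed for this example; derive from your schema).
# fullmatch is used deliberately: with match()/search(), "$" also matches before a
# trailing newline, so "alice@example.com\n" would slip through.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_FIELDS = {"username", "email", "age"}


class ValidationError(ValueError):
    """Raised for client-caused input errors; its message is safe to return."""


def validate_user_payload(payload: Any) -> dict:
    """Allowlist validation of a decoded JSON body for the hypothetical POST /users."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    if set(payload) - ALLOWED_FIELDS:
        # Do not echo the attacker-chosen field names back in the message.
        raise ValidationError("body contains an unexpected field")
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 chars of [A-Za-z0-9_.-]")
    email = payload.get("email")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email is not well-formed")
    age = payload.get("age")
    if age is not None:
        # bool is a subclass of int in Python, so True would pass an int check; reject it first.
        if isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150:
            raise ValidationError("age must be an integer in 0..150")
    return {"username": username, "email": email, "age": age}


def encode_json(data: Any) -> str:
    """JSON that stays safe even if a client embeds it in an HTML <script> block.

    json.dumps already escapes quotes, backslashes and C0 control characters.
    With ensure_ascii=False it leaves <, >, & and U+2028/U+2029 as-is, so they are
    escaped here as \\uXXXX. These characters can only occur inside JSON strings,
    never as structural tokens, so a global replace on the serialized text is safe.
    """
    text = json.dumps(data, ensure_ascii=False, separators=(",", ":"))
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        text = text.replace(raw, esc)
    return text


def _xml_allowed(ch: str) -> bool:
    """XML 1.0 Char production: tab, LF, CR, and 0x20.. excluding surrogates and FFFE/FFFF."""
    cp = ord(ch)
    return ch in "\t\n\r" or 0x20 <= cp <= 0xD7FF or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF


def encode_xml_text(value: str) -> str:
    """Entity-encode a string for an XML text node or attribute value.

    Characters XML forbids (e.g. NUL) are dropped first; an entity like &#0; would
    make the whole document ill-formed, so dropping is the only safe option.
    """
    cleaned = "".join(ch for ch in value if _xml_allowed(ch))
    return html.escape(cleaned, quote=True)  # encodes & < > " '


def public_error(exc: Exception, request_id: str) -> dict:
    """Map an exception to a client-safe body; internal detail goes to server logs only."""
    if isinstance(exc, ValidationError):
        return {"error": "invalid_request", "detail": str(exc), "request_id": request_id}
    # Anything else could carry stack traces, paths or SQL: return a generic body.
    return {"error": "internal_error", "request_id": request_id}


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    good = {"username": "alice_1", "email": "alice@example.com", "age": 30}
    bad = {"username": "<script>alert(1)</script>", "email": "x"}
    print(encode_json(validate_user_payload(good)))
    try:
        validate_user_payload(bad)
    except ValidationError as e:
        print(encode_json(public_error(e, "req-1")))
    print(encode_json(public_error(RuntimeError("db password=hunter2"), "req-2")))
    print(encode_xml_text('Tom & Jerry <b>"quoted"</b>'))
```

Note that encode_json applies the HTML-safe escapes unconditionally; for a response served only with Content-Type: application/json and X-Content-Type-Options: nosniff this is defence in depth, but it costs nothing and protects clients that inline the body into a page.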