Friday, 10 March 2017

Is accepting JSON directly from the client insecure/bad practice in a Golang app with a JSON file datastore?

I have a simple Golang application with an HTTP API that controls the app; the API has a frontend over it powered by a React.js app. The frontend allows users to change settings and POSTs a JSON object called settings directly to the API /api/settings endpoint (which has simple JWT authentication built in). I take that object and unmarshal it into a struct for the application to use; in case of an error the application uses the default struct and sends an error to the client. My question is: am I doing this correctly, or is this insecure; sending the JSON directly to the app, without any server-side validation, but a simple json.Unmarshal?

PS: I come from a PHP+MySQL web apps background, where accepting client input for the DB without escaping it was a very dangerous thing to do.
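One way to add the server-side validation the question asks about, as an added Go example that is not the poster's code. The Settings fields, the allowed values and ranges, and the 64 KiB body limit are assumptions, since the post shows none of them; the point is that json.Unmarshal alone accepts any well-formed document, while a decoder that starts from defaults, rejects unknown keys and trailing data, bounds the body size and range-checks every field turns the "keep the defaults on error" fallback into an actual validation step.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Settings is a hypothetical settings struct; the post does not show its fields.
type Settings struct {
	Theme        string `json:"theme"`
	PollInterval int    `json:"poll_interval"` // seconds
	Webhook      string `json:"webhook"`
}
var defaultSettings = Settings{Theme: "light", PollInterval: 60}
const maxBodyBytes = 64 << 10 // bound the body; in an http.Handler also wrap r.Body with http.MaxBytesReader

// parseSettings decodes and validates one settings document. It starts from the
// defaults so omitted keys keep their value, rejects unknown keys and trailing
// data, then checks each field's range. On any error the caller keeps defaults.
func parseSettings(r io.Reader) (Settings, error) {
	s := defaultSettings
	dec := json.NewDecoder(io.LimitReader(r, maxBodyBytes))
	dec.DisallowUnknownFields() // a misspelled or unexpected key is an error, not silently dropped
	if err := dec.Decode(&s); err != nil {
		return defaultSettings, fmt.Errorf("decode: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF { // anything after the object is rejected
		return defaultSettings, errors.New("trailing data after settings object")
	}
	if s.Theme != "light" && s.Theme != "dark" {
		return defaultSettings, fmt.Errorf("theme %q not allowed", s.Theme)
	}
	if s.PollInterval < 5 || s.PollInterval > 3600 {
		return defaultSettings, fmt.Errorf("poll_interval %d outside 5..3600", s.PollInterval)
	}
	if s.Webhook != "" && !strings.HasPrefix(s.Webhook, "https://") {
		return defaultSettings, errors.New("webhook must be an https:// URL")
	}
	return s, nil
}

func main() {
	// Constructed sample bodies: one valid, one with a misspelled key.
	for _, body := range []string{`{"theme":"dark","poll_interval":30}`, `{"theem":"dark"}`} {
		s, err := parseSettings(strings.NewReader(body))
		fmt.Printf("%-40s -> %+v err=%v\n", body, s, err)
	}
}
```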

