I was looking at different ways to secure a .NET RESTful Web API when I came across this OWASP link.

One of the recommendations under Input Validation:

  • Validate input: length / range / format and type

I started thinking about adding a constraint to all string attributes in view models. But one of the requirements from customers is to have no limit on string lengths.
To face this trade-off, I need to figure out a number (maximum string length) that could be:

  • Secure: does not make Web APIs fail or make backend code run out of memory.
  • Unlimited: looks like unlimited string to end user.

I know that there is no such thing as an "unlimited string", but I'm really looking for a number here that is commonly used by developers in such a scenario.

Mhd
  • That is a great question, but unfortunately there is no 'right answer'. Your customers are literally asking for the impossible. You can't achieve it. You need to pick a length that is reasonable given your business and communicate it to them. – mjwills Jun 05 '18 at 02:27
  • Side comment: have a look at [this article](https://enterprisecraftsmanship.com/2015/03/07/functional-c-primitive-obsession/) on how you could implement a safe application-wide constraint on all your strings. – Spotted Jun 05 '18 at 05:33

1 Answer


Figure out what your longest possible JSON string is and then limit it to that.

Nick Gallimore
  • I saw an article somewhere saying emails cannot be longer than 254 characters, if this helps for email fields. It all depends on the field. – Nick Gallimore Jun 05 '18 at 23:23
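The following is an added example, not code from the question, the answer, or any project named here. It shows what the question's "constraint on all string attributes in view models" looks like in .NET, and the answer's advice to cap the whole JSON payload: per-field `[StringLength]` limits on a view model (with 254 for the e-mail field, the bound mentioned in the comment above), a helper that runs those DataAnnotations checks so the behaviour can be observed without a web host, and an ASP.NET Core controller fragment that rejects oversized bodies before model binding. The model name, field names, and the numeric limits (4096, 100, 1 MiB) are assumptions; the controller part assumes an ASP.NET Core project where `Microsoft.AspNetCore.Mvc` is available.

```csharp
// Added example: per-field length constraints checked with
// System.ComponentModel.DataAnnotations, plus a per-request body cap.
// All limits below are assumed values; derive yours from the longest
// legitimate payload your API actually needs to accept.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Hypothetical view model for a "create note" request.
public class CreateNoteRequest
{
    // 254 characters is the upper bound for e-mail addresses cited in the comment above.
    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }

    // Free text that should "look unlimited" to the user but still has a hard cap (assumed 4096).
    [Required, StringLength(4096)]
    public string Body { get; set; }

    // Optional field: length cap only, may be omitted.
    [StringLength(100)]
    public string Title { get; set; }
}

public static class RequestValidator
{
    // Runs every DataAnnotations attribute on the model and returns the error
    // messages; an empty list means the model passed validation.
    public static List<string> Validate(object model)
    {
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model);
        Validator.TryValidateObject(model, context, results, validateAllProperties: true);

        var errors = new List<string>();
        foreach (var r in results)
        {
            errors.Add(r.ErrorMessage);
        }
        return errors;
    }
}

// In ASP.NET Core the same attributes are enforced during model binding:
// [ApiController] turns a failed ModelState into an automatic 400 response,
// and [RequestSizeLimit] rejects the request before binding even starts, so a
// multi-megabyte body never reaches the deserializer or the view model.
[ApiController]
[Route("api/notes")]
public class NotesController : ControllerBase
{
    [HttpPost]
    [RequestSizeLimit(1_048_576)] // 1 MiB, an assumed cap for the entire JSON body
    public IActionResult Create([FromBody] CreateNoteRequest request)
    {
        // Reaching this point means every [StringLength] / [Required] check passed.
        return Ok();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: one within limits, one with a 5000-character body.
        var withinLimits = new CreateNoteRequest { Email = "user@example.com", Body = "hello" };
        var tooLong = new CreateNoteRequest { Email = "user@example.com", Body = new string('A', 5000) };

        Console.WriteLine("errors for valid request: " + RequestValidator.Validate(withinLimits).Count);
        foreach (var error in RequestValidator.Validate(tooLong))
        {
            Console.WriteLine("rejected: " + error);
        }
    }
}
```

The two layers are complementary: the per-field attributes give the user a clear, field-specific error, while the body-size cap bounds the memory the server commits to a single request regardless of how the JSON is shaped. Picking the field limits is the business decision the comments above describe; the body cap can then be set slightly above the sum of those limits plus JSON overhead, which is the "longest possible JSON string" the answer refers to.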