Django REST Framework returns what appears to be an empty array when querying a ListView that does not have any objects. Is this a security risk?

user606006
  • Well what else should it return? There are two scenarios that make sense: an empty list, or a 404, but both actually tell exactly the same thing. – Willem Van Onsem Jul 29 '18 at 20:56
  • I'm not asking what makes sense. I'm asking whether the top-level JSON array returned by the ListView is a security risk. I'm asking because I think an empty array makes sense and I want to make sure I don't get hacked. – user606006 Jul 29 '18 at 21:43

1 Answer

Based on the OWASP recommendation, you should always return a list with an object on the outside, but this appears to be only a vulnerability in older browsers, as discussed in this post.

Nevertheless, it's better to adhere to the OWASP security recommendations to return the list nested inside an object if possible.

With Django DRF's generic ListModelMixin views, if you include all pagination settings, it will return an object with pagination attributes with the list under the results attribute.

# settings.py
REST_FRAMEWORK = {
    ...
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
    'PAGE_SIZE': 20,
}
# API response body

{
    "count": 12,
    "next": null,
    "previous": null,
    "results": [
        ...
    ]
}
Oscar Chen
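As an added illustration (not code from the answer or from DRF itself), the first helper below is the check a project test suite can run against any list endpoint's body to confirm the top-level JSON value is an object rather than a bare array; the second is a hypothetical stand-in that builds the same `count`/`next`/`previous`/`results` envelope shape that DRF's `PageNumberPagination` produces, so the empty-queryset case can be inspected offline. The sample bodies and the `/api/items/` URL are constructed for this example.

```python
import json
from urllib.parse import urlencode

# Constructed sample bodies, not captured from a real server.
UNPAGINATED_EMPTY = "[]"                     # bare array DRF returns without pagination
PAGINATED_EMPTY = '{"count": 0, "next": null, "previous": null, "results": []}'


def has_object_envelope(body: str) -> bool:
    """True when the top-level JSON value is an object (dict), not an array.

    This is the property the OWASP advice asks for: an outer object cannot be
    consumed as a JavaScript array literal by an old-browser <script> include.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict)


def page_envelope(items, page, page_size, base_url):
    """Hypothetical helper reproducing the envelope shape of DRF's
    PageNumberPagination (not DRF's own code): a count plus next/previous
    links plus the page's slice under "results"; an empty queryset still
    yields an object with "results": []."""
    if page < 1 or page_size < 1:
        raise ValueError("page and page_size must be >= 1")
    count = len(items)
    start = (page - 1) * page_size
    results = items[start:start + page_size]

    def link(n):
        # DRF drops the page parameter when linking back to page 1.
        return base_url if n == 1 else f"{base_url}?{urlencode({'page': n})}"

    has_next = start + page_size < count
    return {
        "count": count,
        "next": link(page + 1) if has_next else None,
        "previous": link(page - 1) if page > 1 else None,
        "results": results,
    }


if __name__ == "__main__":
    print(has_object_envelope(UNPAGINATED_EMPTY))   # False: bare array
    print(has_object_envelope(PAGINATED_EMPTY))     # True: wrapped in an object
    print(json.dumps(page_envelope([], 1, 20, "/api/items/")))
```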