input-validation
Safeguard articles tagged "input-validation" — guides, analysis, and best practices for software supply chain and application security.
22 articles
NoSQL injection prevention in MongoDB and Mongoose
A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
Using Jakarta Bean Validation correctly: a defensive walkthrough
Jakarta Bean Validation stops malformed input, not attackers — a 2025 Hibernate Validator EL-injection flaw (CVSS 7.3) shows what goes wrong when teams conflate the two.
Preventing SMTP injection vulnerabilities in email-sending code
A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.
Safely Parsing Untrusted URLs in Node.js
Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
Writing your first Jest unit tests for security-critical JavaScript
Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.
Robust URL Validation in Python: Stopping SSRF and Open Redirects
One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.
LDAP injection: a technical primer and defense guide
LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.
A practical REST API hardening checklist
OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.
Secure URL Encoding and Decoding in Java
Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.
Robust input validation in Spring Boot: Bean Validation and its bypasses
Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.