| ▲ | saimiam an hour ago | |
> other parts of the stack As a web developer, you’re the like the guy standing with a clipboard outside a fancy club checking if people requesting entry are allowed or not. Basically, level 1 security. If someone is not on the list, your job is to default to declining them access, not granting them access assuming level 2 security will handle them at a deeper layer. It’s possible that the teams you work with expect fuzzy behaviour from the website but that’s a choice, not a practice. | ||
| ▲ | nofriend an hour ago | parent [-] | |
>It’s possible that the teams you work with expect fuzzy behaviour from the website but that’s a choice, not a practice. This is how the vast majority of websites work. The practical reason is obvious: when we model the behaviour our code depends on, we want to create the simplest possible model that allows our code to work as expected. Placing requirements on it that our code doesn't actually depend on is useless, unneeded, complexity. > As a web developer, you’re the like the guy standing with a clipboard outside a fancy club checking if people requesting entry are allowed or not. Basically, level 1 security. there is no security benefit to filtering out unneeded url parameters. | ||