
Input Validation And Allowlists

Defining what good input looks like instead of chasing every bad case.

5 min read · advanced

Allowlist Over Blocklist

Robust input validation defines exactly what valid data looks like and rejects everything else. An allowlist specifies permitted values, while a blocklist tries to enumerate bad ones and inevitably misses novel attacks.

What To Validate

  • Check type, length, format, and range against a strict specification.
  • Constrain choices to a known set, such as a fixed list of country codes.
  • Validate at the trust boundary where untrusted data enters the system.
  • Canonicalize input first so encoding tricks do not bypass checks.
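The four checks above, worked through as an added example (this is illustration code written for this lesson, not code from the original page). It assumes a constructed allowlist of country codes, a constructed username format, and that input reaches the validator still percent-encoded, so one round of decoding plus Unicode NFKC normalization is the canonical form. A small blocklist is included only to contrast its behaviour on an encoded input with the allowlist's.

```python
import re
import unicodedata
import urllib.parse

# Constructed allowlist of permitted country codes (assumption: a real
# application would load the full, current list from its reference data).
ALLOWED_COUNTRY_CODES = frozenset({"US", "GB", "DE", "FR", "JP"})

# Strict specification for a username: 3-32 characters from a known-safe set.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,32}$")


class ValidationError(ValueError):
    """Raised when input fails the allowlist specification."""


def canonicalize(raw: str) -> str:
    """Reduce input to one canonical form before any check runs.

    - exactly one round of percent-decoding (assumption: the caller hands us
      the raw, still-encoded value; decoding twice would hide double encoding)
    - Unicode NFKC normalization so compatibility forms such as fullwidth
      letters collapse to their ASCII equivalents
    - surrounding whitespace removed
    """
    decoded = urllib.parse.unquote(raw)
    return unicodedata.normalize("NFKC", decoded).strip()


def validate_username(raw: object) -> str:
    """Type, then canonical form, then format: every step fails closed."""
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    value = canonicalize(raw)
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username does not match the allowed format")
    return value


def validate_country(raw: object) -> str:
    """Constrain the value to a known set rather than checking a pattern."""
    if not isinstance(raw, str):
        raise ValidationError("country must be a string")
    value = canonicalize(raw).upper()
    if value not in ALLOWED_COUNTRY_CODES:
        raise ValidationError("country code is not in the permitted set")
    return value


def validate_age(raw: object) -> int:
    """Type check first, then range. bool is a subclass of int, so exclude it."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise ValidationError("age must be an integer")
    if not 0 <= raw <= 150:
        raise ValidationError("age is out of range")
    return raw


def is_valid_username(raw: object) -> bool:
    try:
        validate_username(raw)
        return True
    except ValidationError:
        return False


def blocklist_accepts(raw: str) -> bool:
    """Contrast case: a blocklist looking for one known-bad token.

    Run on the un-canonicalized value it accepts the percent-encoded spelling
    of that token; the allowlist regex above rejects it either way because the
    decoded characters are simply not in the permitted set.
    """
    return ".." not in raw
```

Note the order inside each validator: type, canonicalization, then the allowlist check. Canonicalizing after the check would mean validating one string and using another, which is exactly the mismatch the fourth bullet warns about.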

Where It Fits

  • Validation reduces attack surface but does not replace context-aware encoding or parameterized queries.
  • Treat it as one layer of defense in depth, not the sole barrier.
  • Reject and log invalid input rather than silently sanitizing it where possible.
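The three layers named in this section, shown together in an added example (written for this lesson, not taken from the original page). It assumes an in-memory SQLite table with constructed rows, a constructed two-letter allowlist rule for country codes, and Python's standard `logging` and `html` modules for the reject-and-log step and the output encoding.

```python
import html
import logging
import re
import sqlite3
from typing import Optional

log = logging.getLogger("input_validation")

# Constructed allowlist rule: exactly two uppercase ASCII letters.
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (code TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO countries VALUES (?, ?)",
        [("US", "United States"), ("GB", "United Kingdom"), ("CI", "Côte d'Ivoire")],
    )
    return conn


def lookup_country(conn: sqlite3.Connection, raw_code: str) -> Optional[str]:
    """Layer 1: validate at the boundary. Reject and log; do not 'repair' the input."""
    if not COUNTRY_RE.fullmatch(raw_code):
        log.warning("rejected country code %r", raw_code)
        return None
    # Layer 2: a parameterized query even though the value already passed
    # validation. The driver binds raw_code as data, never as SQL text.
    row = conn.execute(
        "SELECT name FROM countries WHERE code = ?", (raw_code,)
    ).fetchone()
    return row[0] if row else None


def lookup_country_unvalidated(conn: sqlite3.Connection, raw_code: str) -> Optional[str]:
    """Same query with layer 1 missing: parameter binding still keeps the
    value as data, which is why the two layers are independent defenses."""
    row = conn.execute(
        "SELECT name FROM countries WHERE code = ?", (raw_code,)
    ).fetchone()
    return row[0] if row else None


def render_country(conn: sqlite3.Connection, raw_code: str) -> str:
    """Layer 3: context-aware encoding at the sink. Here the sink is HTML, so
    the value is escaped for HTML even though it came from our own table."""
    name = lookup_country(conn, raw_code)
    if name is None:
        return "<p>Unknown country</p>"
    return f"<p>{html.escape(name)}</p>"
```

Each function only does the job of its own layer: the validator never touches the database, the query never inspects the value, and the renderer encodes for the context it writes into regardless of where the string came from. Removing any one layer leaves the other two intact, which is the point of treating validation as one layer rather than the barrier.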

Key idea

Allowlist validation defines what good input is and rejects the rest, applied at trust boundaries as one layer alongside encoding and parameterization.

Check yourself


1. Why prefer an allowlist over a blocklist?

2. Why canonicalize input before validating it?

3. Does input validation replace parameterized queries?