Timeline for Is it ok to have validation layer before access control layer
Current License: CC BY-SA 4.0
17 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| May 9, 2018 at 4:25 | history | tweeted | twitter.com/StackSoftEng/status/994070789812051969 | ||
| May 7, 2018 at 15:45 | comment | added | Zibbobz | @Muhammad My point is that, in a secure system, if a user doesn't have the permission to perform an action, then they shouldn't be able to get to that action in the first place. And even if they can somehow, you should still be checking whether they should have access as the first step - it should never come after validation. | |
| May 5, 2018 at 12:31 | comment | added | Muhammad | @GregBurghardt actually no data can be accessed from an unknown person, so if the same user sends data simultaneously we can counter that by rate limiting them or blocking the account altogether, so I don't think the protected data is simply open to DDoS, let me know if I am wrong, thanks | |
| May 5, 2018 at 12:29 | comment | added | Muhammad | @Zibbobz validation is simple like checking if user is sending correct schema, like the parameter which should be integer is integer or something else | |
| May 4, 2018 at 14:47 | answer | added | Cubic | timeline score: 2 | |
| May 4, 2018 at 14:31 | comment | added | Zibbobz | From a practical standpoint, access control should come before validation anyway - how are you going to validate the correctness of a user's request if they can't access the request in the first place? | |
| May 4, 2018 at 14:24 | comment | added | Greg Burghardt | That's true. During a DDoS that layer will still hit your data store. With running that layer first you won't hit your data store for validations AND access control - you'll just hit it for access control. It reduces the size of the tsunami, but doesn't prevent it from hitting the beach. It gives you or your server team a fighting chance to respond to an attack before the whole system becomes bogged down. | |
| May 4, 2018 at 13:49 | comment | added | Muhammad | In my case the same goes for Access Control Middleware, it checks a resource and sees if the type of resource is accessible by the user, if it's accessible I allow access, otherwise I don't | |
| May 4, 2018 at 13:14 | review | Close votes | |||
| May 9, 2018 at 3:04 | |||||
| May 4, 2018 at 13:06 | answer | added | Ewan | timeline score: 1 | |
| May 4, 2018 at 13:04 | answer | added | Deduplicator | timeline score: 25 | |
| May 4, 2018 at 12:29 | answer | added | Sebastian Redl | timeline score: 15 | |
| May 4, 2018 at 11:54 | comment | added | Greg Burghardt | It's also worth mentioning that validations often must reach out to the database to do their job, or a file store. If you do this before checking for access control violations, you essentially allow attackers to DDoS your database or file system by throwing massive amounts of traffic at that particular URL. | |
| May 4, 2018 at 11:32 | answer | added | simurg | timeline score: 6 | |
| May 4, 2018 at 11:24 | answer | added | Caleth | timeline score: 59 | |
| May 4, 2018 at 11:18 | review | First posts | |||
| May 4, 2018 at 15:45 | |||||
| May 4, 2018 at 11:13 | history | asked | Muhammad | CC BY-SA 4.0 |