Secure Your ASP.Net Web API with Request Validation: Best Practices and Techniques

First approach
A very common scenario is to validate in the controller layer; most people do that to avoid spending resources and calling further methods while some fields are still invalid, so let's start with the simplest validation approach.
The simple Person class purposely has a few properties just to test how we can validate them.
This validation approach in the PersonController class works, but there are a few problems we can highlight:
1 — We are not returning the validation problems to the client.
2 — There is a big chance of duplicating the validation code in other methods.
3 — There is no separation of concerns.
4 — The errors will be reported to the caller one by one, not all at the same time.
Data Annotations
Even though you can create custom classes that inherit from ValidationAttribute, there are plenty of built-in classes that will solve a big part of your validation logic, such as RequiredAttribute, MaxLengthAttribute, RangeAttribute, EmailAddressAttribute, CreditCardAttribute, and many others. This basic validation will be enough for now; notice that we can apply multiple annotations to a single property.
The next step is validating the class once the data is provided by the caller, and we can do that using ASP.NET Model Binding validation.
Model Binding validation
Action Filters
To create an Action Filter we just need to create a new class and implement the IActionFilter interface, which gives us the methods OnActionExecuting and OnActionExecuted; moving the validation code from the controllers into OnActionExecuting will have the same effect.
By doing this we solve one more issue and remove all validation code from all controllers, which is awesome.
But what if we have very complicated validation logic and the current DataAnnotations are not enough for my project?
For sure this is a very common need, and most of us already have this requirement in our projects, which brings us back to the initial approach: create a class with custom validation code and use it across the application.
As an example, imagine that we need to run a lot of checks against the person's VAT number provided by the client, such as checking whether the code is valid against a database, or checking whether the VAT is forbidden, denied, or whatever.
Luckily we can use our current approach and extend the behavior to customize all our validation logic, and even use an existing validation library to help.
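As an added example (not the article's own code), here is what such a filter looks like in ASP.NET Core MVC, where IActionFilter has exactly the two methods named above: it reads the ModelState that model binding filled in and returns every field error in one 400 response, together with the Program.cs registration that makes it global. The filter name and the use of minimal hosting are assumptions.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Runs before every action: if model binding left ModelState invalid, the action
// never executes and the caller gets all field errors in a single 400 response.
public sealed class ValidateModelStateFilter : IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext context)
    {
        if (context.ModelState.IsValid)
            return; // the bound model passed every annotation; let the action run

        // ValidationProblemDetails serialises the whole ModelState as a problem-details
        // "errors" map keyed by property name, so nothing is reported one by one.
        context.Result = new BadRequestObjectResult(
            new ValidationProblemDetails(context.ModelState));
    }

    public void OnActionExecuted(ActionExecutedContext context)
    {
        // No post-processing is needed for validation.
    }
}

// Program.cs (minimal hosting). The filter is registered globally, so no
// controller has to repeat the ModelState check.
public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services
            .AddControllers(options => options.Filters.Add<ValidateModelStateFilter>())
            // [ApiController] already returns 400 on invalid ModelState; disable that
            // built-in filter so this one is the single place the response shape is decided.
            .ConfigureApiBehaviorOptions(o => o.SuppressModelStateInvalidFilter = true);

        var app = builder.Build();
        app.MapControllers();
        app.Run();
    }
}
```

Without SuppressModelStateInvalidFilter, controllers marked [ApiController] would short-circuit before this filter ever runs, which is worth knowing when the filter seems to do nothing.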
Custom Attributes
As I mentioned before, the classes from the DataAnnotations namespace inherit from ValidationAttribute, so to create a custom attribute we just need to create a new class, inherit from ValidationAttribute, override IsValid and write our custom validation code there.
In this custom logic I am just checking whether the VAT contains the number 1111, but in this class we can do all the checking that we need, and we can use this validation exactly the way we already use everything from the DataAnnotations namespace.
I think this is a great validation approach; of course, it can be customized as you wish, and you do not need to follow it 100% as explained here, since it opens up lots of additional options and ways of use.
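The following added example (not the article's code) ties the Data Annotations section and this one together: an assumed Person model stacking built-in annotations on single properties, a custom ValidationAttribute that overrides IsValid with the "contains 1111" rule described above, and a helper that runs the same one-pass evaluation model binding performs. Property names, limits and the helper are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

// Person model (assumed): several annotations on one property, plus the custom VAT rule.
public class Person
{
    [Required, MaxLength(50)]
    public string Name { get; set; } = string.Empty;

    [Range(0, 120)]
    public int Age { get; set; }

    [Required, EmailAddress]
    public string Email { get; set; } = string.Empty;

    [Required, ValidVat]
    public string Vat { get; set; } = string.Empty;
}

// Custom rule: inherit ValidationAttribute and override IsValid.
[AttributeUsage(AttributeTargets.Property)]
public sealed class ValidVatAttribute : ValidationAttribute
{
    protected override ValidationResult? IsValid(object? value, ValidationContext context)
    {
        // Leave "missing" to [Required]; only inspect a value that is present.
        if (value is not string vat || string.IsNullOrWhiteSpace(vat))
            return ValidationResult.Success;

        // Stand-in for the article's check; a real rule would consult a VAT registry or database.
        if (vat.Contains("1111"))
            return new ValidationResult("VAT number is not allowed.", new[] { context.MemberName! });

        return ValidationResult.Success;
    }
}

public static class PersonValidation
{
    // Evaluates every annotation (built-in and custom) in one pass and returns all
    // messages together, the same way model binding fills ModelState before a filter sees it.
    public static IReadOnlyList<string> Validate(Person person)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(person, new ValidationContext(person), results, validateAllProperties: true);
        return results.Select(r => r.ErrorMessage ?? string.Empty).ToList();
    }
}
```

Calling PersonValidation.Validate on a Person with an empty Name, Age 200 and Vat "PT1111" yields three messages at once, which is exactly the behaviour the controller-level approach could not give.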