Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Let users wreak their own havoc?
1 point by katzgrau on Jan 31, 2013 | hide | past | favorite | 2 comments
Have you ever written a webapp where a more sophisticated end-user could basically edit the DOM and submit some invalid data?

I'm curious how far other developers go to prevent users from "wreaking their own havoc," as a friend of mine called it, as long as it doesn't pose any security threat.

For example, I'm writing an app that integrates with an API. I have a form where I take an API key. Based on that API key, there is a selection of entity IDs that they are supposed to choose from (pulled via the API).

Any non-malicious user wouldn't ever have a chance to enter invalid data. But a potentially malicious user might edit the DOM and enter an ID they don't have permission to access with the given API key.

Of course, the API permission checks won't allow for any future API calls, and the app basically won't work. I'm not for cutting corners, but I also don't want to replicate a bunch of validation checks client-side for users who are trying to game the system.

Thoughts?



Do it right, and use proper validation on both the client-side and the server-side.


Thanks - I know. I think there's always the possibility that the 'malicious' user in question could edit db/configuration files anyway, but it's definitely the correct thing to do.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: