
I want to whitelist only valid URL patterns on our RESTful webserver / API, using regexes or something. But when googling for some examples I get a little bit suspicious, since there is not much documentation on that.

Is it uncommon to do this?

Seems to me it is a very essential part of any webserver script.

What am I overlooking here? :)

Patrick Savalle
  • How many valid URLs are you going to have to accept, how many variable things are going to be in them, how long do you think this will take... and will it really increase security (what if you miss something)? Also, most importantly, what happens if your API changes... – NickW Jan 21 '14 at 13:01
  • Yes, it can be maintenance hell :) But seems to me if security is very important, it is a must have. – Patrick Savalle Jan 21 '14 at 13:18
  • But why is it never done? Just because of maintenance issues? – Patrick Savalle Jan 21 '14 at 13:20
  • It might be that people do it, but don't share examples, maybe for security through obscurity? – NickW Jan 21 '14 at 14:45
  • What behaviour are you looking for when an invalid URL is hit? – Chris Montanaro Jan 21 '14 at 15:16
  • When an invalid URL is hit, the server just needs to return a 404. Maybe if the error is in the argument of the URL a 400. – Patrick Savalle Jan 22 '14 at 22:28

1 Answer


You aren't providing any example of where you're falling short in your exercise, or what's the whole purpose of your supposed whitelisting.

How many URLs do you have? Static web-site, or dynamic? What are you trying to accomplish?

You could easily do the whitelisting through a set of several specific location directives, and then return 404; within a general catch-all location / (which would match all other locations not described otherwise).

cnst
  • It is for security purposes. I am wondering why this is apparently not common practice. Our current solution is indeed using locations, with regexes. Also there is a performance gain in not having to instantiate the application server only to have it report the error. – Patrick Savalle Jan 22 '14 at 22:25
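Putting the answer's suggestion into a concrete nginx configuration, as an added example that is not from the original answer, the original poster, or the nginx documentation. The API routes (/api/v1/users, /api/v1/orders), the host name and the backend address 127.0.0.1:8080 are assumptions; the matching rules quoted in the comments are nginx's documented location semantics.

```nginx
# Added example, not from the original post or from the nginx documentation.
# Route names, host name and backend address are assumptions.
#
# nginx facts this allowlist relies on:
#  - locations are matched against $uri: percent-decoded and normalised
#    ("/a/../b" becomes "/b"; "//" is collapsed while merge_slashes is on),
#    and the query string is NOT part of the match.
#  - "location =" exact matches win immediately; otherwise the longest
#    matching prefix location is remembered, regex locations ("~") are tried
#    in file order and the first regex match wins; the remembered prefix is
#    used only if no regex matches.
#  - every regex is anchored with ^ and $, otherwise "/api/v1/users/12x"
#    would still match the users/{id} pattern.
#  - regexes containing "{" or "}" are quoted so the config parser does not
#    read the brace as the start of a block.

upstream app_backend {
    server 127.0.0.1:8080;          # assumption: the application server
}

server {
    listen 80;
    server_name api.example.com;     # assumption

    # Only the methods the API implements; everything else is refused
    # before routing. ("if" with a bare "return" is one of its safe uses.)
    if ($request_method !~ "^(GET|POST|PUT|DELETE)$") {
        return 405;
    }

    # Collection endpoints: exact path match.
    location = /api/v1/users {
        # The query string is invisible to location matching, so validate it
        # here: either empty or a single page=N argument, nothing else.
        if ($args !~ "^(page=[0-9]{1,4})?$") {
            return 400;
        }
        proxy_pass http://app_backend;
    }

    location = /api/v1/orders {
        if ($args !~ "^(page=[0-9]{1,4})?$") {
            return 400;
        }
        proxy_pass http://app_backend;
    }

    # Item endpoints: the argument grammar (a decimal id of at most ten
    # digits) is part of the allowlist.
    location ~ "^/api/v1/users/[0-9]{1,10}$" {
        proxy_pass http://app_backend;
    }

    location ~ "^/api/v1/orders/[0-9]{1,10}$" {
        proxy_pass http://app_backend;
    }

    # Known resource, malformed argument: 400 rather than 404, as the
    # question wants. Must come AFTER the strict patterns above, because the
    # first matching regex location wins.
    location ~ "^/api/v1/(users|orders)/" {
        return 400;
    }

    # Catch-all prefix location: nothing not listed above reaches the
    # application server, which is also where the performance gain the
    # question mentions comes from.
    location / {
        return 404;
    }
}
```

Check the file with `nginx -t` after editing. Two things worth stressing: nginx matches locations against the normalised, percent-decoded path without the query string, so any validation of query arguments has to be done separately (the $args check above), and regex locations are tried in file order with the first match winning, so the strict patterns must precede the looser 400 fallback. The route list is a second copy of the application's route table, which is the maintenance cost raised in the comments; generating it from the application's own route definitions keeps the two from drifting apart.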