Vol. 1 · Ed. 2026
CyberGlossary
Entry № 602

Input Validation

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Input Validation?

Input Validation: The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.


Input validation defends an application against malformed or malicious data from users, APIs, files and upstream services. The recommended approach is allow-listing — declaring exactly what is acceptable (data type, length, character set, regex, business range) and rejecting everything else — rather than trying to block bad patterns. Validation must be performed server-side because client-side checks can be bypassed; it is best combined with context-specific output encoding and parameterized queries. Many high-impact vulnerabilities (SQL injection, XSS, SSRF, deserialization issues, path traversal) trace back to weak or missing input validation at trust boundaries.

Examples

  1. Rejecting a 'quantity' parameter that is not a positive integer between 1 and 100.

  2. Allow-listing UUID v4 for an 'orderId' path parameter so SQLi payloads never reach the data layer.
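As an added example (not part of the glossary entry), here is a Python allow-list validator that covers both cases above; the order endpoint, its parameter names and the error type are assumptions.

```python
import re
from typing import Any, Callable

# Allow-list for the 'orderId' path parameter: RFC 4122 UUID v4 only
# (version nibble 4, variant nibble 8/9/a/b); anything else is refused
# before it can reach the data layer.
UUID_V4 = re.compile(
    r"\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\Z",
    re.IGNORECASE,
)

class ValidationError(ValueError):
    """Raised when an untrusted value fails its allow-list check."""

def validate_quantity(raw: Any) -> int:
    """Accept only a positive integer in [1, 100], given as the raw request string."""
    # Check the string form first so '007', ' 5', '5.0', '1e2' and '-3' are
    # refused outright instead of being silently coerced by int().
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,2}", raw):
        raise ValidationError("quantity must be a positive integer")
    value = int(raw)
    if not 1 <= value <= 100:
        raise ValidationError("quantity must be between 1 and 100")
    return value

def validate_order_id(raw: Any) -> str:
    """Accept only a UUID v4 string and return it in canonical lower case."""
    if not isinstance(raw, str) or UUID_V4.match(raw) is None:
        raise ValidationError("orderId must be a UUID v4")
    return raw.lower()

def validate_order_request(params: dict) -> dict:
    """Validate both parameters of a hypothetical order endpoint (assumed names).

    Any failure aborts the whole request, so nothing half-validated is processed.
    """
    return {
        "quantity": validate_quantity(params.get("quantity")),
        "orderId": validate_order_id(params.get("orderId")),
    }

def rejects(check: Callable[[Any], Any], raw: Any) -> bool:
    """True when `check` refuses `raw`; lets callers test rejection explicitly."""
    try:
        check(raw)
    except ValidationError:
        return True
    return False
```

Because the checks match the raw string rather than a coerced value, inputs that `int()` would happily accept (leading zeros, whitespace, exponent notation) are refused, which is the point of allow-listing over blocklisting.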

Frequently asked questions

What is Input Validation?

The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application. It belongs to the Application Security category of cybersecurity.

What does Input Validation mean?

The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.

How do you implement Input Validation?

Input validation combines technical controls (server-side allow-listing of type, length, range, format and value set, paired with context-specific output encoding and parameterized queries) with operational practices, as detailed in the full definition above.

What are other names for Input Validation?

Common alternative names include: Data validation, Server-side validation.
