Request Validation: Schemas, Sanitization & Security

Request Validation

Why Engineers Care About This

Request validation is how you ensure API inputs are correct before processing. Without validation, invalid inputs cause errors, security vulnerabilities, and data corruption. Good validation rejects bad inputs early (at API layer) with clear error messages. Bad validation allows bad inputs through, causing problems downstream.

When your API accepts invalid inputs, or validation errors are cryptic, or injection attacks succeed, you're hitting validation problems. These problems compound. Without validation, invalid inputs cause database errors, security vulnerabilities, and data corruption. Poor validation (cryptic errors, late validation) frustrates developers and makes debugging hard. Good validation prevents these problems by catching errors early.

In interviews, when someone asks "How would you validate this input?", they're really asking: "Do you understand validation strategies? Do you know how to prevent injection attacks? Do you understand that validation is about security, not just correctness?" Most engineers don't. They validate inputs inconsistently, or validate too late, or don't validate at all.

Core Intuitions You Must Build

• Validate early, at the API layer. Validate inputs as soon as they arrive (at API layer), before business logic. This rejects bad inputs early, preventing unnecessary processing and clear error messages. Don't validate in business logic—by then, it's too late (processing has started, errors are harder to trace). Also, validate all inputs—required fields, types, formats, ranges. Don't assume inputs are valid.

• Schema validation enables structured, reusable validation. Schema validation (JSON Schema, Zod, Joi) defines validation rules in a structured format. This enables reusable validation, clear error messages, and automatic documentation. Use schema validation for structured inputs (JSON, form data). Don't validate manually with if/else—it's error-prone and hard to maintain.

• Validation and sanitization prevent injection attacks. Validation checks if input is correct (format, type, range). Sanitization removes or escapes dangerous characters (SQL injection, XSS). Both are needed—validation ensures correctness, sanitization ensures security. Don't just validate—also sanitize inputs that are used in queries, commands, or HTML.

• Validation error messages should be clear and actionable. When validation fails, return clear error messages that explain what's wrong and how to fix it. Include field names, expected formats, and examples. Don't return cryptic errors ("Invalid input") or generic errors ("Validation failed"). Good error messages help developers fix issues quickly.

• Validation should be consistent across endpoints. Use consistent validation rules and error formats across endpoints. This makes APIs easier to learn and use—developers can predict validation behavior. Also, use shared validation schemas (reusable across endpoints) to ensure consistency. Don't validate differently for each endpoint—it creates confusion.

• Type validation prevents type errors. Validate input types (string, number, boolean, array, object) before processing. Type mismatches cause runtime errors that are hard to debug. Use schema validation to enforce types—it catches type errors early with clear messages. Don't assume inputs are the right type—validate types explicitly.

Subtopics (Taught Through Real Scenarios)

Schema Validation

What people usually get wrong:

Engineers often validate inputs manually with if/else statements. This works but is error-prone and hard to maintain. Schema validation (JSON Schema, Zod, Joi) defines validation rules in a structured format, enabling reusable validation, clear error messages, and automatic documentation. Use schema validation for structured inputs—it's more maintainable and less error-prone.

How this breaks systems in the real world:

A service validated inputs manually with if/else statements. Validation logic was duplicated across endpoints, making it hard to maintain. When validation rules changed, multiple places had to be updated, causing inconsistencies. Also, validation errors were inconsistent (different formats, different messages). The fix? Use schema validation (Zod)—define validation schemas once, reuse across endpoints. Now validation is consistent and maintainable. But the real lesson is: schema validation enables structured, reusable validation. Don't validate manually.

What interviewers are really listening for:

They want to hear you talk about schema validation, structured validation, and reusable schemas. Junior engineers say "just validate with if/else." Senior engineers say "use schema validation (JSON Schema, Zod, Joi) for structured validation—it enables reusable validation, clear error messages, and automatic documentation." They're testing whether you understand that validation is about structure, not just "checking values."

Validation and Security

What people usually get wrong:

Engineers often validate inputs for correctness but not security. But validation and sanitization prevent injection attacks. Validation checks if input is correct (format, type, range). Sanitization removes or escapes dangerous characters (SQL injection, XSS). Both are needed—validation ensures correctness, sanitization ensures security. Don't just validate—also sanitize inputs that are used in queries, commands, or HTML.

How this breaks systems in the real world:

A service validated email format but didn't sanitize email inputs used in SQL queries. An attacker sent a malicious email (containing SQL injection code). Validation passed (email format was correct), but the email was used in a SQL query without sanitization, causing SQL injection. The fix? Sanitize inputs used in queries (use parameterized queries, escape special characters). But the real lesson is: validation ensures correctness, sanitization ensures security. Both are needed.

What interviewers are really listening for:

They want to hear you talk about validation vs sanitization, injection attacks, and security. Junior engineers say "just validate inputs." Senior engineers say "validate inputs for correctness (format, type, range) and sanitize inputs for security (remove/escape dangerous characters)—both are needed to prevent injection attacks." They're testing whether you understand that validation is about security, not just correctness.

Validation Error Messages

What people usually get wrong:

Engineers often return cryptic validation errors ("Invalid input" or "Validation failed"). But validation error messages should be clear and actionable—explain what's wrong and how to fix it. Include field names, expected formats, and examples. Good error messages help developers fix issues quickly. Bad error messages frustrate developers and increase support requests.

How this breaks systems in the real world:

An API returned validation errors like "Invalid input" or "Validation failed" without details. Developers couldn't figure out what was wrong—which field failed, what format was expected, how to fix it. Integration was slow and frustrating. The fix? Return detailed validation errors—field names, expected formats, examples. Now developers can fix issues quickly. But the real lesson is: validation error messages are user-facing. Make them clear and actionable.

What interviewers are really listening for:

They want to hear you talk about validation error messages, clarity, and actionability. Junior engineers say "just return 'Invalid input'." Senior engineers say "return clear validation error messages that explain what's wrong and how to fix it—include field names, expected formats, and examples." They're testing whether you understand that error messages are about helping developers, not just "reporting errors."

---

• Validate early, at the API layer—reject bad inputs before business logic
• Schema validation enables structured, reusable validation—use JSON Schema, Zod, or Joi
• Validation and sanitization prevent injection attacks—validate correctness, sanitize security
• Validation error messages should be clear and actionable—explain what's wrong and how to fix it
• Validation should be consistent across endpoints—use shared validation schemas
• Type validation prevents type errors—validate types explicitly, don't assume
• Good validation prevents errors, security vulnerabilities, and data corruption

---

• API Design - Designing APIs with proper validation
• Error Handling & Logging - Returning validation errors
• Authentication & Authorization - Validating authentication inputs