by userbinator
3270 days ago
The attack surface is the same whether the API is officially open/documented or not --- if you think that data received through a web API is somehow more trustworthy/less demanding of validation just because you haven't documented it and only release an app which uses it, you are doing it wrong. Conceptually, it's just a listening server on the public Internet, and will be subject to arbitrary data anyone willing to connect to it can send.