49. Secure Input and Output Design in Web Contexts
Web apps must handle all inputs and outputs as untrusted, regardless of source.
Example
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/api", methods=["POST"])
def api():
    data = request.get_json(silent=True)  # None when the body is not valid JSON
    # Validate: the payload must be a JSON object carrying a string "name" field
    if not isinstance(data, dict) or not isinstance(data.get("name"), str):
        return jsonify({"error": "Invalid data"}), 400
    # Encode for output: neutralise HTML tag characters before the value is echoed back
    safe_name = data["name"].replace("<", "&lt;").replace(">", "&gt;")
    return jsonify({"message": f"Hello {safe_name}"})
✅ Lesson: Validate every incoming field, encode all outgoing data, and never trust client input.
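The same validate-then-encode pattern, as an added framework-free example (not the lesson's own code) that can run without Flask. It assumes a constructed payload schema with a required "name" (allow-listed characters) and an optional free-text "note", and shows that encoding depends on the output context: json.dumps for an API response, html.escape when the same data lands in a page.

```python
import html
import json
import re

# Assumed allow-list for display names: letters, spaces, hyphens, apostrophes, max 64 chars.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")
MAX_NOTE_LEN = 280


def parse_body(raw):
    """Parse the raw request body; malformed JSON is simply invalid input, not a crash."""
    try:
        return json.loads(raw)
    except (ValueError, TypeError):
        return None


def validate(data):
    """Return a list of field errors; an empty list means the payload is acceptable."""
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    errors = []
    name = data.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("name is missing, not a string, or contains disallowed characters")
    note = data.get("note", "")  # optional free-text field, length-limited only
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        errors.append("note must be a string of at most %d characters" % MAX_NOTE_LEN)
    for key in data:  # reject fields the schema does not know about
        if key not in ("name", "note"):
            errors.append("unexpected field: %s" % key)
    return errors


def respond_json(data):
    """API response: json.dumps quotes the data for a JSON context; no HTML entities here."""
    errors = validate(data)
    if errors:
        return 400, json.dumps({"error": errors})
    return 200, json.dumps({"message": "Hello " + data["name"]})


def respond_html(data):
    """Same payload rendered into HTML: every field is escaped at the output boundary,
    including the allow-listed name (its apostrophe still matters inside an attribute)."""
    errors = validate(data)
    if errors:
        return 400, "<p>Invalid data</p>"
    name = html.escape(data["name"], quote=True)
    note = html.escape(data.get("note", ""), quote=True)
    return 200, '<p title="%s">Hello %s</p><p>%s</p>' % (name, name, note)
```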