I've noticed that sending random junk to the API endpoint can trigger an internal server error (500). I think the correct thing to do in this case is return a code in the 4xx range such as "Bad Request". Generally 4xx means "you messed up" whereas 5xx means "we messed up".
Example:
curl -d "foo=%22%22" -X POST https://camcops.example.com
I think if the request looks like a random attacker rather than a confused client, we should just return "Bad Request" with no further explanation. For genuine mistakes such as wrong credentials, we can be more helpful.
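A sketch of the split proposed above, added here as an example and not taken from the project's code: junk input gets a bare 400, wrong credentials get a specific message, and only genuine server faults reach 500. The field names, the credential table, the size limit and the choice of 401 for bad credentials are all assumptions made for illustration.

```python
import hmac
import logging
from urllib.parse import parse_qs

# Hypothetical field names and a constructed credential table (illustration only).
REQUIRED = ("operation", "user", "password")
USERS = {"alice": "correct-horse"}
MAX_BODY = 64 * 1024  # assumed upper bound on a legitimate request body

class MalformedRequest(Exception):
    """The request does not look like it came from a real client."""

class BadCredentials(Exception):
    """Well-formed request from a plausible client, but authentication failed."""

def handle(body: bytes) -> str:
    if len(body) > MAX_BODY:
        raise MalformedRequest("body too large")
    try:
        fields = parse_qs(body.decode("utf-8"), strict_parsing=True)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError subclass
        raise MalformedRequest("unparseable body") from exc
    # Every required field must be present exactly once.
    if any(len(fields.get(name, [])) != 1 for name in REQUIRED):
        raise MalformedRequest("missing or repeated field")
    user, password = fields["user"][0], fields["password"][0]
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise BadCredentials(user)
    return "ok: " + fields["operation"][0]

def respond(body: bytes) -> tuple[int, str]:
    """Map each failure class to a status code and client-visible text."""
    try:
        return 200, handle(body)
    except MalformedRequest as exc:
        logging.info("rejected request: %s", exc)  # reason stays in the log
        return 400, "Bad Request"
    except BadCredentials:
        return 401, "Invalid username or password"
    except Exception:
        logging.exception("unhandled error")  # a real server-side bug
        return 500, "Internal Server Error"

if __name__ == "__main__":
    print(respond(b"foo=%22%22"))  # the junk body from the report
```

The reason for each rejection is written to the server log only, so the 400 response gives a probing client nothing to work with.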