Let's assume we have a required attribute foo for an API call. It can have valid values of 1 and 2, which denote some valid option in the system. Since this field accepts an integer, if we provide other integers like 3, 4, 5, we get a 406 code with a message like "foo cannot be XXXX" in the response header.

Now, XXXX is another valid payment type in the system, just not valid for the current use case. Should this (i.e. other valid values in the system) be hidden from the client with a generic error like "Invalid payment type", or is this acceptable behavior?

What could be valid security concerns with this approach?
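To make the concern concrete, here is an added example (not part of the original question) that models the two designs side by side: the validator as described, whose rejection message differs for known-but-not-applicable values, and a variant that returns one generic message and keeps the specific reason in server-side logs. The payment-type sets and the helper names are constructed for illustration.

```python
"""Added example: two validators for the `foo` payment-type attribute.
The constants below are constructed sample values, not from any real system."""
import logging
from typing import Callable, Iterable, Tuple

# Constructed sample data: every payment type the system knows about,
# and the subset that is acceptable for this particular API call.
KNOWN_PAYMENT_TYPES = {1, 2, 3, 4}
ALLOWED_FOR_THIS_CALL = {1, 2}

log = logging.getLogger("payments")


def validate_leaky(foo: int) -> Tuple[int, str]:
    """Behaviour described in the question: a known-but-not-allowed value
    gets its own message, so a rejected request reveals which integers are
    real payment types elsewhere in the system."""
    if foo in ALLOWED_FOR_THIS_CALL:
        return 200, "ok"
    if foo in KNOWN_PAYMENT_TYPES:
        return 406, f"foo cannot be {foo}"
    return 406, "Invalid payment type"


def validate_generic(foo: int) -> Tuple[int, str]:
    """Hardened variant: the client sees one message for every rejected
    value; the precise reason goes to server-side logs for operators."""
    if foo in ALLOWED_FOR_THIS_CALL:
        return 200, "ok"
    if foo in KNOWN_PAYMENT_TYPES:
        log.info("foo=%d is a known type but not allowed for this call", foo)
    else:
        log.info("foo=%d is not a known payment type", foo)
    return 406, "Invalid payment type"


def distinguishable_rejections(validator: Callable[[int], Tuple[int, str]],
                               candidates: Iterable[int]) -> int:
    """Count the distinct rejection responses a caller can tell apart over
    `candidates`. A result of 1 means rejections carry no extra information;
    anything higher means the error channel acts as an oracle."""
    responses = {validator(v) for v in candidates}
    return len({r for r in responses if r[0] != 200})
```

Over the integers 0 to 9 the leaky validator yields three distinguishable rejections (two of them naming real types 3 and 4), the generic one yields a single rejection, while both accept exactly the same requests.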