Hiding other configuration values from the consumer of an API

by Gaurav Singh   Last Updated September 11, 2019 07:05 AM

Let's assume we have a required attribute foo for an API call. This can have valid values of 1 and 2 which denote some valid option in the system.

Since this field accepts an integer, if we provide other integers like 3, 4, 5 we get a 406 code with a message like foo cannot be XXXX in response header.

Now, XXXX is another valid payment type in the system. Just not valid for the current use case.

Should this (i.e. other valid values in the system) be hidden from the client with a generic error like Invalid payment type or this is acceptable behavior.

What could be valid security concerns with this approach?

Tags : api-design

Related Questions

Updated April 29, 2015 23:02 PM

Updated April 29, 2016 08:02 AM

Updated December 17, 2017 20:05 PM

Updated March 29, 2018 08:05 AM