All user-controlled inputs must be validated and sanitized before use to prevent injection attacks, unauthorized access, and other security vulnerabilities. This includes query parameters, environment variables, URLs, and database values.
When handling user inputs:

- Validate URL parameters with a schema so that only well-formed URLs reach the application:

  ```ts
  // Validate URL parameters
  baseUrl: z.string().url(),
  ```

- Validate security-related environment variables against an allow-list of accepted values:

  ```ts
  // Validate security-related environment variables
  LANGFUSE_S3_EVENT_UPLOAD_SSE: z.enum(["AES256", "aws:kms"]).optional(),
  ```

- Never interpolate user-controlled strings into raw SQL text; let the query builder bind them as parameters:

  ```ts
  // INSECURE: string interpolation places the user value directly in the SQL text
  Prisma.raw(`AND ${model} ~ match_pattern`)

  // SECURE: the Prisma.sql tagged template binds ${model} as a query parameter
  Prisma.sql`AND ${model} ~ match_pattern`
  ```

- Validate query parameters before use and reject anything that does not have the expected type:

  ```ts
  // Validate query parameters
  if (!id || typeof id !== 'string') {
    return res.status(400).json({ error: 'Valid ID required' });
  }
  ```
Proper input validation is your first line of defense against many common security vulnerabilities including SQL injection, XSS, CSRF, and path traversal attacks.
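The checks above, carried through as a dependency-free JavaScript sketch; this is an added example, not Langfuse code. The function names validateEnv, validateQuery and buildModelFilter are hypothetical, and the sample inputs are constructed for illustration.

```javascript
// Added example (not project code). Mirrors the validation rules above
// without zod: allow-list for the SSE env var, URL and type checks for
// query parameters, and a query fragment whose user value is a bound parameter.

const SSE_MODES = ["AES256", "aws:kms"]; // same allow-list as the z.enum above

// Environment: the S3 SSE setting must be absent or one of the allowed values.
function validateEnv(env) {
  const sse = env.LANGFUSE_S3_EVENT_UPLOAD_SSE;
  if (sse !== undefined && !SSE_MODES.includes(sse)) {
    return {
      ok: false,
      error: `LANGFUSE_S3_EVENT_UPLOAD_SSE must be one of ${SSE_MODES.join(", ")}`,
    };
  }
  return { ok: true, value: { sse } };
}

// Query parameters: id must be a non-empty string (arrays from repeated
// ?id= parameters are rejected), baseUrl must parse as an http(s) URL.
function validateQuery(query) {
  const { id, baseUrl } = query;
  if (!id || typeof id !== "string") {
    return { ok: false, status: 400, error: "Valid ID required" };
  }
  let url;
  try {
    url = new URL(baseUrl); // throws on anything that is not a parseable URL
  } catch {
    return { ok: false, status: 400, error: "Valid baseUrl required" };
  }
  if (!["http:", "https:"].includes(url.protocol)) {
    return { ok: false, status: 400, error: "baseUrl must use http or https" };
  }
  // Return the normalized URL, not the raw input string.
  return { ok: true, value: { id, baseUrl: url.toString() } };
}

// Parameterized filter: the SQL text is constant and the user-controlled
// value travels separately, in the style of pg's { text, values } queries.
function buildModelFilter(model) {
  return { text: "AND $1 ~ match_pattern", values: [model] };
}
```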