Server API defensive design?
For a service REST API, for example, http://service_host/stores/count=30
will return 30 stores extracted from the DB.
If someone puts count=99999999, the service will spend quite a while to
return all the stores. Shall I put a limit on the count parameter from the
service side? Or shall I leave it to the client to enforce any limit they
need?
Also, is it better to implement the validation of this count parameter
(like valid type, positive value, etc.) on the service side? I tend to make
the service strong and safe, but hesitate to put too much checking in it.
Is there any design convention to follow here?
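
One way to do the service-side check and limit the question describes, as an added example that is not part of the original post. The default of 30, the ceiling of 100, and the names parse_count, BadRequest and list_stores are assumptions made for illustration.

```python
import re

DEFAULT_COUNT = 30   # assumed default page size
MAX_COUNT = 100      # assumed server-side ceiling
_DIGITS = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length


class BadRequest(ValueError):
    """Maps to an HTTP 400 response in the web layer."""


def parse_count(raw, *, default=DEFAULT_COUNT, maximum=MAX_COUNT, clamp=True):
    """Validate the `count` query parameter on the service side.

    raw is the string taken from the request, or None when absent.
    Returns an int in [1, maximum] or raises BadRequest.
    """
    if raw is None or raw == "":
        return default
    # fullmatch rejects signs, whitespace, decimals and non-ASCII digits;
    # the length bound keeps int() from parsing arbitrarily long input.
    if not _DIGITS.fullmatch(raw):
        raise BadRequest("count must be a positive integer")
    value = int(raw)
    if value < 1:
        raise BadRequest("count must be at least 1")
    if value > maximum:
        if clamp:
            return maximum  # silently cap, as many paginated APIs do
        raise BadRequest(f"count must not exceed {maximum}")
    return value


def list_stores(query, stores):
    """Hypothetical handler: returns (status, body) for the stores listing."""
    try:
        count = parse_count(query.get("count"))
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    # The limit is fixed before the data source is touched, so the
    # database query itself can be bounded (for example SQL LIMIT count).
    return 200, {"count": count, "stores": stores[:count]}
```

Pass clamp=False to reject oversized values with a 400 instead of capping them.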