ASVS Requirement 4.2.5
- Level: 3
- Chapter: V4 API and Web Service
- Section: V4.2 HTTP Message Structure Validation
- Source: 0x13-V4-API-and-Web-Service.md
Description
Verify that, if the application (backend or frontend) builds and sends requests, it uses validation, sanitization, or other mechanisms to avoid creating URIs (such as for API calls) or HTTP request header fields (such as Authorization or Cookie) that are too long to be accepted by the receiving component. This could cause a denial of service, such as when sending an overly long request (e.g., a long cookie header field), which results in the server always responding with an error status.
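An added example of such a check in Python (not ASVS text or code): the outgoing URI and header fields are measured as they would appear on the wire before the request is sent, and the request is refused when any limit configured for the receiving component is exceeded. The limit values, names and the sample API host are assumptions for illustration.

```python
"""Added example: bound outgoing URI and header sizes before sending a request."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed limits of the downstream component (illustrative; real values must
# match what the proxy, gateway or server on the receiving end accepts).
MAX_URI_BYTES = 2048
MAX_HEADER_FIELD_BYTES = 4096      # one "Name: value" line
MAX_TOTAL_HEADER_BYTES = 8192      # all header lines together


def build_uri(base, path, params):
    """Join a base URL, path and query parameters into the encoded URI."""
    scheme, netloc, _, _, _ = urlsplit(base)
    return urlunsplit((scheme, netloc, path, urlencode(params, doseq=True), ""))


def check_request_size(uri, headers):
    """Return a list of limit violations; an empty list means the request fits.

    Lengths are measured in bytes of the wire form: UTF-8 for the URI and
    Latin-1 for header lines, as HTTP/1.1 transmits them.
    """
    problems = []
    uri_len = len(uri.encode("utf-8"))
    if uri_len > MAX_URI_BYTES:
        problems.append(f"uri too long: {uri_len} > {MAX_URI_BYTES}")
    total = 0
    for name, value in headers.items():
        line_len = len(f"{name}: {value}\r\n".encode("latin-1", errors="replace"))
        total += line_len
        if line_len > MAX_HEADER_FIELD_BYTES:
            problems.append(
                f"header {name} too long: {line_len} > {MAX_HEADER_FIELD_BYTES}")
    if total > MAX_TOTAL_HEADER_BYTES:
        problems.append(f"headers total too long: {total} > {MAX_TOTAL_HEADER_BYTES}")
    return problems


def prepare_request(base, path, params, headers):
    """Build the request and refuse it (before any network I/O) when a limit is exceeded."""
    uri = build_uri(base, path, params)
    problems = check_request_size(uri, headers)
    if problems:
        raise ValueError("; ".join(problems))
    return uri, headers
```

A request refused here fails once at the sender with a clear reason, instead of being retried against a server that will answer every attempt with an error status.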