Hiding other configuration values from the consumer of an API

by Gaurav Singh   Last Updated September 11, 2019 07:05 AM

Let's assume we have a required attribute foo for an API call. This can have valid values of 1 and 2 which denote some valid option in the system.

Since this field accepts an integer, if we provide other integers like 3, 4, or 5, we get a 406 code with a message like "foo cannot be XXXX" in the response header.

Now, XXXX is another valid payment type in the system, just not valid for the current use case.

Should this (i.e. other valid values in the system) be hidden from the client with a generic error like "Invalid payment type", or is this acceptable behavior?

What could be valid security concerns with this approach?

Tags : api-design
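The two behaviours the question compares, side by side, with a check that reports which internal type names a rejection response discloses. This is an added example, not part of the original post; the payment type names, the `X-Error` and `X-Request-Id` headers, and all function names are assumptions made for illustration.

```python
import json
import logging

log = logging.getLogger("api.validation")

# Constructed sample data: every payment type the system knows (assumed names).
SYSTEM_PAYMENT_TYPES = {1: "CARD", 2: "BANK_TRANSFER", 3: "VOUCHER", 4: "INTERNAL_CREDIT"}
# Values of foo accepted by this particular API call (1 and 2, as in the question).
ALLOWED_FOR_CALL = {1, 2}


def validate_foo_verbose(foo):
    """Behaviour described in the question: the 406 message names the rejected type."""
    if foo in ALLOWED_FOR_CALL:
        return 200, {}
    name = SYSTEM_PAYMENT_TYPES.get(foo, "unknown")
    return 406, {"X-Error": f"foo cannot be {name}"}


def validate_foo_generic(foo, request_id="req-0"):
    """Same check, but the detail goes to the server log, not to the client."""
    if foo in ALLOWED_FOR_CALL:
        return 200, {}
    log.warning("rejected foo=%r (%s) request=%s", foo,
                SYSTEM_PAYMENT_TYPES.get(foo, "not a known type"), request_id)
    # The request id lets support correlate a client report with the log entry.
    return 406, {"X-Error": "Invalid payment type", "X-Request-Id": request_id}


def disclosed_names(validator, probes):
    """Return the internal type names that appear in any rejection response."""
    leaked = set()
    for value in probes:
        status, headers = validator(value)
        if status == 200:
            continue
        text = json.dumps(headers)
        leaked.update(n for n in SYSTEM_PAYMENT_TYPES.values() if n in text)
    return leaked


if __name__ == "__main__":
    probes = range(0, 10)
    print("verbose:", sorted(disclosed_names(validate_foo_verbose, probes)))
    print("generic:", sorted(disclosed_names(validate_foo_generic, probes)))
```

`disclosed_names` can run as a regression test against the real handler, so that a later change to the error text does not reintroduce the names.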
