Data Validation

Validating user input is the basis of application security. Data validation ensures that it is exactly the kind of data that an application expects. Invalid requests are generally rejected outright and an error is returned to users. You can choose where to perform data validation, but we focus on client- and server-side validation.

Basic data sanity checks using client-side validation can give storefront users immediate feedback. Whereas using robust server-side validation can stop malicious requests.

After the request is sent, validate the data again. If the data is invalid, B2C Commerce halts processing and informs the user via an error message. As a result, accidental, mistyped data is reported to legitimate users via client-side validation, while malicious users sending requests directly to servers are stopped by server-side validation.

Protect Against Injection Attacks

Proper validation protects against injection attacks. When used with output encoding, it provides an even more robust defense against injection attacks. Here are some considerations.

Don’t use too much internal logic with client-side checks when validating data. This risks exposing lists of expected values or potentially valid data to the client to check against. Doing this can give away valuable data to all clients, including malicious attackers searching for vulnerabilities.

Avoid relying too heavily on validation for security. Validation steps are just one piece of a larger, in-depth security control that promotes multiple stages of security checks. This practice is a common problem, especially with regular expressions because they are difficult to verify exhaustively.

You can validate user input in the following ways.

Validate User Input Via... Description

Allowlisting is the most strict validation strategy. You define what an acceptable input is and reject everything else. For example, if the input is for a day of the week, only seven known values are expected.

You can also allowlist the format of input. For example, dates and Social Security numbers have a specific format.


When the input can take too many forms to be allowlisted, blocklisting is an effective option. Use blocklisting to block certain types of input that are known to be inadmissible. You can't identify all potentially bad input, but consider the following questions when you implement blocklisting.

  • What is the appropriate length of the input?
  • What character sets should we allow or disallow?
  • Is supporting only numeric, alphabetic, or alphanumeric an option?
X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.