JSON Security
JSON is ubiquitous across web and mobile apps. While the format is simple, insecure handling can lead to critical vulnerabilities. This guide summarizes real‑world risks and pragmatic mitigations you can adopt today. Keep in mind that security is layered: validate inputs, constrain parsers, lock down transport, and minimize data exposure.
Common Risks
- JSON injection: Concatenating untrusted input into a JSON string lets an attacker break the syntax or smuggle extra keys and values into the document. Build JSON with a serializer (JSON.stringify or its equivalent) and read it with a real parser; never assemble it by string concatenation.
- Oversized payloads: Very large or deeply nested JSON can exhaust memory or CPU. Attackers abuse this to trigger DoS conditions.
- Leaky CORS: Overly broad Access-Control-Allow-Origin values, especially when combined with credentials, let scripts on hostile sites read authenticated API responses through a victim's browser.
- Deserialization pitfalls: In some stacks, polymorphic JSON deserialization lets the payload choose which class is instantiated, so unexpected types (and their constructors or setters) can run on untrusted input.
- Sensitive data exposure: Returning secrets (tokens, PII) in verbose responses increases risk.
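The injection risk in the list above, shown as an added JavaScript example that is not code from the original guide. The profile template, the field names and the two hostile display names are constructed for illustration.

```javascript
// Added example (not from the original guide): JSON injection via string
// concatenation versus structured serialization. The template, field names and
// the hostile values are constructed for illustration.

// Vulnerable: untrusted text is spliced into a JSON template.
function buildProfileUnsafe(displayName) {
  return '{"role":"user","displayName":"' + displayName + '"}';
}

// Hardened: build a plain object and let the serializer escape the value.
function buildProfileSafe(displayName) {
  return JSON.stringify({ role: "user", displayName: displayName });
}

// Constructed hostile input: closes the string, appends a duplicate "role"
// key, and leaves the document syntactically valid so downstream parsing
// still succeeds.
const HOSTILE_NAME = 'alice","role":"admin","x":"';

// Constructed input that simply breaks the syntax instead of smuggling data.
const BROKEN_NAME = 'bob"';

function parseOrNull(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

function demo() {
  const unsafe = parseOrNull(buildProfileUnsafe(HOSTILE_NAME));
  const safe = parseOrNull(buildProfileSafe(HOSTILE_NAME));
  return {
    unsafeRole: unsafe.role,                 // "admin": the last duplicate key wins in JSON.parse
    safeRole: safe.role,                     // "user"
    safeNameIntact: safe.displayName === HOSTILE_NAME,
    unsafeBroken: parseOrNull(buildProfileUnsafe(BROKEN_NAME)) === null,
    safeBrokenOk: parseOrNull(buildProfileSafe(BROKEN_NAME)) !== null,
  };
}

console.log(demo());
```

The smuggled "role" key is honoured because JSON.parse keeps the last of two duplicate keys; other parsers keep the first or raise an error, so the same payload can be read differently by two services in one pipeline. The serializer path is immune because every quote in the value is escaped and the document has exactly the keys the code put there.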
Mitigations
- Validate with JSON Schema; where a strict contract is required, reject unknown properties (additionalProperties: false) rather than silently ignoring them.
- Apply maximum body size, depth, and time limits on parsers; cap array lengths and object key counts.
- Use allow‑listed CORS origins; restrict credentials, headers, and methods.
- Avoid eval and unsafe deserializers, since they execute or instantiate whatever the payload contains; prefer the native JSON.parse and well-known libraries.
- Minimize data: omit secrets, mask PII, and log carefully. Encrypt transport with HTTPS and consider response signing for sensitive workflows.
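The parser-limit and strict-schema mitigations above, as an added JavaScript (Node.js) example that is not part of the original guide. The limit values, the small schema format, the hypothetical helper names (safeParse, validateStrict) and the four sample payloads are assumptions made for illustration; Buffer.byteLength assumes a Node runtime, and a production service would normally use a JSON Schema validator library in place of validateStrict. The deeply nested and oversized-array payloads are the kind of input the testing checklist asks you to fuzz with.

```javascript
// Added example (not from the original guide): JSON.parse wrapped in byte-size,
// nesting-depth, array-length and key-count limits, followed by a strict
// allow-list schema check. Limit values, schema shape and inputs are assumptions.

const DEFAULT_LIMITS = { maxBytes: 64 * 1024, maxDepth: 32, maxArrayLength: 1000, maxKeys: 200 };

// Pre-parse scan of the raw text: track bracket nesting while skipping string
// contents, so a payload of thousands of '[' is refused before JSON.parse
// ever recurses into it.
function scanDepth(text, maxDepth) {
  let depth = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === "\\") i++;             // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "{" || ch === "[") {
      if (++depth > maxDepth) return false;
    } else if (ch === "}" || ch === "]") depth--;
  }
  return true;
}

// Post-parse walk (iterative, so the walk itself cannot overflow the stack):
// cap array lengths and object key counts.
function checkShape(value, limits) {
  const stack = [value];
  while (stack.length > 0) {
    const v = stack.pop();
    if (Array.isArray(v)) {
      if (v.length > limits.maxArrayLength) return false;
      for (const item of v) stack.push(item);
    } else if (v !== null && typeof v === "object") {
      const keys = Object.keys(v);
      if (keys.length > limits.maxKeys) return false;
      for (const k of keys) stack.push(v[k]);
    }
  }
  return true;
}

// Returns { ok: true, value } or { ok: false, error } without throwing.
function safeParse(text, limits = DEFAULT_LIMITS) {
  if (Buffer.byteLength(text, "utf8") > limits.maxBytes) return { ok: false, error: "too large" };
  if (!scanDepth(text, limits.maxDepth)) return { ok: false, error: "too deep" };
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "syntax" };
  }
  if (!checkShape(value, limits)) return { ok: false, error: "too wide" };
  return { ok: true, value };
}

// Minimal strict schema: properties map names to expected typeof results;
// undeclared properties are rejected rather than ignored. hasOwnProperty is
// used instead of `in` so inherited names like "constructor" do not pass.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function validateStrict(obj, schema) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return ["expected an object"];
  const errors = [];
  for (const key of Object.keys(obj)) {
    if (!hasOwn(schema.properties, key)) errors.push(`unknown property: ${key}`);
    else if (typeof obj[key] !== schema.properties[key]) errors.push(`wrong type for ${key}`);
  }
  for (const key of schema.required) if (!hasOwn(obj, key)) errors.push(`missing property: ${key}`);
  return errors;
}

// Constructed sample payloads: one benign, one deeply nested, one oversized
// array, one with an undeclared property. The schema is an assumption.
const SAMPLES = {
  good: '{"user":"alice","age":30}',
  deep: "[".repeat(100) + "]".repeat(100),
  wide: JSON.stringify(Array.from({ length: 5000 }, (_, i) => i)),
  unknownKey: '{"user":"alice","age":30,"isAdmin":true}',
};
const USER_SCHEMA = { properties: { user: "string", age: "number" }, required: ["user"] };

function demo() {
  const results = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    const parsed = safeParse(text);
    results[name] = parsed.ok
      ? { ok: true, errors: validateStrict(parsed.value, USER_SCHEMA) }
      : { ok: false, error: parsed.error };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The order of the checks matters: the byte cap and the raw-text depth scan run before JSON.parse so the cheap rejections happen without allocating the parsed tree, and the shape walk runs after it because array lengths and key counts are only known once the structure exists. The byte cap should also be enforced by the web framework or reverse proxy before the body is read into memory at all.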
Testing Checklist
- Fuzz deeply nested objects and huge arrays
- Try unexpected types (strings vs numbers vs objects)
- Verify strict schema enforcement and helpful error messages
- Confirm CORS denies unwanted origins and private network requests