Robustness

Historical meaning

There are many possible applications of the robustness principle, and its original context (as highlighted by Martin Thomson's dissent) is not applicable to new API design:

While the goal of this specification is to be explicit about the protocol there is the possibility of differing interpretations. In general, an implementation should be conservative in its sending behavior, and liberal in its receiving behavior.

Paraphrased, the narrower, original definition of the robustness principle states that if a protocol's specification exists apart from sundry implementations, a defensive implementor should react to ambiguity (which is a defect of the specification) with:

• A broad interpretation of what constitutes valid input (but still only within the confines of what the specification leaves open to interpretation)
• A narrow interpretation of what constitutes valid output

Specificity of validity

The formal definition and documentation for a service API SHOULD be as explicit as possible about what constitutes valid input.

A client developer shouldn't have to guess at the boundaries of valid input. Armed with explicit knowledge of input validity, developers can write client applications which are more resistant to unexpected failure (and, in this way, are more robust). This specificity also allows quality and security testing to employ boundary-value analysis.

A service implementation SHOULD NOT be liberal in accepting input where the API definition is ambiguous about validity. Instead, the definition SHOULD be updated to remove such ambiguity.

Input canonicalization

The formal definition for a service API SHOULD NOT allow a broad range of semantically equivalent inputs without strong justification or mitigation of the inherent problems.

There are usability benefits to accepting various forms of input. It can be more convenient for a developer — and lower an API's barrier to entry — if a client application doesn't have to canonicalize input before sending it.

But the downsides of accepting noncanonical input can be significant:

• Canonicalization can be a complicated procedure with many corner cases and ambiguities that significantly increase the complexity of an API. The additional complexity of transforming noncanonical input makes the service harder to develop and maintain. It also expands the testing and attack surfaces.
• If canonicalization decisions are tied to specific libraries used by the service, it could be significantly harder to transition a service implementation to a new technology.
• If canonicalization is done lazily^[1], the burden falls on clients to compute equivalency of values. Also, collection sorting behavior might surprise some client developers regardless of how order is computed for noncanonical values.
• If canonicalization is done eagerly^[2], some clients — declarative orchestration engines in particular — could experience undesired behavior if a value the client sets is silently transformed. The client might erroneously assume that a canonicalizing transformation it observes is a conflicting update (from another client in a race) and repeatedly attempt to reset the value.
• Besides increasing overall attack surface, certain classes of attacks specifically depend on bugs where different code paths disagree on canonicalization logic.

Sanitation and validation

Definitively invalid or ambiguous input MUST NOT be ignored and therefore MUST result in an error. Validation is better than sanitation.

There are several reasons ignoring invalid input is dangerous and ill-advised. The following are hazards of a service that ignores invalid input:

• Client developers could be confused as to why a feature is not working as expected, when in reality their request is inadvertently malformed in a way that's hard to spot.
• Subtle bugs in client applications could result in dangerous unintentional consequences. For example, if a filter parameter on a list operation is ignored because a malformed value is unintentionally provided, a client might misconfigure or delete the wrong set of resources. In extreme cases such bugs could result in outages of dependent services, loss of data, or accidental access grants to resources.
• Subtle bugs in service code that fail to fully discard invalid input in all contexts could result in attack vectors.

Extraneous input

Except where required by an industry standard or convention^[3], extraneous input, such as unrecognized properties in JSON request bodies and unrecognized query parameters, SHOULD NOT be ignored and SHOULD result in an error.

All of the downsides listed for silently ignoring invalid input also apply to ignoring extraneous input.

Additionally, ignoring extraneous input causes particular hazards for evolving a service in a backward-compatible way. Specifically, if a client is sending a property or parameter that is unsupported and ignored, then the client application could experience a failure or an outage if and when support is added to the service for a property or parameter of the same name.