JSON Security Checklist

1. Input Validation

  • Validate JSON structure: Use strict schemas (JSON Schema, OpenAPI, protobuf). Reject unknown fields.
  • Enforce types: Ensure all fields match expected types; avoid implicit type coercion.
  • Size limits: Set max body size to prevent DoS via large payloads.
  • Depth and recursion limits: Limit nesting depth to prevent parser abuse or stack overflows.
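The four checks above, worked through in one function. This is an added example, not code from the original checklist: plain Node.js with no schema library, using a hypothetical "mini-schema" format invented for the demonstration (a production service would use a JSON Schema validator, which performs the same checks). The byte limit is applied to the raw body, nesting depth is measured on the raw text before the parser ever runs, unknown fields are rejected, and types are compared strictly with no coercion.

```javascript
// Added example (not from the original checklist). The schema format below is
// hypothetical and exists only for this demonstration.

const LIMITS = { maxBytes: 16 * 1024, maxDepth: 8 };

// Measure nesting depth on the raw text *before* parsing, ignoring brackets
// inside string literals, so an over-deep payload is rejected without ever
// reaching the recursive parser.
function rawNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  let escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}' || ch === ']') {
      depth -= 1;
    }
  }
  return maxDepth;
}

// Strict type predicates: "30" is not an integer, 30.5 is not an integer.
function matchesType(value, type) {
  switch (type) {
    case 'string': return typeof value === 'string';
    case 'boolean': return typeof value === 'boolean';
    case 'integer': return Number.isInteger(value);
    case 'number': return typeof value === 'number' && Number.isFinite(value);
    case 'string[]': return Array.isArray(value) && value.every((v) => typeof v === 'string');
    default: return false;
  }
}

function validateJsonRequest(rawBody, schema, limits = LIMITS) {
  const bytes = new TextEncoder().encode(rawBody).length;
  if (bytes > limits.maxBytes) {
    return { ok: false, errors: [`body too large: ${bytes} bytes`] };
  }
  if (rawNestingDepth(rawBody) > limits.maxDepth) {
    return { ok: false, errors: ['nesting too deep'] };
  }
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, errors: ['malformed JSON'] };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, errors: ['top-level value must be an object'] };
  }
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const errors = [];
  for (const key of Object.keys(data)) {
    if (!own(schema.fields, key)) {
      errors.push(`unknown field: ${key}`); // also catches isAdmin, __proto__, ...
    } else if (!matchesType(data[key], schema.fields[key])) {
      errors.push(`wrong type for ${key}: expected ${schema.fields[key]}`);
    }
  }
  for (const key of schema.required) {
    if (!own(data, key)) errors.push(`missing required field: ${key}`);
  }
  return errors.length === 0 ? { ok: true, errors: [], data } : { ok: false, errors };
}

// Constructed sample schema and payloads for the demonstration.
const USER_SCHEMA = {
  fields: { name: 'string', age: 'integer', tags: 'string[]' },
  required: ['name'],
};
const SAMPLE_BODIES = {
  good: '{"name":"alice","age":30,"tags":["staff"]}',
  unknownField: '{"name":"alice","isAdmin":true}',
  wrongType: '{"name":"alice","age":"30"}',
  notInteger: '{"name":"alice","age":30.5}',
  tooDeep: '['.repeat(64) + ']'.repeat(64),
};

for (const [label, body] of Object.entries(SAMPLE_BODIES)) {
  console.log(label, JSON.stringify(validateJsonRequest(body, USER_SCHEMA)));
}
```

The depth pre-scan is the part most validators skip: JSON.parse itself has to recurse to discover that a payload is 10,000 levels deep, and the size limit alone does not catch it, since `[[[[...]]]]` is tiny.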

2. Parsing Safety

  • Safe parsers only: Use secure JSON parsers; never use eval() or unsafe parsing.
  • Reject dangerous keys: Drop or reject keys such as __proto__, constructor, and prototype; they enable prototype pollution when a parsed object is merged into application objects.
  • Unicode normalization: Decode as UTF-8 only, normalize Unicode (e.g. NFC), and strip invisible characters to avoid homoglyph and invisible-character attacks.
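The two bullets above in code, as an added example that is not part of the original checklist: a JSON.parse reviver that removes the three dangerous keys and normalizes every string value, and a deep-merge routine that copies only own, allowed keys so that even a payload that bypassed the parser cannot reach Object.prototype. The sample payload is constructed for the demonstration.

```javascript
// Added example (not from the original checklist).

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Zero-width, joiner, BOM and bidirectional-override code points: invisible in
// most UIs, so "admin" and "ad\u200Bmin" look identical to a reviewer.
const INVISIBLE_CHARS = /[\u200B-\u200D\u2060\uFEFF\u202A-\u202E\u2066-\u2069]/g;

function normalizeString(s) {
  return s.normalize('NFC').replace(INVISIBLE_CHARS, '');
}

// JSON.parse calls the reviver for every key, bottom-up. Returning undefined
// removes that property, so dangerous keys never exist on the parsed object.
function safeReviver(key, value) {
  if (DANGEROUS_KEYS.has(key)) return undefined;
  return typeof value === 'string' ? normalizeString(value) : value;
}

function parseSafe(text) {
  return JSON.parse(text, safeReviver);
}

// Deep merge that copies only own, allowed keys and builds fresh containers,
// so a crafted `__proto__` or `constructor.prototype` branch cannot reach
// Object.prototype even if it slipped past the parser.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    const isPlain = value !== null && typeof value === 'object' && !Array.isArray(value);
    if (isPlain) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const base = existing !== null && typeof existing === 'object' && !Array.isArray(existing)
        ? existing
        : {};
      target[key] = safeMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a settings payload carrying both pollution vectors and a
// username with a zero-width space in it.
const UNTRUSTED_SETTINGS =
  '{"__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted":true}},' +
  '"theme":"dark","nested":{"b":2},"user":"ad\\u200Bmin"}';

const parsed = parseSafe(UNTRUSTED_SETTINGS);
const config = safeMerge({ theme: 'light', nested: { a: 1 } }, parsed);
console.log(Object.keys(parsed), config, ({}).polluted);
```

Note that a plain `JSON.parse('{"__proto__":{...}}')` does not pollute anything by itself: it creates an ordinary own property named `__proto__`. The damage happens when that object is later merged or assigned into another object with `target[key] = value`, which is why both the parser and the merge need the guard.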

3. Injection Protection

  • Avoid dynamic code execution: Never evaluate JSON values as code.
  • Encode for the target context: When JSON values are embedded in SQL, logs, HTML, or command lines, use parameterized queries or the encoder for that specific context; generic "sanitizing" is not enough.
  • NoSQL injection prevention: Allowlist operators and fields when JSON is used to build NoSQL queries.
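An allowlisted filter builder for the NoSQL case, added here as an example and not taken from the original checklist. Untrusted JSON is turned into a MongoDB-style filter in which only known fields and a short list of operators are accepted, scalar values are wrapped in `$eq`, and everything else (including `$ne`, `$regex` and `$where`, or a field such as `password`) is rejected. The field and operator lists are hypothetical; no database is contacted.

```javascript
// Added example (not from the original checklist). Field and operator
// allowlists are hypothetical values for the demonstration.

const ALLOWED_FIELDS = new Set(['status', 'category', 'price']);
const ALLOWED_OPERATORS = new Set(['$eq', '$in', '$gte', '$lte']);
const MAX_IN_VALUES = 50;

function isScalar(v) {
  return typeof v === 'string'
    || typeof v === 'boolean'
    || (typeof v === 'number' && Number.isFinite(v));
}

// Build a query filter from client JSON. Throws on anything outside the
// allowlist so the caller can answer 400 instead of running the query.
function buildFilter(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new Error('filter must be an object');
  }
  const filter = {};
  for (const field of Object.keys(input)) {
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`field not allowed: ${field}`);
    const condition = input[field];
    // A bare scalar becomes an explicit equality; an object here would
    // otherwise be interpreted by the database as an operator document.
    if (isScalar(condition)) {
      filter[field] = { $eq: condition };
      continue;
    }
    if (condition === null || typeof condition !== 'object' || Array.isArray(condition)) {
      throw new Error(`invalid condition for ${field}`);
    }
    const ops = {};
    for (const op of Object.keys(condition)) {
      if (!ALLOWED_OPERATORS.has(op)) throw new Error(`operator not allowed: ${op}`);
      const value = condition[op];
      if (op === '$in') {
        if (!Array.isArray(value) || value.length > MAX_IN_VALUES || !value.every(isScalar)) {
          throw new Error('$in needs a short array of scalars');
        }
      } else if (!isScalar(value)) {
        throw new Error(`operator ${op} needs a scalar value`);
      }
      ops[op] = value;
    }
    filter[field] = ops;
  }
  return filter;
}

// Non-throwing wrapper, convenient for request handlers and for tests.
function tryBuildFilter(input) {
  try {
    return { ok: true, filter: buildFilter(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs.
console.log(tryBuildFilter({ status: 'active', price: { $gte: 10, $lte: 20 } }));
console.log(tryBuildFilter({ status: { $ne: '' } }));
console.log(tryBuildFilter({ password: { $ne: '' } }));
```

The SQL equivalent of this bullet is not a builder at all: values from JSON go into a parameterized query (`?` or `$1` placeholders) and never into the query string.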

4. Access Control & Authentication

  • Validate authorization: Never trust roles, permissions, or identity fields from JSON clients.
  • Remove sensitive fields from client input: Strip values such as isAdmin, role, or priceOverride.

5. Data Sanitization

  • Strip unexpected fields: Use allowlists; reject or drop extras.
  • Output sanitization: Escape JSON when embedding inside HTML.
  • Canonicalize before processing: Normalize the JSON prior to business logic validation.
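A single added example serving both section 4 (never trust roles or privileged fields from the client) and section 5 (allowlist, canonicalize before business logic). It is not code from the original checklist. The body is first canonicalized (keys sorted, strings NFC-normalized and trimmed), then projected onto an allowlist of client-writable fields, after which the privileged attributes are set from the server-side session. Field names, the session shape and the sample body are hypothetical.

```javascript
// Added example (not from the original checklist). Field names and the
// session object are hypothetical values for the demonstration.

const CLIENT_WRITABLE = ['name', 'email', 'quantity'];

// Deterministic form of a value: object keys sorted, strings normalized to
// NFC and trimmed, arrays canonicalized element-wise. `__proto__` is skipped
// so the rebuilt object never has its prototype reassigned.
function canonicalize(value) {
  if (typeof value === 'string') return value.normalize('NFC').trim();
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value).sort()) {
      if (key === '__proto__') continue;
      out[key] = canonicalize(value[key]);
    }
    return out;
  }
  return value;
}

// Keep only allowlisted fields and report what was dropped so it can be
// logged; a client sending isAdmin or priceOverride is worth noticing.
function projectClientInput(body, allow = CLIENT_WRITABLE) {
  const canonical = canonicalize(body);
  const accepted = {};
  const dropped = [];
  for (const key of Object.keys(canonical)) {
    if (allow.includes(key)) accepted[key] = canonical[key];
    else dropped.push(key);
  }
  return { accepted, dropped };
}

// Authority comes from the server: owner, role and price are taken from the
// authenticated session and the catalogue, never from the request body.
function buildOrder(body, session, unitPrice) {
  const { accepted, dropped } = projectClientInput(body);
  return {
    ...accepted,
    ownerId: session.userId,
    role: session.role,
    unitPrice,
    droppedFields: dropped,
  };
}

// Constructed sample body that tries to smuggle privileged fields.
const SAMPLE_BODY = {
  quantity: 2,
  isAdmin: true,
  priceOverride: 0.01,
  role: 'admin',
  name: ' Ali\u0301ce ',
  email: 'alice@example.test',
};

console.log(buildOrder(SAMPLE_BODY, { userId: 'u-42', role: 'customer' }, 19.99));
```

Canonicalizing before validation also makes the canonical JSON text stable, which matters when the same payload is hashed, signed or compared with an earlier copy.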

6. Security Headers & Transport

  • HTTPS required: Enforce TLS for all JSON API communication.
  • Content-Type header: Require application/json for requests.
  • Accept header strictness: Reject requests with ambiguous or multipart content types, and serve JSON only to clients that accept it.
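The Content-Type and Accept checks as a request gate, added here as an example that is not part of the original checklist. It parses the media type with its parameters (so `application/json; charset=UTF-8` is accepted but `text/plain` and `multipart/form-data` are not) and returns the status an HTTP handler would send. Header names are assumed to be lower-cased, as Node's http module delivers them; the transport itself is assumed to be TLS-only, which this code cannot check.

```javascript
// Added example (not from the original checklist). Assumes lower-cased header
// names as provided by Node's http.IncomingMessage.headers.

function parseMediaType(header) {
  if (typeof header !== 'string' || header.trim() === '') return null;
  const [type, ...rawParams] = header.split(';').map((part) => part.trim());
  const params = Object.create(null);
  for (const param of rawParams) {
    const eq = param.indexOf('=');
    if (eq <= 0) continue;
    const name = param.slice(0, eq).trim().toLowerCase();
    const value = param.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1').toLowerCase();
    params[name] = value;
  }
  return { type: type.toLowerCase(), params };
}

// True if any entry of an Accept header admits a JSON response.
function acceptsJson(acceptHeader) {
  return acceptHeader.split(',').some((entry) => {
    const type = entry.split(';')[0].trim().toLowerCase();
    return type === 'application/json' || type === 'application/*' || type === '*/*';
  });
}

// The decision a handler makes before reading the body: 415 for a missing or
// wrong body type, 406 when the client will not accept JSON back, else 200.
function checkJsonRequest(headers) {
  const contentType = parseMediaType(headers['content-type']);
  if (!contentType) return { status: 415, reason: 'missing Content-Type' };
  if (contentType.type !== 'application/json') {
    return { status: 415, reason: `unsupported media type: ${contentType.type}` };
  }
  const charset = contentType.params.charset;
  if (charset !== undefined && charset !== 'utf-8') {
    return { status: 415, reason: `unsupported charset: ${charset}` };
  }
  const accept = headers['accept'];
  if (accept !== undefined && !acceptsJson(accept)) {
    return { status: 406, reason: 'client does not accept application/json' };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed sample header sets.
const SAMPLE_HEADERS = [
  { 'content-type': 'application/json; charset=UTF-8', accept: 'application/json' },
  { 'content-type': 'multipart/form-data; boundary=xyz' },
  { 'content-type': 'text/plain' },
  { 'content-type': 'application/json', accept: 'text/html' },
  {},
];
for (const h of SAMPLE_HEADERS) console.log(JSON.stringify(h), '->', checkJsonRequest(h));
```

Requiring `application/json` also helps with the CSRF point in section 8: an HTML form cannot send that content type without a CORS preflight, so a strict check removes the simple form-post route.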

7. Logging & Telemetry

  • Avoid sensitive data in logs: Do not log secrets, tokens, or PII in JSON bodies.
  • Log rejections: Record schema validation errors and malformed JSON attempts.
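Both logging bullets in code, as an added example that is not from the original checklist: a redaction pass that masks secret-bearing keys and token-shaped strings before a JSON body is logged, and a structured record for a rejected request that keeps the error details and body size but only a short, redacted sample of the raw text. The key patterns, sample objects and IP address are constructed for the demonstration.

```javascript
// Added example (not from the original checklist). Key patterns and sample
// data are constructed for the demonstration.

// Key names that should never reach a log. Matched as substrings, so
// "accessToken" and "api_key" are caught; the cost is the occasional
// over-redaction of keys like "tokenCount", which is the safe direction.
const SENSITIVE_KEY = /(password|passwd|secret|token|authorization|api[-_]?key|ssn|card[-_]?number|cvv)/i;
// Bearer-style tokens embedded in free text, e.g. a pasted header value.
const BEARER_TOKEN = /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g;
const MAX_SAMPLE_CHARS = 200;

// Returns a redacted copy; the input is not modified.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (key === '__proto__') continue; // never re-create a prototype key
      out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redact(value[key]);
    }
    return out;
  }
  if (typeof value === 'string') return value.replace(BEARER_TOKEN, 'Bearer [REDACTED]');
  return value;
}

// Record for a rejected request: what failed and how large the body was,
// with a short redacted sample rather than the whole payload.
function rejectionLogEntry({ reason, errors = [], rawBody = '', clientIp }) {
  return {
    event: 'json.rejected',
    reason,
    errors,
    clientIp,
    bodyBytes: new TextEncoder().encode(rawBody).length,
    bodySample: redact(rawBody.slice(0, MAX_SAMPLE_CHARS)),
  };
}

// Constructed sample event with secrets in several places.
const SAMPLE_EVENT = {
  user: { name: 'alice', password: 'hunter2', accessToken: 'abc.def' },
  headers: { Authorization: 'Bearer eyJhbGciOi.payload.sig', 'Content-Type': 'application/json' },
  note: 'client sent Authorization: Bearer eyJhbGciOi.payload.sig in body text',
};

console.log(JSON.stringify(redact(SAMPLE_EVENT)));
console.log(JSON.stringify(rejectionLogEntry({
  reason: 'malformed JSON',
  rawBody: '{"token":"abc',
  clientIp: '198.51.100.7',
})));
```

Rejection records are the signal for the rate-limiting bullet in section 8: a burst of `json.rejected` events from one client is usually either a broken integration or someone probing the parser, and either way it should be visible.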

8. Protection Against Common Attacks

  • Prototype pollution mitigation: Block __proto__, prototype, and constructor keys.
  • XXE prevention: Do not route JSON through XML-based parsers or JSON-to-XML converters; external entity attacks only become possible once an XML parser is involved.
  • CORS controls: Apply strict CORS policies to JSON endpoints.
  • CSRF prevention: Use CSRF tokens or SameSite cookies for authenticated JSON APIs.
  • Rate limiting: Throttle requests by IP, user, or token to prevent brute-force attacks.

9. Sensitive Data Handling

  • Encrypt at rest: Encrypt the storage (databases, disks, backups) that holds JSON containing sensitive data.
  • Token/secrets hygiene: Reject JSON that includes secrets unless required.
  • Response filtering: Return minimal fields to the client (least privilege).

10. Output Encoding

  • Escape for HTML contexts: Prevent XSS by escaping JSON before placing it in HTML.
  • Avoid JSONP: Disable JSONP endpoints; they return data as an executable script that any origin can load, so they bypass same-origin protections and expose the response to cross-site reading.
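One added example for both the "Output sanitization" bullet in section 5 and the HTML escaping bullet above; it is not code from the original checklist. There are two distinct encoders because JSON-derived data lands in HTML in two different ways: inside an inline `<script>` bootstrap, where `<`, `>`, `&` and the U+2028/U+2029 line terminators are replaced with `\uXXXX` escapes that keep the text valid JSON, and inside text nodes or attributes, where HTML entity escaping applies. The page template and sample data are constructed for the demonstration.

```javascript
// Added example (not from the original checklist). The page template and the
// sample data are constructed for the demonstration.

// Serialize data for an inline <script>. Replaces the characters that can
// close the script element or break a JS parser with \uXXXX escapes. The
// result is still valid JSON, so the browser side can use it as a literal
// or hand it to JSON.parse unchanged.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Entity-escape a value for an HTML text node or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal server-rendered page: the title goes into markup, the whole data
// object goes into a script bootstrap. Each uses the encoder for its context.
function renderPage(data) {
  return [
    '<!doctype html><html><body>',
    `<h1>${escapeHtml(data.title)}</h1>`,
    `<script>window.__INITIAL_STATE__ = ${jsonForScript(data)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Constructed sample containing a script-closing string, HTML metacharacters
// and a U+2028 line separator, which older JS engines treated as a newline.
const SAMPLE_DATA = {
  title: 'Report <for> "Q3" & beyond',
  comment: '</script><script>evil()</script>',
  separator: 'line\u2028break',
};

console.log(renderPage(SAMPLE_DATA));
```

Plain `JSON.stringify` is not enough for the script case: it leaves `</script>` intact inside string values, so the browser's HTML parser, which does not understand JavaScript strings, ends the script element early.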

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.
