Inadequate validation of input and output is the most common security risk in an API definition. If you do not restrict what your API accepts as input, you are opening the door for attacks like SQL injections and buffer overflow. If you do not restrict what your API can include in the responses it sends, the API may leak out information that can be used to target attacks to the possible weak spots.
For complete picture on how secure the API is, data validation is done on several levels:
- Response definitions
- Response headers
Each level also checks that both primitive and JSON object parameters are adequately defined.