# Use Whitelisting instead of Blacklisting

Allowing only certain inputs is more secure than only disallowing certain inputs.

# Background

Whitelisting describes the definition of a list of inputs that are allowed. Blacklisting, on the other hand, defines a list of inputs that are not allowed. Consequently, blacklisting can open the system to inputs that were not thought of in the first place. Choosing whitelisting removes this threat by disallowing everything that is not required and therefore not on the list.

TIP

Generate a regular expression or an enumeration of valid values to whitelist data

The following example demonstrates the problem with blacklisting. Even though the blacklisting `if` contains far more constraints, the whitelisting approach is still more restrictive.

```js
// Only red, blue and yellow allowed

// User selected color
let color = "red"

// Whitelisting: enumerate the valid values
if (["red", "blue", "yellow"].includes(color))
    console.log("Valid")

// Whitelisting with RegEx: anchored so only the whole value may match
if (color.match("^(red|blue|yellow)$"))
    console.log("Valid")

// Blacklisting: the list of forbidden values can never be complete
if (!["green", "pink", "purple",
      "orange", "turquoise", "brown"
      /* ... every other colour name one can think of */].includes(color))
    console.log("Valid")
```
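As an added example that is not part of the original page, the script below puts a whitelist validator (as an enumeration and as a regular expression) and a blacklist validator side by side and runs both over a set of constructed inputs, so the values that slip past the blacklist become visible. All names (`isValidByWhitelist`, `SAMPLE_INPUTS`, and so on) and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from the original page: whitelist vs blacklist
// validation of a "color" field, run over constructed inputs.

// Whitelist as an enumeration of the valid values.
const ALLOWED_COLORS = new Set(["red", "blue", "yellow"]);

// Whitelist as an anchored regular expression; equivalent to the Set above.
// Without the "m" flag, ^ and $ match only at the very start and end of the string.
const ALLOWED_COLOR_RE = /^(red|blue|yellow)$/;

// Blacklist: every value we happened to think of. It is never complete.
const DENIED_COLORS = new Set([
  "green", "pink", "purple", "orange", "turquoise", "brown",
]);

function isValidByWhitelist(color) {
  // Reject anything that is not a string before consulting the list.
  return typeof color === "string" && ALLOWED_COLORS.has(color);
}

function isValidByWhitelistRegex(color) {
  return typeof color === "string" && ALLOWED_COLOR_RE.test(color);
}

function isValidByBlacklist(color) {
  // Typical blacklist logic: accept unless the value is explicitly forbidden.
  return !DENIED_COLORS.has(color);
}

// Constructed sample inputs: the three legitimate values plus the kind of
// values a real form or API receives sooner or later.
const SAMPLE_INPUTS = [
  "red", "blue", "yellow",   // legitimate values
  "green",                   // on the blacklist, correctly rejected
  "Red",                     // case variant nobody put on the blacklist
  "red ",                    // trailing whitespace
  "rouge",                   // a colour name the blacklist never anticipated
  "",                        // empty string
  "#ff0000",                 // a hex code rather than a name
  42,                        // not even a string
];

// Inputs the blacklist check accepts but the whitelist check rejects.
function acceptedOnlyByBlacklist(inputs) {
  return inputs.filter((c) => isValidByBlacklist(c) && !isValidByWhitelist(c));
}

// The enumeration and the regex must agree on every input.
function whitelistVariantsAgree(inputs) {
  return inputs.every((c) => isValidByWhitelist(c) === isValidByWhitelistRegex(c));
}

for (const c of SAMPLE_INPUTS) {
  console.log(
    JSON.stringify(c),
    "whitelist:", isValidByWhitelist(c),
    "blacklist:", isValidByBlacklist(c),
  );
}
console.log("Accepted only by the blacklist:", acceptedOnlyByBlacklist(SAMPLE_INPUTS));
```

Every value that is not exactly one of the three allowed strings is rejected by both whitelist variants, while the blacklist lets through six of the ten constructed inputs, including a value of the wrong type; extending the blacklist with those six would only move the gap to the next unanticipated value.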

Last Updated: 7/3/2022, 3:51:46 PM