Powerful Expose Only The Data Needed By The Frontend

With the astronomical rise of vibe coding and non-technical folks shipping software, it's become apparent that now more then ever, we need to be aware of very insecure software flooding the market.

One of the mistakes I'm seeing now and again is developers exposing too much data (than what's required in the frontend).

There's no excuse for having a record's updated_at, deleted_at and created_at fields in your API responses if the frontend doesn't need them.

Response from a blogging platform's API showing unnecessary fields exposed

This is a very common mistake that can lead to security vulnerabilities and performance issues.

APIs are doorways to the data and ultimately to your client's business as well. They are a description of the client's business processes, as well.

How does business xyz handle my data when I sign up? How do they process payments? How do they handle refunds?

For example, by looking at a certain fintech startup's API responses, I was able to map at the different processes and verifications they have in place while handling a payment.

Take an instance of the image above (it is from a vibe codded blogging platform's API). The API response contains data in this format:

Suppose I'm a malicious user and I want to read a premium article without paying for it. What could I do?

Source: Dev.to