Validation
Input validation is your last line of defense before untrusted data reaches your database. Arkos provides several mechanisms to ensure only expected, well-shaped data gets through.
Unknown Field Rejection
By default Arkos rejects unknown fields on all validated inputs. This prevents mass assignment — a class of vulnerability where an attacker sends extra fields (like isAdmin: true) that slip through into a database write.
Both resolvers ship with forbidNonWhitelisted: true by default. With the Zod resolver:

```ts
import { defineConfig } from "arkos/config";

export default defineConfig({
  validation: {
    resolver: "zod",
    validationOptions: {
      forbidNonWhitelisted: true, // default — shown for clarity
    },
  },
});
```

With the class-validator resolver:

```ts
import { defineConfig } from "arkos/config";

export default defineConfig({
  validation: {
    resolver: "class-validator",
    validationOptions: {
      whitelist: true, // strips unknown fields
      forbidNonWhitelisted: true, // throws instead of stripping
    },
  },
});
```

Do not set forbidNonWhitelisted: false in your applications. Dropping unknown fields silently might seem harmless, but a body carrying isAdmin is either a client bug or a probe, and a quietly trimmed field tells you about neither; with whitelisting also turned off, such fields pass straight through into the database write, which is exactly the mass assignment surface the default exists to close.
Class Validator — Full ValidatorOptions
When using class-validator, validationOptions accepts the full ValidatorOptions interface. Beyond forbidNonWhitelisted, useful security-relevant options include:
| Option | Default | Effect |
|---|---|---|
| whitelist | true | Strips properties not decorated with any validator |
| forbidNonWhitelisted | true | Throws instead of stripping unknown properties |
| forbidUnknownValues | — | Fails validation when the value is not an instance of a class with validation metadata (for example a bare object) |
| skipMissingProperties | false | When false, missing required properties fail validation |
Strict Route Validation
Strict mode requires every route to explicitly declare its validation intent. Without it, routes with no validation config silently accept any input.
```ts
import { defineConfig } from "arkos/config";

export default defineConfig({
  validation: {
    resolver: "zod",
    strict: true,
  },
});
```

In strict mode each of body, query, and params must be explicitly declared:
| Value | Behavior |
|---|---|
| ZodSchema or ClassConstructor | Validates input |
| false | Allows input through without validation |
| null, undefined, or not set | Not allowed — returns 400 |
See Validation — Setup for the full strict mode behavior.
Disabling Unused Endpoints
Arkos auto-generates CRUD endpoints for every Prisma model. In production, exposing endpoints you don't use — especially bulk operations like deleteMany — is an unnecessary attack surface.
Use routers.strict to control this:
```ts
import { defineConfig } from "arkos/config";

export default defineConfig({
  routers: {
    strict: "no-bulk", // disables createMany, updateMany, deleteMany globally
    // strict: true, // disables ALL auto-generated endpoints
  },
});
```

Or, with a typed config object:

```ts
import { ArkosConfig } from "arkos";

const arkosConfig: ArkosConfig = {
  routers: {
    strict: "no-bulk",
  },
};

export default arkosConfig;
```

| Value | Effect |
|---|---|
| false | All endpoints enabled (default) |
| "no-bulk" | Bulk operations disabled globally |
| true | All auto-generated endpoints disabled — must enable per model via RouteHook |
routers.strict: true combined with explicit RouteHook configuration per model gives you the principle of least privilege — no endpoint exists unless you deliberately enabled it.
For full details on enabling endpoints per model see Route Hook.