Quiz Entry - updated: 2026.07.05
Why is it important that an API defines a contract without exposing implementation details?
An API should expose WHAT it does, not HOW — hiding internals shrinks the attack surface and lets you patch without breaking clients.
APIs should specify WHAT they do, not HOW they work internally.
Why this matters for security:
- Information hiding — Attackers can't exploit details they don't know (e.g., MySQL vs PostgreSQL → different attack vectors)
- Flexibility to patch — Proper abstraction lets you fix vulnerabilities without breaking clients
- Reduced attack surface — Internal data structures, processing logic, and detailed errors stay hidden
- Defense in depth — Even with API access, attackers learn nothing about backend systems
Anti-pattern: Detailed error messages like MySQL error 1064: syntax error near 'DROP TABLE' reveal your database engine AND confirm SQL injection works.