LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why is it important that an API defines a contract without exposing implementation details?

An API should expose WHAT it does, not HOW — hiding internals shrinks the attack surface and lets you patch without breaking clients.

APIs should specify WHAT they do, not HOW they work internally.

Why this matters for security:

  1. Information hiding — Attackers can't exploit details they don't know (e.g., MySQL vs PostgreSQL → different attack vectors)
  2. Flexibility to patch — Proper abstraction lets you fix vulnerabilities without breaking clients
  3. Reduced attack surface — Internal data structures, processing logic, and detailed errors stay hidden
  4. Defense in depth — Even with API access, attackers learn nothing about backend systems

Anti-pattern: Detailed error messages like MySQL error 1064: syntax error near 'DROP TABLE' reveal your database engine AND confirm SQL injection works.

From Quiz: SPRG / Secure Architecture & Design | Updated: Jul 05, 2026