What is a trust boundary?
Any point where trust level changes.
- Browser → Server - user controls browser. Everything from client is untrusted.
- Server → Database - you trust DB, but what if attacker already wrote there via another path?
- Your service → Another microservice - does downstream validate, or trust you already did?
- Your code → Third-party library - you trust it. What if it has a vuln?
- User A → User B - one user's data should never leak to another's.
Tracing data flow
Pick any user action. Follow the data:
- Originates - user input, API, job, DB read
- Travels - HTTP, queue, internal API, WebSocket
- Stored - DB, cache, object storage, log
- Used - HTML, SQL, email, PDF, shell
At every step: has this data been validated for the context it's entering?
Context matters
Same data, different context:
O'Brien- fine in HTML (with encoding), breaks SQL (without params)<b>bold</b>- harmless in log, dangerous as HTMLjavascript:alert(1)- fine stored, dangerous inhref
Generic "sanitise all input" doesn't work. You need output encoding for specific context.
Data flow diagrams
- External entities (users, third parties) - rectangles
- Processes (your code, APIs) - circles
- Data stores (DBs, caches) - parallel lines
- Data flows - arrows
- Trust boundaries - dashed lines
Example: comment system
[User Browser] --HTTP POST--> [API Server] --SQL INSERT--> [Database]
|
[Other Users] <--HTML Response-- [API Server] <--SQL SELECT--+
Controls needed:
- Input validation at API
- Parameterised queries at DB
- Output encoding at render
Miss any one = vulnerability.
Common mistakes
Trusting your own database. If attacker wrote malicious data there via another path, every page rendering without encoding becomes a vuln.
Trusting internal services. "It's internal, no auth needed." Any compromised machine = all unauthenticated APIs exposed.
Trusting client-side validation. HTML5 validation, JS checks, disabled buttons = UX features, not security.
Trusting file metadata. photo.jpg with image/jpeg might be HTML. Validate actual bytes.
Data classification
| Classification | Examples | Handling |
|---|---|---|
| Public | Marketing, docs | Minimal |
| Internal | Dashboards, team data | Auth required |
| Confidential | PII, emails, usernames | Encryption, access control, audit |
| Restricted | Passwords, keys, financial, health | Encryption at rest/transit, strict access, minimal retention |
Know classification → proportionate security decisions.
The takeaway
Trace data flow. Identify boundaries. Validate or encode for context. Including your own database.