I am creating an API proxy that acts as a bridge between our frontend application and an AWS OpenSearch server. This proxy has additional features such as retries and timeouts.
One of the features I'm considering is request body validation. This API accepts 2 types of data: JSON when Content-Type is set to application/json and NDJSON when Content-Type is set to application/ndjson. I am wondering if it is a good idea to validate the request payload before it gets to the OpenSearch endpoint (i.e., validate that the request payload is valid JSON when Content-Type is application/json).
Arguments for request body validation:
- The OpenSearch server won't get overloaded easily because the API proxy can fail requests without calling the OpenSearch endpoint in case of malformed data.
- In case of very large NDJSON payloads with malformed JSON (i.e., _bulk requests), not all data needs to be loaded in memory at once due to streaming requests.
Arguments for non validation:
- Since no validation occurs on the proxy side, the payload gets sent directly to OpenSearch (which has its own validation), giving potentially better overall performance.
- If another content type is added, no additional change is needed; the proxy will work as expected.
So now, I am unsure as to what approach to use. What do you suggest? Is there anything I missed regarding validation or lack of it? What is the better approach? Or is there a better way I haven't considered?
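
The streaming check mentioned in the arguments for validation, as an added example that is not part of the original post: it validates NDJSON line by line while holding only the current partial line, validates a buffered JSON document, and passes unknown content types through unchecked. Python is used only for illustration; all names, the 1 MiB cap and the tolerance of blank lines are assumptions.

```python
import json

MAX_LINE_BYTES = 1024 * 1024  # assumed cap on one unterminated line

# Constructed sample: _bulk-style bodies split at arbitrary chunk boundaries.
GOOD = [b'{"index":{"_id":"1"}}\n{"na', b'me":"a"}\n']
BAD = [b'{"index":{"_id":"1"}}\n{"name":', b'}\n{"index":{}}\n']

class InvalidBody(Exception):
    """Carries the 1-based number of the first line that failed."""
    def __init__(self, line_no, reason):
        super().__init__(f"line {line_no}: {reason}")
        self.line_no, self.reason = line_no, reason

def _check_line(line, line_no):
    if not line.strip():
        return  # blank lines are tolerated here (assumption)
    try:
        json.loads(line)  # accepts bytes; bad UTF-8 is also a ValueError
    except ValueError as exc:
        raise InvalidBody(line_no, str(exc)) from None

def validate_ndjson(chunks, max_line_bytes=MAX_LINE_BYTES):
    """Validate an iterable of byte chunks; return the number of lines seen."""
    buf, line_no = b"", 0
    for chunk in chunks:
        buf += chunk
        *lines, buf = buf.split(b"\n")  # buf keeps the unfinished tail
        for line in lines:
            line_no += 1
            _check_line(line, line_no)  # raises on the first bad line
        if len(buf) > max_line_bytes:  # bounds memory for a line with no newline
            raise InvalidBody(line_no + 1, "line exceeds size cap")
    if buf.strip():  # final line without a trailing newline
        line_no += 1
        _check_line(buf, line_no)
    return line_no

def validate_body(content_type, chunks):
    """Return True if the body was validated, False if passed through unchecked."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/ndjson":
        validate_ndjson(chunks)
        return True
    if media_type == "application/json":
        _check_line(b"".join(chunks), 1)  # one document: must be buffered whole
        return True
    return False  # unknown type: leave validation to the upstream server
```

The first bad line stops the read, so the rest of a large malformed body is never consumed; forwarding a body that passed still requires either spooling it or replaying the stream.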