Step 3: Writing rules
This is where we actually begin writing rules. This step consists of examining each action and creating rules that allow legitimate requests through, while blocking anything else. Using the information gathered in the previous step, this should be straightforward.
Some of the typical checks that should be done for each action:
Making sure only allowed arguments are present
Verifying that each argument contains only acceptable characters (for example by making sure that variables that represent a number only contain digits and not anything else)
Preventing requests with overly long arguments by limiting the length of argument values
Verifying that the request body conforms to a pre-determined format
There is also the additional step of checking the request headers. Since these will be very similar for the different actions, it makes sense to perform the header check separately, which means we will be able to check the headers using the same rules, no matter what action the...
