
Generic vs Specific API Responses


Any thoughts on how specific API response messages should be? I'm looking at this from a Security perspective related to validating on data types.

Say my API requires a string for an id and that my server validates the type - if not a string, should I respond with something like "Field must be of type string"? This can be convenient to users who brushed by the documentation, as it'll be a simple fix on their client code, but what about hackers?

They can kind of fish for information through these responses to learn more about the API inputs, i.e. they can input any random data and then find out the API only takes a string, which can help them even further.

Any thoughts on this?


Solution

  • Hiding things is never a good way to provide security.

    You should provide as many details as possible about errors so you can help people work with your API. Your implementation should do every needed check to ensure input data are safe.

    Only specific point: do not throw errors like "Email does not exist in db", as it leaks information about your data.