A potential threat was discovered during automated system testing when a PATCH request sent to...

The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.

References:

OWASP’s guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application1.

Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors2.

The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests3.