Input validation
Validation strategy for the SHOPin storefront accelerator: Zod schemas live primarily in @core/contracts; each layer validates what it receives before trusting it. See Maintain contracts for package layout and builds.
| Layer | Validate incoming | Validate outgoing | Guide |
|---|---|---|---|
| Presentation | BFF responses, search params, storage, etc. | User input before BFF calls (UX; not a security boundary) | Presentation input validation |
| BFF | Request params, query, body | Responses you send to the client (recommended on critical routes) | BFF input validation |
| Integrations | External API responses | Outbound requests per vendor SDK | Integration validation |
Principles: validate at boundaries; treat @core/contracts as the source of shared shapes and runtime rules wherever the codebase imports it. Follow General workflow rules for contract changes and checks.