# Security Best Practices

When writing custom endpoints, it is important to ensure they are secure and don't expose sensitive data.

# Use Authorization

Always restrict endpoints to logged-in or admin users unless there is a specific reason for them to be public.

# Validate Input

Do not trust the contents of `Body`. Always validate and sanitize inputs before using them in graph queries or business logic.

# Principle of Least Privilege

When using Endpoint Tokens, scope them to only the specific endpoints they need to access.

# Handle Exceptions

Use try-catch blocks to handle potential errors and return meaningful, yet secure, error messages. Avoid leaking stack traces or internal database details to the caller.

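```csharp
try {
    // endpoint logic
} catch (Exception ex) {
    // Log the full exception server-side only
    Logger.LogError(ex, "Error in endpoint");
    // Return a generic message with no stack trace or database details
    return new { error = "An internal error occurred" };
}
```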
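
The following is an added example, not the platform's own code, that combines the input-validation and exception-handling advice above. The `Handle` method, the `nodeId` and `limit` fields, and the size limits are assumptions for illustration; the raw body is passed in as a plain string and logging goes to standard error.

```csharp
using System;
using System.Text.Json;
using System.Text.RegularExpressions;

public static class EndpointExample
{
    // Assumed limits for this sketch; tune them to what the endpoint really needs.
    const int MaxBodyChars = 4096;
    static readonly Regex IdPattern = new(@"\A[A-Za-z0-9_-]{1,64}\z");

    // Hypothetical handler: 'body' stands in for the endpoint's raw request body.
    public static object Handle(string body)
    {
        try
        {
            if (string.IsNullOrWhiteSpace(body) || body.Length > MaxBodyChars)
                return new { error = "Invalid request" };
            using var doc = JsonDocument.Parse(body);
            var root = doc.RootElement;
            // Allow-list check: nodeId must be a short string of safe characters.
            if (root.ValueKind != JsonValueKind.Object
                || !root.TryGetProperty("nodeId", out var idEl)
                || idEl.ValueKind != JsonValueKind.String
                || !IdPattern.IsMatch(idEl.GetString()!))
                return new { error = "Invalid request" };
            int limit = 10; // default when the caller sends no limit
            if (root.TryGetProperty("limit", out var limEl)
                && (limEl.ValueKind != JsonValueKind.Number
                    || !limEl.TryGetInt32(out limit) || limit < 1 || limit > 100))
                return new { error = "Invalid request" };
            // Only validated, typed values reach the query layer (stubbed here).
            return new { nodeId = idEl.GetString(), limit };
        }
        catch (JsonException) { return new { error = "Invalid request" }; }
        catch (Exception ex)
        {
            var id = Guid.NewGuid().ToString("N"); // correlation id for support
            Console.Error.WriteLine($"[{id}] endpoint failure: {ex}"); // detail stays server-side
            return new { error = "An internal error occurred", id };
        }
    }

    public static void Main()
    {
        // Constructed sample bodies: valid, invalid id, malformed JSON.
        foreach (var b in new[] { "{\"nodeId\":\"user_42\",\"limit\":5}", "{\"nodeId\":\"bad id!\"}", "{not json" })
            Console.WriteLine(JsonSerializer.Serialize(Handle(b)));
    }
}
```

The caller sees the same generic `Invalid request` message for every rejected body, while unexpected failures return only a correlation id that can be matched against the server-side log.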