NESTJS
Configure a strict global ValidationPipe to strip unknown fields and coerce DTOs
src/main.ts
typescriptapp.useGlobalPipes(
new ValidationPipe({
whitelist: true, // strip properties not in the DTO
forbidNonWhitelisted: true, // 400 if extra properties are sent
transform: true, // coerce payload into DTO instances
}),
);`whitelist: true` removes any property not declared with a validation decorator — your defense against mass-assignment, since it drops fields a client shouldn't be setting. `forbidNonWhitelisted` upgrades that to a rejection so callers learn they sent junk. `transform: true` turns the plain request body into a real DTO instance and coerces primitive types (e.g. numeric route params). Set it once globally so every endpoint inherits the contract.
nestjsvalidationsecuritydto