Both strip unknown properties, but they operate at different stages and in opposite directions. ValidationPipe whitelist strips unknown properties from the incoming request body during deserialization. excludeExtraneousValues strips properties without @Expose() from the result during serialization. One filters input, the other filters output.
ValidationPipe whitelist — runs during deserialization (JSON to DTO); strips unknown input.
excludeExtraneousValues — runs during serialization (class to plain); strips unexposed output.
whitelist does not require @Expose() on DTO properties — it uses the declared class shape, which class-validator sees through the validation decorators on the DTO's properties.
excludeExtraneousValues requires every included property to have @Expose() explicitly.
Use both together for full control: whitelist on input, excludeExtraneousValues on output.
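Both stages side by side, as an added example that is not part of the original page. It assumes the class-validator and class-transformer packages are installed and calls them directly instead of going through a running NestJS app; the class names, function names and sample data are constructed for illustration.

```typescript
import { Expose, instanceToPlain, plainToInstance } from 'class-transformer';
import { IsEmail, IsString, validateSync } from 'class-validator';

// Input DTO: no @Expose() anywhere, only class-validator decorators.
class CreateUserDto {
  email!: string;
  name!: string;
}
// Same effect as writing @IsEmail() / @IsString() on the properties; applied as
// plain calls so the file runs without the experimentalDecorators compiler flag.
IsEmail()(CreateUserDto.prototype, 'email');
IsString()(CreateUserDto.prototype, 'name');

// Output class: only properties marked with Expose() may leave the process.
class UserEntity {
  id!: number;
  email!: string;
  passwordHash!: string; // deliberately not exposed
}
Expose()(UserEntity.prototype, 'id');
Expose()(UserEntity.prototype, 'email');

// Input stage: the two steps ValidationPipe({ whitelist: true }) performs.
function filterInput(body: Record<string, unknown>): CreateUserDto {
  const dto = plainToInstance(CreateUserDto, body);
  // whitelist deletes, in place, every key that has no validation decorator
  const errors = validateSync(dto, { whitelist: true });
  if (errors.length > 0) throw new Error('validation failed');
  return dto;
}

// Output stage: class to plain, keeping only exposed properties.
function filterOutput(user: UserEntity): Record<string, unknown> {
  return instanceToPlain(user, { excludeExtraneousValues: true });
}

// Constructed request body carrying a property the DTO never declared.
const dto = filterInput({ email: 'a@example.com', name: 'Ann', isAdmin: true });

// Constructed stored record with a field that must not be returned.
const stored = Object.assign(new UserEntity(), {
  id: 1, email: dto.email, passwordHash: 'constructed-hash-value',
});
const response = filterOutput(stored);
console.log(Object.keys(dto), Object.keys(response));
```

Without whitelist, isAdmin would reach the handler on the DTO; without excludeExtraneousValues, passwordHash would be serialized into the response.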