A Quick Rundown
API overview
API methodologies
Security methodologies
Best practices
Thursday, May 26, 2011
Popular Methodologies
REST
XML-RPC
SOAP
REST Service
Representational State Transfer
Architecture, not a standard
HTTP-based
RESTful
Client-Server
Self-contained Requests (Stateless)
Cacheable
Named, Layered Resources
http://brewerydb.com/api/breweries/2324
http://brewerydb.com/api/beers/435
REST Security
None built in
Encryption over HTTPS
Left to the implementer
Error handling left to implementer
SOAP Service
Simple Object Access Protocol
XML-based
Uses GET for read, POST for write
W3C Specification for sending and receiving messages
SOAP Security
Nothing provided in spec
WS-Security
Extension to SOAP spec
Provided as a guide for securing SOAP services
WS-Security
Guidelines for solving 3 problems
Identify and authenticate a client
Ensure integrity of the message
Curtail eavesdropping while in transit
Defines mechanisms as opposed to actual protocols
http://www.oasis-open.org/committees/wss/
XML-RPC Service
XML Remote Procedure Call
XML-based
Uses HTTP-POST
Spec published by UserLand Software in ~1998
XML-RPC
Uses XML to specify a method and parameters
XML-RPC Security
None in the spec
Encryption over HTTPS
Security left to the implementer
Error handling - <fault> base response element
Security Mechanisms
OAuth
BasicAuth
API Keys
OAuth 1.0
Think of it as a valet key for your internet accounts...
Open standard for API access delegation
RFC 5849 - The OAuth 1.0 Protocol
Published April 2010
Requires SSL
Single security token, no signature required
Guidelines for use with Javascript and applications with no web browser
http://oauth.net/2/
http://www.lornajane.net/
BasicAuth
BasicAuth Dos
SSL is a must
Username / Password is transmitted in cleartext
BasicAuth Pros
Client requests are easy
Part of nearly every HTTP request library
BasicAuth Cons
Requires a username and password for a user
Access Keys
Implementation requirements are up to the service provider
in URL
Signed Request Workflow
Client
  Request:   ?key=val
  Sign the request with the shared secret vje48hvn4
  Send:      ?key=val&signature=23kcwej323
Server
  Receive:   ?key=val&signature=23kcwej323
  Strip the signature, leaving ?key=val
  Sign ?key=val with the same shared secret vje48hvn4 -> 23kcwej323
  Compare:   23kcwej323 == 23kcwej323
  Result:    Signed (request accepted)
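The signed-request workflow above, worked through in Python as an added example (not code from the talk): the client signs a canonical form of its query parameters with the shared secret, and the server strips the signature, recomputes it and compares in constant time. The secret, the HMAC-SHA256 choice and the sorted-parameter canonicalization are assumptions made for this example.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Shared secret known to client and server (constructed placeholder value).
SECRET = "vje48hvn4-example-secret"

def canonical_query(params):
    """Sort parameters by name so client and server sign identical bytes,
    regardless of the order they appear in on the wire."""
    return urlencode(sorted(params.items()))

def sign(params, secret):
    """Hex HMAC-SHA256 of the canonical query under the shared secret."""
    msg = canonical_query(params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def client_build_query(params, secret):
    """Client side: compute the signature and append it as ?...&signature=..."""
    signed = dict(params)
    signed["signature"] = sign(params, secret)
    return urlencode(signed)

def server_verify(query, secret):
    """Server side: remove the presented signature, re-sign the remaining
    parameters and compare in constant time to avoid a timing side channel."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.pop("signature", None)
    if presented is None:
        return False  # unsigned request: reject
    expected = sign(params, secret)
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    query = client_build_query({"key": "val"}, SECRET)
    print("client sends:", query)
    print("server accepts:", server_verify(query, SECRET))
    tampered = query.replace("key=val", "key=other")
    print("tampered accepted:", server_verify(tampered, SECRET))
```

Any change to a signed parameter, a missing signature, or a different secret on either side makes verification fail.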
Encryption is scary....ish
Rate Limiting
Access Control
Error Handling
SSL Layer
API Domain
Stupid is as Stupid Does - Gump
Rate-Limiting
Keeps API access in check
Authenticated and Unauthenticated calls should be subject to rate limiting
Best practice
Have a standard, application wide rate limit
Unauthenticated
Based on domain or IP address
Allow limit to be overridden as well
Access Control
Treat API endpoints just as service endpoints in your application
Error Handling
Set appropriate HTTP headers
Provide viable, valid error messages
Log errors for the API too
Have a standard error response object for all methods, including authentication
SSL Layer
Encrypts all traffic to and from your API
Can cause performance hit
~10-15% in trials
Depending on protocol, should be a requirement
API Domain
Use sub-domain
Can move to separate webserver
Handle traffic requirements
Questions?
Jason Austin - @jason_austin - jfaustin@gmail.com
http://joind.in/3427