Security (4:20) with Alena Holligan
Very few REST APIs are open for unlimited public consumption. Let's see what steps we can take to make our API strong and safer.
A cache is a service that holds onto data that you need to be able to retrieve quickly. This is very useful when your data takes a while to retrieve or calculate. Some common caches you might use are memcached, TimesTen if you use Oracle products, or Hazelcast for the Java world. For caching compiled pages, Varnish is a very common and powerful choice.
More About Security
Security is such an important concept that we have a whole Security Track you can take to learn more. Two of the most important courses concerning APIs are Introduction to Data Security and Introduction to Application Security.
0:00 An API that can't keep up with the demand is almost worse than no API at all. Users won't always stick around until your service comes back up in off-hours. The first step towards making sure that your API is available for clients is usually caching. A cache is usually a service that runs in memory to hold recently requested results, like a newly created record, or a large data set. This helps to prevent database calls and even costly calculations on your data. Maybe your data is spread across several databases, or tables in your database. And gathering up all of that information, sorting it, and presenting it to the user, takes several seconds. Putting that final calculated data into a cache means that subsequent lookups only take as long as required for your cache to find and return the right key. Memcached is a very popular cache, but there are many different pieces of software available to handle this. You may have to experiment to find the one that's right for your API. I'll include links to some common caches in the teacher's note. Also keep in mind that third party APIs that you may be using are probably implementing some sort of caching. This can sometimes cause unexpected results if the cache is not working properly.

1:24 All the caching in the world won't save you from a large enough deluge of requests. The second step on our path to having a resilient API is rate limiting. Rate limiting is a pretty simple idea. Each user is allowed a certain number of requests to your API in a given time period. Once a user exhausts their allotment, they'll have to wait until the timer runs out so they can get more. This helps to prevent users from just flooding you with requests. And also helps to prevent distributed denial of service or DDoS attacks.

2:01 And our final step is authentication. It's a little hard to rate limit users when you don't have any idea which request is from which user. That whole statelessness thing, remember. And what if we need to restrict certain information to certain users? Again, we need some way to verify that a user is who they say they are. Different APIs handle authentication differently. When building an API, how your user gets accounts is up to you, and whatever tools you're using.

2:32 Let's go over a few ways that authentication requests can be handled. The most common way you'll encounter is the use of API tokens. When setting up an API account, a user is given a token and a secret pair. The user will pass those credentials when making a request to the server. This allows the API's server to verify the communication. The server takes the pair of credentials and checks that they're active, proper users in the database. It's a lot like including a user name and password when you log into a site. Users need to include their token with every request because of the statelessness of HTTP, which means authentication happens with each request. Most of the time, the token and secret are included as keys in the JSON or XML data that a client will send. But it is possible for them to be included in the authentication headers in the HTTP request. Make sure you understand where this information will be included when consuming or building an API.

3:41 There are other methods of handling authentication, like cross realm authentication, HTTP Digest and others. But a lot of them will be specific to the API or tools that you're using. Postman, the tool that we've been using to test out our API, should allow you to send any type of authentication request that you encounter.

4:00 When building an API, a lot of what we've covered so far, caching, parsing requests, and preparing responses, authentication and more, will depend on your framework, language, and tools of choice. Be sure to research the best approach to building an API with your language of choice before diving in.
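The rate-limiting and token-authentication steps from the video, as an added example that is not part of the course or its code: every request is first checked against a constructed account store (token plus secret, sent in assumed `X-Api-Token` / `X-Api-Secret` headers), and only an authenticated user is counted against a fixed per-user allotment that resets when the window timer runs out. The account data, header names and limits are all made up for the demonstration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample account store: token -> secret and whether the account is active.
ACCOUNTS = {
    "tok_alice": {"secret": "s3cr3t-alice", "active": True},
    "tok_bob": {"secret": "s3cr3t-bob", "active": False},  # deactivated account
}


@dataclass
class RateLimiter:
    limit: int = 3          # requests allowed per user ...
    window: int = 60        # ... in each fixed window of this many seconds
    # token -> (window start time, requests counted in that window)
    _buckets: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, token: str, now: float) -> Tuple[bool, int, int]:
        """Return (allowed, requests remaining, seconds until the window resets)."""
        start, count = self._buckets.get(token, (now, 0))
        if now - start >= self.window:       # timer ran out: fresh allotment
            start, count = now, 0
        reset_in = int(self.window - (now - start))
        if count >= self.limit:              # allotment exhausted, caller must wait
            return False, 0, reset_in
        self._buckets[token] = (start, count + 1)
        return True, self.limit - count - 1, reset_in


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Check the token/secret pair from the request headers against the account store."""
    token = headers.get("X-Api-Token", "")
    secret = headers.get("X-Api-Secret", "")
    account = ACCOUNTS.get(token)
    if account is None or not account["active"]:
        return None
    # Constant-time comparison so response timing does not reveal how much of the secret matched.
    if not hmac.compare_digest(account["secret"], secret):
        return None
    return token


def handle_request(headers: Dict[str, str], limiter: RateLimiter, now: float) -> Tuple[int, dict]:
    """Authenticate on every request (HTTP is stateless), then apply the per-user limit."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "invalid or inactive credentials"}
    allowed, remaining, reset_in = limiter.allow(user, now)
    if not allowed:
        return 429, {"error": "rate limit exceeded", "Retry-After": reset_in}
    return 200, {"user": user, "remaining": remaining}
```

Unauthenticated requests are rejected before they consume any allotment, so a bad secret cannot be used to exhaust a real user's quota.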