API/HTTP Flashcards

1
Q

What is a URL?

A

A subset of URI that includes an explicit reference to how to access the resource, i.e. the protocol (ftp vs http).

2
Q

What is a URI?

A

A way of identifying a resource.

3
Q

What is a URN?

A

Everything after the //.
Consists of a host with a dedicated IP, then the resource path, and finally an optional URL query to transfer other information.

4
Q

What are the useful HTTP methods?

A

GET - request a resource from the server
POST - submit a resource to the server (like submitting a form)
PUT - replace a resource on the server
PATCH - update/modify a resource on the server
DELETE - delete a resource from the server
OPTIONS - get the options for the resource
TRACE - traceback loop

5
Q

What are the HTTP response categories?

A

100: Info
200: Success
300: Redirection
400: Client Error
500: Server Error

6
Q

What is REST vs SOAP?

A

REST: An architecture that allows the use of JSON or XML; lightweight, suited to mobile applications.

SOAP: Relies on the SOAP protocol and can only use XML for transfer; heavyweight, suited to enterprise applications.

7
Q

What are the 6 constraints of REST?

A

Client-server architecture: The client manages the UI, the server manages data storage.
Statelessness: No client information is stored on the server between requests; the client is responsible for maintaining state.
Cacheability: All REST responses must explicitly be marked as cacheable or not cacheable.
Layered System: The client shouldn't know or care whether it is connected to the server or to an intermediary like a CDN.
Code on Demand: Servers can transfer executable and compiled code to clients.
Uniform Interface:
1. Resource identification in requests: the URI request must specify where the resource is and what format the response should use.
2. Resource manipulation through representation: the client can modify a resource on the server once given a copy of it.
3. Self-descriptive messages: the data type must be specified by both server and client.
4. Hypermedia as the engine of application state: REST usage is described with every returned resource (via hyperlinks), like a choose-your-own-adventure novel.

8
Q

What is an API?

A

Application Programming Interface; allows different pieces of software to communicate with each other.

9
Q

What is the Bolt on strategy for developing APIs?

A

Add an API on to an existing system/code base. Easy to develop, but bad decisions in the existing infrastructure leak through to the API.

10
Q

What is the Greenfield Strategy for developing APIs?

A

An API-first or mobile-first mindset for new systems.
Leverages new technology and architectures for the best results, but is also the most difficult.

11
Q

What is the Facade strategy for API dev?

A

A mix of the previous strategies: replace code piece by piece.
Ideal for legacy systems because the app stays functional, but it leaves too many different mindsets in the system at the same time.

12
Q

What are the API Relationships?

A

Independent: Can exist on its own.
Dependent: Can only exist if another resource already exists.
Associative: Can be dependent or independent, but needs additional information.

13
Q

What is an API Key?

A

A method of authn/authz where the API provider issues a long string that is appended to the URL or sent as a header in the request. It is simple to implement and language/framework agnostic.

Drawbacks: URLs aren't secret; difficult to update/rotate if compromised.

14
Q

What is OAuth?

A

OAuth 2.0 is an authorization framework. It uses an access token to establish what actions are permitted. OpenID Connect is a special instance of OAuth 2.0.

15
Q

How does API versioning work?

A

Using the Accept header: establish the markup or notation, establish the media type, and establish the version of the media type and resource.

Using the URL: the API version is clear and explicit; nothing is lost with copy/paste.

16
Q

What is content negotiation?

A

A mechanism which allows multiple versions of a document to exist at a single URL, so that the client and server can determine which version to use.

17
Q

What are the OAuth main concepts?

A

Scopes: Permission scope.
Access Token: The current authorization instance.
Refresh Token: The next authorization instance.
Grant Type/Flow: The mechanism for retrieving tokens. Includes Authorization Code flow, Implicit or Authorization Code with PKCE, Client Credentials, and Resource Owner Password.

18
Q

What is an Opaque Token?

A

A unique string acting as an authorization string; there is nothing to decode or decrypt.

19
Q

What is a JSON Web Token?

A

A JWT consists of authorization and profile data.

20
Q

How are JWTs validated?

A
  1. Retrieve the keys document that represents the public key the token was signed with.
  2. Decode the token header and compare the KID against the keys document to make sure they match. If they don't, either the key document is out of date or the token is not for you.
  3. Use the key and payload to generate a signature and compare it against the token's; if they don't match, the token has been tampered with.
  4. Then decode the payload of the token and check the iss (issuer), aud (audience), cid (client id), and exp (expiration).

21
Q

What is the authorization Code Flow?

A

The user gets an auth code, and then the server uses the client ID and client secret to retrieve access and refresh tokens.

Can only be used when a user is involved and the app has a backend component.

22
Q

What is PKCE?

A

RFC 7636, Proof Key for Code Exchange. For mobile apps and single-page apps (public clients) that cannot store secrets. No client secret; instead, a local code verifier and code challenge are used for authorization.

23
Q

What are the security considerations for Auth Code Flow and PKCE?

A
  • Always use TLS/SSL
  • Validate tokens
  • Protect the Auth Code
  • Don’t worry about the access code
  • Protect your redirect_uri
24
Q

What are the security practices for the Implicit Flow?

A
  • Always use TLS/SSL
  • Validate tokens
  • Protect your redirect_uri
  • Don’t use GET
25
Q

When to use Implicit Flow?

A

For app maintenance only, as it was deprecated in favour of Auth Code + PKCE.

26
Q

When to use Resource Owner Password?

A

To bridge legacy systems to OAuth; a last resort.

27
Q

What is the Implicit Flow?

A

The client authorizes with the authorization server, since the client and the developer do not trust each other. The access token is exposed to the end user.

28
Q

What is the resource owner password flow?

A

The user submits credentials directly to the app, which then submits them to the auth server.

29
Q

What is the Client Credential Flow?

A

The client app needs access to a private resource, so it submits its ID and secret to the auth server.

30
Q

When should the client credential flow be used?

A

Should be used when there is no user involved, for example backend/microservice-only communication.

31
Q

What are the security practices for the client credential Flow?

A
  • Always use TLS/SSL
  • Validate tokens
  • Log and Track usage
32
Q

What is the Device Grant Type?

A

Uses a device ID + verification URI (such as a QR code) to authorize credentials against the auth server.

33
Q

When should the Device Grant Type be used?

A
  • NOT for mobile devices or most IoT devices.
  • Must meet 4 requirements:
    The device is already connected to the internet
    The device can make HTTPS requests
    The device must be able to communicate the URI to the end user
    The user has a device available to visit the URI
34
Q

What are the security considerations for the Device Grant Type?

A
  • Always use TLS/SSL
  • Validate tokens
  • Pass the user code along in the URL parameters
  • Use rate limiting on the auth server side
  • Don't trust devices