CDL Section 5 - Consuming REST-based APIs Flashcards
What is “Offset Pagination” with API requests? Why are these used?
→ Offset Pagination breaks up the content a client requests by using URL query parameters: a page size (limit) plus a page number or offset into the collection. The client can then ask for a specific slice of the data, or simply less data per request, instead of the whole collection at once.
The server, not the client, sets the ceiling on how much data it will return per request; it should clamp any larger limit the client sends. Large requests take more time and are more resource intensive for the server.
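The following is an added example, not code from the original flashcards: a simulated server handler that clamps the requested page size, and a client that walks the pages using limit/offset. The endpoint name (/items), the parameter names (limit, offset) and the sample rows are assumptions.

```python
# Added example, not from the original flashcards: offset pagination with a
# client-side page walker and a server-side page-size cap. The endpoint
# (/items), the parameter names (limit, offset) and the data are assumptions.
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data standing in for a database table of 23 rows.
RECORDS = [{"id": i, "name": f"item-{i}"} for i in range(1, 24)]

MAX_PAGE_SIZE = 10      # server-side cap: the server decides the largest page it will build
DEFAULT_PAGE_SIZE = 5


def handle_list_request(url: str) -> dict:
    """Simulated server handler for GET /items?limit=N&offset=M.

    Rejects malformed values and clamps the limit to MAX_PAGE_SIZE, so a client
    cannot make the server assemble an arbitrarily large (expensive) response.
    """
    query = parse_qs(urlparse(url).query)
    try:
        limit = int(query.get("limit", [DEFAULT_PAGE_SIZE])[0])
        offset = int(query.get("offset", [0])[0])
    except ValueError:
        return {"status": 400, "error": "limit and offset must be integers"}
    if limit < 1 or offset < 0:
        return {"status": 400, "error": "limit must be >= 1 and offset >= 0"}
    limit = min(limit, MAX_PAGE_SIZE)
    page = RECORDS[offset:offset + limit]
    return {"status": 200, "items": page, "limit": limit, "offset": offset, "total": len(RECORDS)}


def page_url(base: str, limit: int, offset: int) -> str:
    """Client side: build the next page URL with properly encoded query parameters."""
    return f"{base}?{urlencode({'limit': limit, 'offset': offset})}"


def fetch_all(base: str, page_size: int, fetch=handle_list_request) -> list:
    """Client side: walk the pages until the server runs out of rows.

    `fetch` is the transport; it defaults to the simulated handler above so the
    example runs offline, but a real client would pass a function doing HTTP GET.
    """
    items, offset = [], 0
    while True:
        resp = fetch(page_url(base, page_size, offset))
        if resp["status"] != 200:
            raise RuntimeError(f"API error {resp['status']}: {resp.get('error')}")
        items.extend(resp["items"])
        # Step by the limit the server actually applied, not the one we asked for:
        # if the server clamped a request for 50 rows to 10, stepping by 50 would skip rows.
        offset += resp["limit"]
        if len(resp["items"]) < resp["limit"] or offset >= resp["total"]:
            return items


if __name__ == "__main__":
    rows = fetch_all("https://api.example.test/items", page_size=50)
    print(f"fetched {len(rows)} rows in pages of at most {MAX_PAGE_SIZE}")
```

The client asks for 50 rows per page, the server silently serves 10, and the walker still sees every row because it advances by the limit echoed back in the response rather than the one it requested.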
What is Rate Limiting an API?
Rate Limiting caps the number of requests a given client (IP address, API key or user) may make to an API within a time window. It protects the API when usage suddenly spikes, or when someone is intentionally trying to overload or misbehave against it: requests over the limit are rejected (typically with HTTP 429 Too Many Requests) instead of being served.
When performing API Rate Limiting, is it more efficient to do it on the Client side or the Server side?
Server Side - Limits enforced on the server cannot be bypassed by the client, so they are what actually prevents denial of service (DoS) attacks that intend to disable the API by flooding it with a huge number of requests.
Client Side - A well-behaved client can throttle itself so it does not perform a large number of tasks that are costly for the API. This is cooperative only: a malicious or buggy client simply ignores it, so client-side limiting never replaces the server-side limit.
Rate limiting and payload limiting are different controls: rate limiting caps how many API requests are accepted per time window, while payload limiting caps the size of each API request body (and, in practice, how much work one request may ask for, such as a maximum page size).
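As an added example (not from the original flashcards), here is a server-side rate limiter, one token bucket per client key, placed next to a payload-size limit so the two controls can be compared. The client keys, limits and the request shape are assumptions.

```python
# Added example, not from the original flashcards: a server-side rate limiter
# (token bucket per client key) next to a payload-size limit. The client keys,
# limits and the request shape are assumptions.
import math
import time
from typing import Dict, Optional, Tuple

MAX_BODY_BYTES = 64 * 1024  # payload limit: refuse bodies over 64 KiB before parsing them


class TokenBucket:
    """Allows bursts of up to `capacity` requests, then `refill_per_sec` sustained."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds until the next token becomes available)."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - self.tokens) / self.refill_per_sec


class RateLimiter:
    """One bucket per client key (API key or source IP), so one abusive client
    cannot exhaust the quota of the others."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, client_key: str, now: float) -> Tuple[bool, float]:
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = self.buckets[client_key] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.try_consume(now)


def handle_request(limiter: RateLimiter, client_key: str, body: bytes,
                   now: Optional[float] = None) -> dict:
    """Server entry point: rate limit first (so oversized floods are throttled too),
    then the payload limit, then the real work."""
    now = time.monotonic() if now is None else now
    allowed, wait = limiter.check(client_key, now)
    if not allowed:
        # 429 Too Many Requests (RFC 6585); Retry-After tells a well-behaved client when to come back.
        return {"status": 429, "headers": {"Retry-After": str(math.ceil(wait))}}
    if len(body) > MAX_BODY_BYTES:
        return {"status": 413, "error": "payload too large"}
    return {"status": 200}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    for i in range(5):
        print(i, handle_request(limiter, "client-A", b"{}", now=0.0)["status"])
    print("after 1s:", handle_request(limiter, "client-A", b"{}", now=1.0)["status"])
```

The `now` parameter is injected so the clock can be controlled in tests; in production it defaults to a monotonic clock. Keying the buckets by client is what makes this a per-client limit rather than a global one; a global limit alone would let one flooder starve everyone.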
What are 2 methods of Security that protect backend API Endpoints?
Authentication & Authorization
What are the 3 main API Auth Mechanisms? Which is strongest?
Basic HTTP Auth (weakest) - the username and password are Base64-encoded (not encrypted) and sent on every request, so anyone who can read the traffic or the logs has the password.
API Key Auth - better than Basic because the key is a separate, revocable secret rather than the user's password, but it is still a long-lived secret passed into every API call.
Custom Token Auth (strongest) - the client presents its credentials once; if the server validates them, a custom, time-limited, signed auth token is sent to the client, which then sends the token instead of the credentials. Tokens expire and can be scoped, so a leaked token is far less damaging than a leaked password or key. Typically a 3rd party Auth server issues the tokens for this method.
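An added example of the custom-token flow (not code from the original flashcards): the server checks the credentials once, then issues an HMAC-SHA256-signed token with an expiry, and later verifies the signature and expiry instead of re-checking a password. The user store, the signing scheme, the claim names and the 15-minute lifetime are assumptions; a real deployment would typically use a dedicated auth server and a standard token format.

```python
# Added example, not from the original flashcards: custom token auth, where the
# server checks the user's credentials once and hands back a signed, time-limited
# token. The user store, the HMAC-SHA256 signature scheme and the 15-minute
# lifetime are assumptions; a real deployment would typically use a dedicated
# auth server and a standard token format.
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

SERVER_KEY = b"constructed-signing-key-replace-with-random-secret"  # demo only
TOKEN_TTL_SECONDS = 900  # tokens expire after 15 minutes


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash). Plaintext passwords are never stored.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def verify_credentials(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def issue_token(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Credentials are sent once; on success the client gets a token to use instead."""
    if not verify_credentials(username, password):
        return None
    now = int(time.time() if now is None else now)
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL_SECONDS, "scope": "read"}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signature = _b64(hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    now = int(time.time() if now is None else now)
    try:
        payload, signature = token.split(".")
        given = _unb64(signature)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time: no timing leak on the MAC
        return None
    claims = json.loads(_unb64(payload))  # safe to parse: the signature proved we produced it
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("alice", "correct horse battery staple")
    print("token:", token)
    print("claims:", verify_token(token))
```

The signature is checked before the payload is parsed, and with a constant-time comparison, so a forged or tampered token is rejected without revealing anything about the server key; the expiry check is what gives the token its limited lifetime.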
RECAP:
HTTP provides a framework for basic authentication and access control, which is often a good enough solution for simple APIs.
→ When a client requests a protected resource without credentials, the web server/API responds with 401 Unauthorized and a WWW-Authenticate header telling the client which scheme (e.g. Basic) to use in its Authorization header.
○ If the credentials in the Authorization header are valid, the server responds with 200 OK and the resource; if they are invalid it responds 401 again. (A 403 Forbidden means the identity was accepted but is not authorized for that resource.)
○ No HTTP authentication scheme is secure by itself: Basic credentials are only Base64-encoded, so anyone on the network path can decode them. At the very least, Transport Layer Security (TLS) must be used to encrypt the connection (forming an HTTPS connection), which is what protects the credentials in transit between client and server.
EX) Authorization header:
- The Authorization header is sent by the client to carry its credentials.
- Its value is the authentication scheme followed by the credentials, e.g. Authorization: Basic <Base64("username:password")>.
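The 401 challenge and the Authorization reply, simulated end to end as an added example (not code from the original flashcards). The realm name and the credential store are assumptions; a real store would hold password hashes, not plaintext.

```python
# Added example, not from the original flashcards: the HTTP Basic challenge and
# response exchange, simulated in one process. The realm name and the credential
# store are assumptions; a real store would hold password hashes, not plaintext.
import base64
import hmac
from typing import Optional, Tuple

USERS = {"alice": "s3cret"}  # constructed credential store (demo only)
REALM = "api"


def client_basic_header(username: str, password: str) -> str:
    """What the client puts in the Authorization header: scheme + Base64("user:password")."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header, or None if malformed."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # split on the FIRST colon: passwords may contain ':'
    if not sep:
        return None
    return user, password


def handle_request(headers: dict, scheme: str = "https") -> dict:
    """Server side: challenge, then verify. Refuses to accept credentials over plain HTTP."""
    if scheme != "https":
        return {"status": 400, "body": "credentials are only accepted over TLS"}
    challenge = {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}
    auth = headers.get("Authorization")
    if auth is None:
        return challenge
    creds = parse_basic_header(auth)
    if creds is None:
        return challenge
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge
    return {"status": 200, "body": f"hello {user}"}


def exchange(username: str, password: str) -> Tuple[int, str, int]:
    """Full round trip: request without credentials, challenge, authenticated retry."""
    first = handle_request({})
    challenge = first["headers"]["WWW-Authenticate"]
    retry = handle_request({"Authorization": client_basic_header(username, password)})
    return first["status"], challenge, retry["status"]


if __name__ == "__main__":
    print(exchange("alice", "s3cret"))
    # Base64 is encoding, not encryption: the password is in the clear to anyone who sees the header.
    print(base64.b64decode(client_basic_header("alice", "s3cret").split(" ", 1)[1]))
```

Note that the same 401 challenge is returned for a missing header, a malformed header and a wrong password, so the response does not tell an attacker which part failed, and that the parser splits on the first colon only, because the Basic scheme allows colons inside the password.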
Is HTTPS Symmetric or Asymmetric encryption?
Both. HTTPS (TLS) uses asymmetric encryption during the handshake: the server proves its identity with a certificate carrying its public key, and the two sides agree on a shared session key. The actual request and response data is then encrypted with fast symmetric encryption under that session key. The distinction: asymmetric encryption uses a public/private key pair, while symmetric encryption uses one shared secret key that both parties must possess.
EX) box with two keys:
§ One key (public key) can only close the lock, while the other (private) key can only open it.
§ If someone with a public key puts something in that box and then locks it, only the person with the private key can then open it and retrieve the contents.
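The two-key box in code, as an added example that is not part of the original flashcards: textbook RSA with the tiny primes p=61 and q=53 plays the box, and a hybrid round trip shows the HTTPS pattern of wrapping a random session key with the public key and encrypting the bulk data symmetrically. Everything here is a toy for illustration: the primes are far too small to be secure and the SHA-256 counter keystream is not a real cipher.

```python
# Added example, not from the original flashcards: the "box with two keys" in code,
# using textbook RSA with tiny primes (p=61, q=53), then the hybrid pattern HTTPS
# actually uses: the public key wraps a random session key and a symmetric cipher
# encrypts the data. Everything here is a toy for illustration; the primes are
# far too small and the symmetric keystream (SHA-256 counter) is not a real cipher.
import hashlib
import secrets
from typing import Tuple

Key = Tuple[int, int]


def make_toy_keypair(p: int = 61, q: int = 53, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key). Real keys use primes of 1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse: the private exponent (Python 3.8+)
    return (e, n), (d, n)


def lock(public_key: Key, message: int) -> int:
    """Anyone with the public key can lock (encrypt) a value smaller than n."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be in [0, n)")
    return pow(message, e, n)


def unlock(private_key: Key, ciphertext: int) -> int:
    """Only the private key opens the box. Feeding the public key here does NOT recover the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


def keystream(session_key: int, length: int) -> bytes:
    """Toy symmetric keystream: SHA-256 over (key, counter). One shared key, both directions."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key.to_bytes(8, "big") + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(session_key: int, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


def hybrid_encrypt(public_key: Key, plaintext: bytes) -> Tuple[int, bytes]:
    """HTTPS-style: asymmetric only for the small session key, symmetric for the bulk data."""
    session_key = secrets.randbelow(public_key[1])
    return lock(public_key, session_key), symmetric_xor(session_key, plaintext)


def hybrid_decrypt(private_key: Key, wrapped_key: int, ciphertext: bytes) -> bytes:
    return symmetric_xor(unlock(private_key, wrapped_key), ciphertext)


if __name__ == "__main__":
    public, private = make_toy_keypair()
    boxed = lock(public, 65)
    print("locked:", boxed, "unlocked:", unlock(private, boxed),
          "public key 'unlocks' to:", unlock(public, boxed))
    wrapped, ct = hybrid_encrypt(public, b"GET /items?limit=10")
    print(hybrid_decrypt(private, wrapped, ct))
```

With these parameters the public key is (17, 3233) and the private key is (2753, 3233); locking 65 gives 2790, and only the private exponent turns 2790 back into 65. The hybrid functions show why HTTPS is not purely asymmetric: the public key protects only the short session key, and everything else is symmetric.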
What are the trusted 3rd party public key/certificate exchanges called?
Certificate Authorities (CAs).
They specialize in issuing digital certificates.
Digital certificates provide identity for a digital entity, similar to what passports do for people: the CA's signature certifies that a public key really belongs to the named entity, so a client that trusts the CA can trust the key it receives in the HTTPS handshake.
What is “soft-coding” ?
Soft-coding is the technique of obtaining variable values (credentials, endpoints, limits) from external resources such as environment variables or configuration files at run time; it makes your code less domain-specific and keeps secrets out of the source.
Versus hard-coding, where you include credentials/data directly in the API source code, so they end up in version control and in every copy of the program.
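An added example, not code from the original flashcards, showing a hard-coded key beside a soft-coded loader that reads the environment first and a JSON file second, fails if the credential is missing, and keeps the secret out of its own repr. The variable names (API_BASE_URL, API_KEY, API_TIMEOUT_S), the JSON layout and the placeholder key are assumptions.

```python
# Added example, not from the original flashcards: soft-coded configuration. The
# variable names (API_BASE_URL, API_KEY, API_TIMEOUT_S), the JSON file layout and
# the placeholder key are assumptions.
import json
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Hard-coded (what the flashcard warns against): the secret is in the source, so it
# is in version control, in every build, and in every copy of the program.
HARDCODED_API_KEY = "sk_constructed_placeholder_not_a_real_key"


@dataclass(frozen=True)
class ApiConfig:
    base_url: str
    api_key: str
    timeout_s: float = 10.0

    def __repr__(self) -> str:  # keep the secret out of logs and tracebacks
        return f"ApiConfig(base_url={self.base_url!r}, api_key='***', timeout_s={self.timeout_s})"


def load_config(env: Optional[Mapping[str, str]] = None,
                config_path: Optional[str] = None) -> ApiConfig:
    """Soft-coded: values come from the environment, falling back to a JSON file.

    A missing credential is an error; there is deliberately no built-in default key.
    """
    env = os.environ if env is None else env
    file_cfg = {}
    if config_path and os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            file_cfg = json.load(fh)
    base_url = env.get("API_BASE_URL") or file_cfg.get("base_url")
    api_key = env.get("API_KEY") or file_cfg.get("api_key")
    if not base_url or not api_key:
        raise RuntimeError("API_BASE_URL and API_KEY must be provided via environment or config file")
    timeout = float(env.get("API_TIMEOUT_S") or file_cfg.get("timeout_s", 10.0))
    return ApiConfig(base_url=base_url, api_key=api_key, timeout_s=timeout)


if __name__ == "__main__":
    print(load_config(env={"API_BASE_URL": "https://api.example.test", "API_KEY": "k-from-env"}))
```

Taking `env` as a parameter rather than reading `os.environ` directly is what makes the loader testable without touching the real environment.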
Is encryption-at-rest Symmetric or Asymmetric?
Encryption at rest is Symmetric Encryption - the same key encrypts the data as it is written to storage and decrypts it when it is read back. Asymmetric encryption is too slow for bulk data, so if public-key cryptography is involved at all it is only to protect (wrap) the symmetric data key.