⛳️ Votre API passe-t-elle le contrôle technique ?

⛳️ Votre API passe-t-elle le contrôle technique ?
Votre API passe-t-elle le contrôle technique ?
François-Guillaume RIBREAU @FGRibreau
François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France ! Available for consulting
François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France 🌟 SaaS founder of ! Available for consulting
<quick> <history>
https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
I am quite convinced that in fact computing will become a very important science. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
I am quite convinced that in fact computing will become a very important science. But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
I am quite convinced that in fact computing will become a very important science. But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first.   If universities spend their time teaching the state of the art, they will not discover these principles and that, surely, is what academics should be doing. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
http://bit.ly/2CenmM7 Application Programming Interface (API)
'60s API (only) for libraries http://bit.ly/2CenmM7 Application Programming Interface (API)
'60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) http://bit.ly/2CenmM7 Application Programming Interface (API)
'60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) '00s REpresentational State Transfer (REST, Roy Fielding) http://bit.ly/2CenmM7 Application Programming Interface (API)
'60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) '00s REpresentational State Transfer (REST, Roy Fielding) '10s Public APIs, platforms emerge, hipster RPC protocols... http://bit.ly/2CenmM7 Application Programming Interface (API)
</history> </quick>
Votre API passe-t-elle le contrôle technique ?
Contrôle Technique (kɔ̃.tʁol tɛk.nik) “Porte sur 9 fonctions déclinées en 131 points de contrôle et 410 défaillances.”
“A type of job aid used to reduce failure by compensating for potential limits of human memory and attention.” Checklist (/ˈtʃɛklɪst/) Contrôle Technique (kɔ̃.tʁol tɛk.nik) “Porte sur 9 fonctions déclinées en 131 points de contrôle et 410 défaillances.”
control points70+
control points BUSINESS REQUIREMENTS ON-CALL RESPONSABILITY RISKS CRITICITY DATA-PRIVACY (PIA/AIDP) DEFINE SERVICE NAME HTTPS HSTS HEADER IAM AUTHORIZATION ACCESS VERSIONING CHANGELOG BACKWARD-COMPATIBILITY MAX SIMULTANEOUS CONNECTIONS LIMIT RATE-LIMITING QUOTA TIMEOUTS/RETRIES/CIRCUIT- BREAKERS FOR EVERY CALL CONFIGURE CORS X-CONTENT-TYPE: NOSNIFF X-FRAME-OPTIONS: DENY CONTENT-SECURITY-POLICIES FINGERPRINT PAGINATION SEARCH, SORTING AND FILTERING SUPPORT FIELD SELECTION SUPPORT FIELD EXPANSION UUID INSTEAD OF AUTO-INC USE SEMANTIC SHORTCUTS USE ASYNC HANDLING WHEN NECESSARY SUPPORT PUSH OVERALL CONSISTENCY OVERALL ERROR CONSISTENCY REMOVE SENSITIVE DATA RETURN MINIMUM OUTPUT DEFINE INDIRECTIONS MODEL WITH USAGE IN MIND SUPPORT I18N/G11N FUNCTIONAL ERRORS USE CDN HMAC SPLIT STATE AND LOGIC IMMUTABLE DATA AUDITABILITY SUPPORT PROD/TEST MODE SUPPORT MULTI-TENANT LEVERAGE TESTS POST-DEPLOY TESTS SMOKE-TESTS GENERATE DOCUMENTATION TEST DOCUMENTATION SDK/CLIENTS COST-EFFICIENCY CONTINUOUS DEPLOYMENT MULTI-REGION & GEO-DNS CACHING LOG SYSTEM USAGE MONITORING API USAGE MONITORING BUSINESS USAGE MONITORING PROFILING ERROR REPORTING ALERTING, WRITE RUNBOOKS HEALTH-CHECK TRACING STATUS PAGE BUG-BOUNTY SECURITY.TXT PORTAIL 70+
“Mettre le plus de contraintes en amont”
# Français “C'est en forgeant que l ’on devient forgeron.” “Mettre le plus de contraintes en amont”
# Français “C'est en forgeant que l ’on devient forgeron.” $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) “Mettre le plus de contraintes en amont”
# Français “C'est en forgeant que l ’on devient forgeron.” % Allemand Übung macht den Meister (L’exercice/habitude fait le maître) $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) “Mettre le plus de contraintes en amont”
# Français “C'est en forgeant que l ’on devient forgeron.” % Allemand Übung macht den Meister (L’exercice/habitude fait le maître) $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) & Japonais NaraWaNu Kyô Ha YoMeNu (Il est impossible de réciter un soûtra sans l'apprendre auparavant) “Mettre le plus de contraintes en amont”
Before development
What are your goals?
What are your goals?
Define business requirements
Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.” Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.” Define business requirements “95% of chart generation requests latency will be lower than 400ms over the month”
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Indicators (SLI) Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Indicators (SLI) Define business requirements Metrics. e.g. error ratios, latency, query per seconds, response time, uptime
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Agreements 💰 (SLA) Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Agreements 💰 (SLA) Define business requirements "an explicit or implicit contract with your users that includes consequences of meeting (or missing) the SLOs they contain" — SRE Book
Consider risks, data-privacy
Risks Consider illegitimate access to data. What risks? Likelihood? Consider illegitimate data change. What risks? Likelihood? Consider data disappearance. What risks? Likelihood?
Risks Consider illegitimate access to data. What risks? Likelihood? Consider illegitimate data change. What risks? Likelihood? Consider data disappearance. What risks? Likelihood? Data-Privacy (e.g. PIA - Privacy Impact Assessment) Does the API collect sensitive data? (e.g. political opinion, sexual orientation…) Does the API evaluate or note people? Does the API handle data about vulnerable people? ...
Define service name
“There are only two hard things in CS: cache invalidation and naming things” — Phil Karlton Define service name
Define service name
ups ( Define service name
ups ( rcpu 🤷 Define service name
ups ( rcpu 🤷 ghostbusters * Define service name
ups ( rcpu 🤷 ghostbusters * thanos-service 🙎 Define service name
ups ( rcpu 🤷 ghostbusters * thanos-service 🙎 user-preference ✅ Define service name
“Le nommage doit être ennuyeux” ✅ Descriptive & unambiguous ✅ Transparent ✅ Respect SSoT/SoC
During development
Use an Identity & Access Management service (IAM)
IAM 🎭 Authentication 👮 Authorization 🗂 Audit #SSoT #SoC
http://bit.ly/2TW4s6Q
http://bit.ly/2TW4s6Q Charts Product Team CMS Product Team BP-Editorial Product Team BP-Services Product Team
http://bit.ly/2TW4s6Q “L'entreprise est une plateforme sur laquelle reposent les équipes” Charts Product Team CMS Product Team BP-Editorial Product Team BP-Services Product Team
#SSoT #SoC http://bit.ly/2FdJk2v API IAM Policy Administration Point
http://bit.ly/2UFvPPZ
http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳
http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳 Employee 💻 malware/trojans
We don't live in the '90s anymore. Build with untrusted network in mind. Forget the unsafe trusted network paradigm. You do want Application Segmentation (zero trust). http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳 Employee 💻 malware/trojans
Set versioning Update changelog
Use semver
Use conventional commits
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com ... path (mainly RPC over HTTP) api.twitter.com/v1/ api.twitter.com/1.1/ api.twilio.com/2010-04-01/ Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com ... path (mainly RPC over HTTP) api.twitter.com/v1/ api.twitter.com/1.1/ api.twilio.com/2010-04-01/ Version your API ... query-string /?v={version} accept: application/vnd.github.v3+json ...through mime headers (standard)
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API
client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API ...and then there is
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api 1) authenticated api request API reverse-engineered
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 1) authenticated api request API reverse-engineered
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 1) authenticated api request API reverse-engineered
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 1) authenticated api request API reverse-engineered
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 5) execute request 1) authenticated api request API reverse-engineered
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 5) execute request 6) up-migration middlewares 1) authenticated api request API reverse-engineered
https://stripe.com/blog/api-versioning Version your API
Define backward-compatibility
https://stripe.com/docs/upgrades Define backward-compatibility
Ensure backward-compatibility
“Be conservative in what you send, be liberal in what you accept” — Postel's law (the Robustness Principle) Ensure backward-compatibility
Ensure backward-compatibility
Ensure backward-compatibility API = Application Programming Interface
Ensure backward-compatibility API = Application Programming Interface Interface ∈ Contract
Ensure backward-compatibility API = Application Programming Interface Interface ∈ Contract Find a way to test contracts
Ensure backward-compatibility Twitter "Diffy [...] catch bugs without requiring developers to write many tests" https://github.com/twitter/diffy
Ensure backward-compatibility https://pact.io
Support pagination Support search Support sorting Support filtering Support field selection Support field expansion
Support pagination
Support pagination ⚠ "yeah... maybe later" ⚠ O(n) 3
Support pagination “Tout limiter dans l'espace et dans le temps” ⚠ "yeah... maybe later" ⚠ O(n) 3
https://www.youtube.com/watch?v=UKrS_eXZfHw “Choisir entre une API RPC, SOAP, REST, GraphQL et si le problème était ailleurs ?”
“Mettre le plus de contraintes en amont”
(HTTP specific headers)
Access-Control-Allow-Origin: ... (HTTP specific headers)
Access-Control-Allow-Origin: ... x-content-type: no-sniff (HTTP specific headers)
Access-Control-Allow-Origin: ... x-content-type: no-sniff x-frame-options: deny (HTTP specific headers)
Access-Control-Allow-Origin: ... x-content-type: no-sniff x-frame-options: deny Content-Security-Policy: ... (HTTP specific headers)
Remove fingerprints 👁 - nginx/apache/framework name & versions - load-balancer/proxy/CDN
Split state & logic
Split state & logic Save data as immutable
Split state & logic Save data as immutable Support auditability
Leverage an object storage for files (AWS S3 / GCP Storage / Riak S2 / Minio) Split state & logic
Support multi-tenant
dev api-talks Talks
dev api-talks staging IAM Talks IAM
dev api-talks staging IAM Talks IAM
dev api-talks staging IAM Talks IAM Twitter API Twitter
dev api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
dev api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
production dev staging api-talks api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app)
production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app)
production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app) 🤔
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team PrivatePublic
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team PrivatePublic
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” PrivatePublic
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” production (realm) talks- staging (realm) talks- dev (realm)
production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” production (realm) talks- staging (realm) talks- dev (realm) production (????)
dev staging production api-talks production (organization) api-talks api-talks Support multi-tenant
dev staging production api-talks production (organization) api-talks api-talks Design primitives (e.g. realm, app, organization, website) to unleash your teams productivity 😇 and business opportunities 💵 Support multi-tenant
Your company is a platform, everything can be sold.
Your company is a platform, everything can be sold. Your company is a user — like anyone else — of your API.
Your company is a platform, everything can be sold. Your company is a user — like anyone else — of your API. Use your IAM Luke! Morpheus (not sure about this one)
https://amzn.to/2TfqaOI
"How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
"How do I run performance tests?" "How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
"How do I run performance tests?" "How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
Support test/prod mode
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Support test/prod mode
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Support test/prod mode
IAM
Hash-based Message Authentication Code HMAC
Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 Job done? 🍾
Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 Nope. 🦹
Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &sign={signature} Job done? 🍾
Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &sign={signature} Nope. #multi-tenant
Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &client_id={tenant_id} &sign={signature} Job done.
Verifying webhooks X-Shopify-Hmac-SHA256 HTTP header Stripe-Signature HTTP headersigned_request HTTP POST variable
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan How to protect my API monetization model?
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan How to protect my API monetization model?
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark ✅ Available extra-features
https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark ✅ Available extra-features ⚠ Caching
Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers
Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers “Tout limiter dans l'espace et dans le temps”
Leverage tests Write post-deploy tests Write smoke-tests (black-box testing)
Before production
Set max simultaneous connections limit Set rate-limiting
Set max simultaneous connections limit Set rate-limiting “Tout limiter dans l'espace et dans le temps”
https://amzn.to/2HHlq2phttp://bit.ly/2HFZSTO Define quota
Configure alerting, write runbooks
http://bit.ly/2JlncJ1
“Monitoring sans alerting ne sert à rien” http://bit.ly/2JlncJ1
https://gitlab.com/gitlab-com/runbooks
Generate documentation Generate SDK/clients Test documentation 😑
https://www.youtube.com/watch?v=g6Yg2e1cDe8 “Construire et automatiser son SaaS grâce à une spécification OpenAPI/Swagger”
https://github.com/apiaryio/dredd
Leverage CI/CD 😑
"Restart" deployment
"Restart" deployment Blue/green deployment
"Restart" deployment Blue/green deployment Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS)
"Restart" deployment Blue/green deployment Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS) Dark-launch + Canarying + rolling-updates (req. n-1 backward-compat) (commodity: GoReplay, Istio)
After production
Ensure cost-efficiency
Expose api in status page Promote bug-bounty Expose .well-known/security.txt Expose .well-known/dnt-policy.txt Expose in portail
control points BUSINESS REQUIREMENTS ON-CALL RESPONSABILITY RISKS CRITICITY DATA-PRIVACY (PIA/AIDP) DEFINE SERVICE NAME HTTPS HSTS HEADER IAM AUTHORIZATION ACCESS VERSIONING CHANGELOG BACKWARD-COMPATIBILITY MAX SIMULTANEOUS CONNECTIONS LIMIT RATE-LIMITING QUOTA TIMEOUTS/RETRIES/CIRCUIT- BREAKERS FOR EVERY CALL CONFIGURE CORS X-CONTENT-TYPE: NOSNIFF X-FRAME-OPTIONS: DENY CONTENT-SECURITY-POLICIES FINGERPRINT PAGINATION SEARCH, SORTING AND FILTERING SUPPORT FIELD SELECTION SUPPORT FIELD EXPANSION UUID INSTEAD OF AUTO-INC USE SEMANTIC SHORTCUTS USE ASYNC HANDLING WHEN NECESSARY SUPPORT PUSH OVERALL CONSISTENCY OVERALL ERROR CONSISTENCY REMOVE SENSITIVE DATA RETURN MINIMUM OUTPUT DEFINE INDIRECTIONS MODEL WITH USAGE IN MIND SUPPORT I18N/G11N FUNCTIONAL ERRORS USE CDN HMAC SPLIT STATE AND LOGIC IMMUTABLE DATA AUDITABILITY SUPPORT PROD/TEST MODE SUPPORT MULTI-TENANT LEVERAGE TESTS POST-DEPLOY TESTS SMOKE-TESTS GENERATE DOCUMENTATION TEST DOCUMENTATION SDK/CLIENTS COST-EFFICIENCY CONTINUOUS DEPLOYMENT MULTI-REGION & GEO-DNS CACHING LOG SYSTEM USAGE MONITORING API USAGE MONITORING BUSINESS USAGE MONITORING PROFILING ERROR REPORTING ALERTING, WRITE RUNBOOKS HEALTH-CHECK TRACING STATUS PAGE BUG-BOUNTY SECURITY.TXT PORTAIL 70+
Questions? @FGRibreau image-charts.com No more server-side rendering pain, 1 url = 1 chart redsmin.com Free plans for Redis administration & monitoring getnobullshit.com (Receive the 70+ points API checklist) 60 principes pratiques fondamentaux, applicables quotidiennement de la petite à la grande entreprise du développeur au CTO du tech-lead à l'architecte.
categories13
modeling performance scalability security recoverability backward compatibility deployment monitoring reporting system health troubleshooting reliability availability documenting categories13
BONUS
Define indirections
Use UUID instead of auto-increment Use semantic shortcuts Model with usage in mind
Configure health-check Log everything Configure system monitoring Configure API monitoring Configure business usage monitoring Configure profiling Implement error reporting Setup tracing 😑
Add server-side caching Leverage defensive-caching (grace mode) Support client-side caching 😑
Expose functional errors http://bit.ly/2uf53Cr
⚠ How do I let my S3 API users securely expose files/data?
✅ Control data access ✅ (optional) url expiration https://s3.amazonaws.com/{S3_BUCKET}/{path} ?Expires={expire_date} &AWSAccessKeyId={S3_ACCESS_KEY_ID} &Signature={signature} Note: signature through query string or Authorization header
Add HTTPS Add HSTS header
https://mzl.la/2T863Cl add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Add HTTPS Add HSTS header
Questions? @FGRibreau image-charts.com No more server-side rendering pain, 1 url = 1 chart redsmin.com Free plans for Redis administration & monitoring getnobullshit.com (Receive the 70+ points API checklist) 60 principes pratiques fondamentaux, applicables quotidiennement de la petite à la grande entreprise du développeur au CTO du tech-lead à l'architecte.

Check these out next

⛳️ Votre API passe-t-elle le contrôle technique ?

Recommended

More Related Content

Slideshows for you(20)

Similar to ⛳️ Votre API passe-t-elle le contrôle technique ?(20)

More from François-Guillaume Ribreau(12)

Recently uploaded(20)

⛳️ Votre API passe-t-elle le contrôle technique ?