Does your API pass the roadworthiness test?
François-Guillaume RIBREAU
@FGRibreau
Architect & Head of development @Ouest-France
🌟 SaaS founder of
Available for consulting
<quick>
<history>
https://bit.ly/2pMI7aJ
“I am quite convinced that in fact computing will become a very important science.
But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first.
If universities spend their time teaching the state of the art, they will not discover these principles and that, surely, is what academics should be doing.”
— Christopher Strachey, 1969 (50 yrs ago)
http://bit.ly/2CenmM7
Application Programming Interface (API)
'60s: API (only) for libraries
'80-90s: Remote access to procedural API (MoM/Queuing emerges)
'00s: REpresentational State Transfer (REST, Roy Fielding)
'10s: Public APIs, platforms emerge, hipster RPC protocols...
</history>
</quick>
Contrôle Technique (kɔ̃.tʁol tɛk.nik)
“Covers 9 functions broken down into 131 control points and 410 failures.”
Checklist (/ˈtʃɛklɪst/)
“A type of job aid used to reduce failure by compensating for potential limits of human memory and attention.”
70+ control points
BUSINESS REQUIREMENTS
ON-CALL RESPONSIBILITY
RISKS
CRITICALITY
DATA-PRIVACY (PIA/AIDP)
DEFINE SERVICE NAME
HTTPS
HSTS HEADER
IAM
AUTHORIZATION
ACCESS
VERSIONING
CHANGELOG
BACKWARD-COMPATIBILITY
MAX SIMULTANEOUS CONNECTIONS LIMIT
RATE-LIMITING
QUOTA
TIMEOUTS/RETRIES/CIRCUIT-BREAKERS FOR EVERY CALL
CONFIGURE CORS
X-CONTENT-TYPE-OPTIONS: NOSNIFF
X-FRAME-OPTIONS: DENY
CONTENT-SECURITY-POLICY
FINGERPRINT
PAGINATION
SEARCH, SORTING AND FILTERING
SUPPORT FIELD SELECTION
SUPPORT FIELD EXPANSION
UUID INSTEAD OF AUTO-INC
USE SEMANTIC SHORTCUTS
USE ASYNC HANDLING WHEN NECESSARY
SUPPORT PUSH
OVERALL CONSISTENCY
OVERALL ERROR CONSISTENCY
REMOVE SENSITIVE DATA
RETURN MINIMUM OUTPUT
DEFINE INDIRECTIONS
MODEL WITH USAGE IN MIND
SUPPORT I18N/G11N
FUNCTIONAL ERRORS
USE CDN
HMAC
SPLIT STATE AND LOGIC
IMMUTABLE DATA
AUDITABILITY
SUPPORT PROD/TEST MODE
SUPPORT MULTI-TENANT
LEVERAGE TESTS
POST-DEPLOY TESTS
SMOKE-TESTS
GENERATE DOCUMENTATION
TEST DOCUMENTATION
SDK/CLIENTS
COST-EFFICIENCY
CONTINUOUS DEPLOYMENT
MULTI-REGION & GEO-DNS
CACHING
LOG
SYSTEM USAGE MONITORING
API USAGE MONITORING
BUSINESS USAGE MONITORING
PROFILING
ERROR REPORTING
ALERTING, WRITE RUNBOOKS
HEALTH-CHECK
TRACING
STATUS PAGE
BUG-BOUNTY
SECURITY.TXT
PORTAL
“Put as many constraints as possible upstream”
French: “C'est en forgeant que l'on devient forgeron.” (it is by forging that one becomes a blacksmith)
German: Übung macht den Meister (practice makes the master)
Finnish: kukaan ei ole seppä syntyessään (no one is born a blacksmith)
Japanese: NaraWaNu Kyô Ha YoMeNu (you cannot recite a sutra without first learning it)
Before development
What are your goals?
Define business requirements
https://landing.google.com/sre/sre-book/chapters/service-level-objectives/
https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html
Service Level Objectives (SLO)
“Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.”
e.g. “95% of chart generation requests latency will be lower than 400ms over the month”
Service Level Indicators (SLI)
Metrics, e.g. error ratios, latency, queries per second, response time, uptime
Service Level Agreements 💰 (SLA)
"an explicit or implicit contract with your users that includes consequences of meeting (or missing) the SLOs they contain"
— SRE Book
Consider risks, data-privacy
Risks
Consider illegitimate access to data. What risks? Likelihood?
Consider illegitimate data change. What risks? Likelihood?
Consider data disappearance. What risks? Likelihood?
Data-Privacy (e.g. PIA - Privacy Impact Assessment)
Does the API collect sensitive data? (e.g. political opinion, sexual orientation…)
Does the API evaluate or rate people?
Does the API handle data about vulnerable people?
...
Define service name
“There are only two hard things in CS: cache invalidation and naming things”
— Phil Karlton
ups
rcpu 🤷
ghostbusters
thanos-service 🙎
user-preference ✅
“Naming should be boring”
✅ Descriptive & unambiguous
✅ Transparent
✅ Respect SSoT/SoC
During development
Use an Identity & Access Management service (IAM)
IAM
🎭 Authentication
👮 Authorization
🗂 Audit
#SSoT #SoC
http://bit.ly/2TW4s6Q
[Diagram: product teams (Charts, CMS, BP-Editorial, BP-Services) each relying on the shared IAM]
“The company is a platform on which the teams rest”
http://bit.ly/2FdJk2v
API / IAM / Policy Administration Point
http://bit.ly/2UFvPPZ
SaaS tools (outside perimeter) 🕳
Employee 💻 malware/trojans
We don't live in the '90s anymore.
Build with an untrusted network in mind.
Forget the unsafe trusted-network paradigm.
You do want Application Segmentation (zero trust).
Set versioning
Update changelog
Use semver
Use conventional commits
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html
Version your API
... through MIME headers (standard)
accept: application/vnd.github.v3+json
... sub-domain
{version}.domain.com
... path (mainly RPC over HTTP)
api.twitter.com/v1/
api.twitter.com/1.1/
api.twilio.com/2010-04-01/
... query-string
/?v={version}
... and then there is the reverse-engineered API
[Diagram: client, api, IAM]
1) authenticated api request
2) authenticate app request
3) get active app version
4) down-migration middlewares
5) execute request
6) up-migration middlewares
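The reverse-engineered flow above, as an added Python example that is not code from the talk or from Stripe: the version the calling app is pinned to (obtained from the IAM in steps 2 and 3) selects which migration middlewares wrap the single, newest handler. Version dates, field names and the handler are constructed for illustration.

```python
"""Stripe-style API versioning with migration middlewares.

Added example; not code from the talk or from Stripe. A client stays pinned to
the version it was built against, only the newest handler exists in the code
base, and each released version contributes two small middlewares: one that
migrates an older request forward to the current schema (the talk's step 4)
and one that migrates the current response back to the client's schema
(step 6). Version dates, field names and the handler are constructed.
"""
from dataclasses import dataclass
from typing import Callable

# Released versions, oldest first (constructed sample; ISO dates sort lexically).
VERSIONS = ["2019-01-01", "2019-03-01", "2019-06-01"]


@dataclass(frozen=True)
class VersionChange:
    version: str
    migrate_request: Callable[[dict], dict]   # previous schema -> this version
    migrate_response: Callable[[dict], dict]  # this version -> previous schema


def _user_to_owner(req: dict) -> dict:
    """2019-03-01 renamed the request/response field "user" to "owner"."""
    req = dict(req)
    if "user" in req:
        req["owner"] = req.pop("user")
    return req


def _owner_to_user(resp: dict) -> dict:
    resp = dict(resp)
    if "owner" in resp:
        resp["user"] = resp.pop("owner")
    return resp


def _add_legacy_id(resp: dict) -> dict:
    """2019-06-01 dropped "legacy_id"; older clients still expect it."""
    resp = dict(resp)
    resp["legacy_id"] = f"legacy-{resp['id']}"
    return resp


CHANGES = [
    VersionChange("2019-03-01", _user_to_owner, _owner_to_user),
    VersionChange("2019-06-01", lambda req: req, _add_legacy_id),
]


def handle_current(req: dict) -> dict:
    """Stand-in for the real handler; it only understands the newest schema."""
    return {"id": 42, "owner": req["owner"], "title": req["title"]}


def serve(pinned_version: str, req: dict) -> dict:
    """Steps 4-6 of the flow: migrate request, execute, migrate response.

    pinned_version is what the IAM returned for the authenticated app
    (steps 1-3 of the flow); here it is passed in directly.
    """
    if pinned_version not in VERSIONS:
        raise ValueError(f"unknown API version {pinned_version!r}")
    newer = [c for c in CHANGES if c.version > pinned_version]
    for change in newer:                  # request: client's version -> newest
        req = change.migrate_request(req)
    resp = handle_current(req)
    for change in reversed(newer):        # response: newest -> client's version
        resp = change.migrate_response(resp)
    return resp
```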
https://stripe.com/blog/api-versioning
Version your API
Define backward-compatibility
https://stripe.com/docs/upgrades
Ensure backward-compatibility
“Be conservative in what you send, be liberal in what you accept”
— Postel's law (the Robustness Principle)
API = Application Programming Interface
Interface ∈ Contract
Find a way to test contracts
Twitter: "Diffy [...] catch bugs without requiring developers to write many tests"
https://github.com/twitter/diffy
https://pact.io
Support pagination
Support search
Support sorting
Support filtering
Support field selection
Support field expansion
Support pagination
⚠ "yeah... maybe later" ⚠ O(n)
“Limit everything in space and in time”
https://www.youtube.com/watch?v=UKrS_eXZfHw
“Choosing between an RPC, SOAP, REST or GraphQL API: what if the problem lay elsewhere?”
“Put as many constraints as possible upstream”
(HTTP specific headers)
Access-Control-Allow-Origin: ...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: ...
Remove fingerprints 👁
- nginx/apache/framework name & versions
- load-balancer/proxy/CDN
Split state & logic
Save data as immutable
Support auditability
Leverage an object storage for files (AWS S3 / GCP Storage / Riak S2 / Minio)
Support multi-tenant
[Diagram, built up step by step: the Talks team's api-talks service in dev, staging and production, the talks-dev, talks-staging and talks-production apps, each environment with its own IAM (Talks IAM), the Twitter API as an external dependency, Team and Private/Public boundaries, then IAM realms (talks-dev, talks-staging, production) and an organization scope on production]
“Teams point at each other's production”
🤔 production (????)
Design primitives (e.g. realm, app, organization, website) to unleash your teams' productivity 😇 and business opportunities 💵
Your company is a platform, everything can be sold.
Your company is a user — like anyone else — of your API.
Use your IAM Luke!
Morpheus (not sure about this one)
https://amzn.to/2TfqaOI
"How do I run my system/e2e tests?"
"How do I run performance tests?"
Support test/prod mode
https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html
IAM
Hash-based Message Authentication Code (HMAC)
Media server
https://media.my-website.com/images/{uuid}.{png|webp}
?width=700
&height=300
Job done? 🍾 Nope. 🦹
https://media.my-website.com/images/{uuid}.{png|webp}
?width=700
&height=300
&sign={signature}
Job done? 🍾 Nope. #multi-tenant
https://media.my-website.com/images/{uuid}.{png|webp}
?width=700
&height=300
&client_id={tenant_id}
&sign={signature}
Job done.
Verifying webhooks
X-Shopify-Hmac-SHA256 HTTP header
Stripe-Signature HTTP header
signed_request HTTP POST variable
How to protect my API monetization model?
https://image-charts.com/chart
?chs=700x300
&chxt=x,y
&chl=2018|2017|2015
&chd=t:60,40,20
&cht=pa
&chdl=Image|Charts|Rocks
&chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a,0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1
&chan
Same chart, signed:
https://image-charts.com/chart
?chs=700x300
&chxt=x,y
&chl=2018|2017|2015
&chd=t:60,40,20
&cht=pa
&chdl=Image|Charts|Rocks
&chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a,0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1
&chan
&icac=fgribreau
&ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27
✅ Signed URL
✅ Removed watermark
✅ Available extra-features
⚠ Caching
Define timeouts for every call (pg: statement_timeout)
Implement retries (e.g. exponential backoff)
Define circuit-breakers
“Limit everything in space and in time”
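An added Python example, not from the talk, that wires the three items above around one outbound call: a per-attempt timeout handed to the callee, bounded retries with exponential backoff, and a circuit breaker that fails fast after repeated failures. The dependency function, sleep and clock are injected so it runs offline.

```python
"""Timeouts, bounded exponential-backoff retries and a circuit breaker.

Added example; not code from the talk. Every attempt gets its own timeout, a
failed attempt is retried a bounded number of times with growing delay, and
once the breaker has seen too many consecutive failures it refuses calls for
a cool-down period instead of piling load onto a struggling dependency.
"""
import time


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without attempting it."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        # After the cool-down one probe call is allowed through ("half-open").
        return "half-open" if self.clock() - self.opened_at >= self.reset_after else "open"

    def before_call(self):
        if self.state == "open":
            raise CircuitOpen("dependency marked unhealthy; failing fast")

    def record_success(self):
        self.failures = 0
        self.opened_at = None

    def record_failure(self):
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()  # open (or re-open after a failed probe)


def call_with_policy(fn, breaker, *, attempts=3, base_delay=0.1,
                     per_call_timeout=2.0, sleep=time.sleep):
    """Run fn(timeout) under the breaker with bounded exponential-backoff retries.

    fn must honour the timeout it receives (pass it to the HTTP client, or set
    statement_timeout on the database session) and raise on failure.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    breaker.before_call()
    last_exc = None
    for attempt in range(attempts):
        try:
            result = fn(per_call_timeout)
        except Exception as exc:  # any dependency error counts as a failure
            last_exc = exc
            breaker.record_failure()
            if breaker.state == "open" or attempt == attempts - 1:
                break
            sleep(base_delay * (2 ** attempt))  # 0.1s, 0.2s, 0.4s, ...
            continue
        breaker.record_success()
        return result
    raise last_exc
```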
Leverage tests
Write post-deploy tests
Write smoke-tests (black-box testing)
Before production
Set max simultaneous connections limit
Set rate-limiting
“Limit everything in space and in time”
https://amzn.to/2HHlq2p
http://bit.ly/2HFZSTO
Define quota
Configure alerting, write runbooks
http://bit.ly/2JlncJ1
“Monitoring without alerting is useless”
https://gitlab.com/gitlab-com/runbooks
Generate documentation
Generate SDK/clients
Test documentation
😑
https://www.youtube.com/watch?v=g6Yg2e1cDe8
“Building and automating your SaaS with an OpenAPI/Swagger specification”
https://github.com/apiaryio/dredd
Leverage CI/CD
😑
"Restart" deployment
Blue/green deployment
Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS)
Dark-launch + Canarying + rolling-updates (req. n-1 backward-compat) (commodity: GoReplay, Istio)
After production
Ensure cost-efficiency
Expose api in status page
Promote bug-bounty
Expose .well-known/security.txt
Expose .well-known/dnt-policy.txt
Expose in portal
Questions?
@FGRibreau
image-charts.com
No more server-side rendering pain,
1 url = 1 chart
redsmin.com
Free plans for Redis
administration & monitoring
getnobullshit.com
(Receive the 70+ points API
checklist)
60 practical, fundamental principles, applicable daily, from small to large companies, from developer to CTO, from tech lead to architect.
13 categories
modeling
performance
scalability
security
recoverability
backward compatibility
deployment
monitoring
reporting system health
troubleshooting
reliability
availability
documenting
BONUS
Define indirections
Use UUID instead of auto-increment
Use semantic shortcuts
Model with usage in mind
Configure health-check
Log everything
Configure system monitoring
Configure API monitoring
Configure business usage monitoring
Configure profiling
Implement error reporting
Setup tracing
😑
Add server-side caching
Leverage defensive-caching (grace mode)
Support client-side caching
😑
Expose functional errors
http://bit.ly/2uf53Cr
⚠ How do I let my S3 API users securely expose files/data?
✅ Control data access
✅ (optional) url expiration
https://s3.amazonaws.com/{S3_BUCKET}/{path}
?Expires={expire_date}
&AWSAccessKeyId={S3_ACCESS_KEY_ID}
&Signature={signature}
Note: signature through query string or Authorization header
Add HTTPS
Add HSTS header
https://mzl.la/2T863Cl
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;