Successfully reported this slideshow.

⛳️ Votre API passe-t-elle le contrôle technique ?

7

Share

Apr. 10, 2019
7 likes 3,063 views
Upcoming SlideShare
Docker, how to use it. organize a meeting with IBM products...
Docker, how to use it. organize a meeting with IBM products...
Loading in …3
×
1 of 204
1 of 204

⛳️ Votre API passe-t-elle le contrôle technique ?

Apr. 10, 2019
7 likes 3,063 views

7

Share

Download to read offline

Engineering

https://getnobullshit.com/

Nous savons tous développer une API mais avons-nous bien intégré toutes les problématiques?

Son aspect organisationnel et humain, sa gouvernance, ses contraintes business et d'opérabilité (SLA, SLO, SLI), son release management, ses méthodes de requêtage, sa sécurité (ses performances, sa mise à l'échelle), ses différents types de test, sa documentation, son versioning (compatibilité, changelog), son monitoring — et bien plus encore — de cette API une fois en production ?

Durant ce talk, c'est plus de 30 points d'attentions rarement évoqué que je vous propose d'aborder, à la lumière de retours d'expériences provenant de tech-leader comme Uber, Stripe, Facebook et Google mais aussi d'entreprise française de la petite startup à la PME.

https://getnobullshit.com/

Nous savons tous développer une API mais avons-nous bien intégré toutes les problématiques?

Son aspect organisationnel et humain, sa gouvernance, ses contraintes business et d'opérabilité (SLA, SLO, SLI), son release management, ses méthodes de requêtage, sa sécurité (ses performances, sa mise à l'échelle), ses différents types de test, sa documentation, son versioning (compatibilité, changelog), son monitoring — et bien plus encore — de cette API une fois en production ?

Durant ce talk, c'est plus de 30 points d'attentions rarement évoqué que je vous propose d'aborder, à la lumière de retours d'expériences provenant de tech-leader comme Uber, Stripe, Facebook et Google mais aussi d'entreprise française de la petite startup à la PME.

Engineering

Recommended

More Related Content

Similar to ⛳️ Votre API passe-t-elle le contrôle technique ?

docker : how to deploy Digital Experience in a container drinking a cup of co...
Matteo Bisi
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
CloudOps2005
10 tips for Cloud Native Security
Karthik Gaekwad
Amazon API Gateway
Mark Bate
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
Spinnaker Summit 2018: CI/CD Patterns for Kubernetes with Spinnaker
Andrew Phillips
Guidelines to protect your APIs from threats
Isabelle Mauny
Steve Sfartz - How to embed Messaging and Video in your apps - Codemotion Mil...
Codemotion
Container microservices
Tsuyoshi Ushio
You got a couple Microservices, now what? - Adding SRE to DevOps
Gonzalo Maldonado
Deep Dive into Docker Swarm Mode
Ajeet Singh Raina
Effective Platform Building with Kubernetes. Is K8S new Linux?
Wojciech Barczyński
Deep dive into Kubernetes Networking
Sreenivas Makam
Nginx Deep Dive Kubernetes Ingress
Knoldus Inc.
(RivieraDev 2018) #serverless - 2 ans de retourS d'expérience
Ludovic Piot
60分鐘完送百萬edm,背後雲端ci/cd實戰大公開
KAI CHU CHUNG
OpenStack Day 2 Operations (Toronto)
Dirk Wallerstorfer
DevOps for the DBA- Jax Style!
Kellyn Pot'Vin-Gorman
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Mario Ishara Fernando
Introduction to DevOps
Dmitry Buzdin

More from François-Guillaume Ribreau

Choisir entre une API RPC, SOAP, REST, GraphQL? 
Et si le problème était ai...
François-Guillaume Ribreau
He stopped using for/while loops, you won't believe what happened next!
François-Guillaume Ribreau
Une plateforme moderne pour le groupe SIPA/Ouest-France 
François-Guillaume Ribreau
[BreizhCamp, format 15min] Construire et automatiser l'ecosystème de son Saa...
François-Guillaume Ribreau
[BreizhCamp, format 15min] Une api rest et GraphQL sans code grâce à PostgR...
François-Guillaume Ribreau
RedisConf 2016 - Redis usage and ecosystem
François-Guillaume Ribreau
Implementing pattern-matching in JavaScript (full version)
François-Guillaume Ribreau
Implementing pattern-matching in JavaScript (short version)
François-Guillaume Ribreau
Automatic constraints as a team maturity accelerator for startups
François-Guillaume Ribreau
Development Principles & Philosophy
François-Guillaume Ribreau
Les enjeux de l'information et de l'algorithmique dans notre société
François-Guillaume Ribreau
How I monitor SaaS products
François-Guillaume Ribreau
Continous Integration of (JS) projects & check-build philosophy
François-Guillaume Ribreau
Introduction to Redis
François-Guillaume Ribreau
Approfondissement CSS3
François-Guillaume Ribreau
Découverte HTML5/CSS3
François-Guillaume Ribreau

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Understanding Media: The Extensions of Man Marshall McLuhan
(4/5)
Free
The Art of War Sun Tsu
(3/5)
Free
Uncommon Carriers John McPhee
(3.5/5)
Free
The Victorian Internet: The Remarkable Story of the Telegraph and the Nineteenth Century's On-line Pioneers Tom Standage
(3.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

⛳️ Votre API passe-t-elle le contrôle technique ?

  1. 1. Votre API passe-t-elle le contrôle technique ?
  2. 2. François-Guillaume RIBREAU @FGRibreau
  3. 3. François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France ! Available for consulting
  4. 4. François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France 🌟 SaaS founder of ! Available for consulting
  5. 5. François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France 🌟 SaaS founder of ! Available for consulting
  6. 6. François-Guillaume RIBREAU @FGRibreau Architect & Head of development @Ouest-France 🌟 SaaS founder of ! Available for consulting
  7. 7. <quick> <history>
  8. 8. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
  9. 9. I am quite convinced that in fact computing will become a very important science. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
  10. 10. I am quite convinced that in fact computing will become a very important science. But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
  11. 11. I am quite convinced that in fact computing will become a very important science. But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first. 
 If universities spend their time teaching the state of the art, they will not discover these principles and that, surely, is what academics should be doing. https://bit.ly/2pMI7aJ “ ” — Christopher Strachey, 1969 (50 yrs ago)
  12. 12. http://bit.ly/2CenmM7 Application Programming Interface (API)
  13. 13. '60s API (only) for libraries http://bit.ly/2CenmM7 Application Programming Interface (API)
  14. 14. '60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) http://bit.ly/2CenmM7 Application Programming Interface (API)
  15. 15. '60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) '00s REpresentational State Transfer (REST, Roy Fielding) http://bit.ly/2CenmM7 Application Programming Interface (API)
  16. 16. '60s API (only) for libraries '80-90s Remote access to procedural API (MoM/Queuing emerges) '00s REpresentational State Transfer (REST, Roy Fielding) '10s Public APIs, platforms emerge, hipster RPC protocols... http://bit.ly/2CenmM7 Application Programming Interface (API)
  17. 17. </history> </quick>
  18. 18. Votre API passe-t-elle le contrôle technique ?
  19. 19. Contrôle Technique (kɔ̃.tʁol tɛk.nik) “Porte sur 9 fonctions déclinées en 131 points de contrôle et 410 défaillances.”
  20. 20. “A type of job aid used to reduce failure by compensating for potential limits of human memory and attention.” Checklist (/ˈtʃɛklɪst/) Contrôle Technique (kɔ̃.tʁol tɛk.nik) “Porte sur 9 fonctions déclinées en 131 points de contrôle et 410 défaillances.”
  21. 21. control points70+
  22. 22. control points BUSINESS REQUIREMENTS ON-CALL RESPONSABILITY RISKS CRITICITY DATA-PRIVACY (PIA/AIDP) DEFINE SERVICE NAME HTTPS HSTS HEADER IAM AUTHORIZATION ACCESS VERSIONING CHANGELOG BACKWARD-COMPATIBILITY MAX SIMULTANEOUS CONNECTIONS LIMIT RATE-LIMITING QUOTA TIMEOUTS/RETRIES/CIRCUIT- BREAKERS FOR EVERY CALL CONFIGURE CORS X-CONTENT-TYPE: NOSNIFF X-FRAME-OPTIONS: DENY CONTENT-SECURITY-POLICIES FINGERPRINT PAGINATION SEARCH, SORTING AND FILTERING SUPPORT FIELD SELECTION SUPPORT FIELD EXPANSION UUID INSTEAD OF AUTO-INC USE SEMANTIC SHORTCUTS USE ASYNC HANDLING WHEN NECESSARY SUPPORT PUSH OVERALL CONSISTENCY OVERALL ERROR CONSISTENCY REMOVE SENSITIVE DATA RETURN MINIMUM OUTPUT DEFINE INDIRECTIONS MODEL WITH USAGE IN MIND SUPPORT I18N/G11N FUNCTIONAL ERRORS USE CDN HMAC SPLIT STATE AND LOGIC IMMUTABLE DATA AUDITABILITY SUPPORT PROD/TEST MODE SUPPORT MULTI-TENANT LEVERAGE TESTS POST-DEPLOY TESTS SMOKE-TESTS GENERATE DOCUMENTATION TEST DOCUMENTATION SDK/CLIENTS COST-EFFICIENCY CONTINUOUS DEPLOYMENT MULTI-REGION & GEO-DNS CACHING LOG SYSTEM USAGE MONITORING API USAGE MONITORING BUSINESS USAGE MONITORING PROFILING ERROR REPORTING ALERTING, WRITE RUNBOOKS HEALTH-CHECK TRACING STATUS PAGE BUG-BOUNTY SECURITY.TXT PORTAIL 70+
  23. 23. “Mettre le plus de contraintes en amont”
  24. 24. # Français “C'est en forgeant que l ’on devient forgeron.” “Mettre le plus de contraintes en amont”
  25. 25. # Français “C'est en forgeant que l ’on devient forgeron.” $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) “Mettre le plus de contraintes en amont”
  26. 26. # Français “C'est en forgeant que l ’on devient forgeron.” % Allemand Übung macht den Meister (L’exercice/habitude fait le maître) $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) “Mettre le plus de contraintes en amont”
  27. 27. # Français “C'est en forgeant que l ’on devient forgeron.” % Allemand Übung macht den Meister (L’exercice/habitude fait le maître) $ Finnois kukaan ei ole seppä syntyessään (personne n'est né forgeron) & Japonais NaraWaNu Kyô Ha YoMeNu (Il est impossible de réciter un soûtra sans l'apprendre auparavant) “Mettre le plus de contraintes en amont”
  28. 28. Before development
  29. 29. What are your goals?
  30. 30. What are your goals?
  31. 31. Define business requirements
  32. 32. Define business requirements
  33. 33. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) Define business requirements
  34. 34. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Define business requirements
  35. 35. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.” Define business requirements
  36. 36. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Objectives (SLO) “Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.” Define business requirements “95% of chart generation requests latency will be lower than 400ms over the month”
  37. 37. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Indicators (SLI) Define business requirements
  38. 38. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Indicators (SLI) Define business requirements Metrics. e.g. error ratios, latency, query per seconds, response time, uptime
  39. 39. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Agreements 💰 (SLA) Define business requirements
  40. 40. https://landing.google.com/sre/sre-book/chapters/service-level-objectives/ https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html Service Level Agreements 💰 (SLA) Define business requirements "an explicit or implicit contract with your users that includes consequences of meeting (or missing) the SLOs they contain" — SRE Book
  41. 41. Consider risks, data-privacy
  42. 42. Risks Consider illegitimate access to data. What risks? Likelihood? Consider illegitimate data change. What risks? Likelihood? Consider data disappearance. What risks? Likelihood?
  43. 43. Risks Consider illegitimate access to data. What risks? Likelihood? Consider illegitimate data change. What risks? Likelihood? Consider data disappearance. What risks? Likelihood? Data-Privacy (e.g. PIA - Privacy Impact Assessment) Does the API collect sensitive data? (e.g. political opinion, sexual orientation…) Does the API evaluate or note people? Does the API handle data about vulnerable people? ...
  44. 44. Define service name
  45. 45. “There are only two hard things in CS: cache invalidation and naming things” — Phil Karlton Define service name
  46. 46. Define service name
  47. 47. ups ( Define service name
  48. 48. ups ( rcpu 🤷 Define service name
  49. 49. ups ( rcpu 🤷 ghostbusters * Define service name
  50. 50. ups ( rcpu 🤷 ghostbusters * thanos-service 🙎 Define service name
  51. 51. ups ( rcpu 🤷 ghostbusters * thanos-service 🙎 user-preference ✅ Define service name
  52. 52. “Le nommage doit être ennuyeux” ✅ Descriptive & unambiguous ✅ Transparent ✅ Respect SSoT/SoC
  53. 53. During development
  54. 54. Use an Identity & Access Management service (IAM)
  55. 55. IAM 🎭 Authentication 👮 Authorization 🗂 Audit #SSoT #SoC
  56. 56. http://bit.ly/2TW4s6Q
  57. 57. http://bit.ly/2TW4s6Q
  58. 58. http://bit.ly/2TW4s6Q
  59. 59. http://bit.ly/2TW4s6Q
  60. 60. http://bit.ly/2TW4s6Q
  61. 61. http://bit.ly/2TW4s6Q Charts Product Team CMS Product Team BP-Editorial Product Team BP-Services Product Team
  62. 62. http://bit.ly/2TW4s6Q “L'entreprise est une plateforme sur laquelle reposent les équipes” Charts Product Team CMS Product Team BP-Editorial Product Team BP-Services Product Team
  63. 63. #SSoT #SoC http://bit.ly/2FdJk2v API IAM Policy Administration Point
  64. 64. http://bit.ly/2UFvPPZ
  65. 65. http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳
  66. 66. http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳 Employee 💻 malware/trojans
  67. 67. We don't live in the '90s anymore. Build with untrusted network in mind. Forget the unsafe trusted network paradigm. You do want Application Segmentation (zero trust). http://bit.ly/2UFvPPZ SaaS tools (outside perimeter) 🕳 Employee 💻 malware/trojans
  68. 68. Set versioning Update changelog
  69. 69. Use semver
  70. 70. Use conventional commits
  71. 71. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
  72. 72. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
  73. 73. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com ... path (mainly RPC over HTTP) api.twitter.com/v1/ api.twitter.com/1.1/ api.twilio.com/2010-04-01/ Version your API accept: application/vnd.github.v3+json ...through mime headers (standard)
  74. 74. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html ... sub-domain {version}.domain.com ... path (mainly RPC over HTTP) api.twitter.com/v1/ api.twitter.com/1.1/ api.twilio.com/2010-04-01/ Version your API ... query-string /?v={version} accept: application/vnd.github.v3+json ...through mime headers (standard)
  75. 75. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API
  76. 76. client api https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Version your API ...and then there is
  77. 77. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api 1) authenticated api request API reverse-engineered
  78. 78. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 1) authenticated api request API reverse-engineered
  79. 79. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 1) authenticated api request API reverse-engineered
  80. 80. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 1) authenticated api request API reverse-engineered
  81. 81. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 5) execute request 1) authenticated api request API reverse-engineered
  82. 82. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html client api IAM 2) authenticate app request 3) get active app version 4) down-migration middlewares 5) execute request 6) up-migration middlewares 1) authenticated api request API reverse-engineered
  83. 83. https://stripe.com/blog/api-versioning Version your API
  84. 84. Define backward-compatibility
  85. 85. https://stripe.com/docs/upgrades Define backward-compatibility
  86. 86. Ensure backward-compatibility
  87. 87. “Be conservative in what you send, be liberal in what you accept” — Postel's law (the Robustness Principle) Ensure backward-compatibility
  88. 88. Ensure backward-compatibility
  89. 89. Ensure backward-compatibility API = Application Programming Interface
  90. 90. Ensure backward-compatibility API = Application Programming Interface Interface ∈ Contract
  91. 91. Ensure backward-compatibility API = Application Programming Interface Interface ∈ Contract Find a way to test contracts
  92. 92. Ensure backward-compatibility Twitter "Diffy [...] catch bugs without requiring developers to write many tests" https://github.com/twitter/diffy
  93. 93. Ensure backward-compatibility https://pact.io
  94. 94. Support pagination Support search Support sorting Support filtering Support field selection Support field expansion
  95. 95. Support pagination
  96. 96. Support pagination ⚠ "yeah... maybe later" ⚠ O(n) 3
  97. 97. Support pagination “Tout limiter dans l'espace et dans le temps” ⚠ "yeah... maybe later" ⚠ O(n) 3
  98. 98. https://www.youtube.com/watch?v=UKrS_eXZfHw “Choisir entre une API RPC, SOAP, REST, GraphQL et si le problème était ailleurs ?”
  99. 99. “Mettre le plus de contraintes en amont”
  100. 100. (HTTP specific headers)
  101. 101. Access-Control-Allow-Origin: ... (HTTP specific headers)
  102. 102. Access-Control-Allow-Origin: ... x-content-type: no-sniff (HTTP specific headers)
  103. 103. Access-Control-Allow-Origin: ... x-content-type: no-sniff x-frame-options: deny (HTTP specific headers)
  104. 104. Access-Control-Allow-Origin: ... x-content-type: no-sniff x-frame-options: deny Content-Security-Policy: ... (HTTP specific headers)
  105. 105. Remove fingerprints 👁 - nginx/apache/framework name & versions - load-balancer/proxy/CDN
  106. 106. Split state & logic
  107. 107. Split state & logic Save data as immutable
  108. 108. Split state & logic Save data as immutable Support auditability
  109. 109. Leverage an object storage for files (AWS S3 / GCP Storage / Riak S2 / Minio) Split state & logic
  110. 110. Support multi-tenant
  111. 111. dev api-talks Talks
  112. 112. dev api-talks staging IAM Talks IAM
  113. 113. dev api-talks staging IAM Talks IAM
  114. 114. dev api-talks staging IAM Talks IAM Twitter API Twitter
  115. 115. dev api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
  116. 116. dev api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
  117. 117. dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
  118. 118. dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app)
  119. 119. dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
  120. 120. dev staging api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
  121. 121. production dev staging api-talks api-talks api-talks staging IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
  122. 122. production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app)
  123. 123. production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app)
  124. 124. production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app)
  125. 125. production dev staging api-talks api-talks api-talks production staging IAM IAM Talks IAM Twitter API Twitter talks- dev (app) talks- staging (app) talks- production (app) 🤔
  126. 126. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team
  127. 127. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team
  128. 128. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team PrivatePublic
  129. 129. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team PrivatePublic
  130. 130. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” PrivatePublic
  131. 131. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” production (realm) talks- staging (realm) talks- dev (realm)
  132. 132. production dev staging IAM IAM production dev staging api-talks api-talks api-talks production dev staging IAM IAM IAM Talks IAM Twitter API Twitter TeamTeam talks- dev (app) talks- staging (app) talks- production (app) Team “Les équipes pointent sur la production des autres” production (realm) talks- staging (realm) talks- dev (realm) production (????)
  133. 133. dev staging production api-talks production (organization) api-talks api-talks Support multi-tenant
  134. 134. dev staging production api-talks production (organization) api-talks api-talks Design primitives (e.g. realm, app, organization, website) to unleash your teams productivity 😇 and business opportunities 💵 Support multi-tenant
  135. 135. Your company is a platform, everything can be sold.
  136. 136. Your company is a platform, everything can be sold. Your company is a user — like anyone else — of your API.
  137. 137. Your company is a platform, everything can be sold. Your company is a user — like anyone else — of your API. Use your IAM Luke! Morpheus (not sure about this one)
  138. 138. https://amzn.to/2TfqaOI
  139. 139. "How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
  140. 140. "How do I run performance tests?" "How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
  141. 141. "How do I run performance tests?" "How do I run my system/e2e tests?" https://amzn.to/2TfqaOI
  142. 142. Support test/prod mode
  143. 143. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Support test/prod mode
  144. 144. https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html Support test/prod mode
  145. 145. IAM
  146. 146. Hash-based Message Authentication Code HMAC
  147. 147. Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 Job done? 🍾
  148. 148. Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 Nope. 🦹
  149. 149. Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &sign={signature} Job done? 🍾
  150. 150. Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &sign={signature} Nope. #multi-tenant
  151. 151. Media server https://media.my-website.com/images/{uuid}.{png|webp} ?width=700 &height=300 &client_id={tenant_id} &sign={signature} Job done.
  152. 152. Verifying webhooks X-Shopify-Hmac-SHA256 HTTP header Stripe-Signature HTTP headersigned_request HTTP POST variable
  153. 153. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan How to protect my API monetization model?
  154. 154. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan How to protect my API monetization model?
  155. 155. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27
  156. 156. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27
  157. 157. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL
  158. 158. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark
  159. 159. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark ✅ Available extra-features
  160. 160. https://image-charts.com/chart ?chs=700x300 &chxt=x,y &chl=2018|2017|2015 &chd=t:60,40,20 &cht=pa &chdl=Image|Charts|Rocks &chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a, 0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1 &chan &icac=fgribreau &ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark ✅ Available extra-features ⚠ Caching
  161. 161. Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers
  162. 162. Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers “Tout limiter dans l'espace et dans le temps”
  163. 163. Leverage tests Write post-deploy tests Write smoke-tests (black-box testing)
  164. 164. Before production
  165. 165. Set max simultaneous connections limit Set rate-limiting
  166. 166. Set max simultaneous connections limit Set rate-limiting “Tout limiter dans l'espace et dans le temps”
  167. 167. https://amzn.to/2HHlq2phttp://bit.ly/2HFZSTO Define quota
  168. 168. Configure alerting, write runbooks
  169. 169. http://bit.ly/2JlncJ1
  170. 170. “Monitoring sans alerting ne sert à rien” http://bit.ly/2JlncJ1
  171. 171. https://gitlab.com/gitlab-com/runbooks
  172. 172. Generate documentation Generate SDK/clients Test documentation 😑
  173. 173. https://www.youtube.com/watch?v=g6Yg2e1cDe8 “Construire et automatiser son SaaS grâce à une spécification OpenAPI/Swagger”
  174. 174. https://github.com/apiaryio/dredd
  175. 175. Leverage CI/CD 😑
  176. 176. "Restart" deployment
  177. 177. "Restart" deployment Blue/green deployment
  178. 178. "Restart" deployment Blue/green deployment Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS)
  179. 179. "Restart" deployment Blue/green deployment Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS) Dark-launch + Canarying + rolling-updates (req. n-1 backward-compat) (commodity: GoReplay, Istio)
  180. 180. After production
  181. 181. Ensure cost-efficiency
  182. 182. Expose api in status page Promote bug-bounty Expose .well-known/security.txt Expose .well-known/dnt-policy.txt Expose in portail
  183. 183. control points BUSINESS REQUIREMENTS ON-CALL RESPONSABILITY RISKS CRITICITY DATA-PRIVACY (PIA/AIDP) DEFINE SERVICE NAME HTTPS HSTS HEADER IAM AUTHORIZATION ACCESS VERSIONING CHANGELOG BACKWARD-COMPATIBILITY MAX SIMULTANEOUS CONNECTIONS LIMIT RATE-LIMITING QUOTA TIMEOUTS/RETRIES/CIRCUIT- BREAKERS FOR EVERY CALL CONFIGURE CORS X-CONTENT-TYPE: NOSNIFF X-FRAME-OPTIONS: DENY CONTENT-SECURITY-POLICIES FINGERPRINT PAGINATION SEARCH, SORTING AND FILTERING SUPPORT FIELD SELECTION SUPPORT FIELD EXPANSION UUID INSTEAD OF AUTO-INC USE SEMANTIC SHORTCUTS USE ASYNC HANDLING WHEN NECESSARY SUPPORT PUSH OVERALL CONSISTENCY OVERALL ERROR CONSISTENCY REMOVE SENSITIVE DATA RETURN MINIMUM OUTPUT DEFINE INDIRECTIONS MODEL WITH USAGE IN MIND SUPPORT I18N/G11N FUNCTIONAL ERRORS USE CDN HMAC SPLIT STATE AND LOGIC IMMUTABLE DATA AUDITABILITY SUPPORT PROD/TEST MODE SUPPORT MULTI-TENANT LEVERAGE TESTS POST-DEPLOY TESTS SMOKE-TESTS GENERATE DOCUMENTATION TEST DOCUMENTATION SDK/CLIENTS COST-EFFICIENCY CONTINUOUS DEPLOYMENT MULTI-REGION & GEO-DNS CACHING LOG SYSTEM USAGE MONITORING API USAGE MONITORING BUSINESS USAGE MONITORING PROFILING ERROR REPORTING ALERTING, WRITE RUNBOOKS HEALTH-CHECK TRACING STATUS PAGE BUG-BOUNTY SECURITY.TXT PORTAIL 70+
  184. 184. Questions? @FGRibreau image-charts.com No more server-side rendering pain, 1 url = 1 chart redsmin.com Free plans for Redis administration & monitoring getnobullshit.com (Receive the 70+ points API checklist) 60 principes pratiques fondamentaux, applicables quotidiennement de la petite à la grande entreprise du développeur au CTO du tech-lead à l'architecte.
  185. 185. categories13
  186. 186. modeling performance scalability security recoverability backward compatibility deployment monitoring reporting system health troubleshooting reliability availability documenting categories13
  187. 187. BONUS
  188. 188. Define indirections
  189. 189. Use UUID instead of auto-increment Use semantic shortcuts Model with usage in mind
  190. 190. Configure health-check Log everything Configure system monitoring Configure API monitoring Configure business usage monitoring Configure profiling Implement error reporting Setup tracing 😑
  191. 191. Add server-side caching Leverage defensive-caching (grace mode) Support client-side caching 😑
  192. 192. Expose functional errors http://bit.ly/2uf53Cr
  193. 193. ⚠ How do I let my S3 API users securely expose files/data?
  194. 194. ✅ Control data access ✅ (optional) url expiration https://s3.amazonaws.com/{S3_BUCKET}/{path} ?Expires={expire_date} &AWSAccessKeyId={S3_ACCESS_KEY_ID} &Signature={signature} Note: signature through query string or Authorization header
  195. 195. Add HTTPS Add HSTS header
  196. 196. https://mzl.la/2T863Cl add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Add HTTPS Add HSTS header
  197. 197. Questions? @FGRibreau image-charts.com No more server-side rendering pain, 1 url = 1 chart redsmin.com Free plans for Redis administration & monitoring getnobullshit.com (Receive the 70+ points API checklist) 60 principes pratiques fondamentaux, applicables quotidiennement de la petite à la grande entreprise du développeur au CTO du tech-lead à l'architecte.

×