
⛳️ Does your API pass its roadworthiness test? (Votre API passe-t-elle le contrôle technique ?)


https://getnobullshit.com/

We all know how to build an API, but have we really taken every issue into account?

Its organizational and human side, its governance, its business and operability constraints (SLA, SLO, SLI), its release management, its querying methods, its security (its performance, its scaling), its different kinds of tests, its documentation, its versioning (compatibility, changelog), its monitoring, and much more, once the API is in production?

During this talk I propose to cover more than 30 rarely discussed points of attention, in the light of lessons learned from tech leaders such as Uber, Stripe, Facebook and Google, but also from French companies ranging from small startups to SMEs.

Published in: Engineering


  1. Does your API pass its roadworthiness test? (Votre API passe-t-elle le contrôle technique ?)
  6. François-Guillaume RIBREAU @FGRibreau, Architect & Head of development @Ouest-France, 🌟 SaaS founder of [logos], available for consulting
  7. <quick> <history>
  11. “I am quite convinced that in fact computing will become a very important science. But at the moment we are in a very primitive state of development; we don't know the basic principles yet and we must learn them first. If universities spend their time teaching the state of the art, they will not discover these principles and that, surely, is what academics should be doing.” — Christopher Strachey, 1969 (50 yrs ago) https://bit.ly/2pMI7aJ
  16. Application Programming Interface (API) http://bit.ly/2CenmM7
      '60s: APIs (only) for libraries
      '80-90s: remote access to procedural APIs (MoM/queuing emerges)
      '00s: REpresentational State Transfer (REST, Roy Fielding)
      '10s: public APIs, platforms emerge, hipster RPC protocols...
  17. </history> </quick>
  18. Does your API pass its roadworthiness test?
  20. Contrôle Technique (kɔ̃.tʁol tɛk.nik): “Covers 9 functions broken down into 131 control points and 410 failures.” Checklist (/ˈtʃɛklɪst/): “A type of job aid used to reduce failure by compensating for potential limits of human memory and attention.”
  22. 70+ control points:
      Before development: business requirements, on-call responsibility, risks, criticality, data privacy (PIA/AIPD), define service name
      Transport and access: HTTPS, HSTS header, IAM, authorization, access, versioning, changelog, backward compatibility
      Limits: max simultaneous connections limit, rate limiting, quota, timeouts/retries/circuit breakers for every call
      HTTP hardening: configure CORS, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy, remove fingerprints
      Querying: pagination, search, sorting and filtering, field selection, field expansion, UUID instead of auto-increment, semantic shortcuts, async handling when necessary, push support
      Design: overall consistency, overall error consistency, remove sensitive data, return minimum output, define indirections, model with usage in mind, i18n/g11n, functional errors, CDN, HMAC, split state and logic, immutable data, auditability, prod/test mode, multi-tenant
      Quality: leverage tests, post-deploy tests, smoke tests, generate documentation, test documentation, SDK/clients, cost efficiency, continuous deployment, multi-region & geo-DNS, caching
      Operations: logs, system usage monitoring, API usage monitoring, business usage monitoring, profiling, error reporting, alerting and runbooks, health check, tracing, status page, bug bounty, security.txt, portal
  27. “Put as many constraints as possible upstream” (“Mettre le plus de contraintes en amont”)
      French: “C'est en forgeant que l'on devient forgeron” (it is by forging that one becomes a blacksmith)
      Finnish: kukaan ei ole seppä syntyessään (nobody is born a blacksmith)
      German: Übung macht den Meister (practice makes the master)
      Japanese: narawanu kyō wa yomenu (you cannot recite a sutra you have not learned)
  28. Before development
  30. What are your goals?
  32. Define business requirements
  36. Service Level Objectives (SLO): “Must be measurable, with a time period and specify where and how to measure it. Drives your dashboards and alerts.” e.g. “95% of chart generation requests latency will be lower than 400ms over the month”
  38. Service Level Indicators (SLI): metrics, e.g. error ratios, latency, queries per second, response time, uptime
  40. Service Level Agreements 💰 (SLA): "an explicit or implicit contract with your users that includes consequences of meeting (or missing) the SLOs they contain" — SRE Book
      https://landing.google.com/sre/sre-book/chapters/service-level-objectives/
      https://engineering.bitnami.com/articles/implementing-slos-using-prometheus.html
  41. Consider risks, data privacy
  43. Risks: consider illegitimate access to data, illegitimate data change, and data disappearance. For each: what risks? What likelihood?
      Data privacy (e.g. PIA, Privacy Impact Assessment): Does the API collect sensitive data (e.g. political opinion, sexual orientation…)? Does the API evaluate or score people? Does the API handle data about vulnerable people? ...
  44. Define service name
  45. “There are only two hard things in CS: cache invalidation and naming things” — Phil Karlton
  51. ups 🤷, rcpu 🤷, ghostbusters 🤷, thanos-service 🙎, user-preference ✅
  52. “Naming must be boring” ✅ Descriptive & unambiguous ✅ Transparent ✅ Respects SSoT/SoC
  53. During development
  54. Use an Identity & Access Management service (IAM)
  55. IAM: 🎭 Authentication, 👮 Authorization, 🗂 Audit #SSoT #SoC
  62. http://bit.ly/2TW4s6Q Charts Product Team, CMS Product Team, BP-Editorial Product Team, BP-Services Product Team. “The company is a platform on which the teams rest”
  63. API → IAM (Policy Administration Point) #SSoT #SoC http://bit.ly/2FdJk2v
  67. http://bit.ly/2UFvPPZ SaaS tools (outside the perimeter) 🕳, employee 💻 malware/trojans. We don't live in the '90s anymore. Build with an untrusted network in mind. Forget the unsafe trusted-network paradigm. You do want application segmentation (zero trust).
  68. Set versioning, update changelog
  69. Use semver
  70. Use conventional commits
  74. Version your API https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html
      ... through MIME headers (standard): accept: application/vnd.github.v3+json
      ... sub-domain: {version}.domain.com
      ... path (mainly RPC over HTTP): api.twitter.com/v1/ api.twitter.com/1.1/ api.twilio.com/2010-04-01/
      ... query-string: /?v={version}
  82. ...and then there is the version taken from the registered app ("API reverse-engineered"), client ↔ api ↔ IAM: 1) authenticated API request, 2) authenticate app request, 3) get active app version, 4) down-migration middlewares, 5) execute request, 6) up-migration middlewares
  83. Version your API https://stripe.com/blog/api-versioning
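The version negotiation and migration chain of slides 74 to 83, as an added example that is not the talk's or Stripe's code: the version comes from a vendor media type in Accept, else from the version pinned on the caller's app record (the "get active app version" step), and the response produced at the current version is walked down through one migration per version. The `application/vnd.example` media type, the `APP_VERSIONS` table and the field changes between versions are assumptions.

```python
"""Added example: Accept-header / app-pinned API versioning with down-migrations."""
import re
from datetime import datetime
from typing import Callable, Dict, Optional, Tuple

# Assumed vendor media type; the talk only cites GitHub's application/vnd.github.v3+json
VENDOR_RE = re.compile(r"^application/vnd\.example\.v(\d+)\+json$")

# Constructed sample: the version each registered app is pinned to (would come from IAM)
APP_VERSIONS = {"talks-dev": 2, "talks-production": 1}
CURRENT_VERSION = 3


def version_from_accept(accept: Optional[str]) -> Optional[int]:
    """Return the version requested through a vendor media type, or None."""
    if not accept:
        return None
    for part in accept.split(","):
        m = VENDOR_RE.match(part.strip().split(";")[0])
        if m:
            return int(m.group(1))
    return None


def resolve_version(accept: Optional[str], app_id: str) -> int:
    """An explicit Accept wins, then the app's pinned version, then the current one.
    A version that does not exist is rejected instead of being silently served."""
    v = version_from_accept(accept)
    if v is None:
        v = APP_VERSIONS.get(app_id, CURRENT_VERSION)
    if not 1 <= v <= CURRENT_VERSION:
        raise ValueError(f"unsupported API version {v}")
    return v


# Down-migrations: each turns a v(N) response into a v(N-1) response (assumed changes).
def v3_to_v2(body: dict) -> dict:
    # v3 split "name" into first/last; v2 still exposes the single "name" field
    out = dict(body)
    out["name"] = f"{out.pop('first_name')} {out.pop('last_name')}"
    return out


def v2_to_v1(body: dict) -> dict:
    # v2 moved to ISO-8601 timestamps; v1 exposed a unix epoch
    out = dict(body)
    ts = datetime.fromisoformat(out.pop("created_at").replace("Z", "+00:00"))
    out["created"] = int(ts.timestamp())
    return out


DOWN_MIGRATIONS: Dict[int, Callable[[dict], dict]] = {3: v3_to_v2, 2: v2_to_v1}


def handle_get_user(accept: Optional[str], app_id: str) -> Tuple[int, dict]:
    """Execute the request at the current version, then walk the migration chain down."""
    target = resolve_version(accept, app_id)
    body = {"id": "u_1", "first_name": "Ada", "last_name": "Lovelace",
            "created_at": "2019-01-01T00:00:00Z"}   # constructed current (v3) response
    v = CURRENT_VERSION
    while v > target:
        body = DOWN_MIGRATIONS[v](body)
        v -= 1
    return target, body


if __name__ == "__main__":
    print(handle_get_user(None, "talks-production"))
    print(handle_get_user("application/vnd.example.v2+json", "talks-production"))
```

Because every migration is a pure function from one version's shape to the previous one, a new version only ever adds one function at the top of the chain; old clients never see the new shape, which is the point of the Stripe approach the slide links to.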
  84. Define backward-compatibility https://stripe.com/docs/upgrades
  87. Ensure backward-compatibility: “Be conservative in what you send, be liberal in what you accept” — Postel's law (the Robustness Principle)
  91. API = Application Programming Interface. Interface ∈ Contract. Find a way to test contracts.
  92. Twitter Diffy: "Diffy [...] catch bugs without requiring developers to write many tests" https://github.com/twitter/diffy
  93. https://pact.io
  94. Support pagination, search, sorting, filtering, field selection, field expansion
  97. Support pagination. ⚠ "yeah... maybe later" ⚠ O(n). “Limit everything in space and in time” (“Tout limiter dans l'espace et dans le temps”)
  98. “Choosing between an RPC, SOAP, REST or GraphQL API: what if the problem lay elsewhere?” https://www.youtube.com/watch?v=UKrS_eXZfHw
  99. “Put as many constraints as possible upstream”
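A pagination endpoint that applies "limit everything in space and in time" from slide 97, as an added example (not code from the talk): the page size is clamped to a server-side maximum whatever the client asks for, pages are keyset-based so the scan is bounded by the page size rather than by the offset, and the cursor is an opaque token whose content is validated before use. `ITEMS`, the limits and the `talks` resource are constructed for the example.

```python
"""Added example: bounded keyset pagination with an opaque, validated cursor."""
import base64
import json
from typing import Optional

MAX_LIMIT = 100        # hard upper bound, regardless of what the client asks for
DEFAULT_LIMIT = 20

# Constructed sample data, already sorted by id (the keyset column)
ITEMS = [{"id": i, "title": f"talk {i}"} for i in range(1, 251)]


def encode_cursor(last_id: int) -> str:
    """Opaque token so clients do not build URLs on the internal key."""
    return base64.urlsafe_b64encode(json.dumps({"after": last_id}).encode()).decode()


def decode_cursor(cursor: str) -> int:
    """Reject anything that is not a well-formed, non-negative keyset position."""
    try:
        after = json.loads(base64.urlsafe_b64decode(cursor.encode()))["after"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("invalid cursor")
    if not isinstance(after, int) or after < 0:
        raise ValueError("invalid cursor")
    return after


def clamp_limit(requested: Optional[int]) -> int:
    if requested is None:
        return DEFAULT_LIMIT
    if requested < 1:
        raise ValueError("limit must be >= 1")
    return min(requested, MAX_LIMIT)


def list_talks(limit: Optional[int] = None, cursor: Optional[str] = None) -> dict:
    """Equivalent of: SELECT ... WHERE id > :after ORDER BY id LIMIT :n + 1.
    Fetching n + 1 rows tells us whether a next page exists without a COUNT(*)."""
    n = clamp_limit(limit)
    after = decode_cursor(cursor) if cursor else 0
    page = [it for it in ITEMS if it["id"] > after][: n + 1]
    has_more = len(page) > n
    page = page[:n]
    return {
        "data": page,
        "next_cursor": encode_cursor(page[-1]["id"]) if has_more else None,
    }


if __name__ == "__main__":
    first = list_talks(limit=5)
    print(first["data"][-1]["id"], first["next_cursor"])
```

Pair the bounded page with a `statement_timeout` on the database side (slide 162) so both dimensions, rows and wall-clock time, are capped before the request reaches storage.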
  104. (HTTP specific headers) Access-Control-Allow-Origin: ... / X-Content-Type-Options: nosniff / X-Frame-Options: DENY / Content-Security-Policy: ... (the slide writes "x-content-type: no-sniff"; the header browsers honour is X-Content-Type-Options with the value nosniff)
  105. Remove fingerprints 👁 - nginx/apache/framework name & versions - load-balancer/proxy/CDN
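A check for the headers of slides 104 and 105 that a reviewer can run against captured responses, plus the allow-list logic that the slide's `Access-Control-Allow-Origin: ...` leaves open. This is an added example, not code from the talk; header names and values follow the corresponding standards, while `ALLOWED_ORIGINS` and the sample responses are constructed.

```python
"""Added example: audit API response headers and build CORS headers from an allow-list."""
from typing import Callable, Dict, List, Optional

# Assumption: a fixed set of origins allowed to call the API cross-site
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Header -> predicate that says whether its value is acceptable
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v,
}
# Headers that fingerprint the stack (slide 105) and should not be sent at all
FINGERPRINTS = ("server", "x-powered-by", "x-aspnet-version", "via")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not ok(lower[name]):
            findings.append(f"weak {name}: {lower[name]!r}")
    for name in FINGERPRINTS:
        if name in lower:
            findings.append(f"fingerprint {name}: {lower[name]!r}")
    # The misspelling from the slide: browsers ignore it, so it protects nothing
    if "x-content-type" in lower:
        findings.append("x-content-type is not a header; use X-Content-Type-Options: nosniff")
    acao = lower.get("access-control-allow-origin")
    if acao == "*" and lower.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("ACAO '*' with credentials: browsers reject it, fix the config")
    return findings


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo the Origin only when it is allow-listed; never reflect it blindly."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",   # caches must key on Origin or one tenant's answer leaks to another
        }
    return {}


if __name__ == "__main__":
    sample = {"Server": "nginx/1.14.0", "x-content-type": "no-sniff", "X-Frame-Options": "DENY"}
    for finding in audit_headers(sample):
        print(finding)
```

Run `audit_headers` over the headers of every endpoint in a smoke test after deploy (slide 22 lists post-deploy and smoke tests) so a proxy or CDN change that reintroduces a `Server` header or drops HSTS is caught the same day.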
  108. Split state & logic. Save data as immutable. Support auditability.
  109. Split state & logic: leverage an object storage for files (AWS S3 / GCP Storage / Riak S2 / Minio)
  110. Support multi-tenant
  125. (diagram) The Talks team runs api-talks in dev, staging and production; each environment has its own IAM in which the talks-dev, talks-staging and talks-production apps are registered; the Twitter API is an external dependency 🤔
  130. Private / Public. “Teams point at other teams' production” (“Les équipes pointent sur la production des autres”)
  132. production (realm), talks-staging (realm), talks-dev (realm), production (????)
  134. Support multi-tenant: api-talks in dev, staging and production under a production (organization). Design primitives (e.g. realm, app, organization, website) to unleash your teams' productivity 😇 and business opportunities 💵
  137. Your company is a platform, everything can be sold. Your company is a user — like anyone else — of your API. Use your IAM Luke! Morpheus (not sure about this one)
  141. https://amzn.to/2TfqaOI "How do I run my system/e2e tests?" "How do I run performance tests?"
  144. Support test/prod mode https://blog.fgribreau.com/2015/03/braindump-versioning-http-api.html
  145. IAM
  146. HMAC: Hash-based Message Authentication Code
  151. Media server: https://media.my-website.com/images/{uuid}.{png|webp}?width=700&height=300 Job done? 🍾 Nope. 🦹
      ... ?width=700&height=300&sign={signature} Job done? Nope. #multi-tenant
      ... ?width=700&height=300&client_id={tenant_id}&sign={signature} Job done.
  152. Verifying webhooks: X-Shopify-Hmac-SHA256 HTTP header, Stripe-Signature HTTP header, signed_request HTTP POST variable
  160. How to protect my API monetization model? https://image-charts.com/chart?chs=700x300&chxt=x,y&chl=2018|2017|2015&chd=t:60,40,20&cht=pa&chdl=Image|Charts|Rocks&chf=ps0-0,lg,45,ffeb3b,0.2,f443367C,1|ps0-1,lg,45,8bc34a,0.2,0096887C,1|ps0-2,lg,45,EA469E,0.2,03A9F47C,1&chan&icac=fgribreau&ichm=68c82618eccc2f0a861473ef93e978beb0b018a3ce2c2b4b609aec1b27 ✅ Signed URL ✅ Removed watermark ✅ Available extra-features ⚠ Caching
161. Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers
162. Define timeouts for every call (pg: statement_timeout) Implement retries (e.g. exponential-backoff) Define circuit-breakers “Limit everything in space and in time”
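An added Python example (not from the talk) that combines the three items on this slide: a per-call timeout derived from one overall deadline, exponential backoff with jitter, and a circuit breaker that fails fast once the dependency has failed repeatedly. The callee, the clock and the sleep function are injected so the behaviour can be exercised without a real network.

```python
import random
import time


class CircuitOpen(Exception):
    """Raised while the breaker is open: fail fast instead of queueing on a dependency that is down."""


class CircuitBreaker:
    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold, self.reset_timeout, self.clock = failure_threshold, reset_timeout, clock
        self.failures, self.opened_at = 0, None

    def before_call(self):
        """Refuse calls while open; once reset_timeout has elapsed, let one probe through (half-open)."""
        if self.opened_at is not None and self.clock() - self.opened_at < self.reset_timeout:
            raise CircuitOpen("dependency circuit is open")

    def record(self, ok):
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()


def call_with_retries(fn, breaker, deadline, base_delay=0.1, factor=2.0, max_attempts=4,
                      sleep=time.sleep, clock=time.monotonic, rng=random.random):
    """Call fn(timeout=...) under one overall deadline: every attempt gets a timeout bounded by the
    time left, failures back off exponentially with jitter, and the breaker short-circuits the loop."""
    attempt = 0
    while True:
        breaker.before_call()
        remaining = deadline - clock()
        if remaining <= 0:
            raise TimeoutError("overall deadline exhausted")
        try:
            result = fn(timeout=remaining)
        except (TimeoutError, ConnectionError):
            breaker.record(False)
            attempt += 1
            if attempt >= max_attempts:
                raise
            # jitter keeps many retrying clients from synchronising into a thundering herd
            sleep(min(base_delay * factor ** attempt * (0.5 + rng()), remaining))
            continue
        breaker.record(True)
        return result
```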
163. Leverage tests: write post-deploy tests, write smoke-tests (black-box testing)
164. Before production
165. Set max simultaneous connections limit Set rate-limiting
166. Set max simultaneous connections limit Set rate-limiting “Limit everything in space and in time”
167. https://amzn.to/2HHlq2p http://bit.ly/2HFZSTO Define quota
168. Configure alerting, write runbooks
169. http://bit.ly/2JlncJ1
170. “Monitoring without alerting is useless” http://bit.ly/2JlncJ1
171. https://gitlab.com/gitlab-com/runbooks
172. Generate documentation Generate SDK/clients Test documentation 😑
173. https://www.youtube.com/watch?v=g6Yg2e1cDe8 “Build and automate your SaaS with an OpenAPI/Swagger specification”
174. https://github.com/apiaryio/dredd
175. Leverage CI/CD 😑
179. "Restart" deployment Blue/green deployment Rolling-updates deployment (req. n-1 backward-compat) (commodity: PaaS & CaaS) Dark-launch + Canarying + rolling-updates (req. n-1 backward-compat) (commodity: GoReplay, Istio)
180. After production
181. Ensure cost-efficiency
182. Expose API in status page Promote bug-bounty Expose .well-known/security.txt Expose .well-known/dnt-policy.txt Expose in portal
183. Control points (70+): BUSINESS REQUIREMENTS, ON-CALL RESPONSIBILITY, RISKS, CRITICALITY, DATA-PRIVACY (PIA/AIDP), DEFINE SERVICE NAME, HTTPS, HSTS HEADER, IAM, AUTHORIZATION, ACCESS, VERSIONING, CHANGELOG, BACKWARD-COMPATIBILITY, MAX SIMULTANEOUS CONNECTIONS LIMIT, RATE-LIMITING, QUOTA, TIMEOUTS/RETRIES/CIRCUIT-BREAKERS FOR EVERY CALL, CONFIGURE CORS, X-CONTENT-TYPE-OPTIONS: NOSNIFF, X-FRAME-OPTIONS: DENY, CONTENT-SECURITY-POLICY, FINGERPRINT, PAGINATION, SEARCH, SORTING AND FILTERING, SUPPORT FIELD SELECTION, SUPPORT FIELD EXPANSION, UUID INSTEAD OF AUTO-INC, USE SEMANTIC SHORTCUTS, USE ASYNC HANDLING WHEN NECESSARY, SUPPORT PUSH, OVERALL CONSISTENCY, OVERALL ERROR CONSISTENCY, REMOVE SENSITIVE DATA, RETURN MINIMUM OUTPUT, DEFINE INDIRECTIONS, MODEL WITH USAGE IN MIND, SUPPORT I18N/G11N, FUNCTIONAL ERRORS, USE CDN, HMAC, SPLIT STATE AND LOGIC, IMMUTABLE DATA, AUDITABILITY, SUPPORT PROD/TEST MODE, SUPPORT MULTI-TENANT, LEVERAGE TESTS, POST-DEPLOY TESTS, SMOKE-TESTS, GENERATE DOCUMENTATION, TEST DOCUMENTATION, SDK/CLIENTS, COST-EFFICIENCY, CONTINUOUS DEPLOYMENT, MULTI-REGION & GEO-DNS, CACHING, LOG, SYSTEM USAGE MONITORING, API USAGE MONITORING, BUSINESS USAGE MONITORING, PROFILING, ERROR REPORTING, ALERTING, WRITE RUNBOOKS, HEALTH-CHECK, TRACING, STATUS PAGE, BUG-BOUNTY, SECURITY.TXT, PORTAL
184. Questions? @FGRibreau image-charts.com No more server-side rendering pain, 1 url = 1 chart redsmin.com Free plans for Redis administration & monitoring getnobullshit.com (Receive the 70+ points API checklist) 60 fundamental practical principles, applicable daily from small companies to large enterprises, from developer to CTO, from tech-lead to architect.
185. 13 categories
186. 13 categories: modeling, performance, scalability, security, recoverability, backward compatibility, deployment, monitoring, reporting system health, troubleshooting, reliability, availability, documenting
187. BONUS
188. Define indirections
189. Use UUID instead of auto-increment Use semantic shortcuts Model with usage in mind
190. Configure health-check Log everything Configure system monitoring Configure API monitoring Configure business usage monitoring Configure profiling Implement error reporting Set up tracing 😑
191. Add server-side caching Leverage defensive caching (grace mode) Support client-side caching 😑
192. Expose functional errors http://bit.ly/2uf53Cr
193. ⚠ How do I let my S3 API users securely expose files/data?
194. ✅ Control data access ✅ (optional) URL expiration https://s3.amazonaws.com/{S3_BUCKET}/{path} ?Expires={expire_date} &AWSAccessKeyId={S3_ACCESS_KEY_ID} &Signature={signature} Note: signature through query string or Authorization header
195. Add HTTPS Add HSTS header
196. https://mzl.la/2T863Cl add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; Add HTTPS Add HSTS header
