© 2016 SecurityMetrics
Creating a RESTful API without losing too much sleep
Mike Anderson
Chief Architect – Software Development
mmandersonii@securitymetrics.com
ABOUT SECURITYMETRICS
Helping organizations comply
with mandates, avoid security
breaches, and recover from data
theft since 2000
What is REST
• REpresentational State Transfer
– An application should be able to “browse” your api by knowing a starting place (a bookmark)
– When data is returned from a particular call, available “transfers” are included in the response (REpresentation) as links with data types
• Roy Fielding’s Doctoral Dissertation, primarily chapter 5
http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm
Data + Hypermedia
• HATEOAS - Hypermedia As The Engine Of Application State
– One of the driving forces behind REST.
– The “Transfer” part of REST
Structuring your code
• Layer your code into
– Endpoints
– Services
– Data
• If the language you are using supports interfaces, use them to allow you to swap in different implementations for different situations
– testing
Structuring your code (continued)
[Diagram: DB → Data Layer (ORM) → Service Layer (Business logic) → REST Layer (endpoint), with Test Automation attached to each of the three layers]
Testing
• Unit testing
– Only test the method under test for logic errors.
• Functional testing
– Test through multiple layers
• Integration testing
– Test across multiple services
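The layering and the “swap in a different implementation for testing” advice above, as an added example that is not the talk's code: the data layer sits behind a Protocol, the service layer holds the business rules, and the REST layer only translates input and output. The `Employee` model, the `EmployeeRepository` interface and the in-memory fake are assumptions made for the example; in production the repository would wrap the ORM, and a unit test would hand the service the fake so the service is exercised without a database.

```python
"""Layered API skeleton (added example, not the talk's code): REST -> service -> data.
The data layer is behind a Protocol so a fake can be swapped in for unit tests."""
import uuid
from dataclasses import dataclass
from typing import Optional, Protocol


@dataclass(frozen=True)
class Employee:
    id: str
    name: str
    email: str


class EmployeeRepository(Protocol):
    """Data-layer interface: an ORM-backed class or an in-memory fake both satisfy it."""
    def get(self, employee_id: str) -> Optional[Employee]: ...
    def add(self, employee: Employee) -> None: ...


class InMemoryEmployeeRepository:
    """Fake data layer used in tests so the service runs without a DB (constructed)."""
    def __init__(self) -> None:
        self._rows: dict = {}

    def get(self, employee_id: str) -> Optional[Employee]:
        return self._rows.get(employee_id)

    def add(self, employee: Employee) -> None:
        self._rows[employee.id] = employee


class EmployeeService:
    """Service layer: business rules only, no HTTP details and no SQL."""
    def __init__(self, repo: EmployeeRepository) -> None:
        self._repo = repo

    def create(self, name: str, email: str) -> Employee:
        if "@" not in email:
            raise ValueError("invalid email")
        emp = Employee(id=str(uuid.uuid4()), name=name.strip(), email=email.lower())
        self._repo.add(emp)
        return emp

    def fetch(self, employee_id: str) -> Optional[Employee]:
        return self._repo.get(employee_id)


def post_employee(service: EmployeeService, body: dict) -> tuple:
    """REST layer: map the request body to a service call and the result to a status."""
    try:
        emp = service.create(body.get("name", ""), body.get("email", ""))
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 201, {"id": emp.id, "name": emp.name, "email": emp.email}


def get_employee(service: EmployeeService, employee_id: str) -> tuple:
    """REST layer for /employees/:id; a missing row becomes a 404, nothing else leaks."""
    emp = service.fetch(employee_id)
    if emp is None:
        return 404, {"error": "not found"}
    return 200, {"id": emp.id, "name": emp.name, "email": emp.email}


if __name__ == "__main__":
    svc = EmployeeService(InMemoryEmployeeRepository())
    status, created = post_employee(svc, {"name": "Ada", "email": "ADA@example.com"})
    print(status, created)
    print(get_employee(svc, created["id"]))
```

Because the service only depends on the Protocol, a unit test for `EmployeeService` never touches the ORM, while a functional test can run the same `post_employee` against a repository backed by a real database.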
Data formats
• Content-Type and Accept headers
– Content-Type: the format of the data you are expecting as input
– Accept: the format of the data you will be returning
• Typical data types
– JSON - Pretty much the current standard, especially for consumption by JavaScript
– XML - Earlier standard. A more restrictive and verbose format
– CSV - Useful for data import and export
Security
• Closed by default
– Build it in at the beginning, don’t tack it on at the end
– Allows for “safer”, more reliable releases. If authentication and authorization are built in, you can provide releases to authorized users without exposing sensitive data
Documentation
• Interactive documentation is very helpful
• If it can be generated from/by the code, it is more likely to stay up to date
• Try and use a standard like the OpenAPI Specification
– See http://swagger.io/
– You can define the contract for your api with its associated documentation, generate the base endpoints for different languages and generate test cases to validate your implementation
– Good tutorial at https://github.com/tylerdave/OpenAPI-Tutorial/
Resource naming
• Two primary URLs for a given resource
– /resources - a collection of resources
– /resources/:id - a specific resource
• :id can be any identifier but it has to be unique
• uuid (Universally Unique IDentifier) is a good option
• Use plural nouns for resource names
– employees vs employee
• Use HTTP Verbs for processing
– Create = POST
– Read = GET/HEAD
– Update = PUT/PATCH
– Delete = DELETE
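The “closed by default” rule from the Security slide and the resource-naming conventions above, combined in one added example that is not the talk's code. Every registered route requires an authenticated principal unless it is explicitly marked `public`, the `:id` segment must parse as a UUID before a handler ever sees it, and a known path with the wrong verb answers 405 rather than 404. The bearer-token table, the `hr`/`staff` roles and the `/employees` routes are constructed stand-ins for a real authentication layer.

```python
"""Closed-by-default router (added example, not the talk's code)."""
import uuid
from typing import Callable, Optional

# Constructed token table standing in for the real authentication service.
FAKE_TOKENS = {
    "tok-alice": {"sub": "alice", "roles": {"hr"}},
    "tok-bob": {"sub": "bob", "roles": {"staff"}},
}

Handler = Callable[[dict, Optional[dict]], tuple]
ROUTES: list = []  # (method, pattern, handler, public, roles)


def route(method: str, pattern: str, public: bool = False, roles=frozenset()):
    """Register a handler. Auth is required unless public=True is stated explicitly."""
    def wrap(fn: Handler) -> Handler:
        ROUTES.append((method, pattern, fn, public, set(roles)))
        return fn
    return wrap


def authenticate(headers: dict) -> Optional[dict]:
    """Resolve 'Authorization: Bearer <token>' to a principal, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return FAKE_TOKENS.get(token.strip())


def match(pattern: str, path: str) -> Optional[dict]:
    """Match '/employees/:id'-style patterns; a :id segment must be a well-formed UUID."""
    p_parts, u_parts = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(p_parts) != len(u_parts):
        return None
    params = {}
    for p, u in zip(p_parts, u_parts):
        if p.startswith(":"):
            try:
                params[p[1:]] = str(uuid.UUID(u))  # normalises case/format
            except ValueError:
                return None
        elif p != u:
            return None
    return params


def dispatch(method: str, path: str, headers: dict) -> tuple:
    """Deny first: 401 without a principal, 403 without the role, 405 for a wrong verb."""
    path_matched = False
    for r_method, pattern, handler, public, roles in ROUTES:
        params = match(pattern, path)
        if params is None:
            continue
        path_matched = True
        if r_method != method:
            continue
        principal = None
        if not public:
            principal = authenticate(headers)
            if principal is None:
                return 401, {"error": "authentication required"}
            if roles and not (roles & principal["roles"]):
                return 403, {"error": "forbidden"}
        return handler(params, principal)
    if path_matched:
        return 405, {"error": "method not allowed"}
    return 404, {"error": "no such resource"}


@route("GET", "/health", public=True)
def health(params, principal):
    return 200, {"status": "ok"}


@route("GET", "/employees", roles={"hr"})
def list_employees(params, principal):
    return 200, {"items": [], "requested_by": principal["sub"]}


@route("GET", "/employees/:id")
def get_employee(params, principal):
    return 200, {"id": params["id"]}


@route("DELETE", "/employees/:id", roles={"hr"})
def delete_employee(params, principal):
    return 204, {}


if __name__ == "__main__":
    print(dispatch("GET", "/employees", {}))
    print(dispatch("GET", "/employees", {"Authorization": "Bearer tok-alice"}))
```

The point of the decorator default is that forgetting to think about authorization yields a locked endpoint, not an open one; the only way to expose a route is to write `public=True` where a reviewer can see it.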
Versioning your API
• In the URL
• With request parameters
• Using custom headers
• Using Accept header
Versioning your API (continued)
• Depending on whom you ask, any of those ways are wrong
– https://www.troyhunt.com/your-api-versioning-is-wrong-which-is/ - a somewhat tongue in cheek article about this
• It’s your API
– You are defining the contract. You get to choose, but make a choice and stick with it
– What are the practical reasons for your choice?
– How do you support it in your back-end language/framework?
– How are you expecting your API to be consumed?
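The Content-Type/Accept handling from the Data formats slide and the “version in the Accept header” option above share one parser, so here is one added example (not the talk's code) covering both. It parses `Accept` with q-values, picks a representation the API supports or answers 406, rejects a request body whose `Content-Type` the API does not parse with 415, and reads a version out of a vendor media type. The `application/vnd.example.vN+json` naming scheme and the supported type and version lists are assumptions for the example.

```python
"""Content negotiation and Accept-header versioning (added example, not the talk's code)."""
from typing import Optional

# Representations the API can produce, in server-preference order (assumed).
SUPPORTED_TYPES = ("application/json", "application/xml", "text/csv")
# Versions reachable via the assumed vendor media type; the latest is the default.
SUPPORTED_VERSIONS = (1, 2)
VENDOR_PREFIX = "application/vnd.example.v"


def parse_accept(header: str) -> list:
    """Return (media_type, q, params) entries sorted by descending q.
    A malformed q is treated as 1.0 rather than failing the whole request."""
    entries = []
    for raw in header.split(","):
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        if not parts:
            continue
        media_type, q, params = parts[0].lower(), 1.0, {}
        for p in parts[1:]:
            key, _, value = p.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "q":
                try:
                    q = max(0.0, min(1.0, float(value)))
                except ValueError:
                    q = 1.0
            else:
                params[key] = value
        entries.append((media_type, q, params))
    entries.sort(key=lambda e: e[1], reverse=True)
    return entries


def negotiate(accept: Optional[str]) -> tuple:
    """Pick (status, response Content-Type, api version) from the Accept header.
    No header -> JSON at the latest version; nothing acceptable -> 406."""
    if not accept:
        return 200, "application/json", SUPPORTED_VERSIONS[-1]
    for media_type, q, _ in parse_accept(accept):
        if q == 0:
            continue  # q=0 means 'not acceptable' for that type
        if media_type in SUPPORTED_TYPES:
            return 200, media_type, SUPPORTED_VERSIONS[-1]
        if media_type in ("*/*", "application/*"):
            return 200, "application/json", SUPPORTED_VERSIONS[-1]
        if media_type.startswith(VENDOR_PREFIX) and media_type.endswith("+json"):
            ver_text = media_type[len(VENDOR_PREFIX):-len("+json")]
            if ver_text.isdigit() and int(ver_text) in SUPPORTED_VERSIONS:
                return 200, "application/json", int(ver_text)
    return 406, None, None


def check_content_type(content_type: Optional[str], has_body: bool) -> Optional[int]:
    """Return 415 when a body arrives in a format the API does not parse, else None."""
    if not has_body:
        return None
    if not content_type:
        return 415
    base = content_type.split(";")[0].strip().lower()  # drop charset and other params
    return None if base in SUPPORTED_TYPES else 415


if __name__ == "__main__":
    print(negotiate("text/csv;q=0.8, application/vnd.example.v1+json"))
    print(check_content_type("text/plain", True))
```

Whichever versioning scheme you settle on, keep the parsing in one place like this so the choice is enforced uniformly and an unsupported version fails closed (406 here) instead of silently serving the newest contract.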
Collections and Pagination
• Implement pagination as early as possible. It will save future headaches
• Use standard defaults throughout your API
– Default number of entries between 10 and 1000. Ask your consumers (if you can) what works best for them
– You should probably have an upper limit (1000?) per request
• You want to allow for batching, but too large a dataset in a request can slow down applications, particularly JavaScript
• Page number and number of entries are query parameters
Collections and Pagination (continued)
• https://server.com/api/resources?page=2&items=100
• In the returned links, include links for the next, previous, first and last pages
Caching responses
• Speeds up follow up requests for the same resource
– Some frameworks support this directly or have libraries that support it
– Proxy servers can be configured to support it, but it helps to understand the tradeoffs
• Web standards
– ETags
• Cache busting - updating the cache when a resource is updated
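The ETag mechanism and the cache-busting point above, as an added example that is not the talk's code. The tag is a hash of the canonical JSON representation, so a client that sends it back in `If-None-Match` gets a 304 with no body while the resource is unchanged, and any update changes the tag so stale caches miss on the next request. The example goes one step beyond the slide: the same tag in `If-Match` guards an update against a client writing on top of a copy it fetched before someone else changed it. The header names are the HTTP standard ones; the `Cache-Control` value and the 428 response for a missing `If-Match` are design choices assumed here.

```python
"""ETag handling for conditional GET and guarded updates (added example, not the talk's code)."""
import hashlib
import json


def make_etag(representation: dict) -> str:
    """Strong ETag: hash of canonical JSON, so equal representations share a tag."""
    canonical = json.dumps(representation, sort_keys=True, separators=(",", ":"))
    return '"' + hashlib.sha256(canonical.encode()).hexdigest()[:32] + '"'


def parse_etag_list(header: str) -> set:
    """Split 'W/"a", "b"' into a set of tags; the weak prefix is dropped for comparison."""
    tags = set()
    for raw in header.split(","):
        tag = raw.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag:
            tags.add(tag)
    return tags


def conditional_get(representation: dict, headers: dict) -> tuple:
    """GET: (status, response headers, body). 304 and no body if the client's tag matches."""
    etag = make_etag(representation)
    resp_headers = {"ETag": etag, "Cache-Control": "private, max-age=0, must-revalidate"}
    inm = headers.get("If-None-Match")
    if inm and (inm.strip() == "*" or etag in parse_etag_list(inm)):
        return 304, resp_headers, {}
    return 200, resp_headers, representation


def conditional_update(current: dict, new_fields: dict, headers: dict) -> tuple:
    """PUT/PATCH guarded by If-Match: a write based on a stale copy is refused with 412."""
    im = headers.get("If-Match")
    if im is None:
        return 428, {"error": "If-Match required"}
    if im.strip() != "*" and make_etag(current) not in parse_etag_list(im):
        return 412, {"error": "resource changed since it was fetched"}
    updated = {**current, **new_fields}  # the new representation gets a new ETag
    return 200, updated


if __name__ == "__main__":
    # Constructed resource representation.
    employee = {"id": "42", "name": "Ada", "dept": "eng"}
    status, hdrs, body = conditional_get(employee, {})
    print(status, hdrs["ETag"])
    print(conditional_get(employee, {"If-None-Match": hdrs["ETag"]})[0])
```

A proxy that honours `must-revalidate` will forward the conditional request rather than serve its own copy, which is the trade-off the slide alludes to: you pay a round trip per request but never serve a representation the origin has since replaced.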
Things to avoid
• Doing everything in one method (handle inputs, query database, transform results, handle errors, etc.)
• Raw SQL
– More of a strong guideline, but raw SQL can become brittle
– Take advantage of the ORM and data models
• NOT writing tests
– When you have to change a schema/model or refactor your code, how do you know things still work without tests?
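What “raw SQL can become brittle” looks like in practice, as an added example that is not the talk's code. A query built by string concatenation works for most names and then breaks on the first one containing an apostrophe; the same defect is the classic SQL injection hole, which is why the fix (a parameterized query, which is also what an ORM issues underneath) matters for security and not only for robustness. The in-memory SQLite table and its three rows are constructed for the example.

```python
"""String-built SQL versus a parameterized query (added example, not the talk's code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, one of which has an apostrophe in it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO employees (name, dept) VALUES (?, ?)",
        [("Ada Lovelace", "eng"), ("Miles O'Brien", "ops"), ("Grace Hopper", "eng")],
    )
    return conn


def find_by_name_brittle(conn: sqlite3.Connection, name: str) -> list:
    """The raw-SQL style the talk warns against: data is pasted into the statement text."""
    sql = "SELECT id, name, dept FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver keeps the value separate from the statement."""
    return conn.execute(
        "SELECT id, name, dept FROM employees WHERE name = ?", (name,)
    ).fetchall()


def compare_lookup(conn: sqlite3.Connection, name: str) -> dict:
    """Run both styles on the same input; the brittle one reports its failure as text."""
    try:
        brittle = find_by_name_brittle(conn, name)
    except sqlite3.Error as exc:
        brittle = "error: " + str(exc)
    return {"brittle": brittle, "safe": find_by_name_safe(conn, name)}


if __name__ == "__main__":
    db = make_db()
    print(compare_lookup(db, "Ada Lovelace"))
    print(compare_lookup(db, "Miles O'Brien"))
```

The second call shows the brittleness directly: the concatenated statement is rejected by the database because the apostrophe ends the string literal early, while the parameterized version returns the row. An ORM model such as the slide recommends gives you the safe form by default, which is the practical reason to prefer it.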
Exercising your API
• Postman - https://www.getpostman.com/
• Allows you to test all of the different verbs
• Allows you to create collections of related requests
• You can set headers and body data for requests
• Allows you to define different environments to parameterize requests
Postman Demo
www.securitymetrics.com
Questions?
● My email: mmandersonii@securitymetrics.com
● Slides: https://www.slideshare.net/MikeAnderson64/creating-a-restful-api-without-losing-too-much-sleep
Thank you!