DEV Community: Nathan Katshi The latest articles on DEV Community by Nathan Katshi (@katshidev). https://dev.to/katshidev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2098698%2Ff7fb3553-b02e-4aa0-b50d-c54e2c7fc021.jpeg DEV Community: Nathan Katshi https://dev.to/katshidev en APIs and Security Best Practices: JavaScript and Python Examples Nathan Katshi Tue, 29 Oct 2024 14:39:28 +0000 https://dev.to/katshidev/apis-and-security-best-practices-javascript-and-python-examples-40ki https://dev.to/katshidev/apis-and-security-best-practices-javascript-and-python-examples-40ki <p>As we close the <em>Cybersecurity Awareness Month</em>, it is crucial to underscore the importance of secure coding practices. In this article, I highlight some basic but often overlooked API security best practices, backed by examples in JavaScript and Python.</p> <h2> APIs Overview </h2> <p>An <strong>API</strong> <em>(Application Programming Interface)</em> is a set of protocols and rules that allow different software applications to communicate and exchange data with each other. APIs enable seamless integration of various systems.<br> Think of an API like a waiter in a restaurant. Just as a waiter takes your order, delivers it to the kitchen, and brings your meal back to you, an API takes a request from one application, sends it to the server, and returns the server’s response to the requesting application.</p> <p>Different types of API exist, based on their architectures and use cases. Some common API types are:</p> <ul> <li><p><strong>REST (Representational State Transfer)</strong>: REST APIs are based on standard HTTP protocols and are widely used for many web services. They offer simplicity and ease of use, making them popular for many programs.</p></li> <li><p><strong>GraphQL (Graph Query Language)</strong>: GraphQL APIs allow clients to request exactly the data they need, making data retrieval more efficient. It’s a query language allowing for more flexible data interactions.</p></li> <li><p><strong>SOAP (Simple Object Access Protocol)</strong>: SOAP APIs are protocol-based and use XML for messaging. They provide a more rigid structure and are often used in enterprise-level applications.</p></li> <li><p><strong>RPC (Remote Procedure Call)</strong>: RPC APIs allow a client to execute code on a remote server. This technique is often used to execute functions over the network.</p></li> </ul> <h2> Risk linked to the Use of APIs </h2> <p>Using APIs can expose countless security risks, especially if they are not properly implemented and managed.<br> Some of the risks are broken object-level authorization and user authorization, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring.</p> <p>Addressing these risks involves implementing robust security measures.</p> <h2> API Security Best Practices </h2> <p>API security measures can be implemented in various ways, depending on API use and application requirements. The measures implemented are language-independent. <br> Core concepts are the same, but the syntax may slightly differ. <br> In the examples below, we will use the URL <code>https://api.example.com/data</code></p> <p><strong>1. Use HTTPS over HTTP</strong></p> <p>Using the secure version of the HTTP protocol ensures data transmitted between the client and server are kept private and protected against eavesdropping and man-in-the-middle attacks.</p> <ul> <li> <strong>JavaScript (React)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The API requests use HTTPS</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <ul> <li> <strong>Python</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">https://api.example.com/data</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> </code></pre> </div> <p><strong>2. Use API Keys in HTTP Headers</strong><br> API keys are useful for authenticating and authorizing API requests, ensuring that only legitimate clients can access the API data.</p> <ul> <li> <strong>JavaScript (React)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">apiKey</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <ul> <li> <strong>Python</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">api_key</span><span class="si">}</span><span class="sh">'</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">https://api.example.com/data</span><span class="sh">'</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> </code></pre> </div> <p><strong>3. Implement OAuth 2.0</strong><br> OAuth 2.0 provides secure and scalable authorization for accessing resources, allowing third-party applications to access user data without exposing credentials.</p> <ul> <li> <strong>JavaScript (React)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <ul> <li> <strong>Python</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">https://api.example.com/data</span><span class="sh">'</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">access_token</span><span class="si">}</span><span class="sh">'</span><span class="p">})</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> </code></pre> </div> <p><strong>4. Implement Input Validation</strong><br> Proper input validation ensures that only properly formatted data is accepted by the API, protecting against injection attacks and malformed input.<br> In the examples below, I use the <code>DOMPurify</code> library, which is one of the most powerful and widely trusted in the development community for its robust and reliable features, notably for preventing <strong>XSS</strong> (<em>Cross-Site Scripting</em>) attacks.</p> <ul> <li> <strong>JavaScript</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">DOMPurify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">dompurify</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">sanitizeInput</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nf">sanitize</span><span class="p">(</span><span class="nx">input</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;script&gt;alert("XSS Attack!")&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">sanitizedInput</span> <span class="o">=</span> <span class="nf">sanitizeInput</span><span class="p">(</span><span class="nx">userInput</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">sanitizedInput</span><span class="p">);</span> <span class="c1">// Outputs: ""</span> </code></pre> </div> <p>In this example, <code>DOMPurify</code> removes the <code>&lt;script&gt;</code> tag from the user input, making it safe to use in your application.</p> <p>While <code>DOMPurify</code> is specifically for JavaScript, similar functionality can be achieved in Python using libraries like <code>Bleach</code></p> <ul> <li> <strong>Python</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">bleach</span> <span class="k">def</span> <span class="nf">sanitize_input</span><span class="p">(</span><span class="nb">input</span><span class="p">):</span> <span class="k">return</span> <span class="n">bleach</span><span class="p">.</span><span class="nf">clean</span><span class="p">(</span><span class="nb">input</span><span class="p">)</span> <span class="n">user_input</span> <span class="o">=</span> <span class="sh">'</span><span class="s">&lt;script&gt;alert(</span><span class="sh">"</span><span class="s">XSS Attack!</span><span class="sh">"</span><span class="s">)&lt;/script&gt;</span><span class="sh">'</span> <span class="n">sanitized_input</span> <span class="o">=</span> <span class="nf">sanitize_input</span><span class="p">(</span><span class="n">user_input</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">sanitized_input</span><span class="p">)</span> <span class="c1"># Outputs: "" </span></code></pre> </div> <p><strong>5. Use Rate Limiting</strong><br> Rate limiting controls the number of requests a client can make to an API within a specified time frame, protecting against <strong>DoS</strong>(<em>Denial of Service</em>) attacks.</p> <ul> <li> <strong>JavaScript (Express)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">apiLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// limit each IP to 100 requests per windowMs</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">apiLimiter</span><span class="p">);</span> </code></pre> </div> <ul> <li> <strong>Python (Flask)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">flask_limiter</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">flask_limiter.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/data</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">100 per 15 minutes</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_data</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Data</span><span class="sh">"</span> </code></pre> </div> <p><strong>6. Secure Sensitive Data</strong><br> Securing sensitive data ensures data are stored and transmitted securely, and protected from unauthorized access.<br> One of the techniques consists of storing API keys in an environment variable to avoid exposing it in the source code.</p> <ul> <li><strong>JavaScript (React)</strong></li> </ul> <p>a. Create a <code>.env</code> file in the root folder<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>API_KEY=your_api_key_here </code></pre> </div> <p>b. Use the API key in the code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">fetchData</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.example.com/data</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">apiKey</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">response</span> <span class="o">=&gt;</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nx">error</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">));</span> <span class="p">}</span> <span class="err">#</span> <span class="nx">Rest</span> <span class="k">of</span> <span class="nx">the</span> <span class="nx">code</span> <span class="nx">here</span> </code></pre> </div> <ul> <li> <strong>Python</strong> In Python, you can use the <code>dotenv</code> package to load the API key from an environment variable.</li> </ul> <p>a. Create a <code>.env</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>API_KEY=your_api_key_here </code></pre> </div> <p>b. Install the <code>dotenv</code> package<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install </span>python-dotenv </code></pre> </div> <p>c. Use the API key in the code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">import</span> <span class="n">requests</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">API_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">api_key</span><span class="si">}</span><span class="sh">'</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">https://api.example.com/data</span><span class="sh">'</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> </code></pre> </div> <p><strong>7. Enable Cross-Origin Resource Sharing Properly</strong><br> <strong>CORS</strong> (<em>Cross-Origin Resource Sharing</em>) allows you to control which domains can access your API, protecting against unauthorized cross-origin requests.</p> <ul> <li> <strong>JavaScript (React)</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">cors</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cors</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">());</span> </code></pre> </div> <ul> <li> <strong>Python</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask_cors</span> <span class="kn">import</span> <span class="n">CORS</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nc">CORS</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> </code></pre> </div> <h2> Summary </h2> <p>Insecurity costs more than security. <br> By combining some of these security measures, you will improve the overall application robustness and prevent various potential threats. Implementing HTTPS, API keys, OAuth 2.0, input validation, rate limiting, secure data handling, and proper CORS configuration are all critical steps toward safeguarding your APIs. </p> <p>Ensuring that these measures are in place will not only protect your data and systems but also instill confidence in your users about the security of your applications.</p> api security development bestpractices How To Create a Table of Contents (ToC) on Dev.To ? A Comprehensive Guide Nathan Katshi Thu, 10 Oct 2024 10:44:53 +0000 https://dev.to/katshidev/how-to-create-a-table-of-contents-toc-on-devto-a-comprehensive-guide-1mgi https://dev.to/katshidev/how-to-create-a-table-of-contents-toc-on-devto-a-comprehensive-guide-1mgi <p>In this tutorial, I will show you how to create a table of contents for your articles on Dev.to</p> <p>A table of contents is a great way to structure your articles, posts, and blogs, especially if they’re long. It improves navigation for your readers, allows them to glance at the topics covered in the article, and saves time by letting them go straight to the desired section.</p> <h3> What we'll cover </h3> <ul> <li><p>Prerequisites</p></li> <li><p>Write your article</p></li> <li><p>Structure the content of your article</p></li> <li><p>Create the table of contents</p></li> <li><p>Understanding Markdown links</p></li> <li><p>External links</p></li> <li><p>Internal links</p></li> <li><p>Links to headings</p></li> <li><p>Preview and adjust</p></li> </ul> <p><a id="prerequisites"></a></p> <h3> Prerequisites </h3> <p>There is no prerequisite for this tutorial. However, you should be familiar with the <a href="https://www.markdownguide.org/getting-started/" rel="noopener noreferrer">Markdown</a> markup language.</p> <p><a id="write-your-article"></a></p> <h3> Write your article </h3> <p>The first step is writing your article and sharing your ideas and thoughts. Once you have your content ready, you can enhance its readability and accessibility by adding a table of contents.</p> <p><a id="structure-the-content-of-your-article"></a></p> <h3> Structure the content of your article </h3> <p>Divide and structure your articles into sections, subsections, and blocks. You can use Markdown <em>headings</em> to organize your content effectively.</p> <p>You can use <code>#</code> for main sections, <code>##</code> for subsections and <code>###</code> for smaller divisions within subsections</p> <p>This ensures the article is more readable and creates a clear and logical flow of information.</p> <p>For instance,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Introduction</span> <span class="gu">## Part 1</span> <span class="gu">## Part 2</span> <span class="gu">### Subsection 2.1</span> <span class="gu">### Subsection 2.2</span> </code></pre> </div> <p><a id="create-the-table-of-contents"></a></p> <h3> Create the Table Of Contents </h3> <p>At the beginning of the article, create a list of links that match the <em>headings</em> (sections) in your article. For each heading, Markdown automatically creates an <code>ID</code> based on the text of the heading. </p> <p>Markdown is a lightweight, text-based markup language used to create emails, documents, notes, presentations, websites, etc. The markup for creating links using Markdown is very straightforward. <br> Here’s how you can do it:</p> <p><a id="#understanding-markdown-links"></a></p> <h4> Understanding Markdown links </h4> <p>A Markdown link can be external or internal. It has two parts: </p> <ol> <li>The <em>label</em> in brackets <code>[]</code> </li> <li>The <em>URL</em> in parentheses <code>()</code>. </li> </ol> <p>Only the <em>label is visible</em> on the page.</p> <p><a id="#external-links"></a></p> <h4> External Links </h4> <p>An external link points to a URL outside the article. It may lead to another website or page.</p> <p><em>Example:</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="p">[</span><span class="nv">Katshi.dev Portfolio</span><span class="p">](</span><span class="sx">https://katshi.dev</span><span class="p">)</span> </code></pre> </div> <p>The markdown above will give the following link: <a href="https://katshi.dev" rel="noopener noreferrer">Katshi.dev Portfolio</a></p> <p><a id="#internal-links"></a></p> <h4> Internal Links </h4> <p>An internal link points to a section or paragraph within the article. The link should correspond to the matching heading of the section in the article.</p> <p><em>Examples:</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="p">[</span><span class="nv">Prerequisites</span><span class="p">](</span><span class="sx">#prerequisites</span><span class="p">)</span> <span class="p">[</span><span class="nv">Internal Links</span><span class="p">](</span><span class="sx">#internal-links</span><span class="p">)</span> </code></pre> </div> <p>The markdown above will give:</p> <p>Prerequisites<br> Internal Links</p> <p><a id="links-to-headings"></a></p> <h3> Links to Headings </h3> <p>The most important remaining step is to add an HTML <code>&lt;a&gt;</code> tag to link with the relevant <code>ID</code> on top of each section heading. <br> For example, the following table of contents line <code>[Internal Links](#internal-links)</code> will be referred as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;a</span> <span class="na">id=</span><span class="s">'internal-links'</span><span class="nt">&gt;&lt;/a&gt;</span> ## Internal Links ### Internal links section content... </code></pre> </div> <p><a id="preview-and-adjust"></a></p> <h3> Preview and adjust </h3> <p>Use the preview feature of <a href="https://dev.to">Dev.to</a> to ensure that the table of contents links correctly to the sections. You can adjust the links if necessary. <br> Once the article is published, if you make any edits to section headings, don’t forget to update the links in the table of contents accordingly.</p> <p>Following these simple steps, you can create a fully functional table of contents with active links for easier navigation.</p> <p>What tool or strategy do you use to create article navigation links? <br> Feel free to share your experience in the comments.</p> writing productivity tips