I will share 3 things you need to understand and implement in every API system you will build or have already built.
It's important you know that all these principles can be implemented in any language.
Learn how to build production-safe API systems:
1. Implement CORS:
CORS stands for Cross-Origin Resource Sharing. It is a browser-enforced mechanism: your server uses response headers (Access-Control-Allow-Origin and its companions) to tell browsers which web origins are allowed to read its responses from cross-origin JavaScript.
What this means is you can tell your server to accept cross-origin browser requests from one or more specific origins only. A page served from any other origin will have its request blocked by the browser: for simple requests the browser hides the response from the page, and for anything else it sends an OPTIONS preflight first and never sends the real request if the preflight is refused.
There are cases where you will want the wildcard "*", which tells browsers that any origin may read the response. Reserve it for genuinely public, unauthenticated resources: browsers refuse to combine "*" with credentialed requests (cookies or an Authorization header sent with Access-Control-Allow-Credentials: true), so an API that relies on a session cannot use it anyway.
When should I implement this?
This is recommended for every endpoint that a browser-based client calls. The only case where it may not be needed is when you genuinely don't mind any website reading the responses.
Even if that endpoint is only used by your own front end, that is one more reason to set an explicit origin allowlist rather than "*": a malicious site opened in a logged-in user's browser must not be able to make credentialed requests to your API and read the results. Be clear about what CORS does not do, though. It is enforced by browsers only, so curl, scripts and other non-browser clients ignore it completely. Anyone who discovers the endpoint can still call it directly, and only authentication and authorization stop them; CORS is not access control.
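The following is an added example, not code from the original post: a framework-agnostic origin check and CORS header builder in Python. The allowed origins, methods and headers are assumptions chosen for illustration. It shows the two points above in code: the origin is matched exactly (a prefix or substring match would let https://app.example.com.attacker.net through), and a matched origin is reflected back instead of "*" so credentialed requests work.

```python
"""Origin allowlist check and CORS response headers, independent of any web framework.
Constructed example: the origins, methods and headers below are assumptions for illustration."""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Authorization", "Content-Type")


def origin_allowed(origin: Optional[str]) -> bool:
    """Exact-match a normalized Origin header against the allowlist.

    Substring or prefix checks are a classic CORS bug: "https://app.example.com.attacker.net"
    starts with an allowed origin. Parsing and comparing scheme://host[:port] rejects it.
    The literal value "null" (sandboxed iframes, file:// pages) never matches either.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def cors_headers(origin: Optional[str], method: str, credentials: bool = True) -> dict:
    """Return the CORS headers to add to a response for a request from `origin`.

    An empty dict means "no CORS headers": the browser then refuses to expose the
    response to the calling page. The request itself still ran on the server, so
    authentication and authorization must not depend on this check.
    """
    if not origin_allowed(origin):
        return {}
    headers = {
        # Reflect the one matched origin rather than "*": browsers reject "*" together
        # with Access-Control-Allow-Credentials: true, and caches must vary on Origin.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if method.upper() == "OPTIONS":
        # Preflight: tell the browser which methods and headers the real request may use.
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    print(cors_headers("https://app.example.com", "OPTIONS"))
    print(cors_headers("https://app.example.com.attacker.net", "GET"))  # {} -> blocked
```

Call cors_headers from whatever middleware hook your framework provides and merge the result into the response headers; for an OPTIONS preflight, return 204 with just these headers.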
2. Rate Limiting:
This is a mechanism used to control the number of requests a client can make to your API within a specified time frame. The client is identified by a key: usually the source IP for anonymous traffic, the API key or user ID for authenticated traffic, and the target account for login endpoints, because attackers rotate IPs during a brute-force attack.
So this allows you to set the number of requests a client can send to your server per second, minute, hour, day etc. This ensures one client doesn't flood your API with requests.
Rate limiting protects your API from bots, scrapers, brute-force attacks and DoS attacks, which can otherwise
- Max out your server's allocated resources.
- Increase hosting costs.
- Give third parties unrestricted access to scrape data.
When should I implement this?
All API systems should implement a rate limiting algorithm. Reject over-limit requests with HTTP 429 Too Many Requests and a Retry-After header so well-behaved clients know when to back off, and log the rejections so you can see who is hitting the limit.
Types of rate limiting algorithms:
- Fixed Window Algorithm:
This sets a fixed number as the limit within a time frame (e.g. 1000 per hour), and every request received in the current window is counted.
Once the limit is reached in the current window, every subsequent request is blocked until the next window starts. Its weakness is the window boundary: a client can spend the whole limit in the last seconds of one window and again in the first seconds of the next, sending twice the limit in a short span.
- Token Bucket Algorithm:
Each client has a bucket that refills at a steady rate up to a maximum capacity, and each request spends one token. A full bucket lets a client burst up to the capacity, after which it is held to the refill rate. This is used for APIs that want to allow an occasional high number of requests from clients but not sustained ones.
- Sliding Window Algorithm:
This is similar to the fixed window algorithm, but the window moves with time instead of resetting on a fixed boundary: the limiter counts the requests made in the last N seconds ending at the current request (a sliding log), or weights the previous window's count by how much of it still overlaps (a sliding counter). This removes the boundary burst problem of the fixed window. Giving certain users higher limits, or keeping their access consistent when the API is under heavy use, is a separate concern: assign limits per plan or tier, and the same algorithm enforces each.
Note that there are several other rate limiting methods that are not mentioned here.
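The three algorithms above, as an added example that is not code from the original post: in-memory implementations in Python with an injectable clock so the behaviour can be checked deterministically. The client key, limits and the burst_across_boundary demo are constructed for illustration; a production limiter keeps this state in a shared store such as Redis rather than in a single process. The demo shows the difference the text describes: the fixed window lets a client send twice its limit across a window boundary, while the sliding log and token bucket do not.

```python
"""Fixed window, token bucket and sliding window log rate limiters (constructed example).
State is per-process here; a real deployment keeps it in a shared store like Redis."""
from collections import deque
import time


class FixedWindow:
    """Count requests per key in aligned windows of `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = {}  # key -> (window_id, count)

    def allow(self, key):
        window_id = int(self.clock() // self.window)
        wid, count = self.counts.get(key, (window_id, 0))
        if wid != window_id:      # new window: the counter resets
            count = 0
        if count >= self.limit:
            self.counts[key] = (window_id, count)
            return False
        self.counts[key] = (window_id, count + 1)
        return True


class TokenBucket:
    """Refill `rate` tokens per second up to `capacity`; each request spends one.
    A full bucket allows a burst of `capacity` requests, then the average rate applies."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}  # key -> (tokens, last_refill_time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True


class SlidingWindowLog:
    """Keep the timestamps of the last `window` seconds per key; allow while fewer than `limit`.
    Unlike FixedWindow, no `window`-second span can ever contain more than `limit` requests."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.logs = {}  # key -> deque of timestamps, oldest first

    def allow(self, key):
        now = self.clock()
        log = self.logs.setdefault(key, deque())
        while log and now - log[0] >= self.window:   # drop timestamps that slid out
            log.popleft()
        if len(log) >= self.limit:
            return False
        log.append(now)
        return True


class FakeClock:
    """Deterministic clock for tests and demos (stands in for time.monotonic)."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def burst_across_boundary(make_limiter, limit, window):
    """Send `limit` requests 0.5s before a window edge and `limit` more 0.5s after it.
    Returns how many were allowed inside that one-second span."""
    clock = FakeClock(window - 0.5)           # aligned windows: the edge is at t == window
    limiter = make_limiter(clock)
    allowed = 0
    for _ in range(limit):
        allowed += int(limiter.allow("client-a"))
    clock.advance(1.0)
    for _ in range(limit):
        allowed += int(limiter.allow("client-a"))
    return allowed


if __name__ == "__main__":
    print("fixed window :", burst_across_boundary(lambda c: FixedWindow(5, 10, c), 5, 10))
    print("sliding log  :", burst_across_boundary(lambda c: SlidingWindowLog(5, 10, c), 5, 10))
    print("token bucket :", burst_across_boundary(lambda c: TokenBucket(5, 0.5, c), 5, 10))
```

The token bucket here is configured with capacity 5 and a refill of 0.5 tokens per second, i.e. the same 5-per-10-seconds average as the other two; it allows the first burst and then refuses everything until enough tokens have accrued.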
3. API Logs:
An API log is a structured, detailed record of the requests and responses your API handles.
API logs are very important because they help in tracking issues, monitoring performance, and spotting security threats & patterns.
What you should log:
- Access logs: Record every request made to the API; this should include the request method, timestamp, client IP address, requested URL endpoint, response status code, response time and a request ID you can correlate with error logs. Never log credentials: strip or redact Authorization headers, cookies, API keys and tokens or passwords passed in query strings, otherwise a leaked log file is a leaked credential.
- Error logs: Record every exception and error your API encounters. This should contain the error type and message, the stack trace, the endpoint where it occurred, the timestamp, the request method and the same request ID as the access log entry. Leave out full request bodies, which often carry credentials or personal data.
A detailed and structured API log gives you a bird's-eye view of what's happening in your API system. You don't just build an API and deploy it; you can also see how it's being used, user behaviour, performance gaps and trends, and security threats. Write logs as one structured record per line (JSON is the common choice) so they can be parsed and searched by tools rather than only read by eye.
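The access and error log entries described above, as an added example that is not code from the original post: Python functions that build one JSON object per request and per error, redact secret-bearing headers and query parameters before anything is written, and tie the two together with a request ID. The sample request, the field names and the redaction lists are constructed assumptions for illustration.

```python
"""Structured (JSON lines) access and error log entries with secret redaction.
Constructed example: request shape, field names and the redaction lists are assumptions."""
import json
import logging
import sys
import time
import traceback
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values that must never reach a log file: a leaked log would then be a leaked credential.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "password", "api_key", "secret"}

logger = logging.getLogger("api")
logger.setLevel(logging.INFO)
if not logger.handlers:
    logger.addHandler(logging.StreamHandler(sys.stdout))


def redact_headers(headers: dict) -> dict:
    """Keep header names (useful for debugging) but blank out the sensitive values."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v for k, v in headers.items()}


def redact_url(url: str) -> str:
    """Keep path and harmless query parameters; replace secret-bearing query values."""
    parts = urlsplit(url)
    query = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def access_entry(request: dict, status: int, duration_ms: float, request_id: str) -> dict:
    """One record per request; request_id links it to any error record for the same request."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "type": "access",
        "request_id": request_id,
        "method": request["method"],
        "url": redact_url(request["url"]),
        "status": status,
        "duration_ms": round(duration_ms, 1),
        "client_ip": request["client_ip"],
        "user_agent": request["headers"].get("User-Agent", ""),
        "headers": redact_headers(request["headers"]),
    }


def error_entry(request: dict, exc: BaseException, request_id: str) -> dict:
    """Exception type, message and stack trace; no request body (it may hold credentials or PII)."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "type": "error",
        "request_id": request_id,
        "method": request["method"],
        "url": redact_url(request["url"]),
        "error": f"{type(exc).__name__}: {exc}",
        "stack": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    }


def emit(entry: dict) -> str:
    """Write one compact JSON object per line so log shippers and grep can both handle it."""
    line = json.dumps(entry, separators=(",", ":"), sort_keys=True)
    logger.info(line)
    return line


# Constructed sample request for this example.
SAMPLE_REQUEST = {
    "method": "GET",
    "url": "/v1/users/42?token=s3cr3t-token&page=2",
    "client_ip": "203.0.113.9",
    "headers": {"Authorization": "Bearer eyJhbGciOi...", "User-Agent": "curl/8.4.0"},
}

if __name__ == "__main__":
    emit(access_entry(SAMPLE_REQUEST, 200, 12.34, "req-0001"))
    try:
        raise KeyError("no such user")
    except KeyError as err:
        emit(error_entry(SAMPLE_REQUEST, err, "req-0001"))
```

Generate the request ID once per request (a UUID works) and return it to the client in a response header as well, so a user-reported failure can be matched to both its access line and its error line.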
I wish more beginner tutorials and learning resources out there taught these things; that's why I decided to stop and publish this here.