<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: xmanhugo</title>
    <description>The latest articles on Forem by xmanhugo (@xmanhugo).</description>
    <link>https://forem.com/xmanhugo</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2550657%2Fa466336f-182d-4b41-9433-bc413d1d5714.png</url>
      <title>Forem: xmanhugo</title>
      <link>https://forem.com/xmanhugo</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/xmanhugo"/>
    <language>en</language>
    <item>
      <title>Don’t make security an afterthought when designing APIs</title>
      <dc:creator>xmanhugo</dc:creator>
      <pubDate>Thu, 12 Dec 2024 08:35:35 +0000</pubDate>
      <link>https://forem.com/xmanhugo/dont-make-security-an-afterthought-when-designing-apis-49bi</link>
      <guid>https://forem.com/xmanhugo/dont-make-security-an-afterthought-when-designing-apis-49bi</guid>
      <description>&lt;p&gt;I found this really cool video about API design on YouTube, and it's got over 250,000 views! That's crazy impressive:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.youtube.com/watch?v=_gQaygjm_hg" rel="noopener noreferrer"&gt;Good APIs Vs Bad APIs: 7 Tips for API Design&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here’s a quick rundown of the key points from the video:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use clear naming.&lt;/li&gt;
&lt;li&gt;Ensure reliability through idempotency.&lt;/li&gt;
&lt;li&gt;Add versioning for backward compatibility.&lt;/li&gt;
&lt;li&gt;Add pagination for responses.&lt;/li&gt;
&lt;li&gt;Use clear query strings for sorting.&lt;/li&gt;
&lt;li&gt;Security should not be an afterthought.&lt;/li&gt;
&lt;li&gt;Keep cross-resource references simple.&lt;/li&gt;
&lt;li&gt;Apply rate limiting.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When it comes to considering security in API design, I think that's a really good point.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd056n2mt2axvnwnfi0dt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd056n2mt2axvnwnfi0dt.png" alt="section of API Security" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The video was kind of basic, so I pulled together some more details on API security, which include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Authentication and Authorization&lt;/strong&gt;: Implement robust authentication mechanisms like OAuth 2.0 or API keys. Ensure that users and applications have the appropriate permissions through role-based access control (RBAC).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Input Validation&lt;/strong&gt;: Always validate and sanitize inputs to prevent injection attacks (e.g., SQL injection, cross-site scripting). Use libraries and frameworks that provide built-in validation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use HTTPS&lt;/strong&gt;: Ensure all data transmitted between the client and server is encrypted using HTTPS to protect against eavesdropping and man-in-the-middle attacks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rate Limiting&lt;/strong&gt;: Implement rate limiting to prevent abuse or denial-of-service attacks. This controls the number of requests a user can make in a given timeframe.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Data Sensitivity Classification&lt;/strong&gt;: Identify and classify data handled by the API. Sensitive data should be encrypted at rest, and appropriate measures should be in place to control access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitoring and Logging&lt;/strong&gt;: Regularly monitor API usage and log all activities. This helps in detecting unusual patterns that may signify a security breach.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Error Handling&lt;/strong&gt;: Avoid revealing sensitive information in error messages. Generic error messages can prevent attackers from gaining insight into the system.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Versioning and Deprecation&lt;/strong&gt;: Maintain versioning in your APIs, and have a clear deprecation policy. This helps in smoothly transitioning to newer versions that may enhance security.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So, when it comes to implementation, at API runtime it is a good idea to put a gateway layer such as Kong in front of the API and make sure it is properly configured, since that is where controls like authentication, rate limiting and logging can be enforced in one place.&lt;/p&gt;

&lt;p&gt;Then, in the design and development phase, we can use debugging tools like &lt;a href="https://apidog.com/" rel="noopener noreferrer"&gt;Apidog&lt;/a&gt;, which have built-in support for authentication schemes such as API keys and OAuth 2.0, to set up and troubleshoot authenticated requests quickly and save time and effort:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmdxlnevj55gi1aj15czb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmdxlnevj55gi1aj15czb.png" alt="apidog auth feature" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I’m sure there are lots of details we can still cover. This is just to get the ball rolling, so feel free to share any thoughts you'd like to discuss with me!&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>api</category>
    </item>
    <item>
      <title>How to understand the ins and outs of how DNS really works.</title>
      <dc:creator>xmanhugo</dc:creator>
      <pubDate>Thu, 12 Dec 2024 05:51:44 +0000</pubDate>
      <link>https://forem.com/xmanhugo/how-to-understand-the-ins-and-outs-of-how-dns-really-works-2hc0</link>
      <guid>https://forem.com/xmanhugo/how-to-understand-the-ins-and-outs-of-how-dns-really-works-2hc0</guid>
      <description>&lt;p&gt;We're working on a project that needs some teamwork across different teams, and we’ve got to connect to an API. Since the outside team can't just jump in and edit my API definitions, we thought we'd use Apidog's doc publishing feature. I looked through their help docs and found out that the API docs update in real-time and you can even debug right there on the page, and today I realized I can customize the domain name for the published docs, which is an awesome feature for me:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2rfom3p1t7fwgppc5rvi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2rfom3p1t7fwgppc5rvi.png" alt="After designing/developing your API in Apidog, you can easily share the API with other colleagues or publish it to the public" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While we were working on it, one of my teammates asked, “What’s a CNAME?” I just gave a quick rundown based on what I know. It sparked a great discussion, and it made me want to dig deeper into the whole DNS thing and really get a better grasp on it.&lt;/p&gt;

&lt;p&gt;The way DNS works is often taken for granted. Basically, DNS converts host names into IP addresses, so you can think of it like this: you put in the domain name from a URL, and it spits out an IP.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9k00hzavjerd3u4j3te8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9k00hzavjerd3u4j3te8.png" alt="the way how dns works" width="800" height="271"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;DNS mainly uses &lt;a href="http://www.ietf.org/rfc/rfc1035.txt" rel="noopener noreferrer"&gt;the protocol defined in RFC 1035&lt;/a&gt;, which runs over UDP. Because UDP is connectionless, DNS servers can handle an incredible number of queries per second, much higher than web servers, which rely on TCP. It’s important to know the different types of DNS records, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A records&lt;/strong&gt;: these link a domain name to an IPv4 address.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AAAA records&lt;/strong&gt;: these link a domain name to an IPv6 address.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CNAME records&lt;/strong&gt;: alias one name to another (canonical) name, so the resolver continues the query using that target name.&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
&lt;li&gt;When you type &lt;strong&gt;&lt;a href="http://www.apidog.com" rel="noopener noreferrer"&gt;&lt;code&gt;www.apidog.com&lt;/code&gt;&lt;/a&gt;&lt;/strong&gt; into your browser, the name the DNS protocol actually resolves is &lt;strong&gt;&lt;a href="http://www.apidog.com/" rel="noopener noreferrer"&gt;&lt;code&gt;www.apidog.com&lt;/code&gt;&lt;/a&gt;&lt;code&gt;.&lt;/code&gt;&lt;/strong&gt;, the fully qualified form that ends with a trailing dot &lt;strong&gt;&lt;code&gt;.&lt;/code&gt;&lt;/strong&gt; (the root). The dot is usually hidden for readability.&lt;/li&gt;
&lt;li&gt;The browser first checks its local caches (such as the operating system’s hosts file or its own DNS cache) to see if it already has a record for that domain. If it does, it uses that.&lt;/li&gt;
&lt;li&gt;If not, the browser sends a DNS request to the ISP’s DNS server, often called &lt;strong&gt;&lt;code&gt;local DNS&lt;/code&gt;&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;The local DNS checks its own cache. It’s important that the caching time is tuned right: too long and clients keep getting stale records, too short and the resolver has to query upstream far more often. Also, how the local DNS performs its queries is up to the ISP, which can get pretty complicated.&lt;/li&gt;
&lt;li&gt;If the local DNS doesn’t have the answer cached, it works through the domain name from right to left, asking the responsible servers along the way. For &lt;strong&gt;&lt;a href="http://www.apidog.com/" rel="noopener noreferrer"&gt;&lt;code&gt;www.apidog.com&lt;/code&gt;&lt;/a&gt;&lt;/strong&gt;, it first asks a root name server (the handful of servers that handle &lt;strong&gt;&lt;code&gt;.&lt;/code&gt;&lt;/strong&gt;), which tells it who is in charge of &lt;strong&gt;&lt;code&gt;.com&lt;/code&gt;&lt;/strong&gt;. The local DNS then asks the server that manages &lt;strong&gt;&lt;code&gt;.com&lt;/code&gt;&lt;/strong&gt; (let’s call it S1) who manages &lt;a href="http://apidog.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;&lt;code&gt;apidog.com&lt;/code&gt;&lt;/strong&gt;&lt;/a&gt;. Usually, S1 returns a CNAME record, redirecting the query to the authoritative DNS server.&lt;/li&gt;
&lt;li&gt;The authoritative server looks up its zone data for &lt;strong&gt;&lt;a href="http://www.apidog.com/" rel="noopener noreferrer"&gt;&lt;code&gt;www.apidog.com&lt;/code&gt;&lt;/a&gt;&lt;/strong&gt; and sends back the IP address.&lt;/li&gt;
&lt;li&gt;Local DNS caches that IP address and sends it back to the browser.&lt;/li&gt;
&lt;li&gt;Finally, the browser establishes a TCP connection with that IP address's server and sends an HTTP request.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you have ever bought a domain, you know the drill: say you want to start an AI project, buy the domain &lt;strong&gt;&lt;code&gt;xmanhugo.com&lt;/code&gt;&lt;/strong&gt; from GoDaddy, and then create a subdomain like &lt;strong&gt;&lt;code&gt;ai.xmanhugo.com&lt;/code&gt;&lt;/strong&gt;. You need to add an A record in GoDaddy’s dashboard that points &lt;strong&gt;&lt;code&gt;ai.xmanhugo.com&lt;/code&gt;&lt;/strong&gt; to a specific IP, and you repeat this process for every subdomain you set up. Knowing how DNS resolution works lets you do a few things instead:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Set up a DNS server on a machine of your own (call it D1), making it the authoritative DNS server for &lt;strong&gt;xmanhugo.com&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;In Wanwang’s dashboard, add a new CNAME record to redirect &lt;strong&gt;xmanhugo.com&lt;/strong&gt; queries to D1.&lt;/li&gt;
&lt;li&gt;D1 can return any IP address it chooses.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;With this setup, you gain total control since D1 is yours, and you won’t need to access Wanwang’s console anymore. This is what running your own DNS server gets you!&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>api</category>
      <category>dns</category>
    </item>
    <item>
      <title>How the STAR Method Can Help You Ace Your Interviews</title>
      <dc:creator>xmanhugo</dc:creator>
      <pubDate>Tue, 10 Dec 2024 08:21:52 +0000</pubDate>
      <link>https://forem.com/xmanhugo/how-the-star-method-can-help-you-ace-your-interviews-553k</link>
      <guid>https://forem.com/xmanhugo/how-the-star-method-can-help-you-ace-your-interviews-553k</guid>
      <description>&lt;p&gt;I've been involved in recruiting for the testing team lately, so I thought I'd share some of my thoughts on interviewing.&lt;/p&gt;

&lt;p&gt;Actually, if you want to find great testers, it’s not enough to just shoot a few technical questions at them, like: “&lt;em&gt;How many testing methods do you know?&lt;/em&gt;” or “&lt;em&gt;Are you familiar with tools like &lt;a href="https://www.postman.com/" rel="noopener noreferrer"&gt;Postman&lt;/a&gt; and &lt;a href="https://apidog.com/" rel="noopener noreferrer"&gt;Apidog&lt;/a&gt;, and what's the difference between them?&lt;/em&gt;” or even, “&lt;em&gt;How do you use &lt;a href="https://apidog.com/" rel="noopener noreferrer"&gt;Apidog&lt;/a&gt; for automated interface testing and organizing test scenarios?&lt;/em&gt;” We’ve got to plan and manage the whole interview process carefully, and that takes some specific skills.&lt;/p&gt;

&lt;p&gt;For managers, putting together a great team takes a lot of work, and picking the right people is the first step. While getting recommendations from within the organization and promoting existing staff are the best ways to find talent, recruitment is still the main way to go. So, knowing how to spot talented individuals during interviews is a super important skill that every manager needs to nail down.&lt;/p&gt;

&lt;p&gt;In my years as a manager, I've interviewed quite a few people. Honestly, interviewing relies quite a bit on luck - it's really difficult to successfully judge whether someone is suitable in just a few dozen minutes, or even just ten-plus minutes. This is especially true for professional technical talent selection, which requires managers themselves to have certain expertise and skills. Even then, there are still elements of "going by feeling" or "trusting your instincts" that involve luck. However, luck has its probabilities, and during interviews, a manager's experience and techniques can greatly improve these probabilities.&lt;/p&gt;

&lt;p&gt;Before, I didn't really have a set approach when it came to interviewing, so I often felt a bit lost. But then I came across this technique called the STAR method, and I've found it to be really effective. A lot of folks might be familiar with the STAR method, and some have even dived deep into it. I had heard about it before as well, but I didn't give it much thought or use it the right way.&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;STAR&lt;/strong&gt; method is a key concept in structured interviews, and it stands for &lt;strong&gt;&lt;em&gt;Situation&lt;/em&gt;&lt;/strong&gt;, &lt;strong&gt;&lt;em&gt;Task&lt;/em&gt;&lt;/strong&gt;, &lt;strong&gt;&lt;em&gt;Action&lt;/em&gt;&lt;/strong&gt;, and &lt;strong&gt;&lt;em&gt;Result&lt;/em&gt;&lt;/strong&gt;. The terms are pretty straightforward, but how do we actually put it into practice?&lt;/p&gt;

&lt;p&gt;In the later part of my interviews, I like to ask this question: "&lt;em&gt;Can you tell me about the most memorable project or task you worked on at your last job?&lt;/em&gt;" It's a pretty common open-ended question—not anything fancy—but that doesn't make it any less useful. In fact, the way people with real experience answer this question can be really different from those who don’t.&lt;/p&gt;

&lt;p&gt;Once I ask this question, I pay close attention to how the candidate responds and follow up using the &lt;strong&gt;STAR&lt;/strong&gt; method:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Situation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A memorable project usually has a particular context. If they can clearly explain the background, it shows they were really involved in a genuine project. Some candidates skip the background entirely, so I might ask, “Why was this task important?” If they struggle to lay out the context, it raises doubts about their ability to handle tasks effectively.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Task and Action&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This part is about looking into their work methods and how they tackle problems. Tech folks often mention the technologies they used to solve specific issues. They tend to be pretty direct—this sense of achievement often comes from overcoming challenges. So, digging a little deeper can reveal their passion for technology, which is a crucial factor in hiring.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Result&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At the end of the day, projects and tasks are about results. What did this memorable task actually achieve? It's important to probe this to see if they can deliver. Sometimes, based on your own experience, you can encourage candidates to think wider by asking things like, “&lt;em&gt;How could this have been improved?&lt;/em&gt;” This can help verify their experience and skills even more.&lt;/p&gt;

&lt;p&gt;In short, the &lt;strong&gt;STAR&lt;/strong&gt; method is a fantastic way to conduct interviews. By using it, we can really assess candidates' genuine abilities in terms of specific skills and task performance. I truly believe this approach can greatly boost our chances of hiring the right talent!&lt;/p&gt;

</description>
      <category>leadership</category>
      <category>testing</category>
      <category>webdev</category>
      <category>developers</category>
    </item>
  </channel>
</rss>
