– API calls occur in the background during web browsing, rendering customised pages.
– Server-side API calls may involve multiple micro-services communicating via internal APIs.
– Users can only access their own messages and send messages to friends.
– HTTP Basic sends the password with every request, so the server must re-run the deliberately slow password hash each time; that CPU overhead is the motivation for a better scheme.
– Token-based authentication lets a user log in once and be trusted for a fixed period (an hour in this example).
– A random, unguessable token is generated at login and sent with each subsequent request in place of the password.
– Tokens are stored in a database and deleted upon logout or expiration.
– Transition to token-based authentication involves a new login endpoint.
– The login endpoint verifies credentials and issues a time-limited token.
– The API endpoint authenticates each request by looking the token up in the token store it shares with the login endpoint; an unknown or expired token is rejected.
– Key security measures:
– Log every request: user, client, date and time, request type, resource, and whether it succeeded.
– Record simultaneous requests on the same account.
– Remove unused APIs (Zombie APIs).
– Ensure data encryption in transit and at rest.
– Use secure tokens and API gateways for authentication and authorisation.
– Conduct regular security scans to identify and fix vulnerabilities.
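The login/token flow described above and the per-request logging under "Key security measures", as one added example (not code from the original notes): an in-memory dict stands in for the shared token database, the two endpoints are plain Python functions, and the usernames, passwords, client addresses and the "live_tokens" count (one reading of "note simultaneous requests": how many unexpired tokens the account holds) are constructed for the demo. scrypt from the standard library is the password hash, and the store's clock is injectable so expiry can be exercised without waiting an hour.

```python
"""Token-based API authentication with a shared token store and a per-request audit log.

Added example: the database is a dict and the endpoints are ordinary functions.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # tokens are trusted for an hour, then expire


def hash_password(password, salt):
    """Deliberately slow hash; HTTP Basic would pay this cost on every request."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class TokenStore:
    """Stand-in for the token table shared by the login endpoint and the API endpoint."""

    def __init__(self, clock=time.time, ttl=TOKEN_TTL_SECONDS):
        self._tokens = {}    # token -> (username, expires_at)
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._ttl = ttl

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._tokens[token] = (username, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        """Return the owning username, or None if unknown or expired (expired rows are deleted)."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._tokens[token]
            return None
        return username

    def revoke(self, token):
        self._tokens.pop(token, None)  # logout: the token stops working immediately

    def live_tokens(self, username):
        """Unexpired tokens held by this user (more than one = active from several places)."""
        return sum(1 for t in list(self._tokens) if self.lookup(t) == username)


class MessagingApi:
    def __init__(self, store, clock=time.time):
        self.store = store
        self.clock = clock
        self.users = {}     # username -> {"salt", "digest", "friends"}
        self.messages = []  # {"from", "to", "body"}
        self.audit = []     # one entry per API request (constructed demo log)

    def register(self, username, password, friends=()):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt),
                                "friends": set(friends)}

    # Login endpoint: the only place the password is checked.
    def login(self, username, password):
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\0" * 16)  # same cost for unknown users
            return None
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["digest"]):
            return None
        return self.store.issue(username)

    def logout(self, token):
        self.store.revoke(token)

    # API endpoint: authenticate with the token, authorise the action, log the request.
    def request(self, token, client, method, resource, body=None):
        user = self.store.lookup(token)
        ok, result = (False, None) if user is None else self._handle(user, method, resource, body)
        self.audit.append({
            "user": user, "client": client, "time": self.clock(),
            "method": method, "resource": resource, "success": ok,
            "live_tokens": self.store.live_tokens(user) if user else 0,
        })
        return ok, result

    def _handle(self, user, method, resource, body):
        if method == "GET" and resource == "/messages":
            return True, [m for m in self.messages if m["to"] == user]  # own inbox only
        if method == "POST" and resource.startswith("/messages/"):
            recipient = resource[len("/messages/"):]
            if recipient not in self.users[user]["friends"]:
                return False, "not a friend"
            self.messages.append({"from": user, "to": recipient, "body": body})
            return True, "sent"
        return False, "unknown resource"
```

The password is hashed exactly once per session, at login; every later request costs a dictionary lookup. Logout and expiry both remove the row, so a stolen token is only useful until one of them happens, which is why the audit entries carry the client and the number of live tokens for the account.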