Explore key concepts of managing APIs with API gateways, including security, traffic shaping, and developer management. This quiz is designed to assess your understanding of best practices and fundamentals for efficient and secure API operations.
When setting up a quota policy on an API, which action best limits each client's requests to 1,000 per day, even if they attempt to exceed this limit with automated scripts?
Explanation: A quota policy keyed on a per-client identifier with a daily limit directly enforces a cap of 1,000 requests per client per day, regardless of whether the client uses automated scripts. Caching helps with performance but does not enforce usage limits. Basic authentication only controls access and does not address request volumes. Spike arrest limits requests in short bursts but does not ensure a firm daily limit.
Which approach is most effective for securing an API from unauthorized use when sharing public endpoints?
Explanation: API key verification restricts access to clients that have been issued a key, making it a fundamental first security step. Reducing payload size is a performance optimization, not a security measure. Verbose error messages can expose sensitive details and should be avoided. Optimizing data parsing improves efficiency but does not control access.
What is the primary benefit of using URL-based versioning such as /v1/products for API endpoints?
Explanation: URL-based versioning helps maintain backward compatibility by allowing clients to access different API versions concurrently. It does not inherently affect response time, which depends on other factors. Obfuscating endpoint logic is not achieved by adding versioning. Data encryption relates to transport protocols, not versioning.
In a scenario where a company wants to manage third-party developer access to its APIs, which feature should be configured to control and track usage for each external developer?
Explanation: Issuing a unique API key to each developer allows API usage to be monitored and controlled per developer. Disabling logging would reduce visibility and tracking capability. IP filtering controls access based on source IP address but is less flexible for identifying individual developers. Enforcing JSON-only payloads addresses data formats, not access or usage control.
Which built-in feature of most API gateways is essential for identifying unusual traffic patterns that might indicate misuse or attacks?
Explanation: Traffic analytics and logging help detect anomalies by providing visibility into usage patterns, which is key for security monitoring. Static error responses do not provide insight into traffic behavior. Manual code review inspects source code and is not practical for real-time traffic monitoring. Excluding POST requests constrains functionality and is not related to monitoring.