Test your understanding of secure API design principles, including resource modeling, input validation, sanitization, idempotency, rate limiting, and versioning. This quiz helps you assess knowledge of best practices for building secure and reliable APIs.
When designing an API to manage products in an online store, which approach best follows resource-oriented modeling?
Explanation: Representing each product as a distinct resource like /products/{id} is aligned with resource-oriented modeling, making APIs intuitive and easily understood. Allowing direct manipulation of database tables exposes implementation details and security risks. Using a single endpoint for all operations defeats the clarity and organization of resource modeling. Storing only system-specific internal IDs reduces the clarity and flexibility for clients interacting with resources.
Why should an API validate all client input before processing requests such as user sign-ups?
Explanation: Validating input protects against malicious data that could exploit system vulnerabilities and helps maintain system integrity. Making endpoints more complicated is not a goal of validation; it simply results from improper implementation. Although input validation can have a small performance impact, it does not exist to decrease performance. Allowing clients to send any kind of information is risky and not secure.
What is the main difference between input validation and input sanitization in an API?
Explanation: Validation is used to check if data is correct and meets required rules, while sanitization is used to clean or remove potentially unsafe parts from data, such as scripts or unwanted characters. Sanitization does not make data faster; this is a misconception. Validation does not encrypt data, and sanitization is not limited to database fields—it applies to input data regardless of its use.
Why is it important for certain API operations, such as payment processing, to be idempotent?
Explanation: Idempotency protects against issues like duplicate payments by ensuring that repeating a request doesn't cause unintended consequences. Idempotency does not always improve speed; it focuses on predictable outcomes. It does not block client access to resources. Requiring APIs to keep all old requests forever is not accurate; idempotency strategies typically use keys or tokens rather than indefinite storage.
What is a practical reason for using rate limiting in a public API?
Explanation: Rate limiting helps protect APIs from abuse and ensures stability by controlling how many requests a client can make in a given period. It does not enforce exclusive access for a single client. Rate limiting is independent of data encryption between client and server. The purpose is to regulate request volume, not to deliberately slow down simple requests.
Why is versioning essential when updating breaking changes in an API's data structure or behavior?
Explanation: Versioning allows clients to keep using a stable, known API version while adopters can migrate to new changes, which helps prevent disruptions. It does not automatically resolve security vulnerabilities or eliminate bugs. While it improves manageability, versioning does not make documentation unnecessary; clear documentation remains crucial.
Which option best describes how resources should be uniquely identified in a well-designed RESTful API?
Explanation: Using clear, predictable URIs for each resource allows clients to interact with resources in a straightforward and consistent way. Randomly changing locations confuses clients and undermines REST principles. Hiding identifiers or requiring clients to guess URIs removes transparency and usability from the API design.
How does input validation and sanitization help protect APIs from common security threats like injection attacks?
Explanation: Input validation and sanitization help stop dangerous data from reaching sensitive backend operations, thereby reducing the chance of injection attacks. Improving the user interface design is unrelated to these protections. Documentation generation and user activity logging are separate concerns from data protection.
If a client accidentally sends the same payment request twice due to a network issue, what feature helps prevent double processing in a secure API?
Explanation: An idempotency key allows the server to identify and ignore repeated requests, ensuring a payment is only processed once. Removing authentication weakens security, and changing URLs does not solve the issue of duplicated requests. Allowing only GET requests prevents operations like payments from occurring at all, which is not practical.
Which API endpoint demonstrates best practice for implementing versioning in the URL?
Explanation: Including the version number in the URL, such as /v1/users, is a common and clear method for versioning. /users/get and /users/old do not communicate the API version explicitly. /latest-users refers to data freshness but not versioning. Proper versioning helps clients easily identify which version of the API they are using.