Sabbir Rupom, profile picture
Uploaded bySabbir Rupom
PPTX, PDF300 views

REST-Api Design & Develop

This document provides an overview of REST APIs and best practices for designing them. It defines REST as Representational State Transfer and describes RESTful APIs as receiving requests from clients over HTTP and responding based on the server state. Key points covered include using JSON for lightweight and readable responses, securing requests through authentication and authorization, optimizing performance through caching and non-blocking I/O, using status codes and result codes to inform clients, and properly documenting and versioning APIs.

Technology
Related topics:
Web Development
Download to read offline
A Road to { REST : API } Design & Develop Sabbir Hossain (Rupom) Web Developer https://sabbirrupom.com/
What is REST? Representation State Transfer !!!
A simple question between two person How are you?
Someone is requesting for an answer Other party is responding based on his state
So, what is a RESTful API? An application program interface (API) that receives a request from client (web/mobile application) and send a response based on the state of server over the HTTP protocol.
REST vs SOAP • REST performs better and faster than SOAP • Coupled with JSON, easily readable language by both human and machine • Though in some cases in data security and transaction reliability, SOAP performs better
What is JSON? • JavaScript Object Notation • Minimal, readable format for structuring data • An alternative for XML, more light weighted in nature • A key features of REST API response is JSON
REST API Design Architecture Key things to be noted Simple request Secure request Fast response Status code Appropriate response Secure response Documentation Console Versioning
Simple Request • URL should be light and meaningful • Avoid unnecessary query string • Use basic HTTP request methods [GET, POST, PUT, PATCH, DELETE] based on API use case
Secure Request • Authentication & Authorization • Token based authentication [e.g JWT] • Client must know the secret key to sign the token for persistent connection • Server will verify the signature by same key • If mismatched, request is unauthorized • Oath2 authentication & authorization • Register client identity in Authorization server firsthand • Request access token from Authorization server • Request resource server with the access token granted from Authorization server • Provide encrypted/encoded session token for persistent connection between user and server • Input filter handling • Cross-site scripting (XSS) protection • SQL-injection protection • SSL installation in server • Block IP of DDos attacker
Fast response • Make backend as light as possible • PHP Microframework (Slim, Lumen, Flight etc.) • Use Non-blocking I/O over blocking I/O • Express JS • Python Django • Cache server to store relatively non-dynamic and light weighted data for faster reading • Memcache / Radis • Backend code optimization
Status codes • Forecast the client to be prepared which comes next • HTTP status codes • 1xx (Informational): The request was received, continuing process • 2xx (Successful): The request was successfully received, understood, and accepted • 3xx (Redirection): Further action needs to be taken in order to complete the request • 4xx (Client Error): The request contains bad syntax or cannot be fulfilled • 5xx (Server Error): The server failed to fulfill an apparently valid request • Result codes • Make client understand the state of requested result
Appropriate response • Send response in correct format • JSON data as response • Avoid data redundancy • Avoid unwanted data { "result_code":0, "time":"2018-12-10 12:20:00", "data":{ "user":{ "id":4, "name":"Mr. X", "items":[ { "id":1, "name":"laptop", "count":1 }, { "id":2, "name":"monitor", "count":1 } ] } } }
Secure response • Masking file directory path with custom URL or Third party cloud storage path http://example.com/uploads/image/users/1.jpg http://example.com/image/user/1?ref=xxxxxxxxxx1 • Remove unnecessary response header to hide server information from exposing to threat
Documentation API must be well documented
Console • A testing ground for API request/response testing • Should be available to system developer/s and tester/s only • Tools • POSTMAN • Custom console tool
Versioning • Keep your api version up while major changes is on • Keep older api versions for old- not yet updated client users • Example: • http://host/v1/get_user_info?user_id=1 • http://host/v2/users/info/1
Code example • A custom REST-API template can be found here • https://github.com/sabbir-rupom/rest-api-flight-PHP • Based on PHP-Flight microframework • Follow the documentation flow • Study the source architecture
Thank You

More Related Content

PPTX
cross document messaging, html 5
byKristoffer Snabb
 
PPT
W-JAX Performance Workshop - Web and AJAX
byAlois Reitbauer
 
PDF
Best Practice in Web Service Design
byLorna Mitchell
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
PDF
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
cross document messaging, html 5
byKristoffer Snabb
 
W-JAX Performance Workshop - Web and AJAX
byAlois Reitbauer
 
Best Practice in Web Service Design
byLorna Mitchell
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
bySam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
bySam Bowne
 

What's hot

PPT
Proxy server
byDlovan Salih
 
PDF
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
PPT
zigbee
bymahamad juber
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
PDF
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
PDF
CNIT 129S: Ch 7: Attacking Session Management
bySam Bowne
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PPTX
REST and ASP.NET Web API (Milan)
byJef Claes
 
PDF
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
PDF
CNIT 129S: 11: Attacking Application Logic
bySam Bowne
 
PPTX
How proxy works
byMuhammad Taqi
 
PDF
Web Fundamental
bySiliconExpert Technologies
 
PPT
Web Fundamentals
byarunv
 
PPTX
GraphQL Security
byShiu-Fun Poon
 
PPTX
Overview of Rest Service and ASP.NET WEB API
byPankaj Bajaj
 
PPTX
Sfdc soap vs rest
byGaurav Singh
 
PDF
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
PPTX
introduction about REST API
byAmilaSilva13
 
PPT
Tapir user manager
byPaul Houle
 
PPTX
Caching up is hard to do: Improving your Web Services' Performance
byRTigger
 
Proxy server
byDlovan Salih
 
CNIT 129S: 8: Attacking Access Controls
bySam Bowne
 
zigbee
bymahamad juber
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
bySam Bowne
 
CNIT 129S: Ch 7: Attacking Session Management
bySam Bowne
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
REST and ASP.NET Web API (Milan)
byJef Claes
 
CNIT 129S - Ch 3: Web Application Technologies
bySam Bowne
 
CNIT 129S: 11: Attacking Application Logic
bySam Bowne
 
How proxy works
byMuhammad Taqi
 
Web Fundamental
bySiliconExpert Technologies
 
Web Fundamentals
byarunv
 
GraphQL Security
byShiu-Fun Poon
 
Overview of Rest Service and ASP.NET WEB API
byPankaj Bajaj
 
Sfdc soap vs rest
byGaurav Singh
 
Mobile security chess board - attacks & defense
byBlueinfy Solutions
 
introduction about REST API
byAmilaSilva13
 
Tapir user manager
byPaul Houle
 
Caching up is hard to do: Improving your Web Services' Performance
byRTigger
 

Similar to REST-Api Design & Develop

PDF
REST API Recommendations
byJeelani Shaik
 
PPTX
Restful api
byAnurag Srivastava
 
PPTX
Apitesting.pptx
byNamanVerma88
 
ODP
Attacking REST API
bySiddharth Bezalwar
 
PPTX
REST API Design & Development
byAshok Pundit
 
PPTX
Http and REST APIs.
byRahul Tanwani
 
PPTX
APIs: Driving Digital Connectivity Today
bylokerocky245
 
PDF
Rest ful tools for lazy experts
byColdFusionConference
 
PDF
RESTFul Tools For Lazy Experts - CFSummit 2016
byOrtus Solutions, Corp
 
PDF
Api FUNdamentals #MHA2017
byJoEllen Carter
 
PDF
REST APIs
byArthur De Magalhaes
 
PDF
Modern REST API design principles and rules.pdf
byAparna Sharma
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PDF
Api Testing.pdf
byJitendraYadav351971
 
PDF
API testing Notes and features, difference.pdf
bykunjukunjuzz904
 
PPTX
RESTful APIs in .NET
byGreg Sohl
 
PDF
Role of Rest vs. Web Services and EI
byWSO2
 
PDF
Api fundamentals
byAgileDenver
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPTX
API Development Essentials: REST, SOAP, GraphQL Explained
byankitraj5ar
 
REST API Recommendations
byJeelani Shaik
 
Restful api
byAnurag Srivastava
 
Apitesting.pptx
byNamanVerma88
 
Attacking REST API
bySiddharth Bezalwar
 
REST API Design & Development
byAshok Pundit
 
Http and REST APIs.
byRahul Tanwani
 
APIs: Driving Digital Connectivity Today
bylokerocky245
 
Rest ful tools for lazy experts
byColdFusionConference
 
RESTFul Tools For Lazy Experts - CFSummit 2016
byOrtus Solutions, Corp
 
Api FUNdamentals #MHA2017
byJoEllen Carter
 
REST APIs
byArthur De Magalhaes
 
Modern REST API design principles and rules.pdf
byAparna Sharma
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
Api Testing.pdf
byJitendraYadav351971
 
API testing Notes and features, difference.pdf
bykunjukunjuzz904
 
RESTful APIs in .NET
byGreg Sohl
 
Role of Rest vs. Web Services and EI
byWSO2
 
Api fundamentals
byAgileDenver
 
API SECURITY
byTubagus Rizky Dharmawan
 
API Development Essentials: REST, SOAP, GraphQL Explained
byankitraj5ar
 

Recently uploaded

PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
PDF
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PPTX
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
DOCX
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
PDF
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
The Invisible Threads: How 'Connection' Builds the Smartest Organizations. By...
byTheta Prime Institute, Cheyenne, Wyoming, USA.
 
PDF
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PDF
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
PDF
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
PDF
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
PDF
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
PPTX
Unitree H2 Humanoid Robot: Redefining Robotics with Advanced Dexterity and In...
byDronevex
 
PPTX
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
The Invisible Threads: How 'Connection' Builds the Smartest Organizations. By...
byTheta Prime Institute, Cheyenne, Wyoming, USA.
 
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
GDG Cloud Southlake #47: Bala Desikan: Build Autonomous Agentic AI Apps on GCP
byJames Anderson
 
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
Integrare AI e Automazione con UiPath Agent Builder
byUiPathCommunity
 
Unitree H2 Humanoid Robot: Redefining Robotics with Advanced Dexterity and In...
byDronevex
 
Stop Worrying, Start Wiring: Azure Serverless for the AI Era
byMuralidharan Deenathayalan
 

REST-Api Design & Develop

  • 1.
    A Road to {REST : API } Design & Develop Sabbir Hossain (Rupom) Web Developer https://sabbirrupom.com/
  • 2.
    What is REST? RepresentationState Transfer !!!
  • 3.
    A simple question betweentwo person How are you?
  • 4.
    Someone is requestingfor an answer Other party is responding based on his state
  • 5.
    So, what isa RESTful API? An application program interface (API) that receives a request from client (web/mobile application) and send a response based on the state of server over the HTTP protocol.
  • 6.
    REST vs SOAP •REST performs better and faster than SOAP • Coupled with JSON, easily readable language by both human and machine • Though in some cases in data security and transaction reliability, SOAP performs better
  • 7.
    What is JSON? •JavaScript Object Notation • Minimal, readable format for structuring data • An alternative for XML, more light weighted in nature • A key features of REST API response is JSON
  • 8.
    REST API DesignArchitecture Key things to be noted Simple request Secure request Fast response Status code Appropriate response Secure response Documentation Console Versioning
  • 9.
    Simple Request • URLshould be light and meaningful • Avoid unnecessary query string • Use basic HTTP request methods [GET, POST, PUT, PATCH, DELETE] based on API use case
  • 10.
    Secure Request • Authentication& Authorization • Token based authentication [e.g JWT] • Client must know the secret key to sign the token for persistent connection • Server will verify the signature by same key • If mismatched, request is unauthorized • Oath2 authentication & authorization • Register client identity in Authorization server firsthand • Request access token from Authorization server • Request resource server with the access token granted from Authorization server • Provide encrypted/encoded session token for persistent connection between user and server • Input filter handling • Cross-site scripting (XSS) protection • SQL-injection protection • SSL installation in server • Block IP of DDos attacker
  • 11.
    Fast response • Makebackend as light as possible • PHP Microframework (Slim, Lumen, Flight etc.) • Use Non-blocking I/O over blocking I/O • Express JS • Python Django • Cache server to store relatively non-dynamic and light weighted data for faster reading • Memcache / Radis • Backend code optimization
  • 12.
    Status codes • Forecastthe client to be prepared which comes next • HTTP status codes • 1xx (Informational): The request was received, continuing process • 2xx (Successful): The request was successfully received, understood, and accepted • 3xx (Redirection): Further action needs to be taken in order to complete the request • 4xx (Client Error): The request contains bad syntax or cannot be fulfilled • 5xx (Server Error): The server failed to fulfill an apparently valid request • Result codes • Make client understand the state of requested result
  • 13.
    Appropriate response • Sendresponse in correct format • JSON data as response • Avoid data redundancy • Avoid unwanted data { "result_code":0, "time":"2018-12-10 12:20:00", "data":{ "user":{ "id":4, "name":"Mr. X", "items":[ { "id":1, "name":"laptop", "count":1 }, { "id":2, "name":"monitor", "count":1 } ] } } }
  • 14.
    Secure response • Maskingfile directory path with custom URL or Third party cloud storage path http://example.com/uploads/image/users/1.jpg http://example.com/image/user/1?ref=xxxxxxxxxx1 • Remove unnecessary response header to hide server information from exposing to threat
  • 15.
  • 16.
    Console • A testingground for API request/response testing • Should be available to system developer/s and tester/s only • Tools • POSTMAN • Custom console tool
  • 17.
    Versioning • Keep yourapi version up while major changes is on • Keep older api versions for old- not yet updated client users • Example: • http://host/v1/get_user_info?user_id=1 • http://host/v2/users/info/1
  • 18.
    Code example • Acustom REST-API template can be found here • https://github.com/sabbir-rupom/rest-api-flight-PHP • Based on PHP-Flight microframework • Follow the documentation flow • Study the source architecture
  • 19.