Here are some common issues that can occur in the development of APIs:

  • Inadequate Authentication and Authorization:
    • No reliable way to verify who the caller is.
    • Weak authentication mechanisms, such as plain API keys or HTTP Basic Authentication with no additional protection.
    • Not restricting access based on user roles.
    • Exposing sensitive information without access restrictions.
  • Lack of Input Validation:
    • Not checking the type and format of the data received.
    • Leaving room for injection attacks such as SQL injection or script injection.
    • Not handling unexpected input values, such as out-of-range numbers.
  • Exposing Sensitive Data:
    • Returning more information than the client needs, including passwords, personal data, API keys, etc.
    • Not encrypting or otherwise protecting sensitive information properly.
  • Poor Error Handling:
    • Revealing internal system details in error messages.
    • Not handling exceptions, which can crash the application.
  • Missing Rate Limiting and Throttling:
    • Not controlling the rate at which requests from a client are accepted.
    • Allowing excessive requests that can overload the system.
  • Insecure Transport and Storage:
    • Not using secure communication protocols or encryption.
    • Failing to protect data at rest or in transit.
  • Inadequate Documentation:
    • Insufficient or outdated documentation for developers.
    • Missing information about API endpoints, parameters, and responses.
  • Versioning:
    • Making changes that break compatibility with existing clients.
  • Logging and Monitoring:
    • Not keeping records of requests, errors, or suspicious activity.
    • Failing to set up alerts for monitoring the system.
  • CORS (Cross-Origin Resource Sharing):
    • Allowing cross-origin access from any origin, which can let other sites call the API on a user's behalf.
    • Not specifying which HTTP methods are allowed.
  • State and Session Management:
    • Not implementing statelessness properly.
    • Relying solely on client-side session state without server-side validation.
  • Secret Management:
    • Storing secret keys or credentials in the source code.
  • Not Keeping Dependencies Updated:
    • Using outdated libraries or frameworks that have known vulnerabilities.
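The first four items on the list (authentication and authorization, input validation, sensitive-data exposure and error handling) tend to be fixed in the same place: the request handler. The following is an added example, not code from the original post or from any particular framework, of a framework-agnostic handler for a hypothetical `GET /users/{id}` endpoint. The user records, the bearer tokens `tok-alice`/`tok-bob` and the `PLACEHOLDER_*` secrets are constructed for the example; a real service would load users from a database and validate tokens issued by its identity provider.

```python
import logging
import re
import secrets
import uuid

log = logging.getLogger("api")

# Constructed sample data for this example (not from the original post).
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "admin",
        "password_hash": "PLACEHOLDER_HASH", "api_key": "PLACEHOLDER_KEY"},
    2: {"id": 2, "email": "bob@example.com", "role": "user",
        "password_hash": "PLACEHOLDER_HASH", "api_key": "PLACEHOLDER_KEY"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2}  # bearer token -> user id (constructed)

# Allow-list of fields a response may contain. password_hash and api_key can
# never leak because they are simply not in this tuple.
PUBLIC_USER_FIELDS = ("id", "email", "role")

# Allow-list pattern for the path segment: a positive integer with no leading zero.
USER_ID_PATTERN = re.compile(r"[1-9][0-9]*")


def authenticate(headers):
    """Return the user record for a valid Bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a guessed token were correct.
    for token, uid in TOKENS.items():
        if secrets.compare_digest(presented, token.encode()):
            return USERS[uid]
    return None


def authorize(user, target_id):
    """Object-level check: admins may read any user, others only themselves."""
    return user["role"] == "admin" or user["id"] == target_id


def public_view(user):
    """Project a user record onto the allow-listed fields only."""
    return {field: user[field] for field in PUBLIC_USER_FIELDS}


def get_user(headers, path_id):
    """Handle GET /users/{id}. Returns (status_code, body_dict)."""
    try:
        # 1. Validate input before touching anything else.
        if not isinstance(path_id, str) or not USER_ID_PATTERN.fullmatch(path_id):
            return 400, {"error": "id must be a positive integer"}
        target_id = int(path_id)

        # 2. Authenticate, then 3. authorize against the specific object.
        user = authenticate(headers)
        if user is None:
            return 401, {"error": "authentication required"}
        if not authorize(user, target_id):
            return 403, {"error": "forbidden"}

        # 4. Return only the public projection of the record.
        target = USERS.get(target_id)
        if target is None:
            return 404, {"error": "not found"}
        return 200, public_view(target)
    except Exception:
        # Never return str(exc) or a traceback to the caller. Log the details
        # server-side under a correlation id and hand the client only that id.
        correlation_id = uuid.uuid4().hex
        log.exception("unhandled error in get_user, correlation_id=%s", correlation_id)
        return 500, {"error": "internal error", "correlation_id": correlation_id}


if __name__ == "__main__":
    print(get_user({"Authorization": "Bearer tok-bob"}, "2"))  # 200, public fields only
    print(get_user({"Authorization": "Bearer tok-bob"}, "1"))  # 403, bob is not an admin
    print(get_user({}, "1"))                                   # 401, no token
```

The order inside `get_user` is deliberate: validation rejects malformed ids before any lookup happens, authentication precedes authorization, and the response is built from an allow-list of fields rather than by deleting secret fields from the full record, so a new sensitive column added to the store later is not exposed by default.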
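For the rate-limiting item, the following is an added example (not from the original post) of a per-client token bucket with an injectable clock, plus the choice of what to key the limit on. The `ManualClock` helper, the client key format and the `X-Forwarded-For` handling are assumptions made for this example.

```python
import math
import time


class TokenBucketLimiter:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled
    continuously at `refill_rate` tokens per second. `clock` is injectable so
    behaviour can be tested without sleeping."""

    def __init__(self, capacity, refill_rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.clock = clock
        self._buckets = {}  # client key -> (tokens, last_update)

    def _refill(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_rate)
        self._buckets[key] = (tokens, now)
        return tokens

    def check(self, key):
        """Return (allowed, retry_after_seconds). Consumes one token when allowed."""
        tokens = self._refill(key)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, self.clock())
            return True, 0
        # Seconds until one whole token is available, rounded up for Retry-After.
        return False, math.ceil((1.0 - tokens) / self.refill_rate)


def client_key(remote_addr, headers, user_id=None, trust_proxy=False):
    """Pick the identity to limit on: the authenticated user when there is one,
    otherwise the client address. X-Forwarded-For is honoured only when this
    service sits behind a proxy it trusts, because any client can set that header;
    with one trusted proxy, the rightmost entry is the address the proxy saw."""
    if user_id is not None:
        return f"user:{user_id}"
    if trust_proxy:
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            return "ip:" + forwarded.split(",")[-1].strip()
    return f"ip:{remote_addr}"


def limited(limiter, key):
    """Translate a limiter decision into (status, extra_headers)."""
    allowed, retry_after = limiter.check(key)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}


class ManualClock:
    """Test helper (constructed for this example): a clock you advance by hand."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = ManualClock()
    limiter = TokenBucketLimiter(capacity=3, refill_rate=1.0, clock=clock)
    key = client_key("203.0.113.9", {})  # constructed client address
    for _ in range(4):
        print(limited(limiter, key))     # three 200s, then 429 with Retry-After: 1
    clock.now = 1.0
    print(limited(limiter, key))         # 200 again after one second of refill
```

Keying on the authenticated user rather than the address stops one user behind a shared NAT from exhausting everyone else's budget, and the `Retry-After` header tells well-behaved clients when to come back instead of leaving them to retry blindly.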
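For the CORS item, the following is an added example (not from the original post) of origin validation done with an exact-match allow-list, shown beside the substring check it replaces. The origins `https://app.example.com` and `https://admin.example.com`, the method and header lists and the `.test` hostnames are constructed for the example.

```python
# Constructed allow-list for the example. Entries are full origins
# (scheme://host[:port]); a host name alone is not enough because
# http://app.example.com is a different origin from https://app.example.com.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_HEADERS = ("Authorization", "Content-Type")


def is_allowed_origin_naive(origin):
    """Anti-pattern kept for contrast: a substring test. It also accepts
    origins such as https://example.com.evil.test and https://notexample.com."""
    return origin is not None and "example.com" in origin


def is_allowed_origin(origin):
    """Exact, case-sensitive match of the whole origin against the allow-list.
    The literal origin 'null' (sandboxed iframes, file:// pages) is never accepted."""
    return origin is not None and origin != "null" and origin in ALLOWED_ORIGINS


def cors_headers(origin, preflight=False):
    """Headers to add to a response for a request carrying `origin`.
    Returns {} for any origin not on the allow-list, so the browser blocks the read."""
    if not is_allowed_origin(origin):
        return {}
    headers = {
        # Echo only a value that passed the allow-list; never "*" on an API
        # that uses cookies or Authorization headers.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Shared caches must key the response on Origin, or one origin's
        # allow header could be served to another.
        "Vary": "Origin",
    }
    if preflight:
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    print(cors_headers("https://app.example.com"))               # allowed origin echoed
    print(cors_headers("https://app.example.com.evil.test"))     # {} (blocked)
    print(cors_headers("http://app.example.com"))                # {} (wrong scheme)
    print(cors_headers("https://admin.example.com", preflight=True))
```

A useful check when reviewing an API is to send a request with an `Origin` header the service should not trust and confirm that no `Access-Control-Allow-Origin` comes back at all; reflecting the request's origin unconditionally is the most common way the first CORS bullet above shows up in practice.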

I’m Datta

Welcome to BeingCraftsman — where software architecture is treated as a long-term responsibility. I’m a Software Architect and Cloud Lead based in Pune, India, with over a decade of experience designing scalable systems, guiding teams, and making practical engineering decisions. This space is about clarity in architecture, reliability in systems, and leadership that helps teams build software that lasts.
