The Most Secure Cross Browser Testing Platform since 2012


Web Services Dos and Don’ts: Making Your API Secure and Efficient

Web Development

Web Services Dos and Don’ts: Making Your API Secure and Efficient

Web services are programming interfaces you use to be an intermediate between an outside program and your internal business applications. You use web services to allow external programmers to “talk” to your internal applications. The API sets the rules and standards for the programmer to protect your data. Using a web service API, you can allow customers and affiliates to use your apps while setting rules for how they can manipulate the data. These API components can be used for mobile phone apps, desktop programs or other web applications.

Document Your API Methods

Even the smallest APIs have some kind of documentation. Facebook, Twitter and Google are just a few companies that offer well-documented APIs. These companies have extensive documentation to help programmers understand how to use each API method. A well-documented API is more successfully implemented by developers, which helps your API become more popular with outside vendors. (tweet this) If you have competitors, good documentation can sell your product over your competitor’s.

Don’t Ignore Security Risks

Your API is available to anyone on the Internet, because it runs on a web server. Just like a website, it can be crawled by search engine bots and hackers. If there are parts of your API that shouldn’t be indexed, use the robots.txt file to block crawlers. Always make security a top priority and run security audits periodically. Always use logs to log each login attempt for both successful and failed attempts.

Use Tokens to Verify Users

You only want users who have signed up for your service to use the API. Tokens are dynamically created character strings that uniquely identify a user. You can store these strings in a database and only give access if the user enters the correct user name and password. The token is then used by the API user to access your API’s methods.

Respond with Standard Data Formats

Using standard protocols makes it easier for programmers to implement your API into their own applications. If you use nonstandard formats, the programmer is forced to learn a new language, and it can mean choosing a competitor’s API over your own. The standard data formats are SOAP XML and JSON. JSON is the more current standard and therefor the way to go.

Don’t Forget Error-Checking

If a method throws an exception error, don’t let the API crash. Instead, create an error message that makes it easy for the developer to identify that an error occurred instead of completing the process. You should document error that can occure, so the programmer can fix the code if the issue is with the programmer’s code. If the API has an error, your audit logs should catch it, and you should automatically send an email to someone who can look into the faulty code. Error-checking handles errors instead of having complete crashes in your code.

Encrypt Sensitive Data

All sensitive data should be encrypted. This data includes medical information, financial transactions or private customer data such as social security numbers. Never create a security hole by using plain text transfers. Always use SSL certificates on web APIs that transfer sensitive data between the end-point program and your web service interface, because hackers can sniff this data. If you make your API a subdirectory in your current web application, you can use the same security certificate that you have for your website.


These tips help you avoid some simple errors that most new API coders forget to implement. Always be sensitive to security issues especially if you pass customer data from the API to an outside vendor.

Photo by Chuck Coker