Caching strategies in web apps can be a really helpful mechanism for performance improvement and for many other things, but also can be really harmful when is not measured or well thought.
This may sound a little dumb, and you may be asking, how the duck can possibly go wrong when caching? but the thing is that caching actions are underestimated by web developers because are commonly used for website assets, styles, and a bunch of images.
But caching can lead to exposing sensitive data to the world and be accessible as a result of a Google hacking query or…
This third and final part of the API designing series will be focused on data security and pitfalls concerns. This is the most important thing in order to design an API because you should be aware of security since the foundations.
Security should be present anywhere, you can find vulnerabilities in the client software, directly on the gateway software by breaking firewall rules, and also specifically into the related layers such as databases, mid-tiers, load balancing software, and more.
The goal is to prevent the attack to the API itself, and you should think about every “touchpoint” in the API…
This second part is oriented on the architectural constraints of API development. These are a bunch of concepts that are extremely related to code work, in different aspects.
Client -> Load balancer -> App Server -> DB Layer
And then, the server can respond from…
APIs are the most common software piece used today for building products and services, these are considered as a kind of abstraction or middleware component for low-level system interactions.
Many authors skip the logic behind an API implementation and go straight on explaining how to use a framework and connect to persisted data. Leaving aside the designing aspect of it.
The aim of this post is to talk briefly about good practices of API development, the HTTP protocol, REST architecture and their resource representation, error handling, versioning, caching, and so on.
Let’s start by talking about the API value chain…
In this new post, I will be reviewing APIs management in a general manner because it is a quite vast topic. As you may already know, APIs are mechanisms used for exposing data between environments in an efficient way.
Many years ago, connecting or sharing data with a third-party component was some kind of impossible, it was expensive in terms of efficiency due to scraping techniques, this was the only solution available back then for grabbing data from a different service or websites.
Scrapping sites strongly depends on an HTML structure. If the source-side performs a change in their frontend…
Cloud has evolved drastically in recent times. While ago, physical servers were everything, bare-metal machines managed by Datacenter operators, where you as a developer or a sysadmin were responsible for managing your own rented machine. Commonly there was an SLA for uptime and scaling reliability scenarios.
After that, virtualization tech came up.
This technology has the ability to create virtual machines inside physical servers. This process was easy in terms of provisioning, scaling, and resource usage, letting you increase the experience in software delivery time, usage, and efficiency. …
I wanted to do this some time ago because there’s a lot of confusion about what is the next step to follow after new-comers web developers dominate or achieve fluid HTML work.
Frontend developers should be familiar with backend activities, regardless of doing it professionally, and not only in terms of tools and how to send/receive data, but the foundations of HTTP communications and more.
Full-stack jobs are more and more required, due to the proficiency of both worlds. IMO I think is not enough just to learn one side of the road.
In the NodeJS world, there’s a lot…
Continuing on this practice, we just covered SQLi definitions, types of possible attacks, how classic and blind SQLi work, data processing and its differences in HTTP, and two practical examples.
Doing things manually is great, but requires tons of effort just to prove a point, and depending on your skills, you can try so hard to get a false positive scenario or maybe skip a real scenario.
There are a bunch of tools for automating and exploiting SQLi cases, but here are a few that worth mentioning, including:
Databases have been around since forever, and almost 50 years ago a lot of projects were put together and transformed into what is today known as SQL or the Structured Query Language. A lot of things came up just to get what we know today as a database.
Before going practical we need to talk about SQL as a language.
As you may know, SQL is not a product, is a standard programming language that is used for managing and obtaining data from a database. …
The weakest link of software is not a technical factor, but a human.
Social Engineering is the suite of knowledge, strategies, and resources that looks to apply any type of physical manipulation (tricking people) to a specific or general target with a simple goal of accessing confidential information. In a few words, the social engineer applies any form/technique to persuade a victim to do something that seems to be good intended and voluntary.
This is much more than performing a technical skill and it’s really not magic. …
Backend Developer, Pentesting and InfoSec Student