
【Practical information】Software interface security design specification

Author: Software Development Information Inquiry Network
Covers interface design security specifications: the token authorization mechanism, HTTPS transport encryption, and anti-abuse controls for interface calls.

Token authorization mechanism: the business system logs in with its assigned APP ID and APPKEY; the server then returns a token to the client, which serves as the access credential between the two parties.

Timestamp timeout mechanism: each API request carries a timestamp parameter holding the current time; the server reads this timestamp and compares it with its own current time, so that stale requests can be rejected.

Signature mechanism: the token and timestamp are combined with the other request parameters and hashed with the MD5 algorithm; the resulting digest is the signature (sign) of the request. The signature mechanism ensures that the data cannot be tampered with.
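The token, timestamp and signature mechanisms above, as an added Python example that is not part of the original article: the client attaches a timestamp and signs the request, and the server checks the timestamp window before recomputing the sign. The exact parameter layout, the 60-second window and the constant-time comparison are my assumptions; the page itself only specifies MD5.

```python
import hashlib
import hmac
import time

# Assumed layout of the scheme (the page does not fix one): parameters are
# sorted by key, joined as key=value&..., the token is appended as a secret
# suffix, and the MD5 hex digest becomes the "sign" field. The page specifies
# MD5; new designs should prefer hmac.new(token, msg, hashlib.sha256).
TIMESTAMP_WINDOW_SECONDS = 60  # assumed allowed clock skew / replay window


def canonical_string(params: dict) -> str:
    """Join all parameters except 'sign' in sorted key order."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")


def make_sign(params: dict, token: str) -> str:
    """Compute the sign value over the canonical string plus the token."""
    return hashlib.md5((canonical_string(params) + token).encode()).hexdigest()


def sign_request(params: dict, token: str, now: int) -> dict:
    """Client side: attach the current timestamp, then sign everything."""
    signed = dict(params, timestamp=now)
    signed["sign"] = make_sign(signed, token)
    return signed


def verify_request(params: dict, token: str, now: int) -> tuple[bool, str]:
    """Server side: reject stale timestamps first, then recompute the signature."""
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = make_sign(params, token)
    # constant-time comparison so partial matches cannot be measured via timing
    if not hmac.compare_digest(expected, str(params.get("sign", ""))):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = "constructed-token-value"  # would come from the APP ID/APPKEY login
    now = int(time.time())
    req = sign_request({"appid": "demo", "order_id": "42"}, token, now)
    print(verify_request(req, token, now))                  # (True, 'ok')
    print(verify_request(dict(req, order_id="43"), token, now))  # signature mismatch
    print(verify_request(req, token, now + 3600))           # timestamp outside window
```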

Interface call anti-abuse

Interface call whitelist mechanism: whitelist the servers that need to call the interface, restricting the permitted source IP addresses.

Limit the number of calls: a single IP address or APP ID can be limited to a threshold, for example the cumulative number of accesses to the interface in one day < 1,000.

Call frequency limit: a single IP address or APP ID can be limited to a threshold, for example the number of accesses to an interface within one minute < 20.

Limit data content: a single IP address or APP ID can be limited to a threshold, for example the number of data records requested in one day cannot exceed 5,000.

API call logs and monitoring

1. Events that should be audited: the start and exit time of each call, and any abnormal system call behaviour. At a minimum, each audit log record contains the date and time of the event, the type of event, the subject ID, the outcome of the event (success or failure), and details of the event.

2. Sensitive data such as passwords, ID card numbers and mobile phone numbers must not appear in logs; where such data genuinely has to appear, part of the value is masked when it is saved.

3. View real-time logs through the monitoring screen, and query and summarise them.