[Interface Design] Writing interfaces this way is more elegant

General goals: security, repeatability, stability, traceability

1. Signature: Interfaces exposed externally must verify a request signature to authenticate the caller. If authentication fails, the request is denied access to the interface and its services.

2. Encryption: Sensitive data should be encrypted during network transmission.

3. IP whitelist: Restrict which source IPs may send requests by adding an IP whitelist, generally enforced at the gateway layer.

4. Rate limiting: Especially for externally exposed interfaces, the call frequency cannot be guaranteed, so rate limiting should be applied to ensure the interface can keep providing service normally.

5. Parameter verification: Even if the front end has already done non-null and format checks, server-side parameter validation is still necessary.

6. Unified return value: A service should follow one unified specification for the data it returns and for how parameters are passed.

7. Unified exception packaging: The system returns friendly error messages to avoid exposing SQL exception information to the caller.

8. Request log: Record the logs the system generates so that problems can be located and analyzed quickly.

9. Idempotent design: Interfaces that involve data consistency must be designed to be idempotent to prevent duplicate data.

10. Limit the number of records: For batch interfaces provided externally, the number of records per request must be limited.

11. Stress test: Before going online, we must stress test the API to learn the QPS of each interface, so that we can better estimate how many server nodes need to be deployed. This is very important for the stability of the API.

12. Asynchronous processing: If processing the business logic synchronously would take a very long time, we can change it to asynchronous processing to improve the performance of the API.

13. Data masking (desensitization): Sensitive user-related data in the business should be masked.

14. Complete interface documentation
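
One way to implement the signature check from item 1, as an added example that is not part of the original post. HMAC-SHA256, the parameter names `app_id`, `timestamp` and `sign`, the percent-encoded canonical form and the 300-second freshness window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed demo secret; a real service loads one secret per caller from a secret store.
SECRETS = {"demo-app": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300  # assumed freshness window, not from the original post


def canonical_string(params):
    """Sort by name and percent-encode, so '&' or '=' inside a value cannot forge a field."""
    items = sorted((str(k), str(v)) for k, v in params.items() if k != "sign")
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items).encode()


def sign(params, secret):
    return hmac.new(secret, canonical_string(params), hashlib.sha256).hexdigest()


def verify(params, now=None):
    """Return (ok, reason); on any failure the request must not reach the handler."""
    now = time.time() if now is None else now
    secret = SECRETS.get(str(params.get("app_id", "")))
    if secret is None:
        return False, "unknown app_id"
    try:
        ts = int(params["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    supplied = str(params.get("sign", "")).encode("utf-8", "replace")
    # compare_digest runs in constant time, so timing does not leak the expected value.
    if not hmac.compare_digest(sign(params, secret).encode(), supplied):
        return False, "bad signature"
    return True, "ok"


def demo():
    now = 1_700_000_000  # constructed fixed clock so the results are reproducible
    req = {"app_id": "demo-app", "timestamp": str(now), "order_id": "A1001", "amount": "25.00"}
    req["sign"] = sign(req, SECRETS["demo-app"])
    tampered = dict(req, amount="2500.00")
    return [verify(req, now), verify(tampered, now), verify(req, now + 3600)]


if __name__ == "__main__":
    print(demo())
```

A correctly signed request that is resent inside the freshness window still verifies; rejecting it needs a per-request nonce or the idempotent handling from item 9.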


Origin blog.csdn.net/weixin_43431218/article/details/130029602