Ad Server API: Security Best Practices

AdvertServe offers all its users a complete data management, code generation and reporting API.

What can you do with the API? Just about anything that you can do with the control panel. In fact, our control panel is running on top of the API, which means you could even go so far as to build your own.

More commonly the API can be used for integration with other systems and automation of bulk operations.

For more information, please visit our developers page to access the API documentation. Here are a few best practices to protect your API:

1. Protect Your Secret Key

While it may be tempting to use JavaScript to interface directly with the API from a web page, it is not a safe practice.

Anything a page sends to the API is visible to whoever loads that page: they only need to view the source (or open the browser's network inspector) to copy your secret API key and start wreaking havoc on your data. This is worst when the page is on a publicly accessible web site, but it applies to any page, because the key has to be delivered to every visitor's browser for the JavaScript to work at all.

We’re not saying to avoid using JavaScript. By all means use it. Just make sure you’re doing it in a safe way.

  1. Create a script in your language of choice (Java, Perl, PHP, Ruby, etc.) on your server that makes the request to the API and outputs its response.
  2. Store your secret API key in a file or environment variable that the script can read, kept outside the web root so it can never be served as a static file. Embedding the key in the script itself also works, but it is then easy to leak through source control or backups.
  3. Restrict file system access to your script and to any file where your secret API key is stored to only the necessary system users.
  4. Make your JavaScript call your script rather than the API directly.

This accomplishes the goal of keeping your API key a secret because it never needs to be transmitted to the client. Two caveats: the script is now itself an API with the key's full privileges, so limit it to the operations your page actually needs (for example read-only reporting calls) and require whatever login your site already has before it will answer; otherwise anyone who discovers the script's URL can do everything the key can.
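Steps 1 to 4 put together, as an added example in Python standing in for your language of choice. This is not AdvertServe's code: the API base URL, the X-Api-Key header and the action names are placeholders to be replaced from the API documentation. Beyond keeping the key on the server, it shows the two controls that make such a script safe to expose to a page: an allowlist of actions the browser may request, and a refusal to relay any response that happens to echo the key.

```python
"""Server-side proxy that keeps the secret API key off the browser.

Added example, not AdvertServe's code. API_BASE, the "X-Api-Key" header
and the action names are placeholders chosen for illustration.
"""
import os
import ssl
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder: substitute the endpoint from the AdvertServe API documentation.
API_BASE = "https://example.invalid/api/"

# Actions the browser may ask for through the proxy. Anything not listed
# (creates, updates, deletes) is refused, so a page that is tricked into
# calling the proxy cannot exercise the key's full privileges.
ALLOWED_ACTIONS = {"campaigns", "zones", "stats"}


def load_secret_key() -> str:
    """Read the key from the environment; never from a string in the page."""
    key = os.environ.get("ADVERTSERVE_API_KEY")
    if not key:
        raise RuntimeError("ADVERTSERVE_API_KEY is not set")
    return key


def build_upstream_request(action: str, params: dict, api_key: str) -> urllib.request.Request:
    """Translate a browser request into the upstream API call, or raise ValueError.

    The key travels in a header rather than the query string so that it does
    not end up in web-server or proxy access logs.
    """
    if action not in ALLOWED_ACTIONS:  # also blocks "stats/../admin" style paths
        raise ValueError(f"action not permitted: {action!r}")
    query = urllib.parse.urlencode(params)
    url = urllib.parse.urljoin(API_BASE, action) + (f"?{query}" if query else "")
    return urllib.request.Request(url, headers={"X-Api-Key": api_key, "Accept": "application/json"})


def relay_body(body: bytes, api_key: str) -> bytes:
    """Defence in depth: never forward a response that echoes the key."""
    if api_key.encode() in body:
        raise RuntimeError("upstream response contained the secret key; not relaying")
    return body


class ProxyHandler(BaseHTTPRequestHandler):
    """GET /stats?zone=7 on this server becomes GET <API_BASE>stats?zone=7 upstream."""

    def do_GET(self) -> None:
        parsed = urllib.parse.urlsplit(self.path)
        action = parsed.path.strip("/")
        params = dict(urllib.parse.parse_qsl(parsed.query))
        api_key = load_secret_key()
        try:
            req = build_upstream_request(action, params, api_key)
        except ValueError:
            self.send_error(403, "action not permitted")
            return
        # create_default_context() verifies the API's certificate and hostname.
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
            body = relay_body(resp.read(), api_key)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to localhost only; put your normal web server (and its login) in front.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run it with ADVERTSERVE_API_KEY set and have the page's JavaScript fetch /stats?zone=7 from this server; the browser only ever sees the proxied JSON. The proxy does not authenticate its callers, so it belongs behind your regular web server's login, not on a public port.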

2. Restricting Access by IP

The API settings allow you to restrict access by IP address. This should be used to permit only the systems that need to use the API to connect to it.

These IP restrictions can also match ranges. Entering 192.168.1. (with the trailing dot) allows access from 192.168.1.0 through 192.168.1.255; to target a smaller group of addresses, entering 192.168.1.[8-16] allows access only from 192.168.1.8 through 192.168.1.16.

Just make sure to put only one IP address or range per line in the box. Remember that the address the API sees is the public address your server connects from: if your script runs behind NAT or a cloud gateway, it is that egress address, not the server's private one, that belongs on the list.
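The matching rules described above, implemented as an added example in Python. This is not AdvertServe's code (the control panel's implementation is not published on this page), so treat it as an illustration of the documented syntax rather than a specification: it generalises slightly by accepting a [lo-hi] range in any octet, it fails closed where the page says nothing (an empty box, or a prefix written without the trailing dot), and it includes the naive string-prefix check that the trailing dot guards against, so the difference between 192.168.1. and 192.168.1 is visible.

```python
"""Matcher for the IP-restriction syntax described above.

Added example, not AdvertServe's code. Reproduces the two documented forms
(trailing dot = "any value for the remaining octets", [lo-hi] = range) and,
as a generalisation, accepts a [lo-hi] range in any octet. Behaviour for an
empty box or a prefix without the trailing dot is not described on the page;
this code fails closed in both cases.
"""
import ipaddress
import re

_RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")


def parse_rule(rule: str) -> list:
    """Turn one line of the box into (lo, hi) bounds, one tuple per octet.

    Fewer than four tuples means the remaining octets are unconstrained,
    which is what "192.168.1." expresses.
    """
    text = rule.strip()
    prefix = text.endswith(".")
    parts = (text[:-1] if prefix else text).split(".")
    if len(parts) > 4 or (not prefix and len(parts) != 4):
        raise ValueError(f"malformed rule {rule!r}")
    bounds = []
    for part in parts:
        m = _RANGE.match(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
        elif part.isdigit():
            lo = hi = int(part)
        else:
            raise ValueError(f"bad octet {part!r} in rule {rule!r}")
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in rule {rule!r}")
        bounds.append((lo, hi))
    return bounds


def rule_matches(bounds: list, ip: str) -> bool:
    """True if every constrained octet of ip lies within its bounds."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    return all(lo <= o <= hi for (lo, hi), o in zip(bounds, octets))


def is_allowed(ip: str, rules_box: str) -> bool:
    """Evaluate a client address against the box contents (one rule per line).

    Malformed rules raise so a typo is caught when the list is configured;
    an unparsable client address (or an empty list) is simply denied.
    """
    rules = [parse_rule(line) for line in rules_box.splitlines() if line.strip()]
    try:
        return any(rule_matches(b, ip) for b in rules)
    except ValueError:
        return False


def naive_prefix_match(ip: str, prefix: str) -> bool:
    """The mistake the trailing dot guards against: plain string prefixing,
    which lets 192.168.10.x through a rule meant for 192.168.1.x."""
    return ip.startswith(prefix)
```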

3. Preventing Eavesdropping

Even though you are restricting access by IP address and not exposing your secret API key to the client, it is still a concern that data is being transmitted to and from the AdvertServe servers over the public Internet.

A request might pass through 20 or more routers and networks before it arrives. If any hop along the way is compromised, or an attacker simply sits on the same network as your server, they could capture your secret API key and, more importantly, all of the data you are transmitting back and forth.

What can you do to stop that? The same thing you do to protect financial transactions: use HTTPS, that is, HTTP over TLS (still widely called SSL) with a certificate issued for the API host. This encrypts the data going back and forth between your script and the API so that it cannot be read or altered by anyone listening in along the way.

With AdvertServe, all accounts are automatically secured via SSL, so the server side is already taken care of and your data is encrypted in transit. The remaining responsibility is on your script: use https:// URLs only, keep certificate verification switched on (the "ignore certificate errors" option some HTTP libraries offer reduces HTTPS to encryption with whoever answers), and never fall back to plain HTTP when a request fails.
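The client side of that, as an added example in Python: settings for the server-side script from section 1 that refuse plaintext, verify the certificate, require TLS 1.2 or later and will not follow a redirect back to http://. This is not AdvertServe's code; the URL and the X-Api-Key header are placeholders, and weakened_context() is included only to show the setting you should not find in your own scripts.

```python
"""HTTPS client settings for the server-side script that calls the API.

Added example, not AdvertServe's code. The URL and header are placeholders.
HTTPS only stops eavesdropping if the client verifies the certificate,
refuses plaintext, and does not follow a redirect back to http://.
"""
import ssl
import urllib.parse
import urllib.request


def make_tls_context() -> ssl.SSLContext:
    """Strict context: CA-verified certificate, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Check you can run against any context your code builds."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def require_https(url: str) -> str:
    """Reject any URL that is not https://, so a typo cannot send the key in clear."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS API URL: {url}")
    return url


class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows redirects by default; stop one that downgrades to http://."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_tls_context()),
        HttpsOnlyRedirect(),
    )


def fetch(url: str, api_key: str, timeout: float = 10) -> bytes:
    """Call the API over verified TLS; the key never leaves in a plaintext request."""
    req = urllib.request.Request(require_https(url), headers={"X-Api-Key": api_key})
    with build_opener().open(req, timeout=timeout) as resp:
        return resp.read()


def weakened_context() -> ssl.SSLContext:
    """What NOT to do: the two lines that turn HTTPS into unverified TLS.
    Grep your scripts for check_hostname = False, CERT_NONE and verify=False."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

context_is_strict() is the kind of assertion worth keeping in your own test suite, since a verification-disabling line added during debugging tends to survive into production unnoticed.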

What are your API use cases? Drop us a line and let us know how an ad server API can best serve your needs.

Start Your Free Trial

Interested in giving AdvertServe a spin? Check out our demo page to take a look at our interface and get an overview of the ad management process. When you're ready, sign up for your free 30 day trial.