API: Security Best Practices

Wait... There's an API?

For those of you that missed the announcement back in April, both AdvertPro and AdvertServe now have a complete data management, code generation and reporting API. What can you do with the API? Just about anything that you can do with the control panel. In fact, our control panel is running on top of the API, which means you could even go so far as to build your own. More commonly the API can be used for integration with other systems and automation of bulk operations.

For more information, please visit our developers page to access the API documentation.

Protect Your Secret Key

While it may be tempting to use JavaScript to interface directly with the API from a web page, it is not a safe practice, especially if the page is located on a publicly accessible web site. All someone needs to do is view the source code of the page and they can easily steal your secret API key and start wreaking havoc on your data!

We're not saying to avoid using JavaScript. By all means use it. Just make sure you're doing it in a safe way.

  1. Create a script using your language of choice (Java, Perl, PHP, Ruby, etc...) on your server that makes the request to the API and outputs its response.
  2. Your secret API key should be stored in the script or in a file or environment variable that it can read.
  3. Restrict file system access to your script or other file(s) where your secret API key is stored to only the necessary system users.
  4. Make your JavaScript interface with your script rather than using the API directly.

This accomplishes the goal of keeping your API key a secret because it does not need to be transmitted to the client.
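The four steps above, as one server-side script (an added example, not code from AdvertPro, AdvertServe or the original post). The API base URL, the endpoint paths, the Authorization header format and the ADVERT_API_KEY variable name are hypothetical placeholders; take the real ones from the API documentation. The script reads the key from the environment, only allows a fixed set of actions so the browser cannot turn it into a general-purpose relay, refuses to send the key over plain HTTP, and scrubs the key from anything it returns to the client.

```python
"""Server-side proxy so the browser never sees the secret API key (added example).

Constructed/hypothetical: the API base URL, the endpoint paths, the
Authorization header format and the environment variable name. Take the real
ones from the API documentation.
"""
import json
import os
import urllib.parse
import urllib.request

API_BASE_URL = "https://api.example.com/v1/"  # hypothetical endpoint

# Only these actions may be triggered from the browser; the key is never
# exposed, and the browser cannot call arbitrary API endpoints through us.
ALLOWED_ACTIONS = {  # hypothetical endpoint paths
    "report": "reports/summary",
    "zones": "zones/list",
}


def load_secret_key(environ=None):
    """Read the key from the environment (or a file only the service user can read)."""
    env = os.environ if environ is None else environ
    key = env.get("ADVERT_API_KEY")  # hypothetical variable name
    if not key:
        raise RuntimeError("ADVERT_API_KEY is not set; refusing to run without a key")
    return key


def build_api_request(action, params, secret_key):
    """Map a browser-supplied action to an upstream URL plus auth header."""
    path = ALLOWED_ACTIONS.get(action)
    if path is None:
        raise ValueError("action not permitted: %r" % action)
    url = API_BASE_URL + path
    if params:
        url += "?" + urllib.parse.urlencode(sorted(params.items()))
    if not url.startswith("https://"):
        raise ValueError("refusing to send the secret key over plain HTTP")
    headers = {"Authorization": "Bearer " + secret_key}  # hypothetical scheme
    return url, headers


def fetch_with_urllib(url, headers):
    """Real upstream call; urllib verifies the server certificate by default."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def scrub_for_client(body, secret_key):
    """Belt and braces: never echo the key back, e.g. inside an upstream error message."""
    return body.replace(secret_key, "[redacted]")


def handle_client_request(action, params, fetch=fetch_with_urllib, environ=None):
    """What the JavaScript on the page talks to instead of the API itself."""
    key = load_secret_key(environ)
    url, headers = build_api_request(action, params, key)
    return scrub_for_client(fetch(url, headers), key)


def constructed_fetch(url, headers):
    """Offline stand-in for the API so the script runs without network access."""
    return json.dumps({"ok": True, "url": url, "auth": headers["Authorization"]})


if __name__ == "__main__":
    # Demo with a constructed key: the response reaches the client with the key redacted.
    env = {"ADVERT_API_KEY": "constructed-secret-key"}
    print(handle_client_request("report", {"from": "2024-01-01"}, constructed_fetch, env))
```

In production, `handle_client_request` would be called from your CGI, WSGI or framework handler with the action and parameters taken from the browser's request, and `fetch_with_urllib` would be used instead of the constructed stand-in. The file holding the key (or the service's environment) should be readable only by the user the script runs as, per step 3.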

Restricting API Access

The API settings allow you to restrict access by IP address. Use this to permit only the systems that actually need to use the API to connect to it. Like the IP address targeting in AdvertPro, it supports range matching. For example, entering 192.168.1. will allow access from 192.168.1.0 through 192.168.1.255; if you need to target a smaller group of IP addresses, entering 192.168.1.[8-16] will only allow access from 192.168.1.8 through 192.168.1.16. Just make sure to put only one IP address or range per line in the box when entering them.
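To make the rule syntax concrete, here is an allow-list matcher for the two forms described above (an added example, not the product's own implementation). It is my reading of the syntax as the post describes it: one rule per line, a trailing dot as in 192.168.1. means the remaining octets are wildcards, [a-b] restricts one octet to a range, and a full address matches exactly; check the product documentation for the exact semantics. Matching is done octet by octet rather than by string prefix, which is what keeps a rule like 192.168.1. from accidentally matching 192.168.10.x.

```python
"""Allow-list matcher for the IP rule syntax described above (added example).

My reading of the syntax from the post, not the product's own code:
  "192.168.1."        -> 192.168.1.0 through 192.168.1.255
  "192.168.1.[8-16]"  -> 192.168.1.8 through 192.168.1.16
  "203.0.113.7"       -> that single address
"""
import ipaddress
import re

_OCTET_RANGE = re.compile(r"^\[(\d{1,3})-(\d{1,3})\]$")


def parse_rule(rule):
    """Return a list of (lo, hi) bounds, one per octet given; fewer than four means a prefix."""
    rule = rule.strip()
    if not rule:
        return None
    if rule.endswith("."):
        parts = rule[:-1].split(".")  # trailing dot: remaining octets are wildcards
        if not 1 <= len(parts) <= 3:
            raise ValueError("bad prefix rule: %r" % rule)
    else:
        parts = rule.split(".")
        if len(parts) != 4:
            raise ValueError("rule must be a full address or a prefix ending in '.': %r" % rule)
    bounds = []
    for part in parts:
        m = _OCTET_RANGE.match(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
        elif part.isdigit():
            lo = hi = int(part)
        else:
            raise ValueError("bad octet %r in rule %r" % (part, rule))
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet out of range in rule %r" % rule)
        bounds.append((lo, hi))
    return bounds


def parse_allow_list(text):
    """One rule per line, as the settings box expects; blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        bounds = parse_rule(line)
        if bounds:
            rules.append(bounds)
    return rules


def ip_matches(ip, bounds):
    """Compare octet by octet, so '192.168.1.' cannot accidentally match 192.168.10.x."""
    octets = [int(o) for o in ipaddress.IPv4Address(ip).exploded.split(".")]
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, bounds))


def is_allowed(ip, rules):
    """Fail closed: anything unparsable or unmatched is denied."""
    try:
        return any(ip_matches(ip, bounds) for bounds in rules)
    except ValueError:  # ipaddress raises AddressValueError, a ValueError subclass
        return False


if __name__ == "__main__":
    # Constructed allow list in the one-rule-per-line form the settings box uses.
    rules = parse_allow_list("192.168.1.\n10.0.0.[8-16]\n203.0.113.7\n")
    for ip in ("192.168.1.200", "192.168.10.5", "10.0.0.16", "10.0.0.17", "203.0.113.7"):
        print(ip, "allowed" if is_allowed(ip, rules) else "denied")
```

Invalid rules raise at parse time rather than silently allowing or denying everything, which is the behaviour you want when the list is edited by hand.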

Preventing Eavesdropping

Even though you are restricting access by IP address and not exposing your secret API key to the client, it is still a concern that data is being transmitted to and from the AdvertPro or AdvertServe servers over the public Internet. It might hop over 20+ servers before it gets there. If any one of those servers along the way is compromised, an attacker could capture your secret API key and, more importantly, all of the data that you're transmitting back and forth.

What can you do to stop that? The same thing you do to protect financial transactions: use HTTPS with an SSL certificate. This encrypts the data going back and forth between your script and the API so that it can't be read by anyone who might be attempting to listen in.

With AdvertServe getting an SSL certificate is easy. Just contact support and ask them to set up SSL for your account. It only takes a few hours to set up and it's only $10/month! This will also secure your control panel and enable you to serve ads to secure pages as a bonus.

AdvertPro users will need to purchase and install an SSL certificate with Tomcat, or with Apache if they're using mod_proxy_ajp. Our recommendation is the Standard SSL certificate from GoDaddy. It's only $69.99/year and it's guaranteed compatible with Tomcat, which is something I can't say for many other SSL vendors. Many of them claim their SSL certificates will work with Java applications but they don't, and SSL certificates are generally non-refundable. Don't say you weren't warned!

Stay Tuned!

In the coming weeks I will be writing several articles about using the API for various purposes. Security comes first though. Some of the things that I plan on writing about will include creating advertiser and publisher signup forms, bulk zone creation, bulk changes to campaigns and media and how to create a script to e-mail PDF reports to you. If you have anything else that you'd like to see an example of, please comment!
