Support for

Development and Production: Access and Security

Alistair Wilson
by Alistair Wilson 5 years ago
 

Your website and its data

You'll need to replicate some data structures on your website, which correspond with some of those in the TCAPI. At the very least, you'll be storing id fields from TemplateCloud, and temporarily holding lists of objects when processing the results of queries.

See also:

  • Template Discovery
  • Template Editing and File Assets

Separating development from production

We have provided a developers' sandbox, to help you avoid incurring charges and writing to live data while you're testing.

Environment API server URL
Development http://api.templatecloud.com/sandbox/...
Production https://api.templatecloud.com/v1/...

Your API Key

Guard your API Key

Your API Key allows your systems to access TemplateCloud. If someone else has your key, they too can access the same services, posing as your business.

It is important that you take reasonable measures to ensure that you do not publish your API Key:

  1. Use SSL for API calls — https:// instead of http://

  2. If you experience problems due to unauthorised sharing of your API Key, then request a new API Key, close the security hole, and update your services to use your new API Key.

  3. Do not hard-code your API Key in every request call; instead use a variable containing the key.

    • Specify your API Key once, in a file on a private part of your server, and include it (by reference) in your framework or page code.

  4. Do not allow your web server to show code that might display the API Key.

    • Do not use debug code in the production environment, which might reveal the contents of variables that contain the API Key.

    • Handle errors correctly, so they do not reveal the code that caused the error. If you want traceability, then handle and privately log the error, and optionally inform the user there was a problem along with a reference number that can be used for support.

    • Try to use syntax checkers and syntax-highlighting code editors, and separate the processing code from the presentation code. This helps to avoid serving code into your HTML pages.

  5. Do not serve scripts or web pages that contain the API Key, i.e. do not design your systems so that your clients' web browsers are making TCAPI requests directly. Instead, your servers should take minimal requests from your client's pages, and then your servers issue the TCAPI requests to the TemplateCloud API on your clients' behalf.

  6. Do not inject unprocessed user-supplied strings into expressions, e.g. do not use something like

    PHP
    $thatWorked = 'Insecure handy calculator: ' . eval( $userInput );
 

Jump to contents page of

TemplateCloud API Guide

 
 
 

All content is (c) Grafenia Operations Limited, 2020 and may not be used, copied or distributed without permission.