Net API Notes for 2020/10/23 - Issue 144

A fall vacation, an extracurricular MIT course, and a last-minute all-hands presentation have kept me busy the last several weeks. Despite my preoccupation, however, the API news kept coming. Let's get right to it.



Since they are a programmatic interface to a company's data, APIs need to be secured. That isn't new. What is new is a considerable write-up on how one hacker teams managed to breach Apple's defenses. Written by Sam Curry, the piece details several exploits that were discovered over several months.

It's long. If you want to jump to the good stuff, do a browser search for 'API'. Even Apple, with its considerable resources, had places where SQL injection was successful. Hopefully, the article serves as inspiration for reviewing your APIs.

Without good security, you might end up like McDonald's. Their API now has some guy ordering $18,752 in ice cream every minute to figure out which locations have a broken ice cream machine.


Speaking of security, Cloudflare launched a free API security tool earlier this month. Called 'API Shield', it denies any incoming connection if that request doesn't provide a cryptographic certificate and key that the API owner has generated in the API Shield dashboard and installed on approved clients.

Using certificates isn't new. What Cloudflare is attempting to do here, however, is simplify and automate the best practice. They currently support JSON-based traffic and consider extending to binary protocols, like gRPC, if there is enough demand.


Kent Beck is probably most known as the creator of extreme programming. Recently, he wrote an article on why moving to microservices was neither quick nor easy.

Kent rightly points out that the mess that microservices are intended to solve wasn't created in a month. Therefore, it is unlikely they'll fix it in that amount of time, either.

One area that I see people get hung up on is coupling. Specifically, the move to microservices is treated as an opportunity to reach some decoupled, theoretical state. Unfortunately, even with careful consideration of boundaries, coupling still exists. As Kent says, that may be OK:

"Note I don’t say, "Eliminating coupling." Decoupling comes with its own costs, both the cost of the decoupling itself and the future costs of unanticipated changes. The more perfectly a design is adapted to one set of changes, the more likely it is to be blind-sided by novel changes."

Ultimately, Kent's advice is to iterate little bits at a time. Avoid the "big bang" change initiatives. And plan on doing lots of learning as you go.



The number of events on is looking a bit lean. If I had to guess, I'd say the switch to virtual has not been kind to many organizers or attendees. Furthermore, the in-person meetups often run on volunteer time and gumption are still (justifiably) in the wind. People will always desire to connect with other like minded-folks. What form that takes after the pandemic, however, still remains to be seen. Do you work in developer evangelism? If so, I'd love to hear how you've seen Covid-19 impact your approaches and what the response has been like.

I'll end with a thank you, as always, to the Patreons who chip in to cover the caffeine that powers this newsletter.

Till next time,

Matthew @libel_vox and

Subscribe to Net API Notes

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.