It is time for thinking about the securing our API. Right now, it is open to everyone, which we don’t want. So, what choice do we have?
When we return error messages, and along, we should not expose too much information. Same goes for normal data. More, especially detailed is not always better. It depends on the type of API and what the clients do with it and who the clients are.
Last time we talked about using proper HTTP status codes and also returning errors in a JSON format back to the client.
Let’s start talking about error handling in our API.
The black box testing with a RAML tool failed last time, so we are left with unit and our own integration tests. Which brings me to the point what should we use? Should our tests focus more on pure unit testing or more integration tests, testing different parts at the same time?