You'll need to replicate some data structures on your website that correspond to those in the TCAPI. At the very least, you'll be storing id fields from TemplateCloud, and temporarily holding lists of objects while processing the results of queries.
We have provided a developers' sandbox, to help you avoid incurring charges and writing to live data while you're testing.
| Environment | API server URL |
|---|---|
| Development | http://api.templatecloud.com/sandbox/... |
| Production | https://api.templatecloud.com/v1/... |
It is important that you take reasonable measures to ensure that you do not publish your API Key:

- Use TLS (SSL) for API calls: `https://` instead of `http://`, so the key is not sent in clear text. The production server URL is https; use https wherever the server offers it.
- If you experience problems due to unauthorised sharing of your API Key, request a new API Key, close the security hole, and update your services to use the new key.
- Do not hard-code your API Key in every request call; instead use a variable containing the key.
- Specify your API Key once, in a file on a private part of your server (outside the web root), and include it by reference in your framework or page code.
- Do not allow your web server to show source code that might display the API Key.
- Do not use debug code in the production environment; it might reveal the contents of variables that contain the API Key.
- Handle errors correctly, so that error output does not reveal the code that caused the error. If you want traceability, handle and privately log the error, and optionally tell the user there was a problem along with a reference number that can be quoted to support.
- Use syntax checkers and syntax-highlighting code editors, and separate the processing code from the presentation code. This helps to avoid serving code into your HTML pages.
- Do not serve scripts or web pages that contain the API Key, i.e. do not design your systems so that your clients' web browsers make TCAPI requests directly. Instead, your servers should take minimal requests from your clients' pages, and then your servers issue the TCAPI requests to the TemplateCloud API on your clients' behalf.
- Do not inject unprocessed user-supplied strings into expressions, e.g. do not use something like the following, which executes whatever the user sends:

```php
$thatWorked = 'Insecure handy calculator: ' . eval( $userInput );
```
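The following is an added example, not code from TemplateCloud or from this page, showing how the measures above fit together in one small server-side endpoint: the API Key is read once from a private file, the browser sends only a minimal request to your server, your server issues the TCAPI call over https, the one user-supplied value is validated against an allow-list instead of being evaluated, and errors are logged privately and returned to the user only as a reference number. The key-file path, the log path, the `templates/` resource path and the bearer-token header are assumptions for illustration; check the TCAPI reference for the actual authentication mechanism.

```php
<?php
// Added example (not TemplateCloud's own code). Assumptions, not taken from the
// page: key file location, log file location, 'templates/' resource path and
// Authorization header format.
declare(strict_types=1);

const TCAPI_BASE   = 'https://api.templatecloud.com/v1/';  // production: always https
const API_KEY_FILE = '/etc/templatecloud/api_key';          // hypothetical path outside the web root
const LOG_FILE     = '/var/log/myapp/tcapi.log';            // hypothetical private log, not web-served

/** Load the API Key once from a private file. It is never echoed or placed in a page. */
function load_api_key(string $path = API_KEY_FILE): string
{
    $key = @file_get_contents($path);
    if ($key === false || trim($key) === '') {
        throw new RuntimeException('API key file missing or empty: ' . $path);
    }
    return trim($key);
}

/** Accept only the narrow value the browser is allowed to supply (allow-list, no eval). */
function validate_template_id(string $input): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $input)) {
        throw new InvalidArgumentException('rejected template id');
    }
    return $input;
}

/** Build the TCAPI request; the key goes in a header, not in the URL or in client code. */
function build_request(string $templateId, string $apiKey): array
{
    return [
        'url'     => TCAPI_BASE . 'templates/' . rawurlencode($templateId),
        'headers' => ['Authorization: Bearer ' . $apiKey, 'Accept: application/json'],
    ];
}

/** Log the real error privately and hand back only a reference the user can quote to support. */
function report_error(Throwable $e, string $logFile = LOG_FILE): string
{
    $ref = bin2hex(random_bytes(8));
    $line = sprintf("[%s] ref=%s %s: %s\n", date('c'), $ref, get_class($e), $e->getMessage());
    error_log($line, 3, $logFile);   // message_type 3 appends to the given file
    return $ref;
}

/** Transport over TLS with certificate verification left on; failures become exceptions. */
function curl_transport(array $req): string
{
    $ch = curl_init($req['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $req['headers'],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('cURL failure: ' . $err);
    }
    if ($status !== 200) {
        throw new RuntimeException('TCAPI returned HTTP ' . $status);
    }
    return $body;
}

/** The endpoint the browser calls: it sees only {template_id}, never the API Key. */
function handle(array $post, callable $transport): array
{
    try {
        $id  = validate_template_id((string)($post['template_id'] ?? ''));
        $req = build_request($id, load_api_key());
        return ['ok' => true, 'data' => $transport($req)];
    } catch (Throwable $e) {
        // The response carries no exception text, stack trace or key material.
        return ['ok' => false, 'error' => 'Request failed', 'ref' => report_error($e)];
    }
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    echo json_encode(handle($_POST, 'curl_transport'));
}
```

Keep `display_errors` off in production `php.ini` so a fatal error before `handle()` runs cannot print source or variables to the page; the `report_error()` path above only covers errors raised inside the handler.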