Why are many web APIs so bad?

drguildo · December 2, 2016, 11:18am

So over the course of doing FCC I’ve had to use a lot of web APIs and one thing I have noticed is that almost every single one of them has a fairly major problem that makes their usage a complete pain.

What I mean is, either the site will not support HTTPS, it won’t support CORS, it won’t support JSONP etc. or a combination of all of those things. Seeing as those things are pretty much essential to use the API without implementing a bunch of hacks and workarounds I was wondering why are many sites are like this?

drguildo · December 2, 2016, 11:28am

I mean you could argue that even the fundamental architecture of web “APIs” is broken/flawed thanks to CORS because it is pretty much meant to prevent code on one website from requesting code from another website. Isn’t JSONP a hack to get around this fact?

olihough · December 2, 2016, 12:42pm

Depends how you look at it really, some would say that querying an api should be left to the back-end of an application and then the data should be pushed/pulled to the front-end therefore cors would never be an issue

BenGitter · December 2, 2016, 1:07pm

The default “setting” does indeed prevent cross origin requests, but the API can also easily set its server to accept cross origin requests.

drguildo · December 2, 2016, 3:50pm

Lots of servers (or maybe I’ve just been unlucky) seem not to do this, though. It’s completely baffling to me that somebody would take the time to make a public web API and not do this.

BenGitter · December 2, 2016, 4:12pm

According to https://www.quora.com/Why-doesnt-Twitters-API-support-CORS

This is deliberately done to discourage browser-only clients, even with OAuth-whatever, to reduce chances of having client (or consumer) secrets being stolen.

PortableStick · December 2, 2016, 6:07pm

Can you give some examples? I only use services that are securely hosted and have had no trouble.

drguildo · December 2, 2016, 8:32pm

forismatic.com and OpenWeatherMap

JacksonBates · December 2, 2016, 9:16pm

I find that public APIs are usually fine, but can be really poorly documented. It’s not that they don’t work, just that they often forget to tell you the weird secret handshake you need to get it to work

PortableStick · December 2, 2016, 9:28pm

The problem with both of those is simply that they aren’t hosted securely. It’s not that the API is poorly designed, it’s just that security policies in the most popular browsers are changing and these services are left behind. To your question, their rational (not mine) for not allowing a SSL connection is simply one of economics. Encryption is a slow, processor intensive operation that can cost a significant amount of money and bandwidth when it’s being done at the sort of scale both of those companies see.

Keep in mind that “API” is a huge concept that goes far beyond the scope of remote services or AJAX. Servers expose data, but many of the frustrations you’ve faced have been due to security policies in the browser, not the server. While it seems unnecessarily obstructive, it’s anything but. Without these strict security protocols, I could easily put up a web page with a provocative domain like “http://www.nakedsexpicturesooohyeahhubbahubba.com” that simply runs a script looking for browser cookies, accesses your bank account, and transfers all funds to my overseas bank.