api
5 articles
-
Rate limiting — how to test the limits everyone remembers only after an incident
While nobody is hammering the API, limits seem unnecessary — their absence is invisible right up until the first incident. A first-person take: the limit as a two-sided contract (the server restricts — the client survives it), the N/N+1 boundary and an honest 429 with Retry-After, key scope and how an account-based limit lets attackers DoS a victim, the burst at window boundaries, bypasses via X-Forwarded-For and sibling endpoints, the zones where a limit is mandatory (OTP, reset, promo codes), and why 'limits are off on staging' equals an untested production.
-
Mock servers for QA: WireMock and friends — when to replace a dependency with a stub
When an external dependency can't or shouldn't be run for real, you mock it. Why mock, what a good mock server does (stubs, fault injection, record/replay, verify), tools WireMock/MockServer/Mockoon/Prism/Hoverfly, mock vs Testcontainers, contract drift and Pact. A 10-point checklist.
-
Idempotency and retry storms — what QA must test in distributed systems
The most expensive class of bugs in payments isn't 'didn't go through' — it's 'went through twice'. A QA-eye view of idempotency: Idempotency-Key, 5 typical retry scenarios, retry storms, tools (WireMock, Toxiproxy, k6), and a 13-point release checklist.
-
OWASP API Security Top 10 for QA — a guide with test cases
Most QAs know SQL injection and XSS. But 90% of vulnerabilities in modern products live in APIs, and the OWASP API Top 10 2023 is a separate list that QA courses don't cover. All 10 threats with test cases, curl snippets, and tools.
-
API tools for QA in 2026 — Postman, Bruno, Insomnia, Hurl: which to pick when
A comparison of four API tools on the dimensions that matter in real QA work. Postman pushed into the cloud, Bruno grew up as a git-friendly alternative, Hurl owns the CI niche.