How to secure your API access

Learn the dos and don'ts on how to integrate Highlightly APIs safely into your projects.

Highlightly Football API

Proper API usage has always been a hot topic among developers. Techniques such as API authorization, authentication, enabling HSTS and secure storage are all a part of how you can protect your integration. However, there are still methods malicious users can use to abuse exposed APIs if best practises aren't followed.

Ensuring proper Highlightly API integration

When you create an account on RapidAPI or Highlightly and get your API token, you gain access to the sport data. To keep your API access secure and prevent misuse read on which guidelines you should follow.

Keep your API token private
  • Store your API key securely on your backend server.
  • Never embed the API token directly into your frontend code (e.g. Javascript, mobile apps), where users can easily inspect and steal it.
  • If using repositories like GitHub or GitLab, never push your API token into version control
  • Use environment variables (like .env files) to securely manage credentials and make sure your .gitignore file excludes sensitive files
Use an intermediate server
  • Always make API requests to Highlightly from your own backend server.
  • Your server can then either serve the response to the client or store relevant information into your database for later use.
  • This approach masks the API key completely meaning that potential malicious users will not be able to abuse it.
Implement caching
  • If your users request the same data frequently, cache the API responses.
  • Caching reduces the number of API calls and prevents "request bleeding" where repeated queries could exhaust your daily quota.
  • Depending on your use case and subscribed plan, you can cache responses for a few seconds, minutes or even hours.
  • Highlightly's documentation provides guidance on update frequencies for various endpoints.
Apply user rate limiting
  • Add rate limiting at your server level (e.g. allow X requests per minute per specific user).
  • This protects your system from abuse and prevents a single user from using up your daily request quota.
Validate and sanitize user requests
  • Ensure that any data coming from users (e.g. match IDs, league names, etc.) are properly validated and sanitized before being forwarded to Highlightly's API
  • This reduces risks of malformed requests, unexpected errors and prevents pointless resource exhaustion.
Monitor your API usage
  • Regularly monitor usage statistics provided by RapidAPI or Highlightly's dashboard.
  • Sudden spikes in requests can indicate unauthorized use or abuse that should be addressed immediately.
Rotate your API keys regularly
  • If you suspect your API key has been compromised, rotate it immediately.
  • Keeping your credentials fresh reduces long term risks.

Wrap up

It is important to remember that API security heavily depends on your overall backend infrastructure. Make sure your server is regularly updated where libraries and dependencies are patched and do not have known vulnerabilities or misconfigurations Keep your backend robust and your Highlightly usage will remain safe and reliable.