When calling a Fluid Topics web service, it is often necessary to define user credentials or provide additional information about the caller in an HTTP header.
The following header parameters should be present in the HTTP header when calling a Fluid Topics web service:
Content-Type: application/jsonFt-Calling-App
This applies to all API calls, except for the ones involving a file upload.
The Fluid Topics Analytics engine relies on the Ft-Calling-App parameter to calculate API calls.
It is highly recommended to also add the following header parameter to the HTTP header of each call:
Ft-Calling-App-Version
Example 1
In the following example, the header parameters are defined in a cURL command to retrieve Analytics data:
curl -D - --location --request POST 'https://doc.antidot.net/analytics/api/v2/traffic/browsers-top' \
--header 'Ft-Calling-App: antidot/doc' \
--header 'Ft-Calling-App-Version: master-48257' \
--header 'Authorization: Basic kljJFLS45fdsar4asdrgKGjdfKJLSUONjfsalfjFLFfsjosjfalKas4fd45==' \
--header 'Content-Type: application/json' \
--data-raw '{
"startDate": "2022-01-01",
"endDate": "2022-10-10"
}'
The call yields the following response:
content-type: application/json;charset=UTF-8
set-cookie:
AWSALB=lAVGYRCzCAtwh1LYjQGCEb/BObUr3o/rrU/nfMh1Eqf3brAbPXlYytrK48D5EsoC1V8ZtTnbaYr8r95Ozgpu4XA4CBAAWSNgAD9HxLixb5Epv/9XjvYITPzIX/e/; Expires=Thu, 24 Dec 2023 09:42:29 GMT; Path=/
set-cookie:
AWSALBCORS=lAVGYRCzCAtwh1LYjQGCEb/BObUr3o/rrU/nfMh1Eqf3brAbPXlYytrK48D5EsoC1V8ZtTnbaYr8r95Ozgpu4XA4CBAAWSNgAD9HxLixb5Epv/9XjvYITPzIX/e/; Expires=Thu, 24 Dec 2023 09:42:29 GMT; Path=/; SameSite=None; Secure
server: Apache
vary: Accept-Encoding
ft-called-app: analytics/ft_ws
ft-called-app-version: master-48088
referrer-policy: no-referrer
content-security-policy: base-uri 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
content-disposition: attachment; filename="api.json"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=15724800; includeSubDomains
x-frame-options: DENY
pool-info: /Common/k8s_prod 10.10.200.62 443
front: front01 vtr
{"results":[{"browserName":"Chrome","percentage":76.3939935042772,"queryCount":1622736}, ...]}
Example 2
In the following example, the header parameters are defined in a cURL command to retrieve data about content locales in a Fluid Topics portal:
curl -D - --location --request GET 'https://doc.antidot.net/api/khub/locales' \
--header 'Ft-Calling-App: antidot/doc' \
--header 'Ft-Calling-App-Version: 3.8.30' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic kljJFLS45fdsar4asdrgKGjdfKJLSUONjfsalfjFLFfsjosjfalKas4fd45=='
The call yields the following response:
HTTP/2 200
date: Thu, 17 Dec 2022 16:38:04 GMT
content-type: application/json
set-cookie: AWSALB=wK3P5/LZmU8HSMujGBlxTceLnYkUDDTkqS2RQgE3ugcXZZHSvdO3A40YOd2pmiWafWWT+luzU/LkgPLWn/xYCrXzzLIk9Sj7JydZovDB05IpB3lOKLIywUDfPv; Expires=Thu, 24 Dec 2023 16:38:04 GMT; Path=/
set-cookie: AWSALBCORS=wK3P5/LZmU8HSMujGBlxTceLnYkUDDTkqS2RQgE3ugcXZZHSvdO3A40YOd2pmiWafWWT+luzU/LkgPLWn/xYCrXzzLIk9Sj7JydZovDB05IpB3lOKLIywUDfPv; Expires=Thu, 24 Dec 2023 16:38:04 GMT; Path=/; SameSite=None; Secure
server: Apache
ft-called-app: ft/server
ft-called-app-version: 3.8.30:555a73466f2e1501b33f12456defff79719980ac
vary: accept-encoding,origin,access-control-request-headers,access-control-request-method
set-cookie: FT_LOCALES=ui:en-US/content:en-US; Path=/; Secure; SameSite=None
set-cookie: FT_SESSION=3ccee4e5-cb8d-42a6-ab68-ab31c7505e7f; Path=/; Secure; HttpOnly; SameSite=None
front: front01 vtr
{"contentLocales":[{"lang":"en-US","label":"English","count":33351},{"lang":"fr-FR","label":"Français","count":158}]}
OWASP compliance
In addition to the required header parameters described above, Fluid Topics includes the following header parameters in each web service call:
X-Content-Type-Options.Strict-Transport-Security.Referrer-Policy.Content-Security-Policy.
The presence of these header parameters respects OWASP Secure Software Development Lifecycle Requirements #14.4.4, #14.4.5, #14.4.6, and #14.4.7.
The Content-Security-Policy header parameter retrieves the values defined in the Trusted origins field.