OWASP-Web-Checklist VS services

For security/safety sensitive tasks, you should be using checklists e.g. [1] so you don't need to remember. Pilots use pre-takeoff checklists to reduce chances of human error. Likewise, you should not assume the framework will give you proper defaults.

[1] https://github.com/0xRadi/OWASP-Web-Checklist

I suggest these resources: - Some fundamentals: https://www.cyberciti.biz/tips/linux-security.html - One of the best imho ( exhaustive list ): https://github.com/imthenachoman/How-To-Secure-A-Linux-Server - Ansible playbook to harden security by Jeff Geerling: https://github.com/geerlingguy/ansible-role-security - OAWSP Check list ( targeted for web apps... and honestly a bit overkill ): https://github.com/0xRadi/OWASP-Web-Checklist

We used Micro to build and offer Micro services on M3O. Every API to you see there is powered by the open source equivalent Micro service here https://github.com/micro/services

I will make a note here https://github.com/micro/services/issues/262

I shared this post in a few developer communities like Hacker News and it was well received. Over the past few years I've been working on an open source project called Micro, an API first development platform and I'm now sharing Micro Services, a catalog of reusable real world Micro services.

Thanks, that made now more sense. I'd put this condensed together with https://micro.dev/blog/2022/09/27/real-world-micro-services.... more prominently to the readme of https://github.com/micro/services ! Looking at that github alone makes it hard to commect the context.

Thanks for the comments and questions. I'll do my best to answer them.

> Are things hosted on some other cloud provider, if so where? What region?

Our core platform is currently hosted on DigitalOcean in the London region. That will expand to multiple regions and multiple providers over time. We did start that way many years ago but with a small team it's hard to manage.

> What about uptime? If I end up building an application with all of these APIs, I do need a bit more confidence that things will be stable.

We want to be able to provide uptime guarantees in the near future. Right now I'll say based on our experience running it in the past 9-12 months it's feeling like four 9s verging on 5 but I don't want to jinx us. We are dependent on our providers but we're also people who have managed platforms for many years.

> the crypto endpoint looks interesting, but for me, it would be quite crucial to know where the data is from? How often is it updated?

Our crypto APIs are currently powered Finage.co.uk. We do some level of caching on our side but only for 5-10 mins. I'll try add some details around that in the overview. You can see the source at https://github.com/micro/services

We're playing in this space with M3O (https://m3o.com) but focused very much on making APIs programmable as opposed to completely doing away with the code.