# OpenAPI Webhooks

There are cases where you want to tell your API **users** that your app could call *their* app (sending a request) with some data, normally to **notify** of some type of **event**.

This means that instead of the normal process of your users sending requests to your API, it's **your API** (or your app) that could **send requests to their system** (to their API, their app).

This is normally called a **webhook**.

## Webhooks steps

      </searchConfiguration>

#### The time to answer helps the attackers

At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

      createFile(left.resolve("some.txt"));

      Path right = createDirectory(root.resolve("right"));
      createFile(right.resolve("another.txt"));

      createSymbolicLink(left.resolve("sibling"), right);
      createSymbolicLink(right.resolve("sibling"), left);
      assertEquals(
          ImmutableSet.of(
              new ResourceInfo(FILE, "left/some.txt", loader),

# Testing Dependencies with Overrides

## Overriding dependencies during testing

There are some scenarios where you might want to override a dependency during testing.

You don't want the original dependency to run (nor any of the sub-dependencies it might have).

In this case, it would be better to get **one extra server** and run some processes on it so that they all have **enough RAM and CPU time**.

# Advanced Security

## Additional Features

There are some extra features to handle security apart from the ones covered in the [Tutorial - User Guide: Security](../../tutorial/security/index.md){.internal-link target=_blank}.

/// tip

The next sections are **not necessarily "advanced"**.

And it's possible that for your use case, the solution is in one of them.

///

## Read the Tutorial first

### Certificate Renewal

At some point in the future, each certificate would **expire** (about 3 months after acquiring it).

And then, there would be another program (in some cases it's another program, in some cases it could be the same TLS Termination Proxy) that would talk to Let's Encrypt, and renew the certificate(s).

    * A "token" is just a string with some content that we can use later to verify this user.
    * Normally, a token is set to expire after some time.
        * So, the user will have to log in again at some point later.
        * And if the token is stolen, the risk is less. It is not like a permanent key that will work forever (in most of the cases).

However, some applications do not utilize Service readiness (connecting directly to the pod, etc).
Additionally, eventually consistency means we will often get some final requests trickle in before all clients are aware the Pod is shutting down.

Finally, we SHOULD tell our (HBONE) peers we are shutting down.