content/backend/web_framework.md
Lines changed: 7 additions & 7 deletions
@@ -97,8 +97,9 @@ script = 'animation'
97
97
<dl>
98
98
<dt>Dependencies</dt>
99
99
<dd>Don’t use deprecated or vulnerable versions of your dependencies. Use <mark>npm audit fix</mark> to scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies. Alternatively, use <a href="https://snyk.io/"> Snyk.io</a>.</dd><br/>
100
-
<dt>Use HTTPS/TLS</dt>
101
-
<dd>In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) to encrypt data before it is sent from the client to the server, thus preventing some common (and easy) hacks. </dd><br/>
100
+
<dt>SSL/TLS Certificate</dt>
101
+
<dd>In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) to encrypt data before it is sent from the client to the server, thus preventing some common hacks (Man in the middle). HTTPS is based on <b>public/private-key cryptography</b>. This means that there is a key pair: The public key is used for encryption and the secret private key is required for decryption. A website certificate is a public key with a label identifying the owner. when your browser connects to an HTTPS server, the server will answer with its certificate. The browser checks if the certificate is valid and signed by a trusted certification authority. After the verification, the browser extracts the public key and uses it to encrypt information it sends back to the server. The server can decrypt it because the server has the matching private key.
102
+
</dd><br/>
102
103
<dt>Set security related HTTP headers</dt>
103
104
<dd><b>Cross-origin resource sharing (CORS)</b> is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. These have to be set explicitly on the header.</dd><br/>
104
105
<dd>There are many other security related headers. Use a middleware function like <a href="https://helmetjs.github.io/">Helmet</a> to set these for you.</dd><br/>
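Review bot: the new SSL/TLS Certificate paragraph (+100/+101) presents the certificate's public key as the key the browser uses to encrypt what it sends back, which is not how TLS protects traffic: the browser uses the certificate to authenticate the server (it checks the CA signature, the validity period and that the certificate covers the hostname it connected to), and the application data is then encrypted with symmetric session keys that both sides derive during the handshake; the server's private key does not decrypt application data. Suggest rewording the last three sentences to something like `The browser verifies the certificate and uses the server's public key to authenticate the handshake; both sides then derive shared session keys that encrypt the actual traffic.` Two smaller points in the same paragraph: `when your browser connects` should start with a capital, and `(Man in the middle)` should match the `man-in-the-middle` spelling used further down in this file.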
@@ -109,12 +110,11 @@ script = 'animation'
109
110
<li><b>Cross-Site Request Forgery (CSRF)</b> - unauthorized commands are transmitted from a user that the web application trusts.</li>
110
111
<li><b>Distributed Denial-of-service attack (DDoS)</b> - flooding the server or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.</li>
111
112
</ul></dd><br/>
112
-
<dt>Secure development environments</dt>
113
+
<dt>Secure development environments as well</dt>
113
114
<dd><ul>
114
-
<li><b>Different security concerns than production</b> - For example, in a development environment you may want verbose logging of errors for debugging, while the same behavior can become a security concern in a production environment. And in development, you don’t need to worry about scalability, reliability, and performance, while those concerns become critical in production.
115
-
<li><b>Successful key management</b> - involves dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It is the more challenging side of cryptography in a sense that it involves aspects of social engineering such as system policy, user training, organizational and departmental interactions, and coordination between all of these elements, in contrast to pure mathematical practices that can be automated.</li>
116
-
<li><b>Principle of least privilege</b> - Every process, user, or program must be able to access only the information and resources that are necessary for its legitimate purpose and nothing more.</li>
117
-
<li><b>Use HTTPS or a VPN</b> - encrypt data if using unsecured or untrustworthy networks vulnerable to packet sniffing and man-in-the-middle attacks.</li>
115
+
<li><b>Successful key management</b> - involves dealing with the generation, exchange, storage, use, destruction and replacement of keys. It is the more challenging side of cryptography as it involves aspects of social engineering, system policy, user training, organizational and departmental interactions, and coordination between all of these elements.</li>
116
+
<li><b>Principle of least privilege</b> - Every process, user, or program must be able to access only the information and resources that are necessary for its legitimate purpose and nothing more. This especially applies in teams of developers.</li>
117
+
<li><b>Use VPN</b> - encrypt data if using unsecured or untrustworthy networks vulnerable to packet sniffing and man-in-the-middle attacks.</li>
118
118
<li><b>Monitor system</b> - Check open ports and unrecognized running processes</li>
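Review bot: dropping the `Different security concerns than production` item (-114) removes the one line that explains why development environments need separate treatment (verbose error output is useful in development and a disclosure risk in production), which is exactly the point the renamed heading argues for; consider keeping it. Replacing `Use HTTPS or a VPN` with `Use VPN` (-117/+117) also weakens the advice: a VPN only encrypts traffic as far as the VPN endpoint, while HTTPS protects the connection end to end, so the packet-sniffing and man-in-the-middle risk the item describes is only fully addressed with both; suggest restoring `Use HTTPS, and a VPN on untrusted networks`. Minor: `Secure development environments as well` reads awkwardly; `Secure development environments, not just production` says what is meant.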
<p>An operating system feature in which the kernel allows the existence of multiple isolated user-space instances called containers. Containers isolate software from its environment so that it may run uniformly on all machines.</p>
<dd>A container is a runtime instance of an image--what the image becomes in memory when executed (an image with state). An <b>image</b> is an executable package that includes everything needed to run an application--the code, a runtime, libraries, environment variables, and configuration files. Containers are a key enabling technology for microservices, providing a lightweight encapsulation of each component so that it is easy to maintain and replicate. </dd>
14
35
<dt>Microservices</dt>
15
-
<dd>TBD </dd>
36
+
<dd>An architectural style that structures an application as a collection of loosely coupled services. The benefit of decomposing an application into different smaller services is that it improves modularity. This makes the application easier to understand, develop, test, and become more resilient to architecture erosion. It parallelizes development by enabling small autonomous teams to develop, deploy and scale their respective services independently. It also allows the architecture of an individual service to emerge through continuous refactoring. </dd>
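Review bot: in the new Microservices entry (+36), `easier to understand, develop, test, and become more resilient to architecture erosion` mixes adjectives with a verb phrase; suggest `easier to understand, develop and test, and more resilient to architecture erosion`. The entry lists only benefits; since the file elsewhere stresses least privilege, one sentence noting that each service boundary is a network call that needs its own authentication and access control would keep the section consistent.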
<dd>A platform for developers and sysadmins to develop, deploy, and run applications with containers. </dd><br/>
44
+
<dd>The Docker <b>Client</b> runs commands like <mark>docker build</mark> or <mark>docker run</mark>. The Docker <b>Daemon</b> (aka Host or Engine) makes the system calls to create, operate and manage containers. Many of the configurations in Docker image will from Docker <b>Registry</b> where it will be downloaded. </dd>
<dd><b>Swarm</b> is a native clustering tool for Docker. Swarm pools together several Docker hosts and exposes them as a single virtual Docker host. In Swarm mode, there are two types of nodes: Managers and workers. Manager nodes maintain cluster state and schedule services. Worker nodes execute containers. Clustering is an important feature for container technology, because it creates a cooperative group of systems that can provide redundancy through failover and scalability through automation.</dd>
<dd><b>AWS ECS</b> and <b>Kubernetes</b> are two alternate services for maintaining and coordinating clusters of container. <i>Their functionlity is similar</i>.</dd>
<dd>A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Autoscaling is when computational resources in a server farm, typically measured in terms of the number of active servers, scales automatically based on the load on the farm. When using containers, orchestration services <ins>Kubernetes and Amazon ECS handle load balancing and autoscaling</ins> for you.</dd><br/>
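Review bot: the added sentence in +44, `Many of the configurations in Docker image will from Docker Registry where it will be downloaded`, is missing its verb and does not parse; suggest `Images are stored in a Docker <b>Registry</b>, from which the daemon pulls them`. In the following ECS/Kubernetes line, `functionlity` is a typo for `functionality`, and `clusters of container` should be `clusters of containers`.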
40
62
<dt>CDN</dt>
41
-
<dd>Static files </dd>
42
-
</dl>
43
-
<dl>
63
+
<dd>A content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content. A CDN allows for the quick transfer of static assets needed for loading Internet content including HTML pages, javascript files, stylesheets, images, and videos. Using a CDN improves website load times, reduces bandwidth costs, increases content availability and redundancy, and improves website security (e.g. DDoS mitigation).</dd><br/>
<dd>A <b>cache</b> A hardware or software component that stores data so that future requests for that data can be served faster; the data stored in a cache might be the result of an earlier computation or a copy of data stored elsewhere. A CDN is an example of a cache when a user retrieves assets from an edge location rather than a distant origin server. Web browsers also uses caches that store static data rather than re-retrieve them. The timeframe for how long these items stay cached can be set by a <b>cache header</b> or <b>service worker</b>. For databases, <b>Redis</b> can be used to intercept requests and send cached data rather than querying the database additional times for the same data.</dd><br/>
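Review bot: in the added cache paragraph (+63 region), `A <b>cache</b> A hardware or software component` is missing `is`, `Web browsers also uses caches` should read `use caches`, and `javascript files` should be `JavaScript files` to match the capitalisation used later in this file. Since the paragraph says the cache header controls how long items stay cached, it is worth adding that the same header (`Cache-Control: private` or `no-store`) is what keeps a CDN edge or shared cache from serving one user's personalised response to another; otherwise the `improves website security` claim for CDNs is only half the story.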
48
69
<dt>Data transfer</dt>
49
-
<dd>GZIP, QUIC, streams </dd>
50
-
</dl>
51
-
<dl>
70
+
<dd><b>QUIC</b> - An experimental transport layer network protocol that is built on top of UDP. It handles error handling without the handshaking that the higher latency protocol TCP has.</dd>
71
+
<dd><b>Compression</b> - compress all static assets. Also make sure your server uses <b>gzip</b> - a file format and a software application used for file compression and decompression.<br/></dd>
72
+
<dd><b>Lazy loading</b> - Transfer data to the client as it is needed like a stream, rather than having them wait for the entire bundle to complete downloading.
73
+
</dd><br/>
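Review bot: `It handles error handling without the handshaking that the higher latency protocol TCP has` (+70) is both redundant (`handles error handling`) and inaccurate: QUIC still performs a handshake, it folds the TLS handshake into its own so a connection is established in fewer round trips than TCP followed by TLS. Suggest `It integrates encryption into the transport handshake, so connections are established in fewer round trips than TCP plus TLS, and it recovers from packet loss per stream rather than stalling the whole connection.` Smaller points: the Lazy loading item (+72) needs a period before the `</dd>` on +73, and the `<br/>` placed inside the Compression `<dd>` on +71 is inconsistent with the `</dd><br/>` pattern used everywhere else in the list.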
52
74
<dt>Language selection</dt>
53
-
<dd> Java, webassembly </dd>
75
+
<dd><b>Java</b> - For some tasks a different language might be necessary for performance gains. Java is an excellent language for computationally intensive operations. IO operations, on the other hand, might be better served using Node.js.</dd>
76
+
<dd><b>WebAssembly</b> - a web standard that defines a binary format and a corresponding assembly-like text format for executable code in Web pages. It is meant to enable executing code nearly as quickly as running native machine code. Many believe WebAssembly could replace JavaScript entirely in the distant future.</dd>
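Review bot: `Many believe WebAssembly could replace JavaScript entirely in the distant future` (+76) is unsourced speculation in an otherwise descriptive entry; suggest dropping it or replacing it with what the standard actually provides, that WebAssembly modules run alongside JavaScript and are loaded and called from it. In the Java item (+75), stating the criterion first (CPU-bound work versus IO-bound work) and then naming Java and Node.js as the respective fits would make the recommendation clearer than `For some tasks a different language might be necessary for performance gains`.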
<dd><b>Logging</b> - the practice of storing large volumes of computer generated audit logs for later analysis. The creation of logs is dependent on the goals of the application. In addition, there are middleware packages like <a href="https://github.com/expressjs/morgan">Morgan</a> that can automate some of these processes. For reporting, modern logging systems use <a href="http://localhost:1313/backend/databases/#h-Section4">Elasticsearch</a> to visualize logs and metrics using string analysis. <br/>
87
+
<ins>Logging can also be used for:</ins>
88
+
<ul>
89
+
<li>Compliance with security policies</li>
90
+
<li>Compliance with audit or regulation</li>
91
+
<li>System troubleshooting</li>
92
+
<li>Forensics (during investigations or in response to subpoena)</li>
93
+
<li>Security incident response</li>
94
+
<li>Understanding online user behavior</li>
95
+
</ul>
96
+
</dd>
97
+
<dt>Monitoring</dt>
98
+
<dd>It is important to monitor systems and send automated notifications to respond to system-wide performance changes. On AWS, <b>CloudWatch</b> provides a unified view of AWS resources, applications and services that run on AWS. You can set alarms, visualize logs and metrics, take automated actions, configure health checks, troubleshoot issues, and discover insights to optimize your applications, and ensure they are running smoothly. Another service essential monitoring system health is <a href="https://sentry.io">Sentry.io</a> which provides client-side error notifications.</dd>
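Review bot: the Elasticsearch link in the Logging entry points at `http://localhost:1313/backend/databases/#h-Section4`, a local development-server URL that will not resolve for readers; use a site-relative link such as `/backend/databases/#h-Section4`. In the Monitoring entry, `Another service essential monitoring system health` is missing `to` (`essential to monitoring system health`), and `discover insights to optimize your applications, and ensure they are running smoothly` has a stray comma. Since the new list (+87 to +95) names forensics and security incident response as uses of logs, one sentence on protecting the logs themselves (append-only storage, restricted write access) would support those items; logs that an intruder can edit are of little forensic value.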
bref="Big data is a term used to refer to data sets that are too large or complex for traditional data-processing application software to adequately deal with"