Essential for Web developers: Web application check list

Source: Internet
Author: User
Tags: sql injection prevention

To create a high-quality Web application, you have to do a lot of work before and after launch. Ata Sasmaz, a foreign Web developer, created and shares a checklist that covers application development, performance, security, analytics, availability, reliability, conversion strategy, and competitive strategy.

  • Record UI error logs

JavaScript allows exceptions to be captured. These exceptions should be submitted to a logging service through Ajax requests; otherwise errors in the browser environment are hard to intercept.

  • Interchangeable data layer

The data layer can be separated or exchanged with another compliant data layer.

  • Deployment process automation

The deployment process should be automated. Project files used in the production environment should be generated by the deployment server and automatically completed without manual intervention.

  • Use version control system

The version control system keeps the history of code changes, preventing the loss of existing code, and it also helps collaborative development. GitHub is the most popular provider of this service; BitBucket is another, and Microsoft's Team Foundation adds further collaboration features.

  • Code review

Developers will inevitably write wrong code at some point, and a code review system keeps the quality of what they produce high. Review also makes more than one developer familiar with the code, so when the author of a piece of code is absent, others can modify it smoothly. GitHub and Team Foundation provide code review functions.

  • Permission and role system

Each application needs to design and implement the permission and role system. Setting up a system administrator, User Administrator, and other roles requires a flexible global role system.

  • Record all unprocessed errors

All errors should be recorded and used for future comprehensive checks. That is, all errors should be submitted to the global error record mechanism.

  • Automated testing process

Before each deployment, the test server should run all tests. Deploy the application when the tests pass, and report to the system administrator if they fail.

  • The business layer can be used in different environments

The code in the business layer must be generic. Even if the code is oriented to the Web environment, it should be able to be used in different user interfaces and data layers in the desktop environment, server environment, and mobile device environment without changing the code.

  • Coding specifications

A well-defined coding specification plays an important role in future project development. Do you need to write comments before the method? What are naming conventions? Where should the sample code be placed?

  • Developer machine Configuration Guide

The most time-consuming issue during development is that different developers have different development environments. People need to know what software to install, which versions to use, which components are needed, and how to install them.

  • Use CDN

A Content Delivery Network (CDN) serves your images, JS files, CSS files, and other static files from the servers closest to each visitor, increasing access speed and reducing bandwidth usage. CloudFlare is a good example of a CDN service.

  • Compress all JS and CSS files

JS and CSS files should be minified with YUI Compressor to reduce their size and transmitted with gzip. Placing the JS references at the end of the page is also good practice.

  • Log slow-loading pages

Web applications should respond quickly. A page-load analysis system is responsible for identifying slow pages. Even a page that normally runs fast may take too long to load when users request specific data.

  • Use NoSQL for non-critical data storage

NoSQL databases (document-based databases) are fast at receiving and storing data and can be scaled out on a large scale. Because such databases do not guarantee relational integrity, they should not be used for critical data. In scenarios such as user notifications and chat records, NoSQL saves cost and can be used safely.

  • Select a nearby Data Center

The data center should be located close to the vast majority of users. A data center in the same country as the users has a significant impact on page access speed. If necessary, use multiple data centers.

  • Allow multiple data sources

As the volume of stored data doubles, application performance drops. The architecture should be prepared to process large-scale data from multiple sources.

  • Isolate key information in the database

Database users should be restricted from accessing key information, such as retrieving the hashed passwords and Email addresses of all users. Stored procedures and views should be used for verification or for custom data access.

  • Prevent remote code execution

When the application depends on code with poor security, attackers may remotely execute attack code through that dependency.

  • Prevent flood attacks and spam attacks

Flood attacks and spam attacks may also be launched by authenticated users. Always keep track of the last operations each user initiated, so that no one can issue a large number of requests.
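One way to implement that tracking, as an added example that is not part of the checklist: a per-actor sliding-window limiter that remembers recent actions and rejects any over quota. The actor key format, the limits and the timestamps are assumptions chosen for illustration.

```python
from collections import deque
from typing import Deque, Dict, List


class SlidingWindowLimiter:
    """Allow at most `limit` actions per actor within any `window_s`-second window.

    `actor` identifies the requester: a user id for logged-in users, a client IP for
    anonymous traffic, optionally prefixed by the action type (e.g. "comment:user42")
    so that posting, logging in and sending invitations get separate quotas.
    Time is passed in explicitly, which keeps the logic deterministic and testable.
    """

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._events: Dict[str, Deque[float]] = {}

    def _prune(self, q: Deque[float], now: float) -> None:
        # Forget actions that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow(self, actor: str, now: float) -> bool:
        """Record an action at time `now`; return False if the actor is over quota."""
        q = self._events.setdefault(actor, deque())
        self._prune(q, now)
        if len(q) >= self.limit:
            return False  # Rejected actions are not recorded, so the quota recovers by itself.
        q.append(now)
        return True

    def retry_after(self, actor: str, now: float) -> float:
        """Seconds until the oldest in-window action expires; 0.0 if not currently limited."""
        q = self._events.get(actor)
        if not q:
            return 0.0
        self._prune(q, now)
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window_s - (now - q[0]))


def simulate_burst(limiter: SlidingWindowLimiter, actor: str, times: List[float]) -> List[bool]:
    """Constructed traffic sample: feed a list of timestamps, return the allow/deny decisions."""
    return [limiter.allow(actor, t) for t in times]
```

The denied requests are the ones to log for review (see the item on recording all errors); the `retry_after` value is what you would put in a Retry-After response header.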

  • Unique salt value used for password hashing

All passwords should be hashed with a salt, and each user's salt should be unique. People often reuse the same password across services, so applications have a responsibility to protect users' passwords.
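An added example of per-user salting (not code from the checklist): PBKDF2 from the Python standard library with a fresh random salt per record and constant-time verification. The record format, algorithm and iteration count are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; raise ITERATIONS as your hardware allows.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_<alg>$<iterations>$<salt hex>$<hash hex>".

    A fresh random salt is drawn per call, so two users who chose the same password
    get different records, and a leaked table cannot be attacked with one precomputed
    table: every user's hash has to be attacked separately.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and parameters stored in the record.

    Keeping the parameters next to the hash lets you raise ITERATIONS later and
    re-hash each user on their next successful login, with no bulk migration.
    """
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    algorithm = scheme[len("pbkdf2_"):]
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison, so response timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)
```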

  • Global Cross-site scripting (XSS) protection

Cross-Site Scripting (XSS) is a Web vulnerability that allows remote malicious scripts to be executed in users' browsers.

  • SQL Injection Prevention

SQL injection is a common vulnerability: attackers construct input strings that cause harmful SQL commands to execute. Using an ORM is a good precaution.

  • Prevent cross-site request forgery (CSRF)

Cross-Site Request Forgery is a common Web vulnerability: attackers place an iframe on their own website that requests pages from the application while the user is not actually in the application. GET requests must never modify data; this is a hard requirement. Blocking POST requests from outside the application's domain protects the program from this attack; better still, each form carries a token that is verified when the request is received.
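The two defences above, as an added example (not code from the checklist): a per-session token that each form must carry back, plus an origin check on state-changing requests. The secret key, the application origin and the header/form shapes are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import urlsplit

# Constructed for this example: a server-side secret and the application's own origin.
SECRET_KEY = secrets.token_bytes(32)
APP_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never modify data


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(secret, session id).

    Embed it in a hidden field of every form. A page on another origin cannot read
    the victim's cookie or the token, so it cannot produce a matching value.
    """
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, headers: Dict[str, str], session_id: str,
                       form: Dict[str, str]) -> bool:
    """Decide whether a request may change state (header names assumed already normalised).

    1. Safe methods pass; their handlers must not modify data.
    2. If the browser sent Origin (or Referer), it must be our own origin.
    3. The form must carry the token issued for this very session.
    """
    if method.upper() in SAFE_METHODS:
        return True
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
            return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; a missing token compares against "" and fails.
    return hmac.compare_digest(expected, form.get("csrf_token", ""))
```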

  • Verify password before modifying key information

Even if the user is remembered on this computer and logged in successfully a few minutes ago, always ask for the password again when key information such as the password, Email address, or data backups is accessed or modified.

  • HTTP Strict Transport Security

If you serve data over HTTPS, serve it only over HTTPS. Otherwise a man-in-the-middle can downgrade the connection from HTTPS to HTTP, so that users send their requests over HTTP and their data can be read.

  • Use HTTPS in all applications

HTTPS is a worldwide encryption standard, and after the first handshake there is no significant additional overhead. All pages and resources should be transmitted over HTTPS. When a page is served over HTTPS, the resources it references should also be served over HTTPS; otherwise the browser refuses to display them for security reasons.
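Both of the previous two items in one place, as an added example rather than code from the checklist: a WSGI middleware that redirects plain-HTTP requests to HTTPS and stamps every HTTPS response with a Strict-Transport-Security header. The allowed host names, the reliance on X-Forwarded-Proto from a proxy, and the sample application are assumptions of this example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed for this example: the only hosts we redirect to, so an attacker-supplied
# Host header cannot turn the redirect into an open redirect.
ALLOWED_HOSTS = {"app.example", "www.app.example"}
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


class EnforceHttps:
    """WSGI middleware: send plain-HTTP requests to HTTPS and add HSTS to HTTPS responses.
    Assumes a TLS-terminating proxy that overwrites X-Forwarded-Proto (example assumption);
    when the app server terminates TLS itself, wsgi.url_scheme alone is enough."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable):
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
        host = environ.get("HTTP_HOST", "")
        if host not in ALLOWED_HOSTS:
            start_response("400 Bad Request", [("Content-Length", "0")])
            return [b""]
        if scheme != "https":
            # Browsers ignore HSTS sent over plain HTTP, so here we only redirect.
            location = f"https://{host}{environ.get('PATH_INFO', '/')}"
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status: str, headers: List[Tuple[str, str]], exc_info=None):
            # Every HTTPS response carries HSTS, so the browser refuses later HTTP downgrades.
            headers = [h for h in headers if h[0].lower() != HSTS[0].lower()] + [HSTS]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def hello_app(environ: dict, start_response: Callable):  # constructed sample application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call_app(app: Callable, environ: dict) -> Tuple[str, Dict[str, str]]:
    """Minimal WSGI driver: run one request and return (status, headers as a dict)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    list(app(environ, start_response))
    return seen["status"], seen["headers"]
```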

  • Verify the browser and location information of the session

Sessions and cookies can be hijacked. The browser's header information and the location of the user's last IP address can be compared with what was recorded when the session started. A more active defence is to bind a session to the user's IP address, but this can cause problems with dynamic addresses and mobile devices.
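An added example covering this item and the earlier one on re-verifying the password before key information is changed (not code from the checklist): the session keeps a User-Agent fingerprint, a network prefix and the time of the last password entry, and each request is graded as ok, step-up to a password prompt, or deny. The prefix lengths, the five-minute window and the list of sensitive actions are assumptions chosen for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

REAUTH_WINDOW_S = 5 * 60  # the password must have been entered within the last 5 minutes
SENSITIVE_ACTIONS = {"change_password", "change_email", "download_backup"}


@dataclass
class Session:
    user_id: str
    ua_fingerprint: str        # hash of the User-Agent seen at login
    ip_network: str            # network prefix of the IP seen at login
    last_password_auth: float  # unix time the password was last entered


def fingerprint_ua(user_agent: str) -> str:
    """Hash rather than store the raw header; equality is all we need."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def ip_prefix(ip: str) -> str:
    """Compare networks (/24 for IPv4, /48 for IPv6), not exact addresses: this tolerates
    the address churn of mobile carriers and dynamic pools that the checklist warns about."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def evaluate(session: Session, user_agent: str, ip: str, action: str, now: float) -> str:
    """Return "ok", "reauth" (ask for the password again) or "deny" (end the session).

    A User-Agent that changes mid-session is a strong hijack signal, so the session ends.
    A changed network is weak evidence, so we step up to a password prompt instead of
    breaking the session. Sensitive actions always require a recent password entry.
    """
    if fingerprint_ua(user_agent) != session.ua_fingerprint:
        return "deny"
    if ip_prefix(ip) != session.ip_network:
        return "reauth"
    if action in SENSITIVE_ACTIONS and now - session.last_password_auth > REAUTH_WINDOW_S:
        return "reauth"
    return "ok"
```

After a successful "reauth", the handler should update `last_password_auth` and, if the network moved, `ip_network`, so the user is not prompted on every request.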

  • Keep data as much as possible

Every piece of data, every request, and every event should be recorded in "big data" storage. This data will be useful in the future, when data mining turns it into useful analysis reports.

  • Observe user intention

For future planning, it is very important to identify why users use the application.

  • Allow users to flexibly obtain analysis reports

Nowadays, data analysis is critical. The analysis report reveals the future business direction. Excellent applications not only facilitate users, but also allow users to generate reports as needed.

  • Distribute requests and achieve 100% uptime

Rather than having the application server accept connections directly, it is better to build a reverse proxy that distributes requests internally. That way, any of several servers can keep providing the service.

  • Automatic data backup

Data should be backed up at least daily; additional backup tasks depend on the specific storage and application servers. If necessary, a disaster recovery plan for the data center should also be prepared.

  • 100% test coverage of the business layer and data layer

Tests should cover all code in the business layer and data layer. Corrupting user data, computing wrong results, returning wrong data, and storage errors can all cost you users and money.

  • Check the server's uptime

Many third-party services now monitor server uptime. They also offer customized checks of the server's status at specified intervals.

  • Reduce page refresh

Compared with Ajax, refreshing pages is slower, and users are lost when pages redirect. Single-page applications (like Gmail) offer a good user experience but are harder to develop and more prone to bugs. If resources (manpower) permit, build a single-page application; otherwise, use Ajax.

  • Hide detailed error information in the production environment

The detailed error page outputs every piece of information related to the error, which every developer needs. In production, the application can still record that information in its logs, so the detailed page must be hidden from users.

  • Simplified user interface

The era of "learning to use programs" is over. Until users are familiar with it, the program should be simple enough; once they are familiar, advanced operations can be revealed. Complex interfaces discourage users.

  • Global search system

Search has become increasingly common in recent years. Google, Facebook, and Twitter all have search functions, and all software giants provide global search with filterable results. Your application should offer the same.

  • Guide the user in case of any situation

When an error occurs or a password is being entered, always show the user which way to go. Remember this.

  • Mobile UI

The usual approach to UI design is to consider the desktop first and then adapt to mobile devices, which makes the adaptation costly. The UI should be designed for mobile devices first and then adapted to the desktop.

  • Global feedback system

Developers and testers cannot predict every problem. The best solution is a feedback mechanism on every page the user can access.

  • Consistent UI behavior

Users may use Windows, Mac, Linux, mobile devices, or an unknown device. In these environments, the UI behavior must be consistent. To achieve this, follow the standards and do not use nonstandard components. At the same time, using a framework such as Bootstrap or Foundation is also helpful.

  • Use a friendly URL

Although Web applications are not aimed at organic visitors (from search engines), people always want to know what will appear when they click an address shared by email or IM. There is usually little explanation, so the URL itself should at least convey relevant information when shared.

Conversion Policy
  • Invitation code system

Inviting registration is the oldest and most effective conversion strategy for new users. A successful invitation system rewards not only the inviter but also the invitee.

  • Support system

Users will always have problems, and every application needs a support system. Lacking one discourages users. Some external solutions: ZenDesk, Desk, Freshdesk, Zoho Support, and so on.

  • Message notification and timed Email sending

It is important that users come back and keep using the software. Users often forget the software, and once they forget it they will not return. Regularly sending emails with notifications retains users. Do not forget to provide a switch for this option, otherwise it becomes spam.

  • Always Better

No matter how many users you have, one or thousands, you always have to do better. This makes up for the flaws of any software.

  • Integrate social networking + incentives

Visitors, even paying users, rarely share an application on social networks, so an incentive mechanism should be set up for this. It requires using social network APIs such as Facebook's and Twitter's to spread the relevant information.

  • Email list

It is important to keep users updated. When users use the software, they are happy to know that you support it and keep improving it. Creating a mailing list that tells users about each month's improvements shows a responsible attitude.

  • Understanding potential customers

Don't expect users to come by themselves; you have to fight for them. Although there are many high-quality advertising solutions, it is better to spend a small amount on the Internet, or even offer the corresponding value for free, and then direct people to the product.

  • Do not let users churn

It is very important to know why users leave. A good system sends an email when a user leaves, offers a discount, and asks for feedback.

Competitive Strategy
  • Study user product requirements

Demand for software products never arises out of thin air. Requirement analysis lets developers and product managers follow that demand. Try to understand customers' real needs by analysing the parts of the product users use most.

  • Understanding competitors

No product is born perfect. One company develops, other companies improve on it, and then the first one improves again; this is the development process in every industry. Every product has its competitors.
