Sep 5, 2024
security
Static (SAST) Run linters/semgrep/bandit/gosec/spotbugs per language; fail on high severity. Baseline to reduce noise; allow sarif upload to code host for inline review. Secret scanning in every push; block commits with keys. Dynamic (DAST) Stage environment with prod-like config; run zap/owasp/amass scopes carefully. Define allowlist targets; time-bounded scans; throttle to avoid DoS. Pipeline hygiene Shift-left: PR checks for fast SAST; nightly deeper scans. Artifacts stored with build SHA; track findings trend. Break-glass only with approvals; keep rules versioned. Checklist SAST/secret scans on push + PR. DAST on staging with scoped targets. SARIF/uploaded results visible to devs. Findings triaged with SLA.
ReadAug 21, 2024
cache
Choosing engine Redis: rich data types, persistence, clustering, scripts; good for queues/rate limits. Memcached: simple KV, pure in-memory, fast; great for stateless caches. Design Namespaced keys, versioned; TTL with jitter; avoid giant values. Pick eviction (LRU/LFU); monitor hit rate and evictions. Stampede control: locks/SETNX, stale-while-revalidate, per-key backoff. Ops Pooling + timeouts; alert on latency, evictions, memory fragmentation. For Redis, persistence config (AOF/RDB) matched to durability needs; replicas for HA. For Memcached, spread slabs; watch for evictions of hot slabs. Checklist Engine chosen per use case; durability/HA decided. TTLs + jitter; stampede protection in place. Metrics for hit/miss/evictions/latency.
ReadAug 15, 2024
security
Security is crucial in web development. Here are essential security practices to protect your applications.
1. Authentication & Authorization Strong Password Policies // Enforce strong passwords const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/; // Hash passwords (never store plaintext) const hashedPassword = await bcrypt.hash(password, 10); JWT Best Practices // Use short expiration times const token = jwt.sign( { userId: user.id }, process.env.JWT_SECRET, { expiresIn: '15m' } ); // Implement refresh tokens // Store tokens securely (httpOnly cookies) 2. Input Validation Server-Side Validation // Always validate on server const schema = z.object({ email: z.string().email(), password: z.string().min(8), age: z.number().min(18).max(120) }); const validated = schema.parse(req.body); Sanitize Inputs // Prevent XSS const sanitized = DOMPurify.sanitize(userInput); // Prevent SQL Injection (use parameterized queries) db.query('SELECT * FROM users WHERE id = ?', [userId]); 3. HTTPS & SSL/TLS // Always use HTTPS in production // Redirect HTTP to HTTPS // Use HSTS headers app.use((req, res, next) => { if (!req.secure && process.env.NODE_ENV === 'production') { return res.redirect(`https://${req.headers.host}${req.url}`); } next(); }); 4. CORS Configuration // Configure CORS properly app.use(cors({ origin: process.env.ALLOWED_ORIGINS.split(','), credentials: true, methods: ['GET', 'POST', 'PUT', 'DELETE'], allowedHeaders: ['Content-Type', 'Authorization'] })); 5. Rate Limiting // Prevent brute force attacks const rateLimit = require('express-rate-limit'); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5 // limit each IP to 5 requests per windowMs }); app.use('/api/login', limiter); 6. SQL Injection Prevention // Always use parameterized queries // Bad db.query(`SELECT * FROM users WHERE email = '${email}'`); // Good db.query('SELECT * FROM users WHERE email = ?', [email]); 7. XSS Prevention // Escape user input const escapeHtml = (text) => { const map = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' }; return text.replace(/[&<>"']/g, m => map[m]); }; // Use Content Security Policy app.use((req, res, next) => { res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'"); next(); }); 8. CSRF Protection // Use CSRF tokens const csrf = require('csurf'); const csrfProtection = csrf({ cookie: true }); app.use(csrfProtection); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); }); 9. Security Headers // Set security headers app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('Strict-Transport-Security', 'max-age=31536000'); next(); }); 10. Dependency Security # Regularly update dependencies npm audit npm audit fix # Use tools like Snyk, Dependabot 11. Error Handling // Don't expose sensitive information app.use((err, req, res, next) => { if (process.env.NODE_ENV === 'production') { res.status(500).json({ error: 'Internal server error' }); } else { res.status(500).json({ error: err.message }); } }); 12. Logging & Monitoring // Log security events logger.warn('Failed login attempt', { ip: req.ip, email: req.body.email, timestamp: new Date() }); // Monitor for suspicious activity Best Practices Summary Strong authentication Input validation & sanitization Use HTTPS Configure CORS properly Implement rate limiting Prevent SQL injection Prevent XSS CSRF protection Security headers Keep dependencies updated Proper error handling Monitor security events Conclusion Security requires:
...
ReadAug 15, 2024
kubernetes
Kubernetes provides several deployment strategies to ensure zero-downtime updates and safe rollouts of new application versions. Understanding these strategies is crucial for maintaining reliable production systems.
Deployment strategy overview Kubernetes deployment strategies determine how new versions of your application replace old ones. The choice depends on:
Risk tolerance: How critical is zero downtime? Traffic patterns: Can you route traffic to multiple versions? Rollback speed: How quickly can you revert if issues occur? Resource constraints: Can you run multiple versions simultaneously? Rolling update (default) The default Kubernetes deployment strategy gradually replaces old pods with new ones.
...
ReadAug 14, 2024
php
Low-effort wins php artisan config:cache, route:cache, view:cache; warm on deploy. Enable OPcache with sane limits; preloading for hot classes when applicable. Use queues for emails/webhooks; keep HTTP requests lean. Database hygiene Add missing indexes; avoid N+1 with eager loading; paginate large lists. Use read replicas where safe; cap per-request query count in logs. Measure slow queries; set alarms on p95 query time. HTTP layer Cache responses with tags (Redis) for fast invalidation. Use CDN for static/media; compress and set cache headers. Leverage middleware to short-circuit authenticated user cache when possible. Observability Laravel Telescope or Horizon for queues; metrics on throughput, failures, latency. Log DB/query counts; track opcache hit rate and memory usage. Checklist Config/route/view cached on deploy. OPcache enabled and monitored. DB queries optimized and indexed; N+1 checks in CI. Responses cached where safe; queues handle slow work.
ReadAug 9, 2024
node
Keys & TTLs Namespaced keys: app:domain:entity:id. Set TTLs per data volatility; use jitter to avoid thundering expirations. Version keys on schema changes to prevent stale reads. Stampede protection Use SETNX/lock around rebuild; short lock TTL with fallback. Serve stale-while-revalidate: return cached value, refresh asynchronously. Serialization & size Prefer JSON with bounded fields; compress only large blobs. Avoid massive lists/hashes; paginate or split keys. Operations Monitor hit rate, command latency, memory, evictions. Use connection pooling; set timeouts and retries with backoff. Cluster/replica for HA; read from replicas if consistency allows. Checklist Keys versioned; TTLs with jitter. Stampede controls in place. Metrics for hit/miss/latency/evictions; alerts configured.
ReadJul 28, 2024
php
Query hygiene Add composite indexes matching filters/order; avoid leading wildcards. Use EXPLAIN to verify index usage; watch for filesort/temp tables. Prefer keyset pagination over OFFSET for large tables. Config basics Set innodb_buffer_pool_size (50-70% RAM), innodb_log_file_size, innodb_flush_log_at_trx_commit=1 (durable) or 2 (faster). max_connections aligned with app pool size; avoid connection storms. Enable slow query log with sane threshold; sample for tuning. App considerations Reuse connections (pooling); avoid long transactions. Limit selected columns; cap payload sizes; avoid large unbounded IN lists. For read-heavy workloads, add replicas; route reads carefully. Checklist Indexes audited; EXPLAIN reviewed. Buffer pool sized; slow log enabled. Pagination and payloads bounded; connections pooled.
ReadJul 20, 2024
testing
Comprehensive testing is essential for reliable backend systems. Here’s a guide to effective testing strategies.
Testing Pyramid /\ / \ E2E Tests (Few) /____\ / \ Integration Tests (Some) /________\ / \ Unit Tests (Many) /____________\ 1. Unit Tests What to Test Individual functions Business logic Data transformations Edge cases Example describe('UserService', () => { it('should create user with valid data', () => { const userData = { email: '[email protected]', name: 'Test User' }; const user = userService.createUser(userData); expect(user.email).toBe('[email protected]'); expect(user.id).toBeDefined(); }); it('should throw error for duplicate email', () => { userService.createUser({ email: '[email protected]' }); expect(() => { userService.createUser({ email: '[email protected]' }); }).toThrow('Email already exists'); }); }); 2. Integration Tests What to Test API endpoints Database operations External service interactions Service integration Example describe('User API', () => { beforeEach(async () => { await db.migrate.latest(); }); afterEach(async () => { await db.migrate.rollback(); }); it('POST /api/users should create user', async () => { const response = await request(app) .post('/api/users') .send({ email: '[email protected]', name: 'Test User', password: 'password123' }) .expect(201); expect(response.body.email).toBe('[email protected]'); const user = await db('users').where({ email: '[email protected]' }).first(); expect(user).toBeDefined(); }); }); 3. End-to-End Tests What to Test Complete user workflows System integration Critical paths Example describe('User Registration Flow', () => { it('should complete full registration process', async () => { // Register user const registerResponse = await request(app) .post('/api/auth/register') .send({ email: '[email protected]', password: 'password123' }); expect(registerResponse.status).toBe(201); // Login const loginResponse = await request(app) .post('/api/auth/login') .send({ email: '[email protected]', password: 'password123' }); expect(loginResponse.status).toBe(200); expect(loginResponse.body.token).toBeDefined(); // Access protected route const profileResponse = await request(app) .get('/api/users/me') .set('Authorization', `Bearer ${loginResponse.body.token}`); expect(profileResponse.status).toBe(200); }); }); 4. Test Data Management Fixtures const userFixtures = { validUser: { email: '[email protected]', name: 'Test User', password: 'password123' }, adminUser: { email: '[email protected]', name: 'Admin', password: 'admin123', role: 'admin' } }; Factories function createUser(overrides = {}) { return { email: '[email protected]', name: 'Test User', password: 'password123', ...overrides }; } 5. Mocking External Services // Mock external API jest.mock('../services/paymentService', () => ({ processPayment: jest.fn().mockResolvedValue({ transactionId: 'tx_123', status: 'success' }) })); 6. Database Testing // Use test database const testDb = { host: process.env.TEST_DB_HOST, database: process.env.TEST_DB_NAME }; // Clean database between tests beforeEach(async () => { await db.raw('TRUNCATE TABLE users CASCADE'); }); 7. Test Coverage // Aim for high coverage // Focus on critical paths // Don't obsess over 100% // Use coverage tools // jest --coverage // nyc Best Practices Write tests first (TDD) Test behavior, not implementation Keep tests independent Use descriptive test names Test edge cases Mock external dependencies Clean up test data Run tests in CI/CD Maintain test code quality Review test failures Conclusion Effective testing requires:
...
ReadJul 7, 2024
node
Pooling Use a pool (pg/pgbouncer); size = (CPU * 2–4) per app instance; avoid per-request connections. For PgBouncer in transaction mode, avoid session features (temp tables, session prep statements). Query hygiene Parameterize queries; prevent plan cache thrash; set statement timeout. Add indexes; avoid wild % patterns; paginate with keyset when possible. Monitor slow queries; cap max rows returned; avoid huge JSON blobs. App settings Set statement_timeout, idle_in_transaction_session_timeout. Use prepared statements judiciously; for PgBouncer, prefer server-prepared off or use pgbouncer session mode. Pool instrumentation: queue wait time, checkout latency, timeouts. OS/DB basics Keep Postgres on same AZ/region; latency kills. Tune work_mem, shared_buffers, effective_cache_size appropriately (DB side). Use EXPLAIN (ANALYZE, BUFFERS) in staging for heavy queries. Checklist Pool sized and monitored; PgBouncer for many short connections. Query timeouts set; slow logs monitored. Key indexes present; pagination optimized. App-level metrics for pool wait, query latency, error rates.
Read
