Direktna Distribucija
Technical Features
Performance
- Server side code, including Regular Expressions, is already precompiled - for a faster first execution.
- Reflection is avoided whenever possible - to prevent the metadata slowdowns.
- Parallel `Tasks` are used for background operations - for concurrent multi-core processing, and non-blocking asynchronous multi-threading.
- Parallel `PageAsyncTasks` are used for page IO operations - to free up the request threads while awaiting completion ports.
- `SessionState` is read-only for all pages - to prevent the write lock from blocking concurrent requests in the same session.
- `ViewState` is disabled for all non-data-bound controls - to reduce the size of responses and postbacks.
- `ViewState` and `ControlState` are compressed before encryption, and decompressed after decryption. Compression of cleartext is significantly better than of ciphertext, and cryptography is much faster with smaller data.
- `UpdatePanel` is used for partial rendering on postbacks - to reduce the size of responses, with AJAX.
- `AutoEventWireup` is disabled - to match page events with their handler methods faster.
- Request validation checks only the needed form fields, not all of them - to speed up the postbacks.
- CSS files are loaded first, at the end of the `<HEAD>` tag - for progressive page rendering.
- Required JavaScript files are loaded at the start of the `<BODY>` tag - so that the page is fully functional even while still rendering.
- Non-critical JavaScript files are loaded last, at the end of the `<BODY>` tag - to avoid blocking the parallel loading of other resources. They also load deferred (IE) or asynchronously (other browsers) - so that the page renders faster.
- IE browsers are forced to use the best rendering engine, or the Google Chrome Frame if available - to support the latest web standards. It is done by an HTTP header, instead of a meta tag - to avoid re-rendering when switching engines.
- Static content (scripts, styles, and images) can optionally be loaded from a separate (sub) domain - to avoid sending Cookies, reducing the size of requests and responses. Or it can optionally be loaded from edge CDN servers (which are closer to the client for a faster response) - to free up the request threads on the main web server.
- Static content is not subject to most managed handlers and modules - speeding up their requests and responses.
- Images have all the metadata stripped, their dimensions are reduced to the actually displayed size, and non-animated GIFs are converted to the PNG format (retaining transparency) - to reduce file sizes.
- GIF and PNG images are interlaced, and JPEGs use progressive rendering - to display faster.
- Images have their dimensions prespecified - to avoid reflowing the page when they load.
- Image dimensions are read from the file's properties - without loading the whole file.
- Page layout uses just pure CSS3 styles whenever possible, without any images or JavaScript - for faster loading.
- If non-secure pages are being accessed by HTTPS, they are redirected to HTTP - to avoid SSL encryption.
- Links on secure pages to the non-secure pages are absolute - as relative links are also secure.
- Maximum connections limit to a single domain is removed - to prevent blocking concurrent requests.
Caching
- Frequently used data is temporarily cached in web server's memory, with a sliding expiration - to avoid unnecessary database calls.
- Enum values are cached, their names hardcoded, and descriptions retrieved from resources (instead of the `DescriptionAttribute`) - to avoid unnecessary reflection.
- Static content and non-secure pages are cached publicly - on the web server, any proxy, and clients.
- "ETag" header is removed from responses - to cache the same file from different web servers only once.
- All content is compressed (before caching, to save space) with GZip, which is more compatible with browsers than Deflate - to reduce the size of responses (web server must support static and/or dynamic HTTP compression).
- Data-bound controls are cached in `ViewState` - to avoid unnecessary database calls on postbacks.
- `ViewState` and `ControlState` are always additionally compressed, even after the HTTP decompression, to negate the size increase of responses and postbacks (the browser posts them back still compressed, which is a huge difference on a client's slower upload speed).
- `SessionState` uses the State Server service - so that data is preserved even across Application Pool recycles, and can be shared in a web garden/farm.
Database
- Database connections are asynchronous, and statement execution is non-blocking.
- Opened connections are closed even on exception, and are always returned to the Connection Pool cache - to avoid opening too many new connections.
- Stored Procedures are used instead of command statements - as they are precompiled for a faster first execution, and their execution plans (and often their results as well) are cached on the database server.
- Optional columns are nullable, or have default values - to reduce the number of required Stored Procedure parameters, and also speed up manual data manipulation.
- Columns have a defined maximum length or precision - to reduce the database size, and prevent data mismatches.
- Operations that do not manipulate the data use the `SET NOCOUNT ON` directive - to reduce the results size.
- Data is filtered and sorted directly in the database - to reduce the results size.
- SELECT statements target only the required columns, not the whole table - to reduce the results size.
- Data paging retrieves only the required rows, not the whole table - to reduce the results size.
- A table row is read whole, all at once - instead of just one column at a time. That saves even more time when checking for `DBNull` values - no need to read the same columns twice.
- Foreign key relations are cascading - to prevent data "orphans", even for manual data manipulation.
- Unique indexes and value constraints are enforced in the database as well - even for manual data manipulation.
- Data manipulation uses transactions - to be rolled back on any error.
- Data manipulation returns the number of affected rows - to detect the operation result (-1 for error).
- SELECT statements inside transactions use the `WITH (UPDLOCK)` table hint - so that the original conditions do not change until the commit.
- Stored Procedure parameters are checked for the expected type, and length or precision - to avoid data mismatch.
Stability
- Modular architecture for the ease of adding and testing new functionalities.
- Undoable operations require an explicit user confirmation.
- Disposable objects are closed even on exception - to prevent memory leaks.
- Server side Regular Expressions auto timeout if they are taking too long.
- Parallel `Tasks` auto timeout if they are taking too long, and can always be manually canceled.
- Requests and responses auto timeout if they are taking too long.
- If a file is under a sharing or a lock violation, access is retried with increasing delay until timeout.
- Every file access is synchronized using reader and writer locks.
- Data-bound controls with paging use `EnablePersistedSelection` - to prevent the selected index from spanning pages.
- All exceptions and errors are observed, formatted for readability, and have the current request trace added - and are then either e-mailed to the administrator, or saved in a log file.
- If e-mailing failed, the whole message is saved in a log file.
- `TimeoutException`s and `OperationCanceledException`s return the "503 Service Unavailable" HTTP error, with a "Retry-After" header - to delay crawlers when the web server is busy.
- HTTP errors caused by crawlers are not logged - to prevent false positives.
- Custom error pages always work - wherever the exception originated.
- All images, CSS, and JavaScript files have a local fallback - if they fail to load from the edge CDN server.
- Every JavaScript client feature has a server side fallback, or an accompanying `<NOSCRIPT>` tag - for a graceful failover without it.
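The retry-with-increasing-delay behaviour described above for sharing and lock violations, written out as an added Python example; it is not the project's own code (which is ASP.NET). Which exception a sharing violation surfaces as is an assumption (`PermissionError`, as on Windows), and the doubling delay, the 50 ms first wait and the 5-second timeout are constructed defaults. The sleep and clock functions are injectable so the timeout path can be exercised without actually waiting.

```python
import time


def retry_until_timeout(operation, timeout=5.0, first_delay=0.05, factor=2.0,
                        retry_on=(PermissionError, BlockingIOError),
                        sleep=time.sleep, clock=time.monotonic):
    """Call operation() until it succeeds.

    On a retryable error the caller waits first_delay, then first_delay*factor,
    and so on (increasing delay). It gives up with TimeoutError as soon as the
    next wait would run past the deadline, so the total time stays bounded.
    sleep/clock are parameters only so the behaviour can be tested offline.
    """
    deadline = clock() + timeout
    delay = first_delay
    attempts = 0
    while True:
        attempts += 1
        try:
            return operation()
        except retry_on as exc:
            if clock() + delay > deadline:
                raise TimeoutError("gave up after %d attempts" % attempts) from exc
            sleep(delay)
            delay *= factor


def open_with_retry(path, mode="rb", **retry_kwargs):
    """Open a file that another process may still hold.

    Assumption: a sharing/lock violation is reported as PermissionError
    (the Windows behaviour); BlockingIOError covers advisory locks elsewhere.
    """
    return retry_until_timeout(lambda: open(path, mode), **retry_kwargs)


if __name__ == "__main__":
    # Constructed demo: the "file" is busy for three attempts, then opens.
    busy = [3]

    def flaky_open():
        if busy[0] > 0:
            busy[0] -= 1
            raise PermissionError("sharing violation (constructed)")
        return "handle"

    print(retry_until_timeout(flaky_open, timeout=1.0, first_delay=0.01))
```

Each retry doubles the previous wait, so a file held for a few hundred milliseconds costs only a handful of attempts, while a file that never frees up produces a single `TimeoutError` rather than an unbounded spin.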
Security
- There is no direct contact from the Presentation UI to the Data Layer, and all communication between them goes strictly through the Business Logic - to prevent SQL injection attacks.
- All special characters in database strings are escaped - to prevent SQL injection attacks.
- User input is validated on the server side as well as on the client - in case JavaScript is intentionally disabled.
- File upload allows only certain mime-types, and checks for a maximum size - to prevent overload.
- `ViewState` uses a unique user key - to prevent one-click attacks.
- Custom error pages prevent the web server from showing the default, more detailed ones - to hide the target software from potential attackers.
- "Server", "X-Powered-By", and "X-AspNet-Version" headers are removed from responses - to hide the target software from potential attackers.
- There is only one default page - to prevent defacing attacks.
- Folder browsing is disabled - to hide the file structure from potential attackers.
- SMTP supports not just explicit SSL (STARTTLS) authentication - but implicit SSL as well.
- If secure pages are accessed by HTTP, they are redirected to HTTPS - to enforce SSL encryption.
- Links on non-secure pages to the secure pages are absolute - as relative links are also non-secure.
- All resources on a secure page are also being accessed securely as well - to avoid the related security warning in browsers.
- Secure pages are cached privately - only on clients.
- Request validation uses a whitelist instead of a blacklist - to completely prevent cross-site scripting (XSS) attacks.
- IIS managed modules on an Integrated Pipeline are being used even for files without extensions (rewritten URLs, but not static content) - for authentication and authorization purposes.
Encryption and Validation
- Database connections can optionally be encrypted with SSL (the database server must own a certificate that is not self-signed).
- Sensitive sections in the "Web.config" file can optionally be encrypted with an RSA public key (the web server must import the private key).
- Sensitive application settings in the "Web.config" file are encrypted with an AES symmetric key (using a unique IV), and validated with an HMAC-SHA keyed hash (using a unique salt).
- Forms Authentication and `ViewState` are always encrypted and hashed. Machine keys are not randomly generated - so that postbacks are preserved even across Application Pool recycles, and can be shared in a web garden/farm.
- Sensitive data is always transmitted encrypted and hashed - it can never be intercepted as cleartext.
- User Password and Secret Answer are kept hashed, using a unique salt - to prevent even employees from misusing them.
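Two points on this page share one mechanism: `ViewState`/`ControlState` are compressed before encryption (Performance section, because cleartext compresses far better than ciphertext), and sensitive settings are encrypted with a unique IV and validated with an HMAC keyed hash. The added Python example below, which is not part of the original page or the project's code, implements that compress, then encrypt-then-MAC pipeline and a size comparison of the two orderings. Only the standard library is used: the cipher is a CTR-style keystream derived from HMAC-SHA256, an assumption standing in for the AES cipher the page names; the 16-byte IV, the key names and the sample ViewState bytes are constructed here.

```python
import hashlib
import hmac
import os
import struct
import zlib

IV_LEN = 16   # a fresh, unique IV per protected blob
TAG_LEN = 32  # HMAC-SHA256 tag


def _keystream(key, iv, length):
    """CTR-mode keystream: HMAC-SHA256(key, iv || counter) blocks, truncated to length.
    Assumption: a stdlib stand-in for the AES cipher the page names."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(plaintext, enc_key, mac_key):
    """Compress -> encrypt under a fresh IV -> MAC over IV + ciphertext (encrypt-then-MAC)."""
    iv = os.urandom(IV_LEN)
    compressed = zlib.compress(plaintext, 9)
    ciphertext = _xor(compressed, _keystream(enc_key, iv, len(compressed)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def unprotect(blob, enc_key, mac_key):
    """Verify the tag in constant time before decrypting; any mismatch is rejected outright."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("protected blob is too short")
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: blob was modified or keys differ")
    compressed = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    return zlib.decompress(compressed)


def compressed_sizes(plaintext, enc_key):
    """Return (compress-then-encrypt size, encrypt-then-compress size) for the same input,
    IV and tag excluded, to show why the page compresses before encrypting."""
    iv = os.urandom(IV_LEN)
    compress_first = len(zlib.compress(plaintext, 9))
    encrypted = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    encrypt_first = len(zlib.compress(encrypted, 9))
    return compress_first, encrypt_first


# Constructed sample: a repetitive serialized control tree, as ViewState tends to be.
SAMPLE_VIEWSTATE = b'<ctl id="GridView1" row="42"><cell>Item</cell></ctl>' * 40

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    blob = protect(SAMPLE_VIEWSTATE, enc_key, mac_key)
    assert unprotect(blob, enc_key, mac_key) == SAMPLE_VIEWSTATE
    print("original %d bytes, protected %d bytes" % (len(SAMPLE_VIEWSTATE), len(blob)))
    print("compress-then-encrypt vs encrypt-then-compress:", compressed_sizes(SAMPLE_VIEWSTATE, enc_key))
```

Two design points worth checking when reusing this pattern: the MAC covers the IV as well as the ciphertext and is checked before anything is decrypted or decompressed, so a modified blob never reaches the decompressor; and because the compressed length is visible, compressing attacker-influenced input together with a secret in the same blob leaks information about that secret through the size (the CRIME/BREACH class of issues), which is why the page applies it to ViewState and settings whose content the client already knows or cannot shape.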
Authentication and Authorization
- Cookies cannot be accessed by client JavaScript.
- Login cookie expires after a period of inactivity - if a user forgets to logout.
- User e-mail address must be valid and unique - account registration requires automatic verification as a proof of ownership over an e-mail address.
- E-mail address changing alerts the user by e-mailing to the old address - as a precautionary measure.
- Password changing or resetting alerts the user by an e-mail - as a precautionary measure.
- Forgotten password can only be randomly reset - the original can never be retrieved, not even by an employee.
- Password must not contain the username, and must be minimum of eight characters long, containing at least one symbol, a number, and mixed case letters.
- The Secret Answer must not contain the Security Question.
- User is temporarily locked out on 5 failed authentications, and auto unlocked after 10 minutes - to prevent brute-force attacks.
- If a user is anonymous, or tries to impersonate another user, he is redirected to the login page.
- If a user role changed on postback, the request is canceled, and the page is reloaded for the new role.
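The account rules in this list (password policy, the secret-answer rule, a per-user salted password hash, lockout after 5 failed authentications with automatic unlock after 10 minutes) written out as an added Python example; this is not code from the project. PBKDF2-HMAC-SHA256 with 100,000 iterations and a 16-byte salt are assumptions, since the page says only that the password is kept hashed with a unique salt; usernames and passwords in the demo are constructed. The clock is injectable so the lockout window can be tested without waiting ten minutes.

```python
import hashlib
import hmac
import os
import string
import time

MIN_PASSWORD_LENGTH = 8
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 10 * 60
PBKDF2_ITERATIONS = 100_000  # assumption: the page only says "hashed, using a unique salt"


def password_policy_errors(username, password):
    """Return the list of rules the password violates (an empty list means it passes)."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("at least %d characters" % MIN_PASSWORD_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("a number")
    if not any(c in string.punctuation for c in password):
        errors.append("a symbol")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        errors.append("mixed case letters")
    if username and username.lower() in password.lower():
        errors.append("must not contain the username")
    return errors


def secret_answer_is_valid(question, answer):
    """The Secret Answer must not contain the Security Question (compared case-insensitively)."""
    return question.strip().lower() not in answer.lower()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    """Stores only salt + hash (never the password), counts failed logins, enforces the lockout."""

    def __init__(self, username, password, clock=time.time):
        problems = password_policy_errors(username, password)
        if problems:
            raise ValueError("password needs: " + ", ".join(problems))
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.failed_logins = 0
        self.locked_until = 0.0
        self._clock = clock  # injectable so the 10-minute window can be tested

    def is_locked(self):
        return self._clock() < self.locked_until

    def authenticate(self, password):
        now = self._clock()
        if now < self.locked_until:
            return False  # locked: not even the right password is accepted
        if self.locked_until:  # lockout expired: auto-unlock and count afresh
            self.locked_until = 0.0
            self.failed_logins = 0
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked_until = now + LOCKOUT_SECONDS
        return False


if __name__ == "__main__":
    acct = Account("alice", "Str0ng!pass")  # constructed credentials
    print("wrong password accepted:", acct.authenticate("guess"))
    print("right password accepted:", acct.authenticate("Str0ng!pass"))
    print("policy errors for 'bob'/'Bob12345!':", password_policy_errors("bob", "Bob12345!"))
```

Because only the salt and the PBKDF2 output are stored, the original password cannot be retrieved by anyone, which matches the rule that a forgotten password can only be randomly reset; the lockout is checked before the hash is computed, so a locked account does not even confirm whether the supplied password was right.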
Localization and Globalization
- All enums are localized.
- Fully localized dates, numbers, and currencies.
- All files, requests, and responses are UTF-8 encoded - to support any language.
- User's language is auto detected from his browser, and can be manually changed at any time.
- User's time zone is auto detected from his IP address geo location, and can be manually changed at any time.
- Date and time inputs have a localized date picker.
- Numeric inputs have a localized number spinner.
Search Engine Optimization (SEO)
- Top scores in Google Page Speed and Yahoo YSlow tests - for higher SEO ranking.
- All manually entered and auto generated HTML5 markup and CSS3 styles pass the strict standards validation - for an identical display in every browser, instead of an individual "quirks" mode. They also pass the web accessibility validation - for compatibility with crawlers, and browsers for people with disabilities.
- Addresses are canonized by a "canon" meta tag - so that crawlers will combine the ratings for the same page (instead of dividing it between its Query Strings), and remove the non-canon addresses from their index.
- IIS URL Rewrite Module permanently redirects (canonizes) all non-canon addresses to their canon ones.
- Query Strings are rewritten as part of the address - to be read-friendly for users, and keyword-rich for crawlers. Reserved characters are replaced by their safe alternatives, to avoid URL encoding of the clear text.
- Rewritten addresses are also checked for canonization, and are otherwise reported as not found - to avoid the website being reported by crawlers as a random content generator (different links to the same content).
- Custom error pages return the appropriate HTTP Status Code - for crawlers.
- Every page has a unique "title" meta tag, which contains the website name.
- Page keywords are inside the `<H1>` to `<H6>` heading tags, sized according to their relevancy - for crawlers to extract their own "keywords" meta tag from headers (so they must not be inside images or Flash animations).
- The main content comes before anything else (even navigation sidebars) - for crawlers to extract their own "description" meta tag from the start of the page (the most relevant part).
- Redundant navigation (all pages are accessible from all others), and breadcrumb links - for easier indexing.
- Shortcuts to social sharing on FaceBook, LinkedIn, MySpace, Twitter, and Google Plus (One).
- Validator services are correctly recognized (instead of as text-only browsers), and sent valid markup and styles - instead of the crawler compatible versions by default.
- "Sitemap.xml" file is auto generated, including for dynamic pages, and can be auto published to all major SEO web services - for easier indexing.
- "Robots.txt" file is pointing to the sitemap, sets the canonical domain name, disallows access to the secure pages and those behind a login, and enforces a request delay for crawlers (to avoid traffic congestion).
- In the root folder are "favicon.ico" file, empty placeholders for in-memory ".axd" files, and files proving the website ownership for Webmaster Tools (even when using the meta tag verification method) - to prevent crawlers from reporting them as not found (HTTP errors lower the SEO rank).
- Meta microdata makes page content machine-readable for crawlers - for semantic search results.
- All dates and times are inside the `<TIME>` tag - giving them UTC context.