1. Nikola Bogdanović Avatar Nikola Bogdanović
  2. Untitled project
  3. Direktna-Distribucija

Wiki

Clone wiki

Direktna-Distribucija / Technical

View History

Direktna Distribucija

Technical Features

Performance

  • Server side code, including Regular Expressions, is already precompiled - for a faster first execution.
  • Reflection is avoided whenever possible - to prevent the metadata slowdowns.
  • Parallel Tasks are used for background operations - for concurrent multi-core processing, and non-blocking asynchronous multi-threading.
  • Parallel PageAsyncTasks are used for page IO operations - to free up the request threads while awaiting on completion ports.
  • SessionState is read-only for all pages - to prevent write lock from blocking concurrent requests in the same session.
  • ViewState is disabled for all non-data-bound controls - to reduce the size of responses and postbacks.
  • ViewState and ControlState are compressed before encryption, and decompressed after decryption. Compression of cleartext is significantly better than of cyphertext, and cryptography is much faster with smaller data.
  • UpdatePanel is used for partial rendering on postbacks - to reduce the size of responses, with AJAX.
  • AutoEventWireup is disabled - to match page events with their handler methods faster.
  • Request validation checks only the needed form fields, not all of them - to speed up the postbacks.
  • CSS files are loaded first, at the end of the <HEAD> tag - for a progressive page rendering.
  • Required JavaScript files are loaded at the start of the <BODY> tag - so that the page is fully functional even while still rendering.
  • Non-critical JavaScript files are loaded last, at the end of the <BODY> tag - to avoid blocking the parallel loading of other resources. They also load deferred (IE) or asynchronously (other browsers) - so that the page renders faster.
  • IE browsers are forced to use the best rendering engine, or the Google Chrome Frame if available - to support the latest web standards. It is done by a HTTP header, instead of a meta tag - to avoid re-rendering when switching engines.
  • Static content (scripts, styles, and images) can optionally be loaded from a separate (sub) domain - to avoid sending Cookies, reducing the size of requests and responses. Or it can optionally be loaded from edge CDN servers (which are closer to the client for a faster response) - to free up the request threads on the main web server.
  • Static content is not subject to most managed handlers and modules - speeding up their requests and responses.
  • Images have all the metadata stripped, their dimensions are reduced to the actually displayed size, and non-animated GIFs are converted to the PNG format (retaining transparency) - to reduce file sizes.
  • GIF and PNG images are interlaced, and JPEGs use progressive rendering - to display faster.
  • Images have their dimensions prespecified - to avoid reflowing the page when they load.
  • Image dimensions are read from its properties - without loading the whole file.
  • Page layout uses just pure CSS3 styles whenever possible, without any images or JavaScript - for faster loading.
  • If non-secure pages are being accessed by HTTPS, they are redirected to HTTP - to avoid SSL encryption.
  • Links on secure pages to the non-secure pages are absolute - as relative links are also secure.
  • Maximum connections limit to a single domain is removed - to prevent blocking concurrent requests.

Caching

  • Frequently used data is temporarily cached in web server's memory, with a sliding expiration - to avoid unnecessary database calls.
  • Enum values are cached, their names hardcoded, and descriptions retrieved from resources (instead of the DescriptionAttribute) - to avoid unnecessary reflection.
  • Static content and non-secure pages are cached publicly - on web server, any proxy, and clients.
  • "ETag" header is removed from responses - to cache the same file from different web servers only once.
  • All content is compressed (before caching, to save space) with GZip, which is more compatible with browsers than Deflate - to reduce the size of responses (web server must support static and/or dynamic HTTP compression).
  • Data-bound controls are cached in ViewState - to avoid unnecessary database calls on postbacks.
  • ViewState and ControlState are always additionally compressed, even after the HTTP decompression, to negate the size increase of responses and postbacks (browser posts them back still compressed, which is a huge difference on a client's slower upload speed).
  • SessionState uses the State Server service - so that data is preserved even across Application Pool recycles, and can be shared in a web garden/farm.

Database

  • Database connections are asynchronous, and statement execution is non-blocking.
  • Opened connections are closed even on exception, and are always returned to the Connection Pool cache - to avoid opening too many new connections.
  • Stored Procedures are used instead of command statements - as they are precompiled for a faster first execution, and their execution plans (and often their results as well) are cached on the database server.
  • Optional columns are nullable, or have default values - to reduce the number of required Stored Procedure parameters, and also speed up manual data manipulation.
  • Columns have a defined maximum length or precision - to reduce the database size, and prevent data mismatches.
  • Operations that do not manipulate the data use the NoCount On directive - to reduce the results size.
  • Data is filtered and sorted directly in the database - to reduce the results size.
  • SELECT statements target only the required columns, not the whole table - to reduce the results size.
  • Data paging retrieves only the required rows, not the whole table - to reduce the results size.
  • A table row is read whole, all at once - instead of just one column at a time. That saves even more time when checking for DBNull values - no need to read the same columns twice.
  • Foreign key relations are cascading - to prevent data "orphans", even for manual data manipulation.
  • Unique indexes and value constraints are enforced in the database as well - even for manual data manipulation.
  • Data manipulation uses transactions - to be rolled back on any error.
  • Data manipulation returns the number of affected rows - to detect the operation result (-1 for error).
  • SELECT statements inside transactions use the "With (UpdLock)" table hint - so that original conditions do not change until the commit.
  • Stored Procedure parameters are checked for the expected type, and length or precision - to avoid data mismatch.

Stability

  • Modular architecture for the ease of adding and testing new functionalities.
  • Undoable operations require an explicit user confirmation.
  • Disposable objects are closed even on exception - to prevent memory leaks.
  • Server side Regular Expressions auto timeout if they are taking too long.
  • Parallel Tasks auto timeout if they are taking too long, and can always be manually canceled.
  • Requests and responses auto timeout if they are taking too long.
  • If a file is under a sharing or a lock violation, access is retried with increasing delay until timeout.
  • Every file access is synchronized using reader and writer locks.
  • Data-bound controls with paging use EnablePersistedSelection - to prevent selected index from spanning pages.
  • All exceptions and errors are observed, formatted for readability, added the current request trace - and then either e-mailed to the administrator, or saved in a log file.
  • If e-mailing failed, the whole message is saved in a log file.
  • TimeoutExceptions and OperationCanceledExceptions return the "503 Service Unavailable" HTTP error, with a "Retry-After" header - to delay crawlers when the web server is busy.
  • HTTP errors caused by crawlers are not logged - to prevent false positives.
  • Custom error pages always work - wherever the exception originated.
  • All images, CSS, and JavaScript files have a local fallback - if they fail to load from the edge CDN server.
  • Every JavaScript client feature has a server side fallback, or an accompanying <NOSCRIPT> tag - for a graceful failover without it.

Security

  • There is no direct contact from the Presentation UI to the Data Layer, and all communication between them goes strictly through the Business Logic - to prevent SQL injection attacks.
  • All special characters in database strings are escaped - to prevent SQL injection attacks.
  • User input is validated on the client and server side as well - if JavaScript is intentionally disabled.
  • File upload allows only certain mime-types, and checks for a maximum size - to prevent overload.
  • ViewState uses a unique user key - to prevent one-click attacks.
  • Custom error pages prevent the web server from showing the default, more detailed ones - to hide the target software from potential attackers.
  • "Server", "X-Powered-By", and "X-AspNet-Version" headers are removed from responses - to hide the target software from potential attackers.
  • There is only one default page - to prevent defacing attacks.
  • Folder browsing is disabled - to hide the file structure from potential attackers.
  • SMTP supports not just explicit SSL authentication - but also implicit as well.
  • If secure pages are accessed by HTTP, they are redirected to HTTPS - to enforce SSL encryption.
  • Links on non-secure pages to the secure pages are absolute - as relative links are also non-secure.
  • All resources on a secure page are also being accessed securely as well - to avoid the related security warning in browsers.
  • Secure pages are cached privately - only on clients.
  • Request validation uses a whitelist instead of a blacklist - to completely prevent cross-site scripting (XSS) attacks.
  • IIS managed modules on an Integrated Pipeline are being used even for files without extensions (rewritten URLs, but not static content) - for authentication and authorization purposes.

Encryption and Validation

  • Database connection can optionally be encrypted with a SSL license (database server must own a certificate that is not self-signed).
  • Sensitive sections in "Web.config" file can optionally be encrypted with a RSA public key (web server must import the private key).
  • Sensitive application settings in "Web.config" file are encrypted with an AES symmetric key (using a unique IV), and validated with a HMAC-SHA keyed hash (using a unique salt).
  • Forms Authentication and ViewState are always encrypted and hashed. Machine keys are not randomly generated - so that postbacks are preserved even across Application Pool recycles, and can be shared in a web garden/farm.
  • Sensitive data is always transmitted encrypted and hashed - it can never be intercepted as cleartext.
  • User Password and Secret Answer are kept hashed, using a unique salt - to prevent even employees from misusing them.

Authentication and Authorization

  • Cookies cannot be accessed by client JavaScript.
  • Login cookie expires after a period of inactivity - if a user forgets to logout.
  • User e-mail address must be valid and unique - account registration requires automatic verification as a proof of ownership over an e-mail address.
  • E-mail address changing alerts the user by e-mailing to the old address - as a precautionary measure.
  • Password changing or resetting alerts the user by an e-mail - as a precautionary measure.
  • Forgotten password can only be randomly reset - the original can never be retrieved, not even by an employee.
  • Password must not contain the username, and must be minimum of eight characters long, containing at least one symbol, a number, and mixed case letters.
  • The Secret Answer must not contain the Security Question.
  • User is temporarily locked out on 5 failed authentications, and auto unlocked after 10 minutes - to prevent brute-force attacks.
  • If a user is anonymous, or tries to impersonate another user, he is redirected to the login page.
  • If a user role changed on postback, the request is canceled, and the page is reloaded for the new role.

Localization and Globalization

  • All enums are localized.
  • Fully localized dates, numbers, and currencies.
  • All files, requests, and responses are UTF-8 encoded - to support any language.
  • User's language is auto detected from his browser, and can be manually changed at any time.
  • User's time zone is auto detected from his IP address geo location, and can be manually changed at any time.
  • Date and time inputs have a localized date picker.
  • Numeric inputs have a localized number spinner.

Search Engine Optimization (SEO)

  • Top scores in Google Page Speed and Yahoo YSlow tests - for higher SEO ranking.
  • All manually entered and auto generated HTML5 markup and CSS3 styles pass the strict standards validation - for an identical display in every browser, instead of an individual "quirks" mode. They also pass the web accessibility validation - for compatibility with crawlers, and browsers for people with disabilities.
  • Addresses are canonized by a "canon" meta tag - so that crawlers will combine the ratings for the same page (instead of dividing it between its Query Strings), and remove the non-canon addresses from their index.
  • IIS URL Rewrite Module permanently redirects (canonizes) all non-canon addresses to their canon ones.
  • Query Strings are rewritten as part of the address - to be read-friendly for users, and keyword-rich for crawlers. Reserved characters are replaced by their safe alternatives, to avoid URL encoding of the clear text.
  • Rewritten addresses are also checked for canonization, and are otherwise reported as not found - to avoid the website being reported by crawlers as a random content generator (different links to the same content).
  • Custom error pages return the appropriate HTTP Status Code - for crawlers.
  • Every page has a unique "title" meta tag, which contains the website name.
  • Page keywords are inside the <H> tags, sized according to their relevancy - for crawlers to extract their own "keywords" meta tag from headers (so they must not be inside images or Flash animations).
  • The main content comes before anything else (even navigation sidebars) - for crawlers to extract their own "description" meta tag from the start of the page (the most relevant part).
  • Redundant navigation (all pages are accessible from all others), and breadcrumb links - for easier indexing.
  • Shortcuts to social sharing on FaceBook, LinkedIn, MySpace, Twitter, and Google Plus (One).
  • Validator services are correctly recognized (instead of as text-only browsers), and sent valid markup and styles - instead of the crawler compatible versions by default.
  • "Sitemap.xml" file is auto generated, including for dynamic pages, and can be auto published to all major SEO web services - for easier indexing.
  • "Robots.txt" file is pointing to the sitemap, sets the canonical domain name, disallows access to the secure pages and those behind a login, and enforces a request delay for crawlers (to avoid traffic congestion).
  • In the root folder are "favicon.ico" file, empty placeholders for in-memory ".axd" files, and files proving the website ownership for Webmaster Tools (even when using the meta tag verification method) - to prevent crawlers from reporting them as not found (HTTP errors lower the SEO rank).
  • Meta microdata makes page content machine-readable for crawlers - for semantic search results.
  • All dates and times are inside the <TIME> tag - giving them UTC context.

Updated