SlideShare ist ein Scribd-Unternehmen logo

Tips tricks deliver_high_performing_secure_web_pages

•
•
A
Aditya Singh

Find the best tips and tricks for creating a high performing secure web pages

Technologie
1 von 62
Downloaden Sie, um offline zu lesen
Tips & Tricks to deliver high performing and secure web pages GauravVerma, Harsh Agarwal
Why? • Why do time and performance matter? • Why don’t we like to wait? • Why does faster not always mean better in the online world?
PERFORMANCE OPTIMIZATION process of improving the delivery speed of services, feedback or any other type of response action in order to meet a user’s expectation.
Psychological time durations • 0.1 to 0.2 seconds: range of the maximum acceptable response time to simulate instantaneous behavior • 0.5 to 1 seconds: maximum response time for immediate behavior • 2 to 5 seconds: flow or optimal experience as a state when people experience concentration, absolute absorption in an activity • 5 to 10 seconds: user would still be focused on their task but would become easily distracted 10 seconds as the absolute maximum time of a user’s attention span
20% RULE • In 1834, Ernst Heinrich Weber, postulated a law that defines “Just Noticeable Difference” (JND) as the minimum difference in stimulation that a person can detect most of the time. • Fechner applied the law to the measurement of sensations, setting the basis for the science of psychophysics.
20% RULE • This work by Weber and Fechner is known to us as the Weber-Fechner Law. • Practical experiments in psychophysics show that time intervals are prone to a JND of between 7% to 18% on average for shorter periods
20% RULE • Good rule of thumb is to simplify the Weber-Fechner Law into a 20% rule. • In order for users to barely see a difference in time duration, it has to be changed by a minimum of 20%
5.0 seconds 4.5 seconds
5.0 seconds 4.0 seconds
Regression allowance • Technique also works in the opposite direction • If you are developing a feature that slows down your web page, you could apply the 20% rule to determine whether the performance decrease will be noticed by users at all. • Allowing our code to be a bit slower without harming the user experience is called regression allowance.
Neutralization Time neutralization occurs when the time difference between two services is noticeable but does not influence the user’s preference of one service over another
• We cannot decrease the search response time to 2 seconds. • If 2 seconds is out of reach, the next best solution would be to use the 20% • Rule of regression allowance relative to the competitor’s time: 2 seconds + 20% = 2.4 seconds. But if we cannot achieve 2 seconds, then 2.4 seconds is probably also out of reach.
• Thankfully, there exists a “magical” psychological threshold. • Time durations longer than this threshold will be perceived by the user as being closer to 5 seconds. • Time durations shorter than that threshold will be perceived as being closer to 2 seconds. This threshold proved to be predictable and is found at the geometric mean, instead of an arithmetical one. √(2 × 5) ≈ 3.2 seconds
Performance Perceptionis all about
Preemptive start • dns-prefetch:This is useful for pre-resolving domain names that are found lower down on the page. • preconnect:This hint is used not only to pre- resolve a domain name, but to initiate a full connection handshake. • prefetch:This hint has the lowest priority and is used to prefetch assets or resources required for future navigation. • prerender:This enables background pre- rendering of an entire page, with all of its assets.
SHOWING PROGRESS is important
• Instantaneous (0.1–0.2s): No need for any activity indicator. • Immediate (0.5–1s): spinners or very basic progress indicator • Optimal experience (1.0-5.0s): optimal indicator would be a class D or a simplified class A indicator – there is no need to draw a user’s attention to additional information. • Attention Span (5-10s): we should show a dynamic indicator of class A or B where the advance of the process is clear.
FrontEnd Performance Tips &Tricks
Be 20% faster than your fastest competitor. • Focus on important metrics other than full-page loading time. • First meaningful paint - the time required for a page to display its primary content • Time to interactive - the time at which a page appears to be ready enough that a user can interact with it UsefulTools: •WebpageTest •Lighthouse by Google •Pagespeed Insights
100-millisecond response time, 60 frames per second. • Do your best to provide feedback in less than 100 milliseconds after initial input. • Each frame of animation should be completed in less than 16 milliseconds, thereby achieving 60 frames per second • Because the browser needs time to paint the new frame to the screen your code should finish executing before hitting the 16.6 milliseconds mark.
First meaningful paint under 1.25 seconds • Your ultimate goal should be a start rendering time under 1.0 second and a SpeedIndex value under 1000 (on a fast connection) • For the first meaningful paint, count on 1250 milliseconds at most. • For mobile, a start rendering time under 3 seconds for 3G on a mobile device is acceptable.
Progressive enhancement • Keeping progressive enhancement as the guiding principle of your front-end architecture and deployment is a safe bet • Design and build the core experience first, and then enhance the experience with advanced features for capable browsers
Accelerated Mobile Page • You can achieve good performance without them, but AMP does provide a solid performance framework with a free content delivery network (CDN) • You could build progressive web AMPs, too.
Consider micro-optimization and progressive booting • Display skeleton screens instead of loading indicators. • Look for modules and techniques to speed up the initial rendering time • Use server-side rendering to get a quick first meaningful paint. • Also include some minimal JavaScript to keep the time-to- interactive close to the first meaningful paint.
Are HTTP cache headers set properly? • Double-check that expires, cache-control, max-age and other HTTP cache headers have been set properly. • If resources are static, they should be cached indefinitely - you can just change their version in the URL when needed. • If possible, use Cache- control: immutable, designed for fingerprinted static resources, to avoid revalidation * * Support only in Firefox
Limit third-party libraries, and load JavaScript asynchronously. • As developers, we have to explicitly tell the browser not to wait and to start rendering the page. • The way to do this for scripts is with the defer and async attributes in HTML • In practice, it turns out we should prefer defer to async • limit the impact of third- party libraries and scripts, especially with social sharing buttons and <iframe> embeds
Are images properly optimized? • As far as possible, use responsive images with srcset, sizesand the <picture> element • mozJPEG improves the start rendering time by manipulating scan levels • Pingo for PNG, Lossy GIF for GIF and SVGOMG for SVG. For background images, exporting photos from Photoshop with 0 to 10% quality can be absolutely acceptable as well.
Are web fonts optimized? • start rendering text in the fallback right away, and load fonts asynchronously • You might be able to get away with locally installed OS fonts as well. • If you can’t serve fonts from your server and are relying on third-party hosts, make sure to use Web Font Loader
Push critical CSS quickly • To ensure that browsers start rendering your page as quickly as possible, add critical CSS inline in the <head> of the page. • With HTTP/2, critical CSS could be stored in a separate CSS file and delivered via a server push without bloating the HTML.
14 Rules for Faster-Loading Web Sites • Make Fewer HTTP Requests • Use a Content Delivery Network • Add an Expires Header • Gzip Components • Put Stylesheets at theTop • Put Scripts at the Bottom • Avoid CSS Expressions • Make JavaScript and CSS External • Reduce DNS Lookups • Minify JavaScript • Avoid Redirects • Remove Duplicate Scripts • Configure ETags • Make AJAX Cacheable
SECURITY
CROSS SITE SCRIPTING(XSS)
WHAT IS XSS ? • XSS refers to client-side code injection attack • Occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. • Most commonly using a script in JS. • TwoType : Reflected, Persistent
HOW XSS WORKS ? 1.The attacker injects a payload in the website’s database by submitting a vulnerable form with some malicious JavaScript
HOW XSS WORKS ? 2.The victim requests the web page from the website.
HOW XSS WORKS ? 3.The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
HOW XSS WORKS ? 4.The victim’s browser will execute the malicious script inside the HTML body.
HOW XSS WORKS ? In this case it would send the victim’s cookie to the attacker’s server, after which the attacker can use the victim’s stolen cookie for impersonation.
HOWTO STOP IT ? X-XSS-Protection: 0 turns it off.
HOWTO STOP IT ? X-XSS-Protection: 1 (Default) will lter out scripts that came from the request - but will still render the page
HOWTO STOP IT ? X-XSS-Protection: 1; mode=block (Recommended) when triggered, will block the whole page
CONTENT SECURITY POLICY(CSP)
WHY CSP ? • CSP gives you a language to define where the browser can load resources from. • You can white list origins for scripts, images, fonts, stylesheets, etc in a very granular manner.
EXAMPLE You can also compare any loaded content against a hash or signature.
HOW ?
EXAMPLES
X FRAME OPTIONS
WHY? • Clickjacking is a thing • Eg: Sharing or liking links on Facebook • PlayingYouTube videos to gain views • Downloading and running a malware • Making users follow someone onTwitter
EXAMPLE Hijacking camera/microphone by loading this page in an invisible iframe, and tricking user into altering the security settings of Flash
HOWTO STOP IT?
X CONTENT TYPE OPTIONS
WHAT DOES IT DO? • MIME sniffing is browser feature. • Browsers inspect the contents while ignoring the content type header. • This might open XSS vulnerability. • X-Content-Type-Options overrides the default browser behaviour.
HOW ?
COOKIES
THE FINE PRINT • There are three different options for cookies that you should be aware of. • secure; will only be served over HTTPS only • HttpOnly; prevents js from accessing cookies • SameSite; helps defend against CSRF attacks.
THE FINER PRINT • SameSite cookies are still experimental and not yet supported by all browsers. • If you use a cookie only to identify a server-side session, the HttpOnly flag should be set.
CROSS SITE REQUEST FORGERY (CSRF)
CSRF EXAMPLE
CSRF EXAMPLE
HOWTO STOP IT ? • SynchronizerTokens • Any state changing operation requires a secure random token • Token is unique per user session • Cryptographically secure large random value
HOWTO STOP IT? • Double Submit Cookie • SameSite cookie attribute • Require User Interaction
THANK YOU

Empfohlen

Mobile Api and Caching
Mobile Api and CachingMobile Api and Caching
Mobile Api and CachingNew Relic
 
Building Faster Websites
Building Faster WebsitesBuilding Faster Websites
Building Faster WebsitesCraig Walker
 
Optimizing your WordPress website
Optimizing your WordPress websiteOptimizing your WordPress website
Optimizing your WordPress websitemwfordesigns
 
Cache is keeping you from reaching the full potential as a developer (word ca...
Cache is keeping you from reaching the full potential as a developer (word ca...Cache is keeping you from reaching the full potential as a developer (word ca...
Cache is keeping you from reaching the full potential as a developer (word ca...Thomas Audunhus
 
Metrics, metrics everywhere (but where the heck do you start?)
Metrics, metrics everywhere (but where the heck do you start?)Metrics, metrics everywhere (but where the heck do you start?)
Metrics, metrics everywhere (but where the heck do you start?)Tammy Everts
 
Service workers your applications never felt so good
Service workers your applications never felt so goodService workers your applications never felt so good
Service workers your applications never felt so goodChris Love
 
A Modern Approach to Performance Monitoring
A Modern Approach to Performance MonitoringA Modern Approach to Performance Monitoring
A Modern Approach to Performance MonitoringCliff Crocker
 
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger Bartel
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger BartelWeb Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger Bartel
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger BartelHolger Bartel
 

Empfohlen

Mobile Api and Caching
Mobile Api and CachingMobile Api and Caching
Mobile Api and CachingNew Relic
 
Building Faster Websites
Building Faster WebsitesBuilding Faster Websites
Building Faster WebsitesCraig Walker
 
Optimizing your WordPress website
Optimizing your WordPress websiteOptimizing your WordPress website
Optimizing your WordPress websitemwfordesigns
 
Cache is keeping you from reaching the full potential as a developer (word ca...
Cache is keeping you from reaching the full potential as a developer (word ca...Cache is keeping you from reaching the full potential as a developer (word ca...
Cache is keeping you from reaching the full potential as a developer (word ca...Thomas Audunhus
 
Metrics, metrics everywhere (but where the heck do you start?)
Metrics, metrics everywhere (but where the heck do you start?)Metrics, metrics everywhere (but where the heck do you start?)
Metrics, metrics everywhere (but where the heck do you start?)Tammy Everts
 
Service workers your applications never felt so good
Service workers your applications never felt so goodService workers your applications never felt so good
Service workers your applications never felt so goodChris Love
 
A Modern Approach to Performance Monitoring
A Modern Approach to Performance MonitoringA Modern Approach to Performance Monitoring
A Modern Approach to Performance MonitoringCliff Crocker
 
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger Bartel
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger BartelWeb Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger Bartel
Web Performance in the Age of HTTP2 - Topconf Tallinn 2016 - Holger BartelHolger Bartel
 
Cache is King
Cache is KingCache is King
Cache is KingSteve Souders
 
Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)Dave Olsen
 
Stress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloudStress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloudAndy Kucharski
 
How Can You Make Your Website Faster?
How Can You Make Your Website Faster?How Can You Make Your Website Faster?
How Can You Make Your Website Faster?HTS Hosting
 
How to make WordPress Faster in 2019
How to make WordPress Faster in 2019How to make WordPress Faster in 2019
How to make WordPress Faster in 2019Dan Bochichio
 
Challenges in test automation for web apps
Challenges in test automation for web appsChallenges in test automation for web apps
Challenges in test automation for web appsSudara Fernando
 
Html5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love HandlesHtml5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love HandlesChris Love
 
Performace optimization (increase website speed)
Performace optimization (increase website speed)Performace optimization (increase website speed)
Performace optimization (increase website speed)clickramanm
 
Frontend SPOF
Frontend SPOFFrontend SPOF
Frontend SPOFPatrick Meenan
 
Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)Dave Olsen
 
Performance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LYPerformance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LYMongoDB
 
How to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance GainsHow to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance GainsCloudflare
 
implement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflowimplement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflowWordPress
 
Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018Cliff Crocker
 
Implementing a Responsive Image Strategy
Implementing a Responsive Image StrategyImplementing a Responsive Image Strategy
Implementing a Responsive Image StrategyChris Love
 
Performance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management ServicePerformance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management ServiceMichael De Lorenzo
 
Lazy load Website Assets
Lazy load Website AssetsLazy load Website Assets
Lazy load Website AssetsChris Love
 
Website speed optimization techniques
Website speed optimization techniquesWebsite speed optimization techniques
Website speed optimization techniquesValueCoders
 
Speed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan HanesSpeed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan HanesMeagan Hanes
 
Improving frontend performance
Improving frontend performanceImproving frontend performance
Improving frontend performanceSagar Desarda
 
Website Performance
Website PerformanceWebsite Performance
Website PerformanceHugo Fonseca
 
BD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginningBD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginningPeter McLachlan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)Dave Olsen
 
Stress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloudStress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloudAndy Kucharski
 
How Can You Make Your Website Faster?
How Can You Make Your Website Faster?How Can You Make Your Website Faster?
How Can You Make Your Website Faster?HTS Hosting
 
How to make WordPress Faster in 2019
How to make WordPress Faster in 2019How to make WordPress Faster in 2019
How to make WordPress Faster in 2019Dan Bochichio
 
Challenges in test automation for web apps
Challenges in test automation for web appsChallenges in test automation for web apps
Challenges in test automation for web appsSudara Fernando
 
Html5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love HandlesHtml5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love HandlesChris Love
 
Performace optimization (increase website speed)
Performace optimization (increase website speed)Performace optimization (increase website speed)
Performace optimization (increase website speed)clickramanm
 
Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)Dave Olsen
 
Performance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LYPerformance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LYMongoDB
 
How to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance GainsHow to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance GainsCloudflare
 
implement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflowimplement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflowWordPress
 
Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018Cliff Crocker
 
Implementing a Responsive Image Strategy
Implementing a Responsive Image StrategyImplementing a Responsive Image Strategy
Implementing a Responsive Image StrategyChris Love
 
Performance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management ServicePerformance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management ServiceMichael De Lorenzo
 
Lazy load Website Assets
Lazy load Website AssetsLazy load Website Assets
Lazy load Website AssetsChris Love
 
Website speed optimization techniques
Website speed optimization techniquesWebsite speed optimization techniques
Website speed optimization techniquesValueCoders
 
Speed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan HanesSpeed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan HanesMeagan Hanes
 

Was ist angesagt? (19)

Cache is King
Cache is KingCache is King
Cache is King
 
Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)Optimizing web performance (Fronteers edition)
Optimizing web performance (Fronteers edition)
 
Stress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloudStress Test Drupal on Amazon EC2 vs. RackSpace cloud
Stress Test Drupal on Amazon EC2 vs. RackSpace cloud
 
How Can You Make Your Website Faster?
How Can You Make Your Website Faster?How Can You Make Your Website Faster?
How Can You Make Your Website Faster?
 
How to make WordPress Faster in 2019
How to make WordPress Faster in 2019How to make WordPress Faster in 2019
How to make WordPress Faster in 2019
 
Challenges in test automation for web apps
Challenges in test automation for web appsChallenges in test automation for web apps
Challenges in test automation for web apps
 
Html5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love HandlesHtml5 Fit: Get Rid of Love Handles
Html5 Fit: Get Rid of Love Handles
 
Performace optimization (increase website speed)
Performace optimization (increase website speed)Performace optimization (increase website speed)
Performace optimization (increase website speed)
 
Frontend SPOF
Frontend SPOFFrontend SPOF
Frontend SPOF
 
Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)Measuring Web Performance (HighEdWeb FL Edition)
Measuring Web Performance (HighEdWeb FL Edition)
 
Performance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LYPerformance Tuning on the Fly at CMP.LY
Performance Tuning on the Fly at CMP.LY
 
How to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance GainsHow to Flip a Switch for 55% Web Performance Gains
How to Flip a Switch for 55% Web Performance Gains
 
implement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflowimplement lighthouse-ci with your web development workflow
implement lighthouse-ci with your web development workflow
 
Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018Measuring What Matters - Fluent Conf 2018
Measuring What Matters - Fluent Conf 2018
 
Implementing a Responsive Image Strategy
Implementing a Responsive Image StrategyImplementing a Responsive Image Strategy
Implementing a Responsive Image Strategy
 
Performance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management ServicePerformance Tuning On the Fly at CMP.LY Using MongoDB Management Service
Performance Tuning On the Fly at CMP.LY Using MongoDB Management Service
 
Lazy load Website Assets
Lazy load Website AssetsLazy load Website Assets
Lazy load Website Assets
 
Website speed optimization techniques
Website speed optimization techniquesWebsite speed optimization techniques
Website speed optimization techniques
 
Speed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan HanesSpeed up your site! #wcmtl2015 by Meagan Hanes
Speed up your site! #wcmtl2015 by Meagan Hanes
 

Ähnlich wie Tips tricks deliver_high_performing_secure_web_pages

Improving frontend performance
Improving frontend performanceImproving frontend performance
Improving frontend performanceSagar Desarda
 
Website Performance
Website PerformanceWebsite Performance
Website PerformanceHugo Fonseca
 
BD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginningBD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginningPeter McLachlan
 
Cvcc performance tuning
Cvcc performance tuningCvcc performance tuning
Cvcc performance tuningJohn McCaffrey
 
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeedAD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeededm00se
 
Supercharge Application Delivery to Satisfy Users
Supercharge Application Delivery to Satisfy UsersSupercharge Application Delivery to Satisfy Users
Supercharge Application Delivery to Satisfy UsersNGINX, Inc.
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperOfer Zelig
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...Amazon Web Services
 
Best Practices for WordPress in Enterprise
Best Practices for WordPress in EnterpriseBest Practices for WordPress in Enterprise
Best Practices for WordPress in EnterpriseTaylor Lovett
 
An Introduction to Pagespeed Optimisation
An Introduction to Pagespeed OptimisationAn Introduction to Pagespeed Optimisation
An Introduction to Pagespeed OptimisationPratyush Majumdar
 
Progressive Web App
Progressive Web AppProgressive Web App
Progressive Web AppSaleemMalik52
 
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...Izabela Wisniewska
 
20 tips for website performance
20 tips for website performance20 tips for website performance
20 tips for website performanceAndrew Siemer
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterpriseTaylor Lovett
 
The Accessible Web
The Accessible WebThe Accessible Web
The Accessible WebSteven Lambert
 
Performance Optimization in Drupal 8
Performance Optimization in Drupal 8Performance Optimization in Drupal 8
Performance Optimization in Drupal 8valuebound
 
Optimization of modern web applications
Optimization of modern web applicationsOptimization of modern web applications
Optimization of modern web applicationsEugene Lazutkin
 
10 things you can do to speed up your web app today stir trek edition
10 things you can do to speed up your web app today stir trek edition10 things you can do to speed up your web app today stir trek edition
10 things you can do to speed up your web app today stir trek editionChris Love
 

Ähnlich wie Tips tricks deliver_high_performing_secure_web_pages (20)

Improving frontend performance
Improving frontend performanceImproving frontend performance
Improving frontend performance
 
Website Performance
Website PerformanceWebsite Performance
Website Performance
 
BD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginningBD Conf: Visit speed - Page speed is only the beginning
BD Conf: Visit speed - Page speed is only the beginning
 
Cvcc performance tuning
Cvcc performance tuningCvcc performance tuning
Cvcc performance tuning
 
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeedAD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
 
Supercharge Application Delivery to Satisfy Users
Supercharge Application Delivery to Satisfy UsersSupercharge Application Delivery to Satisfy Users
Supercharge Application Delivery to Satisfy Users
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET Developer
 
Salesforce Performance hacks - Client Side
Salesforce Performance hacks - Client SideSalesforce Performance hacks - Client Side
Salesforce Performance hacks - Client Side
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
 
Best Practices for WordPress in Enterprise
Best Practices for WordPress in EnterpriseBest Practices for WordPress in Enterprise
Best Practices for WordPress in Enterprise
 
An Introduction to Pagespeed Optimisation
An Introduction to Pagespeed OptimisationAn Introduction to Pagespeed Optimisation
An Introduction to Pagespeed Optimisation
 
Progressive Web App
Progressive Web AppProgressive Web App
Progressive Web App
 
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...
Brighton SEO July 2021 How JavaScript is preventing you from passing Core W...
 
20 tips for website performance
20 tips for website performance20 tips for website performance
20 tips for website performance
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterprise
 
The Accessible Web
The Accessible WebThe Accessible Web
The Accessible Web
 
Progressive Web Apps
Progressive Web AppsProgressive Web Apps
Progressive Web Apps
 
Performance Optimization in Drupal 8
Performance Optimization in Drupal 8Performance Optimization in Drupal 8
Performance Optimization in Drupal 8
 
Optimization of modern web applications
Optimization of modern web applicationsOptimization of modern web applications
Optimization of modern web applications
 
10 things you can do to speed up your web app today stir trek edition
10 things you can do to speed up your web app today stir trek edition10 things you can do to speed up your web app today stir trek edition
10 things you can do to speed up your web app today stir trek edition
 

KĂźrzlich hochgeladen

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

KĂźrzlich hochgeladen (20)

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Tips tricks deliver_high_performing_secure_web_pages

  • 1. Tips & Tricks to deliver high performing and secure web pages GauravVerma, Harsh Agarwal
  • 2. Why? • Why do time and performance matter? • Why don’t we like to wait? • Why does faster not always mean better in the online world?
  • 3. PERFORMANCE OPTIMIZATION process of improving the delivery speed of services, feedback or any other type of response action in order to meet a user’s expectation.
  • 4. Psychological time durations • 0.1 to 0.2 seconds: range of the maximum acceptable response time to simulate instantaneous behavior • 0.5 to 1 seconds: maximum response time for immediate behavior • 2 to 5 seconds: flow or optimal experience as a state when people experience concentration, absolute absorption in an activity • 5 to 10 seconds: user would still be focused on their task but would become easily distracted 10 seconds as the absolute maximum time of a user’s attention span
  • 5. 20% RULE • In 1834, Ernst Heinrich Weber, postulated a law that denes “Just Noticeable Difference” (JND) as the minimum difference in stimulation that a person can detect most of the time. • Fechner applied the law to the measurement of sensations, setting the basis for the science of psychophysics.
  • 6. 20% RULE • This work by Weber and Fechner is known to us as the Weber-Fechner Law. • Practical experiments in psychophysics show that time intervals are prone to a JND of between 7% to 18% on average for shorter periods
  • 7. 20% RULE • Good rule of thumb is to simplify the Weber-Fechner Law into a 20% rule. • In order for users to barely see a difference in time duration, it has to be changed by a minimum of 20%
  • 8. 5.0 seconds 4.5 seconds
  • 9. 5.0 seconds 4.0 seconds
  • 10. Regression allowance • Technique also works in the opposite direction • If you are developing a feature that slows down your web page, you could apply the 20% rule to determine whether the performance decrease will be noticed by users at all. • Allowing our code to be a bit slower without harming the user experience is called regression allowance.
  • 11. Neutralization Time neutralization occurs when the time difference between two services is noticeable but does not influence the user’s preference of one service over another
  • 12. • We cannot decrease the search response time to 2 seconds. • If 2 seconds is out of reach, the next best solution would be to use the 20% • Rule of regression allowance relative to the competitor’s time: 2 seconds + 20% = 2.4 seconds. But if we cannot achieve 2 seconds, then 2.4 seconds is probably also out of reach.
  • 13. • Thankfully, there exists a “magical” psychological threshold. • Time durations longer than this threshold will be perceived by the user as being closer to 5 seconds. • Time durations shorter than that threshold will be perceived as being closer to 2 seconds. This threshold proved to be predictable and is found at the geometric mean, instead of an arithmetical one. √(2 × 5) ≈ 3.2 seconds
  • 15. Preemptive start • dns-prefetch:This is useful for pre-resolving domain names that are found lower down on the page. • preconnect:This hint is used not only to pre- resolve a domain name, but to initiate a full connection handshake. • prefetch:This hint has the lowest priority and is used to prefetch assets or resources required for future navigation. • prerender:This enables background pre- rendering of an entire page, with all of its assets.
  • 17. • Instantaneous (0.1–0.2s): No need for any activity indicator. • Immediate (0.5–1s): spinners or very basic progress indicator • Optimal experience (1.0-5.0s): optimal indicator would be a class D or a simplied class A indicator – there is no need to draw a user’s attention to additional information. • Attention Span (5-10s): we should show a dynamic indicator of class A or B where the advance of the process is clear.
  • 19. Be 20% faster than your fastest competitor. • Focus on important metrics other than full-page loading time. • First meaningful paint - the time required for a page to display its primary content • Time to interactive - the time at which a page appears to be ready enough that a user can interact with it UsefulTools: •WebpageTest •Lighthouse by Google •Pagespeed Insights
  • 20. 100-millisecond response time, 60 frames per second. • Do your best to provide feedback in less than 100 milliseconds after initial input. • Each frame of animation should be completed in less than 16 milliseconds, thereby achieving 60 frames per second • Because the browser needs time to paint the new frame to the screen your code should nish executing before hitting the 16.6 milliseconds mark.
  • 21. First meaningful paint under 1.25 seconds • Your ultimate goal should be a start rendering time under 1.0 second and a SpeedIndex value under 1000 (on a fast connection) • For the rst meaningful paint, count on 1250 milliseconds at most. • For mobile, a start rendering time under 3 seconds for 3G on a mobile device is acceptable.
  • 22. Progressive enhancement • Keeping progressive enhancement as the guiding principle of your front-end architecture and deployment is a safe bet • Design and build the core experience rst, and then enhance the experience with advanced features for capable browsers
  • 23. Accelerated Mobile Page • You can achieve good performance without them, but AMP does provide a solid performance framework with a free content delivery network (CDN) • You could build progressive web AMPs, too.
  • 24. Consider micro-optimization and progressive booting • Display skeleton screens instead of loading indicators. • Look for modules and techniques to speed up the initial rendering time • Use server-side rendering to get a quick rst meaningful paint. • Also include some minimal JavaScript to keep the time-to- interactive close to the rst meaningful paint.
  • 25. Are HTTP cache headers set properly? • Double-check that expires, cache-control, max-age and other HTTP cache headers have been set properly. • If resources are static, they should be cached indenitely - you can just change their version in the URL when needed. • If possible, use Cache- control: immutable, designed for ngerprinted static resources, to avoid revalidation * * Support only in Firefox
  • 26. Limit third-party libraries, and load JavaScript asynchronously. • As developers, we have to explicitly tell the browser not to wait and to start rendering the page. • The way to do this for scripts is with the defer and async attributes in HTML • In practice, it turns out we should prefer defer to async • limit the impact of third- party libraries and scripts, especially with social sharing buttons and <iframe> embeds
  • 27. Are images properly optimized? • As far as possible, use responsive images with srcset, sizesand the <picture> element • mozJPEG improves the start rendering time by manipulating scan levels • Pingo for PNG, Lossy GIF for GIF and SVGOMG for SVG. For background images, exporting photos from Photoshop with 0 to 10% quality can be absolutely acceptable as well.
  • 28. Are web fonts optimized? • start rendering text in the fallback right away, and load fonts asynchronously • You might be able to get away with locally installed OS fonts as well. • If you can’t serve fonts from your server and are relying on third-party hosts, make sure to use Web Font Loader
  • 29. Push critical CSS quickly • To ensure that browsers start rendering your page as quickly as possible, add critical CSS inline in the <head> of the page. • With HTTP/2, critical CSS could be stored in a separate CSS le and delivered via a server push without bloating the HTML.
  • 30. 14 Rules for Faster-Loading Web Sites • Make Fewer HTTP Requests • Use a Content Delivery Network • Add an Expires Header • Gzip Components • Put Stylesheets at theTop • Put Scripts at the Bottom • Avoid CSS Expressions • Make JavaScript and CSS External • Reduce DNS Lookups • Minify JavaScript • Avoid Redirects • Remove Duplicate Scripts • Congure ETags • Make AJAX Cacheable
  • 33. WHAT IS XSS ? • XSS refers to client-side code injection attack • Occurs when a web application makes use of unvalidated or unencoded user input within the output it generates. • Most commonly using a script in JS. • TwoType : Reflected, Persistent
  • 34. HOW XSS WORKS ? 1.The attacker injects a payload in the website’s database by submitting a vulnerable form with some malicious JavaScript
  • 35. HOW XSS WORKS ? 2.The victim requests the web page from the website.
  • 36. HOW XSS WORKS ? 3.The website serves the victim’s browser the page with the attacker’s payload as part of the HTML body.
  • 37. HOW XSS WORKS ? 4.The victim’s browser will execute the malicious script inside the HTML body.
  • 38. HOW XSS WORKS ? In this case it would send the victim’s cookie to the attacker’s server, after which the attacker can use the victim’s stolen cookie for impersonation.
  • 39. HOWTO STOP IT ? X-XSS-Protection: 0 turns it off.
  • 40. HOWTO STOP IT ? X-XSS-Protection: 1 (Default) will lter out scripts that came from the request - but will still render the page
  • 41. HOWTO STOP IT ? X-XSS-Protection: 1; mode=block (Recommended) when triggered, will block the whole page
  • 43. WHY CSP ? • CSP gives you a language to dene where the browser can load resources from. • You can white list origins for scripts, images, fonts, stylesheets, etc in a very granular manner.
  • 44. EXAMPLE You can also compare any loaded content against a hash or signature.
  • 45. HOW ?
  • 48. WHY? • Clickjacking is a thing • Eg: Sharing or liking links on Facebook • PlayingYouTube videos to gain views • Downloading and running a malware • Making users follow someone onTwitter
  • 49. EXAMPLE Hijacking camera/microphone by loading this page in an invisible iframe, and tricking user into altering the security settings of Flash
  • 51. X CONTENT TYPE OPTIONS
  • 52. WHAT DOES IT DO? • MIME snifng is browser feature. • Browsers inspect the contents while ignoring the content type header. • This might open XSS vulnerability. • X-Content-Type-Options overrides the default browser behaviour.
  • 53. HOW ?
  • 55. THE FINE PRINT • There are three different options for cookies that you should be aware of. • secure; will only be served over HTTPS only • HttpOnly; prevents js from accessing cookies • SameSite; helps defend against CSRF attacks.
  • 56. THE FINER PRINT • SameSite cookies are still experimental and not yet supported by all browsers. • If you use a cookie only to identify a server-side session, the HttpOnly flag should be set.
  • 60. HOWTO STOP IT ? • SynchronizerTokens • Any state changing operation requires a secure random token • Token is unique per user session • Cryptographically secure large random value
  • 61. HOWTO STOP IT? • Double Submit Cookie • SameSite cookie attribute • Require User Interaction