menu

Cross Site Scripting (XSS)

2022-02-04 Gyuri prog web security

Data (from untrusted source) gets into the application, then this data is later displayed in the website without being properly validated/sanitized/escaped.

Cross-Origin Resource Sharing

2022-02-03 Gyuri prog web security

Modern browsers apply the same-origin policy to some resources, meaning they refuse to load or restrict access to resources coming from other origins than the loaded website. Servers can implement CORS to describe which origins are permitted to load their resources.

For some HTTP requests, browsers issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available for the given origin.

PGP/GPG

2022-01-27 Gyuri prog security

PGP: Pretty Good Privacy

GPG: GNU Privacy Guard

PGP

  • from 1991
  • cryptographically sign/verify, encrypt/decrypt files, emails, etc.
  • OpenPGP standard, RFC 4880
  • key “verification” via fingerprints, Web of trust
  • public/private keys

Cellular noise

2021-06-17 Gyuri prog shader art

Random points

  • true randomness is hard
  • pseudo random number generators usually don’t have even distribution
    • or “slow”
    • or cannot be used in a parallel way
  • OpenGL does not have random API (reasons above)

And in most cases higher “entropy” is more pleasant to the eyes.

Deploying a webapp

2021-06-03 Gyuri prog web

Backend

  • app to the server
    • scp
    • git
    • maven/npm/pip/whatever
  • start it
    • prefer using a “webapp container” like tomcat or gunicorn
    • on a “high” port like 5000, 8000, 8080
  • make it start on reboot
    • systemd
    • supervisord/pm2

Core Web Vitals

2021-04-27 Gyuri prog web performance

Google: “page experience” will be (June 2021) part of search ranking

What

  • LCP: Largest Contentful Paint
  • FID: First Input Delay (RUM only)
  • CLS: Cumulative Layout Shift

Rendering content to HTML

2021-03-03 Gyuri prog web
  • offline/static
  • online/dynamic

Offline

Somebody or something generates the raw HTML “offline”, long before the request, then the generated HTML is served via a static webserver (nginx, apache, …) or CDN.

Container Queries

2021-02-08 Gyuri prog web

The problem

Currently we have media queries, but in most cases widgets have not the full width of the viewport.

CSS Painting API

2021-01-15 Gyuri prog web art

One of the new CSS Houdini APIs:

  • CSS Parser API - possibility to implement sass/less/etc support
  • CSS Properties and Values API - more advanced CSS properties (variables)
  • CSS Typed OM - CSS values as typed JS objects
  • CSS Layout API - create custom layouts (like grid or flexbox)
  • CSS Painting API - draw something in CSS

WebComponents

2020-11-30 Gyuri prog web
  • reusable custom elements
  • framework independent
  • standardized