Web Authentication API

WebAuthn uses public key cryptography (asymmetric) instead of passwords or SMS texts for registration, authentication and 2FA.

  • Protection against phishing: webauthn signatures changes with the origin, so it won’t work on “similar” webpages (with different domain name).
  • Reduced impact of data breaches: it does not really matter if the public key is stolen.
  • Invulnerable to password attacks: much harder to crack it by “brute force” than passwords.

Form Data

How form data can get from the browser to the backend.

Without JS

  • action: where to send the data (URL, current URL by default)
  • method: GET, POST (and there’s dialog too…)
  • enctype: only for POST, Content-Type of the data
    • application/x-www-form-urlencoded - default, URL encoded body
    • multipart/form-data - multipart data, required for file uploads
    • text/plain - for debugging, don’t use, security issues

Rate limiting


  • DoS - Denial of Service attacks
  • Brute Force attacks
    • collect customer email addresses (signup)
    • reveal username/password pairs (login)
    • send emails (contact us, gift card)

Cross-Site Request Forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Cross Site Scripting (XSS)

Data (from untrusted source) gets into the application, then this data is later displayed in the website without being properly validated/sanitized/escaped.

Cross-Origin Resource Sharing

Modern browsers apply the same-origin policy to some resources, meaning they refuse to load or restrict access to resources coming from other origins than the loaded website. Servers can implement CORS to describe which origins are permitted to load their resources.

For some HTTP requests, browsers issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available for the given origin.

Deploying a webapp


  • app to the server
    • scp
    • git
    • maven/npm/pip/whatever
  • start it
    • prefer using a “webapp container” like tomcat or gunicorn
    • on a “high” port like 5000, 8000, 8080
  • make it start on reboot
    • systemd
    • supervisord/pm2

Core Web Vitals

Google: “page experience” will be (June 2021) part of search ranking


  • LCP: Largest Contentful Paint
  • FID: First Input Delay (RUM only)
  • CLS: Cumulative Layout Shift

Rendering content to HTML

  • offline/static
  • online/dynamic


Somebody or something generates the raw HTML “offline”, long before the request, then the generated HTML is served via a static webserver (nginx, apache, …) or CDN.

Container Queries

The problem

Currently we have media queries, but in most cases widgets have not the full width of the viewport.