203 votes
Fear of web-app not being "future-proof"
Perfect is the enemy of good.
Or put another way, don't worry about it today. If your app does what it needs to do, then it's fine. It's not a bad thing to rewrite parts of software further down the ...

190 votes
Can we assume while testing software that a user wouldn't perform such silly actions on software?
You might not enter random values into fields of a web application, but there are certainly people out there who do just that.
Some people enter random values by accident and others do it intentionally trying ...

113 votes
Fear of web-app not being "future-proof"
Any thoughts on how I can overcome this mental block, and to ensure my app will be scalable?
The crux of the issue isn't scalability. The crux of the issue is thinking that you will get it right the ...

101 votes
Can we assume while testing software that a user wouldn't perform such silly actions on software?
Never Assume Anything
You cannot assume that any user will not do something "dumb" with your software by accident or on purpose. Users can accidentally press the wrong button, the cat can ...

72 votes
How and why did modern web application frameworks evolve to decouple URL routes from the file system?
In its most basic form, a website serves static files. Mapping the URL path to a file path is the most obvious choice; essentially, it's a read-only FTP site.
Then people wanted to change the content ...

68 votes (accepted)
Is it common practice to validate responses from 3rd party APIs?
Absolutely. For starters, you never know that somebody hasn't hacked into your connection and the reply you receive doesn't come from the API at all.
And some time in the last two weeks I think ...

60 votes
Can we assume while testing software that a user wouldn't perform such silly actions on software?
There are several factors to take into account. To illustrate those points, I'll use an example of a field where a user should enter a percentage in a context of a quota defined for a specific task in ...

56 votes
Why is XSLT so rarely used on the web?
XSLT does not really have a useful role in the modern interactive web. The purpose of XSLT is to transform from one XML language into another - but you actually never need to do that in the first ...

43 votes
Is it common practice to validate responses from 3rd party APIs?
Somebody else's API is your external interface. You shouldn't blindly trust anything that crosses that boundary. Your future debuggers will thank you for not propagating the other system's errors ...

40 votes
How and why did modern web application frameworks evolve to decouple URL routes from the file system?
You can look to a white paper by Roy Fielding on REpresentational State Transfer (REST) as to the when and the why. The first framework I was aware of that made the distinction between a resource and ...

37 votes (accepted)
How can I prevent a user from editing my code in their browser?
You literally cannot prevent users from accessing and modifying content that you are sending them. You have no control over the browser, or which browser they use, or whether they are in fact ...

23 votes
How can I prevent a user from editing my code in their browser?
You can't. One of the fundamental rules of computing: you can't trust the client. Whatever clever scheme you think of, I can get round it if I am in control of the client.
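The two answers above make the same point: you cannot stop the user from modifying what their browser holds. The added example below (mine, not code from either answer) shows the server-side consequence of that rule: every value the client posts is re-derived from server data, and where state genuinely has to round-trip through the client it is signed with an HMAC so that tampering is detected rather than prevented. The catalog, the `SECRET` key and the request shapes are assumptions made up for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side catalog: the only trusted source for prices (cents).
CATALOG = {"SKU-1": 1999, "SKU-2": 499}
# Assumed server-only signing key; a real deployment loads it from a secret store.
SECRET = b"example-key-rotate-out-of-band"


def checkout(client_items):
    """Price a cart from what the browser posted, trusting none of it.

    client_items is the decoded request body, e.g.
    [{"sku": "SKU-1", "qty": 2, "price": 1}]. The client-supplied "price"
    is ignored, unknown SKUs and bad quantities are rejected, and the total
    is recomputed from CATALOG.
    """
    if not isinstance(client_items, list) or not client_items:
        return {"ok": False, "error": "cart must be a non-empty list"}
    total = 0
    for item in client_items:
        if not isinstance(item, dict):
            return {"ok": False, "error": "item is not an object"}
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            return {"ok": False, "error": f"unknown sku {sku!r}"}
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
            return {"ok": False, "error": f"bad quantity {qty!r} for {sku}"}
        total += CATALOG[sku] * qty
    return {"ok": True, "total_cents": total}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_state(state, secret=SECRET):
    """Serialise state and attach an HMAC-SHA256 tag so it can round-trip
    through the client (hidden field, cookie, URL) and still be trusted."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_state(token, secret=SECRET):
    """Return the embedded state if the tag verifies, otherwise None."""
    try:
        payload_b64, tag_b64 = token.rsplit(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None
```

Signing only proves the state came from the server unmodified; it does not hide it from the user, and it does not stop replay of an old but validly signed token, so anything replay-sensitive still needs a server-side record or an expiry inside the signed payload.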

22 votes (accepted)
How to design for API use cases that need different data from the same table?
In the end, there is no "right" or "wrong" in this situation, so my advice can only be on a very general level.
You seem to be falling into the trap of leaking a certain design ...

21 votes
Why is XSLT so rarely used on the web?
Depends what you mean by "in Web".
XSLT is very widely used. As far as we can judge from metrics like the number of StackOverflow questions, it is in the top 30 programming languages, which probably ...

20 votes
How and why did modern web application frameworks evolve to decouple URL routes from the file system?
I don't think it's an artefact of modern web application frameworks, it's mostly an artefact of dynamic page serving in general.
In the old days there were mostly static web pages, where a software ...

18 votes
Fear of web-app not being "future-proof"
Despite the enormous amount of money Facebook and Google have poured into marketing to convince you otherwise, front end frameworks exist for two primary reasons:
First, offloading hardware/network ...

17 votes
Is it common practice to validate responses from 3rd party APIs?
Is your API-boundary also a trust-boundary?
As you are communicating with a remote system, that's nearly a certainty. Even if the remote system itself might be trusted, the medium might not be.
...
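The accepted answer (68 votes) and this one both treat the third-party API as a trust boundary. What "validating the response" looks like in code is an added example of my own, not taken from either answer: a constructed reply from a hypothetical payment-status endpoint is checked for size, content type, JSON shape, an exact key set, types, value ranges and, importantly, that it is about the order that was actually requested. The endpoint, field names and sample bodies are all assumptions for the example.

```python
import json

ALLOWED_STATUS = {"pending", "settled", "refused"}
EXPECTED_KEYS = {"order_id", "status", "amount_cents", "currency"}
MAX_BODY_BYTES = 64 * 1024


class UpstreamError(Exception):
    """The third-party reply failed validation; it must not reach business logic."""


def parse_payment_status(body, expected_order_id, content_type="application/json"):
    """Validate a hypothetical payment-status reply before trusting any field."""
    # Bound the work before parsing: a huge or mis-typed body is already a red flag
    # (an HTML maintenance page served with a 200 is a classic).
    if len(body) > MAX_BODY_BYTES:
        raise UpstreamError("body exceeds size limit")
    if content_type.split(";", 1)[0].strip().lower() != "application/json":
        raise UpstreamError(f"unexpected content type {content_type!r}")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise UpstreamError(f"body is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise UpstreamError("top-level value is not an object")
    # Exact key set: missing fields and surprise extras are both rejected.
    if set(data) != EXPECTED_KEYS:
        raise UpstreamError(f"unexpected key set {sorted(data)}")
    # The reply must be about the order we asked for, not a replayed or mixed-up one.
    if data["order_id"] != expected_order_id:
        raise UpstreamError("order_id does not match the request")
    status = data["status"]
    if not isinstance(status, str) or status not in ALLOWED_STATUS:
        raise UpstreamError(f"unknown status {status!r}")
    amount = data["amount_cents"]
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 <= amount <= 10_000_000:
        raise UpstreamError(f"amount out of range: {amount!r}")
    currency = data["currency"]
    if not (isinstance(currency, str) and len(currency) == 3
            and currency.isascii() and currency.isalpha() and currency.isupper()):
        raise UpstreamError(f"bad currency {currency!r}")
    # Return a fresh object built only from validated values.
    return {"order_id": expected_order_id, "status": status,
            "amount_cents": amount, "currency": currency}


def rejection_reason(body, expected_order_id, content_type="application/json"):
    """None if the reply is acceptable, otherwise the validation failure."""
    try:
        parse_payment_status(body, expected_order_id, content_type)
    except UpstreamError as exc:
        return str(exc)
    return None


# Constructed sample replies for a made-up order id.
GOOD = '{"order_id": "ord-42", "status": "settled", "amount_cents": 1999, "currency": "EUR"}'
EXTRA_FIELD = '{"order_id": "ord-42", "status": "settled", "amount_cents": 1999, "currency": "EUR", "debug": true}'
WRONG_ORDER = '{"order_id": "ord-41", "status": "settled", "amount_cents": 1999, "currency": "EUR"}'
NEGATIVE = '{"order_id": "ord-42", "status": "settled", "amount_cents": -5, "currency": "EUR"}'
```

Rejecting unknown keys is deliberate: it turns a silent upstream schema change into a loud failure on your side, which is what the 43-vote answer's "future debuggers" want. If the provider documents that extra fields may appear, relax that single check rather than the others.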

16 votes (accepted)
Is it a good practice to hide the framework used in a web application?
Hiding your framework does not guarantee security. But it makes successful attacks less easy.
Even assuming that all your software is up to date, if you broadcast the fact that you are using ...

16 votes
Use Case of HTTP GET Request with a Body
GET requests with a body are supported in the HTML specs.
See the Stack Overflow question Is this statement correct? HTTP GET method always has no message body for a discussion.
However, it's unusual. ...

12 votes
Can we assume while testing software that a user wouldn't perform such silly actions on software?
There are a lot of good answers here that describe why this is important, but not a lot of advice on how to sensibly protect your application. The "standard practice" is to use robust input ...

12 votes
How and why did modern web application frameworks evolve to decouple URL routes from the file system?
One reason is that loading a file from disk on every request is slow, so web servers started creating ways to cache files in memory, then if you're going to try to keep it in memory anyway, why does ...

11 votes
Why does Facebook obfuscate the names of CSS classes?
Another likely answer is that they use this to subvert adblockers.
These usually select elements for removal based on their css attributes, i.e.:
class="post promoted".
Obfuscating the css names makes ...

11 votes
Can we assume while testing software that a user wouldn't perform such silly actions on software?
Usually the 'random' values are not random. You are attempting to capture edge cases, the "unknown unknown".
Say for example the # character will crash you app. You don't know this in advance and it ...
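Three answers to this question (the 60-vote one with its percentage-quota field, the 12-vote one recommending robust input validation, and this one about random values uncovering the "unknown unknown") are served by one added example of my own, not code from any of the answers. It is a strict parser for a percentage field that accepts a narrow, explicitly described set of inputs and raises one well-defined error for everything else, followed by a randomised driver that throws junk (including `#`, NUL bytes, non-ASCII digits and `NaN`-like fragments) at the parser and counts any exception that is not the parser's own. The field limits and the alphabet of junk are assumptions for the example.

```python
import random
import re
from decimal import Decimal

# Only ASCII digits, an optional two-place fraction, optional "%" and padding.
# re.ASCII keeps \d and \s from matching non-ASCII digits and spaces.
_PERCENT_RE = re.compile(r"^\s*(\d{1,3})(?:\.(\d{1,2}))?\s*%?\s*$", re.ASCII)
MAX_FIELD_LEN = 16  # assumed: nobody needs more characters than "100.00 %"


class InvalidPercent(ValueError):
    """The only exception parse_percent is allowed to raise."""


def parse_percent(raw):
    """Return a Decimal in [0, 100] or raise InvalidPercent."""
    if not isinstance(raw, str):
        raise InvalidPercent("not a string")
    if len(raw) > MAX_FIELD_LEN:
        raise InvalidPercent("too long")
    m = _PERCENT_RE.match(raw)
    if m is None:
        raise InvalidPercent("not a percentage")
    # Build the Decimal from the matched digits only; never from raw.
    value = Decimal(f"{m.group(1)}.{m.group(2) or '0'}")
    if value > 100:
        raise InvalidPercent("above 100")
    return value


def is_valid_percent(raw):
    try:
        parse_percent(raw)
    except InvalidPercent:
        return False
    return True


def fuzz_parse_percent(iterations=5000, seed=1):
    """Throw junk at the parser; count inputs that escape its error type."""
    rng = random.Random(seed)
    # Constructed alphabet: digits, separators, the "#" from the answer, signs,
    # exponent markers, control and NUL bytes, Arabic-Indic digits, NBSP,
    # infinity, and letters that could spell NaN/Infinity.
    alphabet = "0123456789.%#-+eE \t\n\x00" + "\u0661\u0662\u00a0\u221e" + "NaInfity"
    accepted = unexpected = 0
    for _ in range(iterations):
        candidate = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 20)))
        try:
            parse_percent(candidate)
            accepted += 1
        except InvalidPercent:
            pass
        except Exception:  # anything else is a bug in the parser
            unexpected += 1
    return {"accepted": accepted, "unexpected_exceptions": unexpected}
```

The driver is not a substitute for a real fuzzer, but the shape is the one that matters: an allow-list parser plus a harness whose only assertion is "no exception other than mine". If you replace the regex-and-Decimal core with something that calls `float(raw)`, the harness will immediately show why: `float("nan")`, `float("1e400")` and `float("\u0663")` all succeed, and the values are not percentages.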

11 votes
How and why did modern web application frameworks evolve to decouple URL routes from the file system?
One of the major reasons is likely that this approach of mapping URIs to file paths has led to a large number of accidental releases of data via File Path Traversal
When you map the path to the file ...
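The answer above names path traversal as a consequence of mapping URL paths straight onto the file system. As an added example (mine, not from the answer), here is the naive mapping it describes next to a lexical check that rejects any request resolving outside the document root, including percent-encoded and NUL-byte variants. The `DOCROOT` value and the request paths are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root: absolute, no trailing slash


def resolve_static_naive(root, url_path):
    """The pattern the answer warns about: the URL path glued onto the root."""
    return root + "/" + url_path


def resolve_static(root, url_path):
    """Map a URL path onto a file under root; None if it would escape root.

    Purely lexical (posixpath never touches the disk), so it is safe to run
    on untrusted input before any filesystem access happens.
    """
    decoded = unquote(url_path)  # decode once: %2e%2e must not survive as ".."
    # NUL truncates paths in C APIs; backslashes only matter on Windows, but
    # rejecting them costs nothing for a POSIX document root.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Strip leading slashes so join() cannot treat the request as absolute,
    # then collapse ".", ".." and repeated separators.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

Two caveats a reviewer would raise. First, `normpath` does not follow symlinks, so a link inside the docroot pointing outside it still passes; on the real server, `os.path.realpath` the final candidate and repeat the prefix check, or open it with an `RESOLVE_BENEATH`-style API where available. Second, double-encoded input (`%252e%252e`) is decoded exactly once here and becomes a literal directory name rather than `..`; that is the safe outcome, but only because decoding is done once and never again downstream.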

11 votes
How to solve form submission consistency in a web application?
This is a pretty common problem, and one of the reasons that web applications tend to commit right away after any change. Sometimes the right answer is do nothing. You have to decide up front how ...

10 votes
Where should I do localization (server-side or client-side)?
Have clients send the standardized Accept-Language header in requests, then localize on the server and include a Content-Language header in responses. See RFC 7231 Section 5.3.5 for details.
...
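The answer above says to negotiate on the server from `Accept-Language` and answer with `Content-Language`; the added example below (my code, not the answer's) does that negotiation: it parses the header with its q-values, drops malformed elements instead of failing the request, honours `q=0` as "not acceptable" even when `*` is present, and matches ranges to supported tags with RFC 4647 basic filtering (`en` matches `en-GB`, not `eng`). The supported-language lists in the usage are assumptions.

```python
import re

# One element of Accept-Language: a language range (or "*") and an optional
# q-value in [0, 1] with at most three decimals, as RFC 7231 section 5.3.1 allows.
_RANGE_RE = re.compile(
    r"^\s*(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"\s*(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)


def parse_accept_language(header):
    """Return [(range, q)] in header order; malformed elements are dropped."""
    out = []
    for part in (header or "").split(","):
        m = _RANGE_RE.match(part)
        if m is None:
            continue  # e.g. an empty element, ";q=garbage" or q=2
        q = float(m.group(2)) if m.group(2) is not None else 1.0
        out.append((m.group(1).lower(), q))
    return out


def _matches(language_range, tag):
    """RFC 4647 basic filtering: "en" matches "en" and "en-gb", not "eng"."""
    return (language_range == "*" or tag == language_range
            or tag.startswith(language_range + "-"))


def negotiate_language(header, supported, default):
    """Pick the supported tag the client values most, or default."""
    ranges = parse_accept_language(header)
    # q=0 on a specific range means "not acceptable", even if "*" also appears.
    excluded = [r for r, q in ranges if q == 0 and r != "*"]
    best, best_q = None, 0.0
    for language_range, q in ranges:
        if q == 0:
            continue
        for tag in supported:
            tag_lc = tag.lower()
            if any(_matches(ex, tag_lc) for ex in excluded):
                continue
            # Strict ">" keeps header order on ties, and supported order within a range.
            if _matches(language_range, tag_lc) and q > best_q:
                best, best_q = tag, q
                break
    return best if best is not None else default


def response_headers(chosen):
    """Headers to send with the localised body; Vary stops shared caches
    from handing one user's language to the next."""
    return {"Content-Language": chosen, "Vary": "Accept-Language"}
```

Basic filtering is deliberately strict: a client sending only `en-US` will not match a server that offers only `en`. If you want that fallback, add a second pass that retries each range with just its primary subtag; do it explicitly rather than by loosening `_matches`, so `en` still cannot match `eng`.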

10 votes (accepted)
How do sites like LeetCode & HackerRank test your code for correctness?
If you notice, most of these systems are setup in such a way that you're going to get some well known string input and have to produce some well known string output. At that point, they can take your ...

10 votes (accepted)
Email Confirmation links must be GET, but not safe
Rather than being language lawyers and analysing the spec, let's look at the possible downside of a GET request changing the state in this case:
The action might be triggered without user interaction,...

9 votes
REST-based desktop application
Platform independency of the GUI is not dependent on the platform independency of the library's API, it is dependent on the platform independency of the GUI's implementation. And your GUI will not be ...

9 votes
Email Confirmation links must be GET, but not safe
Let's have a look into the RFC-7231: 4.2.1. Safe Methods. Safe methods are allowed to do state changes, although it is highly not recommended. So this is not a violation of the Standard. It's more a ...
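The accepted answer (10 votes) points at the practical downside of a state-changing GET, namely that mail scanners and link prefetchers can trigger it without the user, while this answer argues it is not strictly a violation of RFC 7231. The added example below is my own, not code from either answer: the link in the e-mail stays a GET, but that GET only renders a confirmation form, and the single request that changes state is the POST, which consumes a single-use, expiring token. The in-memory store, the fake clock and the addresses are assumptions for the example; a real deployment would keep the pending confirmations in its database.

```python
import hashlib
import html
import secrets
import time


class ConfirmationStore:
    """Single-use, expiring confirmation tokens (in-memory stand-in for a DB table)."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _key(token):
        # Store only a hash: a leaked table must not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (email, self._clock() + self._ttl)
        return token  # goes into the e-mail link only

    def peek(self, token):
        """Read-only lookup used by GET: valid or not, nothing changes."""
        entry = self._pending.get(self._key(token))
        if entry is None or entry[1] < self._clock():
            return None
        return entry[0]

    def consume(self, token):
        """Called by POST only; the token is dead after the first success."""
        email = self.peek(token)
        if email is not None:
            del self._pending[self._key(token)]
        return email


def handle_get(store, token):
    """GET /confirm?token=...: safe. It renders a form, so a scanner or
    prefetcher that follows the URL cannot complete the confirmation."""
    email = store.peek(token)
    if email is None:
        return {"status": 404, "body": "This link is invalid or has expired."}
    body = (
        '<form method="post" action="/confirm">'
        f'<input type="hidden" name="token" value="{html.escape(token)}">'
        f'<button type="submit">Confirm {html.escape(email)}</button></form>'
    )
    return {"status": 200, "body": body}


def handle_post(store, token):
    """POST /confirm: the one request that changes state."""
    email = store.consume(token)
    if email is None:
        return {"status": 404, "body": "This link is invalid or has expired."}
    return {"status": 200, "confirmed": email}


def demo_flow():
    """Drive the handlers with a fake clock; returns the HTTP statuses seen."""
    now = [1000.0]
    store = ConfirmationStore(ttl_seconds=60, clock=lambda: now[0])
    token = store.issue("alice@example.org")
    seen = [
        handle_get(store, token)["status"],   # 200: link renders
        handle_get(store, token)["status"],   # 200: renders again, nothing consumed
        handle_post(store, token)["status"],  # 200: confirmed
        handle_post(store, token)["status"],  # 404: single use
    ]
    stale = store.issue("bob@example.org")
    now[0] += 61
    seen.append(handle_get(store, stale)["status"])      # 404: expired
    seen.append(handle_post(store, "forged")["status"])  # 404: unknown token
    return seen
```

The token is the only credential in this flow, so the POST form needs no separate CSRF token: an attacker who can submit the form already holds the token, and the single-use store means a second submission does nothing. What the pattern does buy is that no party that merely fetches the link, including the user's own mail client, can confirm an address on the user's behalf.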
                
            
       
        Only top scored, non community-wiki answers of a minimum length are eligible