Search Results
355 total results found
Tech stack and managerial considerations (non-developers)
If you're a developer, then choosing a tech stack is probably going to come down to what you are most familiar with. For non-developers, that isn't going to be as relevant per se, since if you are hiring a developer then it's just a case of them being comp...
Storing User Sessions
In most websites, user "sessions" are stored to keep users logged in, among other things. There are some important things to note about this that are explained below. User sessions aren't only for logged-in users A user session can be for any website visitor...
Apache configuration
Configuring Apache properly is essential for website security. Generally, pre-packaged webserver software (e.g. Bitnami instances) is not designed to have every security measure enabled, as some measures need to be carefully decided by the server administrato...
Language-specific configuration (e.g. PHP)
Depending on your tech stack, the language of choice that serves backend requests must be configured to handle requests and user sessions securely. This page focuses on PHP as an example. This is not an exhaustive list, as some languages have their own specif...
User Input: Sanitization and Validation
To protect your website from malicious attacks (and also simply to prevent weird errors for users), you need to sanitize and validate user input. Sanitization Sanitization means removing any potentially malicious content, like a user writing a comment that c...
Storing Credentials for Cloud Services
Your webservers usually have to connect to various services, like your database and cache servers. To do this, they will usually need to have credentials on hand to authenticate themselves. How should you store these? Best practices The Need to Know (Least-A...
Storing User Credentials
For the most part, this is about storing passwords, and understanding how to secure them properly. Password encryption algorithms When it comes to storing user passwords, the algorithm you use for doing so is always going to be a tradeoff between security st...
WebSockets-specific security practices: JSON Web Tokens
When using the WebSockets protocol, there are a lot of potential pitfalls to bear in mind that can be very confusing to really get your head around from a security standpoint. There's no real "authentication system" in WebSockets In a normal HTTPS scenario, ...
CSRF tokens and CSRF headers
CSRF Headers Adding a custom request header to 'unsafe' outgoing AJAX requests (e.g. POST requests) adds some additional protection against CSRF attacks. Article here: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_...
Introduction and Critical Points
Defending against security threats, such as XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) attacks is, like most of computer security, a case of defence-in-depth: there is no "one single approach" that defends against them. You need to use se...
Displaying user-inputted content on webpages
XSS (Cross-Site Scripting) generally results from bad practices regarding user input. For example, suppose there is a simple HTML text box for users to comment on an artwork, and a user writes: <script> alert('Execute order 66'); </script> If this comment ...
Implementing an image transcoding solution yourself
If you are going to implement your own image transcoding solution, the first thing to understand is the basic infrastructure and execution flow. Infrastructure As a reminder of the basic execution flow that was shown earlier: Your website is going to invo...
Implementation
Prerequisites Before reading this page, read the page on implementing image transcoding solutions yourself (as much of the same process is required). This page assumes you already know the steps involved in that, and focuses on specific differences you need ...
Infrastructure Overview
Before thinking about code of any sort, creating a website bigger than "Hello World!" requires a lot of infrastructure: it involves much more than simply a webserver. It will effectively have an entire network of systems and servers that work with each other t...
Choosing a 'primary' infrastructure provider
For the most part, big web infrastructure providers are fairly few in number (as the cost and difficulty of setting them up are very high). In addition, you are likely to use several features of whichever provider you choose, such as webservers / database serve...
Choosing a CDN provider
There are a lot more CDN providers than there are cloud service providers (though most of the cloud services providers also offer CDNs). For an art website in particular, but also for any site hosting large assets like big images or videos, which CDN you choos...
Choosing providers for collaboration tools (email, support, etc)
Workspace Provider For sending non-automated emails, you have a few options. The "traditional" providers - Microsoft and Google - are actually fairly expensive, and unless you plan to make use of all the features they offer, that can be an unnecessary expense...
Financial Costs Overview
Ultimately, an art website faces mostly similar costs to other websites (and extra bandwidth costs, like other media-heavy websites). Below is a list of expenses to keep in mind, roughly ordered from most expensive to least expensive. Staff If you're hiring ...
FFmpeg
Homepage https://ffmpeg.org/ What is it? An open-source library for processing and transforming videos. Why did we choose it? It's open source, well maintained, and extremely powerful. What do we use it for? Resizing and re-encoding user video uploads ...
Tech Stack Explanation Template
Homepage What is it? Why did we choose it? What do we use it for?