Are you building a public-facing website? Here is a peek at the factors you might want to consider. [Adapted from stackoverflow.com]
Factors you might want to consider when building a public facing website
Interface and User Experience
* Be aware that browsers implement standards inconsistently and make sure your site works reasonably well across all major browsers. At a minimum test against a recent Gecko engine (Firefox), a Webkit engine (Safari, Chrome, and some mobile browsers), your supported IE browsers (take advantage of the Application Compatibility VPC Images), and Opera. Also consider how browsers render your site in different operating systems.
* Consider how people might use the site other than from the major browsers: cell phones, screen readers and search engines, for example. — Some accessibility info: WAI and Section508, Mobile development: MobiForge
* Staging: How to deploy updates without affecting your users. Ed Lucas’s answer has some comments on this.
* Don’t display unfriendly errors directly to the user
* Don’t put users’ email addresses in plain text as they will get spammed to death
* Build well-considered limits into your site – This also belongs under Security.
* Learn how to do progressive enhancement
* Always redirect after a POST.
* Don’t forget to take accessibility into account. It’s always a good idea and in certain circumstances it’s a legal requirement. WAI-ARIA is a good resource in this area.
Security
* It’s a lot to digest, but the OWASP development guide covers web site security from top to bottom
* Know about SQL injection and how to prevent it (parameterized queries, never string concatenation)
* Never trust user input (cookies, request headers and hidden form fields are user input too!)
* Hash and salt passwords, using a deliberately slow hash such as bcrypt, scrypt or PBKDF2, rather than encrypting them or storing them in plain text
* Don’t try to come up with your own fancy authentication system: it’s such an easy thing to get wrong in subtle and untestable ways, and you wouldn’t even know it until after you’re hacked.
* Know the rules for processing credit cards. (See this question as well)
* Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info). Better still, serve the whole site over HTTPS and mark the session cookie Secure, so the session ID is never sent in the clear
* Know how to resist session hijacking: issue a fresh session ID on login, set the HttpOnly and Secure cookie flags, and never carry the session ID in the URL
* Avoid cross site scripting (XSS): escape all user-supplied data on output, for the context (HTML body, attribute, JavaScript, URL) it is rendered into
* Avoid cross site request forgeries (XSRF): require a per-session secret token on every state-changing request
* Keep your system(s) up to date with the latest patches
* Make sure your database connection information is secured (kept outside the document root, out of version control, and using a least-privilege database account).
* Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.
* Read The Google Browser Security Handbook
* Read The Web Application Hacker’s Handbook
Performance
* Implement caching if necessary; understand and use HTTP caching properly, as well as the HTML5 application cache manifest
* Optimize images – don’t use a 20 KB image for a repeating background
* Learn how to gzip/deflate content (deflate saves a few header bytes, but gzip is the safer choice because some browsers have historically mishandled raw deflate)
* Combine/concatenate multiple stylesheets or multiple script files to reduce the number of browser connections and improve gzip’s ability to compress duplication between files
* Take a look at the Yahoo Exceptional Performance site, lots of great guidelines including improving front-end performance and their YSlow tool. Google Page Speed is another tool for performance profiling. Both require Firebug installed.
* Use CSS image sprites for small related images like toolbars (see the “minimize HTTP requests” point)
* Busy web sites should consider splitting components across domains. Specifically…
* Minimize the total number of HTTP requests required for a browser to render the page.
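The four security items in the list above that are most often got wrong (SQL injection, password storage, XSS and XSRF), each shown next to a hardened form. This is an added example, not code from the original list or from Stack Overflow; it runs offline against an in-memory SQLite database, and the users table, the inputs and the PBKDF2 iteration count are constructed or assumed for the demo.

```python
# Added example (not part of the original list): four of the security items
# above, each shown beside a hardened form. Runs offline; the users table,
# the inputs and PBKDF2_ITERATIONS are constructed/assumed for the demo.
import hashlib
import hmac
import html
import secrets
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed value; raise it for production hardware


def setup_db():
    """In-memory SQLite database with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_vulnerable(db, name):
    """SQL injection: the caller's string becomes part of the SQL text."""
    return db.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db, name):
    """Parameter binding: the value travels separately from the statement."""
    return db.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def hash_password(password, salt=None):
    """Salted, slow hash (PBKDF2-HMAC-SHA256), stored as hex salt$hex digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def render_comment(text):
    """XSS: escape user text on output, for the HTML-body context it lands in."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def new_csrf_token():
    """Per-session random token, kept server-side and echoed into each form."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token, submitted):
    """XSRF check: submitted token must match the session's, constant time."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    db = setup_db()
    payload = "nobody' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows leak
    print("safe:      ", find_user_safe(db, payload))        # no such user
    stored = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", stored))
    print(render_comment("<script>alert(1)</script>"))
    tok = new_csrf_token()
    print("csrf ok:", csrf_ok(tok, tok), "forged:", csrf_ok(tok, "x" * 43))
```

The injected string returns every user from the vulnerable query and nothing from the bound one; the same principle applies to any driver that supports placeholders. The password functions store the salt alongside the digest because the salt is not secret, only unique; what protects the password is the slow, salted derivation and the constant-time comparison.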
SEO (Search Engine Optimization)
* Use “search engine friendly” URL’s, i.e. use example.com/pages/45-article-title instead of example.com/index.php?page=45
* Don’t use links that say “click here”. You’re wasting an SEO opportunity and it makes things harder for people with screen readers.
* Have an XML sitemap
* Use when you have multiple URLs that point to the same content
* Use Google Webmaster Tools and Yahoo Site Explorer
* Install Google Analytics right at the start (or an open source analysis tool like Piwik)
* Know how robots.txt and search engine spiders work
* Redirect requests (using 301 Moved Permanently) asking for http://www.example.com to example.com (or the other way round) to prevent splitting the Google ranking between both sites
* Know that there can be bad behaving spiders out there
* If you have non-text content look into Google’s sitemap extensions for video, etc. There is some good information about this in Tim Farley’s answer.
Technology
* Understand HTTP and things like GET, POST, sessions, cookies, and what it means to be “stateless”.
* Write your XHTML/HTML and CSS according to the W3C specifications and make sure they validate. The goal here is to avoid browser quirks modes and, as a bonus, make it much easier to work with non-standard browsers like screen readers and mobile devices.
* Learn the difference between 301 and 302 redirects (this is also an SEO issue).
* Learn as much as you possibly can about your deployment platform.
* Consider using a reset style sheet.
* Understand you’ll spend 20% of the time coding and 80% of it maintaining, so code accordingly.
* Set up a good error reporting solution.
* Have some system for people to contact you with suggestions and criticism.
* Document how the application works for future support staff and people performing maintenance.
* Make frequent backups! (And make sure those backups are functional.) Ed Lucas’s answer has some advice. Have a restore strategy, not just a backup strategy: actually restore from a backup now and then to prove it works.
* Don’t forget testing: unit tests for your own code, and browser-level tests with frameworks like Selenium for the user-visible flows.
Have you tried installing Fedora 13 and found that you can’t get past the “select storage device” step, with the system just sitting at that point? Then you may have errors with one of your storage devices. At that point Anaconda, the Fedora installer, tries to identify all of your storage devices but cannot access one or more of them.
The FDC is the Floppy Disk Controller, and the problem arises when it is enabled in the BIOS while no floppy drive is actually attached. If you switch to a terminal during the installation described above, you will notice an I/O error with device fd0. This happened to me because I had disconnected my floppy drive, and when Anaconda tried to probe it, it could not find the device.
The solution is to disable the Floppy Disk Controller in your BIOS so that it is not loaded during boot. You might get errors with other storage devices that are not available, so you need to disable them as appropriate. After disabling the floppy disk controller, my Fedora upgrade continued without any further problems.
Was this article helpful? Leave a comment.
By Carrie Hill, Search Engine Watch, Nov 25, 2008.
Designing a Web site can be a daunting task. Where do you start after your business plan is worked out and you’re secure in what you’re going to place on your Web site?
Whether you plan to hire a designer or figure it out for yourself, there are definitely some best practices you should follow. Use this list to get a good start on finding the best Web site platform and design elements for your business’s audience.
These are general best practices for creating a great site — from design and coding elements to arranging content and calls to action on your page. The goal is to have a site that will please your visitors and the search engines.
1. Install Analytics!
2. Create an eye-catching header/logo. This makes an impression on visitors, much like the façade, front door, or foyer of your store.
3. Ensure you have the right balance between text and graphics. Graphics-heavy Web sites with little (or no) text can make it hard for search engines to determine the relevancy of your site to the queries you should rank for. Images and graphics, on the other hand, help tell a story about your products and services.
4. Allow space for a minimum of 250 words of relevant text if possible.
5. Consider how easy the home page and interior pages will be to manage in the future. Can you easily add pages and redirect old pages to new ones?
6. Write unique page titles and meta descriptions for each page. This is ad copy, so take advantage of it. Sell using great keyword phrases and calls to action.
7. Use Cascading Style Sheets (CSS) to keep excessive code out of the way. This leaves a clean and concise interface for the search engines.
8. Your phone number should be prominent and located at top of page in large type. The higher the better.
9. Use a readable font and font size, and one that is hopefully easily scalable for low-vision users.
10. Buying or reserving information should be prominent and above the fold (book now, checkout, shopping cart, etc).
11. Break up long paragraphs with photos or bullet points. Long blocks of text bore your user; give them information in a concise and easy-to-skim manner. Search engines don’t care how the words are delivered, paragraphs or bullet points are fine, just as long as your services and products are fully described on each page.
12. Bold only key ideas in the text. Adding too much bold will over-emphasize the whole page, which is counterproductive.
13. Create logical and custom navigation with “Product” and “Purchase” links in clear view.
15. Place strong calls to action throughout the site. Make it very easy for your user to find the “buy” button and get through your checkout process.
16. A simple few hyperlinked keywords (make them blue underlined) in a paragraph can also be a simple call to action that encourages visits to interior pages. Don’t overdo it or the text will become difficult to read.
17. Use header tags (H1-H6) on every page; the heading should support the page title and be relevant to the on-page content that follows it.
18. Use quality graphics and photos, including Flash elements and photo slideshows. Poor photography can lead to less trust in what you’re offering. Remember: a picture is worth 1,000 words.
19. Don’t overload your contact or RFP forms with information. Make it simple and easy to fill out and submit — name, phone, e-mail address, and comments are the basics.
21. Physical address and phone number in text form on every page is a great way to associate your storefront or service business with a geographic location. Make sure you don’t skip this step.
22. Location of business should be prominent/obvious on the page — town, region or even a regional colloquialism. For example: Finger Lakes, SoHo, DIA, Orange County.
23. Have a static HTML sitemap and an XML sitemap that can be uploaded to your Google Webmaster Tools account.
24. Remember: when you add pages to a site, update your navigation and sitemap.
25. Consider having static sitemap links that use main keyword phrase for the page it links to. It doesn’t hurt to wrap some descriptive text around those sitemap links either.
#1: Update, update, update
Just because it is Apache running on Linux doesn’t mean you shouldn’t bother to update. New holes and security risks are found all the time. You should always develop a sound update policy to keep on top of patches. If you have installed Apache with your distribution’s package manager, the updates can go seamlessly. If you have installed from source, make sure that the upgrade is not going to break any modules or dependencies your Web site has. And if you update Apache, make sure PHP (if used) is updated as well; the interpreter and its extensions are as much a part of the attack surface as the web server itself.
#2: Use the right user:group
I have seen Apache installed under many groups and/or users. One of the biggest offenders is the root user: a flaw in Apache or in any script it runs then hands the attacker root. Running Apache and MySQL under the same user/group is another common mistake; if there is a hole in one, it can lead to an attack on the other. The best scenario is to make sure Apache runs as the dedicated user and group apache. To make this change, open the httpd.conf file and check the User and Group directives, then change both so that they read apache.
If you get any errors indicating the group or user do not exist, you’ll have to create them (as a system account with no login shell and no home directory of consequence). Note that the parent httpd process still starts as root so it can bind to port 80; only the child processes that actually serve requests run as the configured user, which is why the User/Group setting matters.
#3: Turn off unwanted services
There are a few services and/or features that you will want to turn off or not allow. All of these can be disabled in the httpd.conf file, inside a Directory tag, using the Options directive. Those that could cause the most issues include:
- Directory browsing. Disabled with “-Indexes” (the document root is a good place to start). With it on, any directory lacking an index file lists its contents to the world.
- Server side includes. Disabled with “-Includes”. If you genuinely need SSI, “IncludesNOEXEC” allows includes but not the exec command.
- CGI execution. Unless your site needs CGI, turn this off with “-ExecCGI”.
- Symbolic links. Disabled with “-FollowSymLinks”. “SymLinksIfOwnerMatch” is the middle ground: a link is followed only when it and its target have the same owner. Be aware that with FollowSymLinks off, Apache has to check every path component on each request, which costs some performance.
- None. You can turn off all options at once with “Options None”.
#4: Disable unused modules
Apache has a ton of modules. To get an idea how many modules your installation is loading, issue the command grep -n LoadModule httpd.conf from within your Apache configuration directory (or apachectl -M, which asks the binary itself which modules are compiled in or loaded). The grep shows you every module Apache is loading, along with the line number it falls on; on distributions that split the configuration across files, check the conf.d or mods-enabled directories too. To disable the modules you don’t need, simply comment them out with a single # character at the beginning of the LoadModule line, then run a configuration test before restarting, since other directives in the file may depend on the module you just removed.
#5: Restrict access
Say you have an intranet that contains critical company information. You will want to deny anyone outside your private network from seeing this information. To do this, you can restrict access to your internal network by adding the following inside a Directory tag in your httpd.conf file:
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
where 192.168.1.0/24 is the configuration matching your internal network (192.168.1.x; a /16 would be written 192.168.0.0/16 and would match all of 192.168.x.x). This is the Apache 2.2 syntax; Apache 2.4 replaces Order/Deny/Allow with Require (Require ip 192.168.1.0/24). Remember that an IP-based restriction is only as trustworthy as the network in front of the server: if a reverse proxy or load balancer sits between the clients and Apache, every request will appear to come from the proxy’s address. As with all modifications to the httpd.conf file, make sure you restart (or gracefully reload) Apache so the changes take effect.
#6: Limit request size
Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that can be placed within a Directory tag (or at server or virtual host level) and caps the size of a request body in bytes. The size of your limit will depend upon your Web site’s needs: a site that only receives small forms can live with a few kilobytes, while a file-upload area needs more. In older releases LimitRequestBody is 0 by default, which means unlimited (Apache 2.4.53 and later default to 1 GiB). Note that it limits only the body; oversized request lines and headers are governed by LimitRequestLine and LimitRequestFieldSize.
#7: Employ mod_security
One of the most important Apache modules is mod_security, a web application firewall. This module handles many tasks, including simple filtering, regular expression filtering, URL encoding validation, and server identity masking. The mod_security installation and setup is a bit beyond a one-paragraph description. But you can begin by adding LoadModule lines for unique_id_module and security2_module in the Apache modules section (mod_security 2.x depends on mod_unique_id). Once you have added the entries, run the command service apache2 configtest (or apachectl configtest). If Syntax OK is returned, you’re good to go. Bear in mind that a loaded mod_security with no rules does nothing; you need a rule set such as the OWASP ModSecurity Core Rule Set, ideally run in detection-only mode first so you can tune out false positives before you start blocking.
#8: Do not allow browsing outside the document root
Allowing access to files outside the document root is inviting trouble: a stray Alias, a symbolic link or a misconfigured virtual host can otherwise expose any file the Apache user can read. Unless you have a specific need to allow it, disable this by denying everything from the filesystem root, not the document root (denying on the document root would lock out your own visitors). The Directory entry for “/” should contain:
Order Deny,Allow
Deny from all
Now, since access is denied from the top down, you must add a separate Directory entry for the document root (and for any other directory you intentionally serve) that allows access and sets the options it needs. In Apache 2.4 the equivalents are Require all denied and Require all granted.
#9: Hide Apache’s version number
The best offense is a good defense, and one of the simplest defenses is to give away as little information about your service as you can. One piece of information worth hiding is the Apache version number, which lets an attacker match your server against known exploits without any further probing. To hide it, set ServerTokens to Prod and ServerSignature to Off in the main server configuration (these are server-level directives, not options inside a Directory tag). Be clear about what this buys you: the version can often still be fingerprinted from the server’s behaviour, so this is no substitute for the patching in tip #1; it just removes the easy path.
#10: Immunize httpd.conf
One of the best security measures is to protect your httpd.conf file from prying hands. If a process that should not be touching your httpd.conf file cannot write to it, it cannot change it. To immunize the httpd.conf file, set the immutable bit with the following command:
chattr +i /path/to/httpd.conf
where /path/to/httpd.conf is the path to your Apache configuration file. Now nobody, root included, can change httpd.conf until the bit is removed with chattr -i. That is also the catch: the immutable bit mainly guards against accidental edits and careless automated changes, since an attacker who already has root can simply clear it, and a package upgrade that rewrites the file will fail until you do. Only root can set or clear the bit, and it is supported on ext2/3/4 and most other Linux filesystems.
We’ve looked at 10 quick ways to secure your Apache server. There are actually quite a few more configuration options for Apache. Some are fairly generic, but some are designed for specific purposes. Make sure you employ the most secure Apache options/configurations that suit your Web server’s needs.
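A small auditor that applies tips #2, #3, #5, #6, #8 and #9 above to an httpd.conf, with a weak configuration and a hardened one side by side. This is an added example, not from the original article; the two configurations are constructed for the demo in the Apache 2.2 Order/Allow syntax the article uses, the directive names are Apache’s own, and the reader deliberately ignores Include directives, so a real configuration split across files would need each file checked.

```python
# Added example, not from the original article: applies tips #2, #3, #5,
# #6, #8 and #9 to an httpd.conf. Both configurations are constructed for
# the demo (Apache 2.2 Order/Allow syntax); Include files are not followed.
import ipaddress
import re

WEAK_CONF = """\
User root
Group root
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI Includes
    AllowOverride All
</Directory>
<Directory "/var/www/html/intranet">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/16
</Directory>
ServerTokens Full
ServerSignature On
"""

HARDENED_CONF = """\
User apache
Group apache
# Tip #8: deny the whole filesystem, then open only what is served.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    LimitRequestBody 1048576
</Directory>
# Tip #5: /24 is the prefix that actually matches 192.168.1.x.
<Directory "/var/www/html/intranet">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
ServerTokens Prod
ServerSignature Off
"""


def directives(conf):
    """Yield (name, value) per directive line; skips comments and section tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()


def audit(conf):
    """Return a list of findings; an empty list means every checked tip passes."""
    findings = []
    seen = {}
    enabled_options = set()
    for name, value in directives(conf):
        seen.setdefault(name, []).append(value)
        if name == "Options":
            for tok in value.split():
                if not tok.startswith("-"):        # bare or '+' form enables it
                    enabled_options.add(tok.lstrip("+"))
        if name == "Allow" and value.startswith("from "):
            for net in value.split()[1:]:
                if "/" in net:
                    try:
                        ipaddress.ip_network(net, strict=True)
                    except ValueError:
                        findings.append(f"#5 Allow from {net}: host bits set, "
                                        "prefix length does not match the address")
    for who in ("User", "Group"):
        if "root" in seen.get(who, []):
            findings.append(f"#2 {who} is root")
    for opt in ("Indexes", "Includes", "ExecCGI", "FollowSymLinks"):
        if opt in enabled_options:
            findings.append(f"#3 Options {opt} is enabled")
    if "LimitRequestBody" not in seen:
        findings.append("#6 LimitRequestBody not set (older releases default to unlimited)")
    if not re.search(r"<Directory\s+/>", conf):
        findings.append("#8 no <Directory /> block for the filesystem root")
    if seen.get("ServerTokens", ["Full"])[-1] != "Prod":   # Full is Apache's default
        findings.append("#9 ServerTokens is not Prod")
    if seen.get("ServerSignature", ["Off"])[-1].lower() != "off":
        findings.append("#9 ServerSignature is On")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

The /16 check in tip #5 is the one most people miss: ipaddress refuses 192.168.1.0/16 because the address has bits set below the prefix length, which is exactly the sign that the prefix and the intended range disagree. Run the script against your own file by reading it into the conf string; it reports what to fix but, on purpose, does not edit anything.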
Here is a link to edmunds’ blog on how to set up a bluetooth dial up connection, very good stuff
If you find Oracle 10g fairly complex to install, or find it memory hungry, especially when you’re trying to run several JVMs and a VMware instance in parallel with a heavily loaded Oracle 10g system, think of Oracle Database 10g Express Edition (XE).
The installation of Oracle XE is straightforward and, unlike a full Oracle 10g install, it does not require changes to the kernel parameters.
First install libaio :
# yum install libaio
Then download the Oracle XE rpm from Oracle.
Launch rpm install :
# rpm -ihv oracle-xe-10.2.0.1-1.0.i386.rpm
After the install, launch the following command as root to configure the HTTP listener, the SQL*Net listener, and the SYSTEM and SYS passwords.
# /etc/init.d/oracle-xe configure
Oracle Database 10g Express Edition Configuration
This will configure on-boot properties of Oracle Database 10g Express
Edition. The following questions will determine whether the database should
be starting upon system boot, the ports it will use, and the passwords that
will be used for database accounts. Press <Enter> to accept the defaults.
Ctrl-C will abort.
Specify the HTTP port that will be used for Oracle Application Express :8888
Specify a port that will be used for the database listener :
Specify a password to be used for database accounts. Note that the same
password will be used for SYS and SYSTEM. Oracle recommends the use of
different passwords for each database account. This can be done after
Confirm the password:
Do you want Oracle Database 10g Express Edition to be started on boot (y/n) [y]:y
Starting Oracle Net Listener…Done
Starting Oracle Database 10g Express Edition Instance…Done
Installation Completed Successfully.
To access the Database Home Page go to “http://127.0.0.1:8888/apex”
The RPM/configure script does not set up the shell environment. Add the following lines to your .profile file:
Now try a connection as SYSTEM with SQL*Plus (typing sqlplus system and entering the password at the prompt keeps it out of the process list, where anyone running ps could otherwise read it):
# sqlplus system/<password>
If you make heavy use of connection pooling, you may run into the limit on sessions/processes. Increase these parameters by connecting as SYSTEM and running:
alter system set processes=200 scope=spfile;
alter system set sessions=225 scope=spfile;
Because scope=spfile only writes the new values to the server parameter file, they take effect after the next restart of the instance.
More about Oracle XE:
Oracle XE is not only a database for novices, students, hobbyists, or small businesses; it can be used in many other situations.
It can bring value to DBAs, developers and analysts in their everyday job, regardless of the size of their business.
If you’re a developer and you want to try DBA tasks, or you need an R&D database to try out new things, it can be for you.
Oracle has built some limitations into the product:
First of all memory: Oracle XE cannot address more than 1 GB of memory.
Oracle XE can use only one CPU. This does not mean Oracle XE cannot multitask, but it cannot scale on multi-processor machines by using more than one CPU at a time.
One instance of Oracle XE per computer. It’s not really a limitation if you consider that we do not use one Oracle database per application: Oracle uses the concept of schemas to separate applications.
4 GB limit on user data. Even if it seems small compared to multi-terabyte data warehouses, 4 GB is already a large amount for many applications.
Examples of uses :
The aggregation angle: you could consider installing Oracle XE instances on your users’ desktops, then schedule purges and refreshes of aggregated data (by push or pull). The advantages are that users have control of their data, you reduce the load on your enterprise hardware, and you reduce the license costs for your Oracle Database Enterprise Edition.
For the developer :
The configuration of Oracle XE is minimalist, so you can concentrate on development. Nevertheless, if you want to try DBA tasks, you are in complete control.
The Admin control is a web GUI developed with Oracle Application Express(APEX, ex HTML Db) : you can create users with this admin tool, or if you prefer use Oracle SQL*Plus.
Oracle Express doesn’t support Java in the database (no internal JVM) : you can nevertheless connect an external JVM using JDBC.
The .NET CLR external process listener is included, so registered .NET programs can be called from database PL/SQL stored procedures. .NET support only exists on Windows version of Oracle XE.
Other development tools like Toad, SQL Developer, JDeveloper, Forms, PHP, Ruby are supported.
Oracle Database XE includes the Application Express Web-based development and deployment tool as well as XML DB. With the latter, you can immediately start using XML, WebDAV, and the built-in HTTP and FTP servers (each of which is an additional network listener, so keep them firewalled from untrusted networks).
This blog represents the thoughts and processes of Eugene, a Web Designer and Developer and also a student of experience and motivation. The content available here represents the views of Eugene and is not necessarily correct, although I put in as much effort as I can to ensure that this information is correct.
Read through the blog, leave a comment if you wish to, have fun people !!