From 2002f6b254f59a80ecbc52ad333210f5597659c2 Mon Sep 17 00:00:00 2001 From: Rubek Date: Mon, 1 Nov 2021 13:45:59 +0545 Subject: [PATCH] Undo changes from auto-formatter --- README.md | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 166 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 17a51c91..a12e6cc9 100644 --- a/README.md +++ b/README.md @@ -51,14 +51,172 @@ Read in a different language: [![CN](./assets/flags/CN.png)**CN**](./README.chin ## Table of Contents -1. [Project Structure Practices (5)](#1-project-structure-practices) -2. [Error Handling Practices (12) ](#2-error-handling-practices) -3. [Code Style Practices (12) ](#3-code-style-practices) -4. [Testing And Overall Quality Practices (13) ](#4-testing-and-overall-quality-practices) -5. [Going To Production Practices (19) ](#5-going-to-production-practices) -6. [Security Practices (25)](#6-security-best-practices) -7. [Performance Practices (2) (Work In Progress️ ✍️)](#7-draft-performance-best-practices) -8. [Docker Practices (15)](#8-docker-best-practices) +
+ + 1. Project Structure Practices (5) + + +  1.1 Structure your solution by components
+  1.2 Layer your components, keep the web layer within its boundaries
+  1.3 Wrap common utilities as npm packages
+  1.4 Separate Express 'app' and 'server'
+  1.5 Use environment aware, secure and hierarchical config
+ +
+ +
+ + 2. Error Handling Practices (12) + + +  2.1 Use Async-Await or promises for async error handling
+  2.2 Use only the built-in Error object
+  2.3 Distinguish operational vs programmer errors
+  2.4 Handle errors centrally, not within a middleware
+  2.5 Document API errors using Swagger or GraphQL
+  2.6 Exit the process gracefully when a stranger comes to town
+  2.7 Use a mature logger to increase error visibility
+  2.8 Test error flows using your favorite test framework
+  2.9 Discover errors and downtime using APM products
+  2.10 Catch unhandled promise rejections
+  2.11 Fail fast, validate arguments using a dedicated library
+  2.12 Always await promises before returning to avoid a partial stacktrace
+ +
+ +
+ + 3. Code Style Practices (12) + + +  3.1 Use ESLint
+  3.2 Node.js specific plugins
+  3.3 Start a Codeblock's Curly Braces on the Same Line
+  3.4 Separate your statements properly
+  3.5 Name your functions
+  3.6 Use naming conventions for variables, constants, functions and classes
+  3.7 Prefer const over let. Ditch the var
+  3.8 Require modules first, not inside functions
+  3.9 Require modules by folders, as opposed to the files directly
+  3.10 Use the === operator
+  3.11 Use Async Await, avoid callbacks
+  3.12 Use arrow function expressions (=>)
+ +
+ +
+ + 4. Testing And Overall Quality Practices (13) + + +  4.1 At the very least, write API (component) testing
+  4.2 Include 3 parts in each test name
+  4.3 Structure tests by the AAA pattern
+  4.4 Detect code issues with a linter
+  4.5 Avoid global test fixtures and seeds, add data per-test
+  4.6 Constantly inspect for vulnerable dependencies
+  4.7 Tag your tests
+  4.8 Check your test coverage, it helps to identify wrong test patterns
+  4.9 Inspect for outdated packages
+  4.10 Use production-like environment for e2e testing
+  4.11 Refactor regularly using static analysis tools
+  4.12 Carefully choose your CI platform (Jenkins vs CircleCI vs Travis vs Rest of the world)
+  4.13 Test your middlewares in isolation
+ +
+ +
+ + 5. Going To Production Practices (19) + + +  5.1. Monitoring
+  5.2. Increase transparency using smart logging
+  5.3. Delegate anything possible (e.g. gzip, SSL) to a reverse proxy
+  5.4. Lock dependencies
+  5.5. Guard process uptime using the right tool
+  5.6. Utilize all CPU cores
+  5.7. Create a ‘maintenance endpoint’
+  5.8. Discover errors and downtime using APM products
+  5.9. Make your code production-ready
+  5.10. Measure and guard the memory usage
+  5.11. Get your frontend assets out of Node
+  5.12. Be stateless, kill your servers almost every day
+  5.13. Use tools that automatically detect vulnerabilities
+  5.14. Assign a transaction id to each log statement
+  5.15. Set NODE_ENV=production
+  5.16. Design automated, atomic and zero-downtime deployments
+  5.17. Use an LTS release of Node.js
+  5.18. Don't route logs within the app
+  5.19. Install your packages with npm ci
+ +
+ +
+ + 6. Security Practices (25) + + +  6.1. Embrace linter security rules
+  6.2. Limit concurrent requests using a middleware
+  6.3 Extract secrets from config files or use packages to encrypt them
+  6.4. Prevent query injection vulnerabilities with ORM/ODM libraries
+  6.5. Collection of generic security best practices
+  6.6. Adjust the HTTP response headers for enhanced security
+  6.7. Constantly and automatically inspect for vulnerable dependencies
+  6.8. Protect Users' Passwords/Secrets using bcrypt or scrypt
+  6.9. Escape HTML, JS and CSS output
+  6.10. Validate incoming JSON schemas
+  6.11. Support blocklisting JWTs
+  6.12. Prevent brute-force attacks against authorization
+  6.13. Run Node.js as non-root user
+  6.14. Limit payload size using a reverse-proxy or a middleware
+  6.15. Avoid JavaScript eval statements
+  6.16. Prevent evil RegEx from overloading your single thread execution
+  6.17. Avoid module loading using a variable
+  6.18. Run unsafe code in a sandbox
+  6.19. Take extra care when working with child processes
+  6.20. Hide error details from clients
+  6.21. Configure 2FA for npm or Yarn
+  6.22. Modify session middleware settings
+  6.23. Avoid DOS attacks by explicitly setting when a process should crash
+  6.24. Prevent unsafe redirects
+  6.25. Avoid publishing secrets to the npm registry
+ +
+ +
+ + 7. Performance Practices (2) (Work In Progress️ ✍️) + + +  7.1. Don't block the event loop
+  7.2. Prefer native JS methods over user-land utils like Lodash
+ +
+ +
+ + 8. Docker Practices (15) + + +  8.1 Use multi-stage builds for leaner and more secure Docker images
+  8.2. Bootstrap using node command, avoid npm start
+  8.3. Let the Docker runtime handle replication and uptime
+  8.4. Use .dockerignore to prevent leaking secrets
+  8.5. Clean-up dependencies before production
+  8.6. Shutdown smartly and gracefully
+  8.7. Set memory limits using both Docker and v8
+  8.8. Plan for efficient caching
+  8.9. Use explicit image reference, avoid latest tag
+  8.10. Prefer smaller Docker base images
+  8.11. Clean-out build-time secrets, avoid secrets in args
+  8.12. Scan images for multi layers of vulnerabilities
+  8.13 Clean NODE_MODULE cache
+  8.14. Generic Docker practices
+  8.15. Lint your Dockerfile
+ +
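Review bot: item numbering in the expanded table of contents is inconsistent within sections 6 and 8 of this hunk; `6.3 Extract secrets from config files or use packages to encrypt them` has no trailing period while `6.2.` and `6.4.` do, and `8.1 Use multi-stage builds for leaner and more secure Docker images` and `8.13 Clean NODE_MODULE cache` lack the period that `8.2.` through `8.12.`, `8.14.` and `8.15.` carry. Sections 1 through 4 use the `1.1`, `2.1` form without a period throughout, so settle on one convention per list (or for the whole table) before merging, otherwise the next formatter pass will likely touch these lines again. Since the subject is "Undo changes from auto-formatter" and the stat shows 8 deletions against 166 insertions, the message should also say which formatter rewrite is being reverted so the tool can be configured to leave this block alone rather than reintroducing the churn. Finally, the expanded list makes visible that `5.8. Discover errors and downtime using APM products` repeats the wording of `2.9 Discover errors and downtime using APM products`; worth confirming that both headings in the body are intended to coexist rather than one being a stale copy.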