Part 4 - TLS, Performance, More JS, and Progressive Web Apps

Question 1

What is TLS?

Answer 1

Transport Layer Security
- Transport Layer: works on top of TCP/UDP
- Fully integrated with QUIC
- TLS is primarily used to secure data during transmission

Question 2

What is HTTP inside of TLS is called?

Answer 2

HTTPS

Question 3

How does TLS ensure identity?

Answer 3

With TLS I can ensure the server I’m connected to is the server I meant to connect to.
This is done with certificates.
A certificate works like an ID card.
The server sends a certificate with its domain name (called a “Common Name”) and a big number called a public key.
The certificate also includes other details, such as who made it, for example, “Bank Inc.”

Question 4

What does the certificate that the server sends (in TLS) have that is so crucial?

Answer 4

cryptographic signature

Question 5

What are signed certificates?

Answer 5

The certificate’s signature is unique to that certificate.
If you change the public key or the domain name, the signature won’t match anymore.
The certificate’s signature also comes from a specific entity that made that signature.
It tells us who signed it, and only they could have produced that signature.
No one else can pretend to have signed the certificate, or the signature won’t match.

Question 6

Explain how Cryptographic Signatures work

Answer 6

I make a private key and a public key as a part of a cryptographic signature algorithm.
I keep my private key secret, known only to me.
I give away my public key to the whole world so everyone knows it’s my public key.
I make signatures by combining my private key and some other information I want to sign. In this case its the banks domain name and the bank’s different public key.
You can check my signature by using my public key (which I already gave you) and combining it with the signature and information that’s been signed to check it.

Question 7

What is Certificate Authority?

Answer 7

In an example with a bank,
A certificate authority uses their private key to sign the bank’s certificate.
The bank sends their certificate to you so you can check it.
You have the CA’s public key.
You combine it with the banks certificate.

I.E the person that uses their private key to sign the certificate

Question 8

What is the TLS handshake?

Answer 8

TCP Handshake
Client sends TLS “hello”
Server sends TLS “hello”
Client verifies server certificate
Client and server agree on an encryption key
Client sends encrypted “ready”
Server sends encrypted “ready”

Question 9

What are Cipher Suites

Answer 9

Client and server agree on crypto algorithm to use during handshake
Many different crypto algorithms are available

Question 10

So then generally, how do we avoid security problems?

Answer 10

TLS everything
Make sure all traffic to/from your web app is running over TLS
Example: it may not help if only login is over TLS because an attacker can replace your TLS-encrypted login page with an unencrypted one by replacing the link on the unencrypted main site

Question 11

How do we avoid TLS security problems?

Answer 11

Keep software up to date
No Windows XP
Don’t communicate with out-of-date software
Example: if something on your site is meant to be secret, even one bad client can leak the secret!

Question 12

How is performance measured in web development

Answer 12

It is a non-functional requirement
measured as:
- Concurrency (# of requests or users at once)
- Latency (ms)
- Volume (requests/second)
- Bandwidth (bytes/second)
- Utilization (percent)

Question 13

What are the things we have to do before we optimize?

Answer 13

Make sure you have a performance problem.
Measure all of our performance metrics
record these #s
compare performance after changes
run tests

Question 14

What are the techniques of optimization?

Answer 14

Caching
Reduce # of round trips
Reduce download size
Asynchronous communication

Question 15

How does Caching affect performance?

Answer 15

Caching increases locality
Content/data is closer to where it is needed
Locality increases available bandwidth
Locality decreases latency

Question 16

What are the levels we can cache?

Answer 16

CPU
Memory (RAM)
Disk
Network

Question 17

What are the levels of HTTP caching?

Answer 17

Browser cache (memory/disk)
Near reverse proxy cache server or CDN (Network)
Far reverse proxy cache server (Network, but higher latency and lower bandwidth)
Original server

Question 18

Browser Caching

Answer 18

Fastest
Force-refresh with control-shift-R
Browser manages balance between RAM and disk
Private windows typically won’t use disk at all

Question 19

What is the difference between tracking state and caching

Answer 19

Server tracking state and changing its response depending on state prevents effective caching
Authentication is a kind of state
→ Authentication prevents caching
Limit stateful and authenticated server content
Separate out content that needs to be stateful/authenticated from content that can be public and shared!

Question 20

What should you avoid for static content?

Answer 20

Cookies and Auth

Question 21

What is static content?

Answer 21

Static content = content that doesn’t change or rarely changes
Examples:
Images
CSS
Fonts
Scripts

Question 22

what should you use for static content

Answer 22

Use GET for static content
Use cache-busting: version number or hash in URL for static content

Question 23

What effect do round-trips have on latency?

Answer 23

Increase latency
Happen whenever you have to wait for a response before making the next request

Question 24

How do we reduce round trips?

Answer 24

• Use HTTP/3: TCP is eliminated, TLS/HTTP requests can be done in fewer round trips
• Use Fewer Servers –> look up fewer domains, make fewer connections
  use
• use asynchronous loading
• Avoid CSS imports, use JS ‘complier’ like webpack
• Avoid HTTP redirects

Question 25

How do we reduce DNS round trips?

Answer 25

Avoid CNAME Allow DNS Caching Provide multiple A/AAAA records in a single response

Question 26

Why is async better than sync?

Answer 26

Other things can be processed or loaded while something is loading Fewer requests are blocked Synchronous adds a round trip for each request Asynchronous = Parallelizable Synchronous = Serialized

Question 27

How do we reduce request size?

Answer 27

Use HTTP/2 and HTTP/3 - Automatically applies header compression - If headers don't change, they won't be re-sent! - Lots of headers, big cookies and big URIs not a big deal!

Question 28

How do we minimize the resource size?

Answer 28

HTTP compression image compression

Question 29

Why should we avoid POST?

Answer 29

POST is not idempotent POST is not cacheable POST is dynamic POST adds lots of round trips

Question 30

How do errors affect performance?

Answer 30

403s, 404s, 410s, etc. are all slow - Server often works harder to serve an error than serve content - Errors not cached/cacheable - cause logging overhead

Question 31

Why do we use ES modules?

Answer 31

At some point it became necessary to split js into multiple files So now we use ES(ES6) modules

Question 32

How does node tell if something is an ES module

Answer 32

.mjs

Question 33

What extensions does node not recognize is an ES module, but actually is?

Answer 33

.esm or .esm.js

Question 34

What are common JS module?

Answer 34

frontend code that uses CommonJS - Needs a library or bundler to work in browser

Question 35

What is an ES module?

Answer 35

Needs Node.js version 14 or better, supported natively in browser. You can use "top-level await" that is, await outside of an async function This delays loading until the promise resolves

Question 36

What are transpilers and bundlers?

Answer 36

They make JS load faster (possibly) by merging large trees of modules into single files Support modern features on older browsers Compile a variety of languages to JS

Question 37

What is tree shaking

Answer 37

Bundlers usually perform Tree-Shaking Removing unused parts of modules and their dependencies For example, say you exported a bunch of modules, but only used 2, all other exports would just get removed

Question 38

What are polyfillls?

Answer 38

Bundlers often also auto-add these JS script that adds support for newer features not supported in older browsers

Question 39

What is the difference between a transpiler and a Polyfill?

Answer 39

Transpiler: runs before deployment during build Polyfill: runs in the browser at runtime

Question 40

What does the spread operator do?

Answer 40

... When used in arguments: takes an array and turns it into arguments When used in parameters: takes the rest of the arguments passed in and turns it into an array When used in an array: takes an array and inserts its contents into the array *Maybe add examples here later

Question 41

What are progressive web apps?

Answer 41

Run on multiple platforms and devices from one codebase Can run both as a website and a mobile app Can even run on some refrigerators Can perform tasks while main app is not running Modern examples include Uber, Spotify, Google Maps, and Pinterest

Question 42

What are the parts of PWA

Answer 42

ServiceWorkers API Installer script ServiceWorker Script

Question 43

What is the service worker script

Answer 43

Loaded by HTML (directly or indirectly) script tag Should be in all the main pages of the app Uses the navigator.serviceWorker object, a ServiceWorkerContainer Has access to the page and everything like a normal script

Question 44

What is a ServiceWorker?

Answer 44

Intended to improve performance of website/app caching - different from HTTP cache Event based Works in the background- does not interrupt main app Optional

Question 45

How does the ServiceWorker API work?

Answer 45

Basically everything returns promises async / await is your friend!

Question 46

How does the ServiceWorker Script work?

Answer 46

Loaded by the browser after being registered by the installer script Must be at the root of all the pages it's going to work with It includes sub-folders and pages in the same folder Excludes other domains and other parent folders!

Question 47

How must the ServiceWorker script be loaded? How does it run? What can it access?

Answer 47

Must be loaded over HTTPS Cannot access the page, window, and most JS APIs console.log messages will not show up in the tab! Runs in a separate thread

Question 48

In PWA, can objects be cloned?

Answer 48

Yes! Objects that can be easily cloned Similar to Python copy.deepcopy Used for thread-to-thread Communication - Web Workers - Shared Workers - Service Workers

Question 49

What can structured cloneable objects not have?

Answer 49

Functions DOM Nodes Complicated objects (e.g. made by a class) Event

Question 50

Are serviceworker scripts always running?

Answer 50

Can (and will!) be killed by the browser whenever it feels like it Use event.waitUntil() to ask browser for more time They are not always running!

Question 51

When does the service worker script run?

Answer 51

Only runs when first registered and some events: install - service worker is first installed activate - service worker becomes the active service worker version message - a tab (client) sent the serviceworker a message fetch - page makes a fetch request push... - Push API (Notifications)