I have
Frontend SPA app written in Nuxt.js 2
Backend API for that SPA written in Nest.js
I don't know if I should host the frontend and backend separately or use Nest's Serve Static module.
Hosting the SPA in Nest.js is more convenient, but I'm not sure if it's the best practice.
I recommend splitting the frontend and backend; it will be:
cheaper
simpler to manage/debug/organize yourself
more suited to the given stack: performance, charge, price
I'm not sure how Nest is able to serve anything static but the points above are still totally valid.
I've got a public Java web app created with Spring Boot. I'm ready to release it to production and wanted to get some tips on making sure that it is as secure as possible.
It is basically a search engine that uses Apache Lucene in the backend and a lot of JavaScript in the front end. I am planning on deploying it to Amazon Web Services, while using my local machine as a backup/test environment.
Users can search and browse data. The frontend calls REST endpoints using JavaScript's XMLHttpRequest to query the backend for content and then displays it to the user.
The app is completely public and there is no user authentication as of yet.
The app also persists user requests to a database for tracking purposes.
Here's what I've done so far to secure it:
Make sure that the REST endpoints fully verify that the parameters given to them in the requests are valid.
What I plan on doing:
Using HTTPS.
Verifying that any PUT request or URL requests have a reasonable size.
What I am considering adding:
Limiting the number of requests a user can make in a given time period. (Not sure if Spring Boot already has a facility to do this, or whether I should implement this myself.)
Use some kind of API key scheme to make sure that my endpoints are only accessed by my front end. (not sure if this is effective and don't yet know how to do this).
Is there anything else that I should consider doing? Do the things I listed above make sense?
Would greatly appreciate any tips on this.
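The three checks the question lists (parameter validation, request-size ceilings, per-client rate limiting) as one framework-independent guard, written as an added example in JavaScript rather than Spring Boot and not taken from the question or any library; the `req` object, the allow-list regex and the size ceilings are constructed assumptions:

```javascript
// Added example, not code from the question or from Spring Boot: the three
// checks the post lists (parameter validation, request-size ceilings, per-client
// rate limiting) as one framework-independent guard. `req` is a constructed
// plain object; the allow-list regex and ceilings are assumed values.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    Object.assign(this, { limit, windowMs, now, hits: new Map() });
  }
  // Returns { allowed, retryAfterMs }; a request is recorded only when allowed.
  check(clientKey) {
    const t = this.now();
    const stamps = (this.hits.get(clientKey) || []).filter(s => s > t - this.windowMs);
    if (stamps.length >= this.limit) {
      this.hits.set(clientKey, stamps);
      return { allowed: false, retryAfterMs: stamps[0] + this.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(clientKey, stamps);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const LIMITS = { maxUrlChars: 2048, maxBodyBytes: 16 * 1024, maxQueryChars: 200 };
// Allow-list for the search term: letters, digits, whitespace and a few punctuation marks.
const QUERY_RE = /^[\p{L}\p{N}\s_.'-]+$/u;

// Runs the checks in the order a public endpoint wants them: throttle first so an
// abusive client also pays for invalid requests, then size, then the parameter.
// Returns the HTTP status to send, plus headers and the validated query on success.
function guardSearchRequest(req, limiter, limits = LIMITS) {
  const { allowed, retryAfterMs } = limiter.check(req.clientIp);
  if (!allowed) {
    return { status: 429, headers: { "Retry-After": String(Math.ceil(retryAfterMs / 1000)) } };
  }
  if (req.url.length > limits.maxUrlChars) return { status: 414 };
  if (Buffer.byteLength(req.body || "", "utf8") > limits.maxBodyBytes) return { status: 413 };
  const q = new URL(req.url, "http://localhost").searchParams.get("q");
  if (!q || q.length > limits.maxQueryChars || !QUERY_RE.test(q)) return { status: 400 };
  return { status: 200, query: q };
}
```

The limiter is keyed by client IP here; behind a load balancer the key should come from the forwarded client address, not the balancer's.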
Why do APIs use different URLs? Are there two different interfaces on the web server, one processing API requests and the other web HTTP requests? For example, there might be a site called www.joecoffee.com, but then they use the URL www.api.joecoffe.com for their API requests. Why are different URLs being used here?
We separate ours for a couple of reasons, and they won't always apply.
Separation of concerns.
We write API code in one project, and deploy it in one unit. When we work on the API we only worry about that and we don't worry about page layout. When we do web work, that's completely separate.
Different authentication mechanisms.
The way you tell a user to log in is quite different to how you tell an API client it's not authenticated.
Different scalability requirements
It might be that the API does a lot of complex operations, while the web-server serves more or less static content. So you might want to add hundreds of API servers around the world, but only have 10 web servers.
Different Clients
You might have an API for the web client and a separate API for a mobile client. Or perhaps a public one and a private / authenticated one. This might not apply to your example.
Different Technologies
Kind of an extension of separation of concerns, but it allows you to have a Linux server for one and use something like an AWS Lambda for the other.
SSL Wrangling
This one is more of an anti-reason (particularly for the specific example you give). Many sites use SSL for both web and api. Most sites are going to use SSL for the API at least. You tend to have SSL certificates matched to your URL, so there might be a reason there. That said, if you had a *.joecoffee.com certificate you would use api.joecoffee.com not www.api.joecoffee.com (because apparently an extra '.' in your URL costs more, or something like that).
As #james suggested, there's no really right answer, and some debate.
How would you implement a data synchronization solution that ensures data on a mobile device and web server are in sync?
Take a look at this tutorial (part one and part two); basically what they do is add a timestamp attribute storing the last modification. It is developed to synchronize with the parse.com backend service, but it is extendable to any backend.
We use a Unix timestamp in our company for this. The server is communicating with us in JSON over TLS and the client is using AsyncSocket. For a web server (HTTPS) you can take, for example, a REST service and ASIHTTP for the client. But our solutions are used for client-independent services, so if you only have access with iOS/OS X it's maybe easier to use other solutions for direct synchronization :)
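The last-modification-timestamp scheme both answers describe, carried through as an added example that is not the tutorial's or either answer's code: the server stamps writes with its own clock, the client keeps a server-time watermark, stale edits lose to the server copy, and deletions travel as tombstones. Both stores are in-memory stand-ins and all record values are constructed:

```javascript
// Added example, not code from the tutorial or from either answer: a sync where
// the server stamps each write with its own clock (client clock skew then cannot
// reorder changes), the client keeps a server-time watermark, and deletions travel
// as tombstones so they propagate too. Both stores are in-memory stand-ins.
class SyncServer {
  constructor(now) { this.now = now; this.store = new Map(); }
  // Accept a write only if the client edited the version it last saw; otherwise
  // the server copy wins and is returned so the client can reconcile.
  put(rec, baseUpdatedAt) {
    const cur = this.store.get(rec.id);
    if (cur && cur.updatedAt !== baseUpdatedAt) return { accepted: false, current: cur };
    const stored = { ...rec, updatedAt: this.now() };
    this.store.set(rec.id, stored);
    return { accepted: true, current: stored };
  }
  // Everything modified after the watermark, plus the server time it was read at.
  changesSince(since) {
    const asOf = this.now();
    return { asOf, records: [...this.store.values()].filter(r => r.updatedAt > since) };
  }
}

class SyncClient {
  constructor() { this.store = new Map(); this.lastSyncAt = 0; }
  // A local change remembers which server version it was based on.
  edit(id, body, deleted = false) {
    const cur = this.store.get(id);
    const baseUpdatedAt = !cur ? null : cur.dirty ? cur.baseUpdatedAt : cur.updatedAt;
    this.store.set(id, { id, body, deleted, dirty: true, baseUpdatedAt });
  }
  remove(id) { this.edit(id, null, true); }
  live() { return [...this.store.values()].filter(r => !r.deleted).map(r => r.id).sort(); }
  // Push dirty records, then pull, then advance the watermark to the server's
  // read time so nothing written in between is skipped on the next sync.
  sync(server) {
    let conflicts = 0;
    for (const r of [...this.store.values()].filter(r => r.dirty)) {
      const res = server.put({ id: r.id, body: r.body, deleted: r.deleted }, r.baseUpdatedAt);
      if (!res.accepted) conflicts++;
      this.store.set(r.id, { ...res.current, dirty: false });
    }
    const { asOf, records } = server.changesSince(this.lastSyncAt);
    for (const rec of records) this.store.set(rec.id, { ...rec, dirty: false });
    this.lastSyncAt = asOf;
    return { conflicts };
  }
}
```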
I'd like to start practicing JS server-based stuff in a real-world environment (not localhost) and AWS seems to be the most economical way to do this. And I'd like to start by using Backbone in conjunction with REST.
If I do this, is REST out-of-the-box ready on AWS and it's just a matter of throwing my Backbone code on the server? Or is it a matter of configuring the REST API on AWS?
Thanks in advance!!!!
As the comments indicated, web applications are broken up into two parts, the client and the server, and Backbone is exclusively a client-side library ...
... well, almost. There is a server-side JavaScript web framework called Node.js, and if you really wanted you could use Backbone on it. Alternatively you could run a more traditional server-side language/framework like Ruby/Rails, Python/Django, etc. If you are using AWS's EC2 service you basically get your own computer to do what you want with, and you can use Node, Django, or whatever else to write a RESTful web service that your client-side code can use.
I'm working with NodeJS + Mongoose, writing a Single Page Application, so I need to serve some statics and then all the interaction between frontend and backend is done via XHR. Eventually I'm thinking about writing a native mobile app accessing the same backend. Is there any pattern / best practice I should apply here? I thought that I may need to extract the API to be exposed via Restify, and handle the requests from the webapp only with ExpressJS? Or should I just put all the stuff exposed via Restify? I guess my confusion comes from not having worked with Restify before, so any explanation about how it is different from ExpressJS (especially when talking about a Single Page App) is really welcome.
I am implementing a similar solution, mobile app & website with ExpressJS and BackboneJS. I did not use Restify because I did not think I needed the extra complexity; there were not that many API endpoints, so ExpressJS handled everything OK for me.
BTW, take a look at this post on Restify performance; I just saw it today and have not personally validated the contents.
Benchmarking APIs using PerfectAPI vs Express.js vs Restify.js (PerfectAPI Blog): http://bit.ly/xrTguB
Restify is packaging DTrace and various handlers that Express doesn't. If you just have one API endpoint and don't need DTrace, it doesn't make sense to run Restify.
Also, you might want to try express-resource