Cakefest 2021 Workshop 1

Transcript

1. CakeFest 2021 Virtual Event Workshop 1

2. Workshop 1 • 3x2.5h sessions (this is the first one)

   • Slides and code • Code - https:/ /github.com/cakephp/cakefest2021/ (check branches) • Database - https:/ /bit.ly/3Ao1rO8 • Slides - https:/ /speakerdeck.com/steinkel/cakefest-2021-workshop-1

3. About Jorge González @steinkelz • CakePHP Developer at CakeDC [email protected]

   https:/ /www.cakedc.com • Trainer at Cake Software Foundation https:/ /training.cakephp.org

4. Workshop 1 Useful CakePHP features for your projects • Middlewares

   • Security • Caching • Events

5. Setup dev environment • docker / docker-compose • PostgreSQL 13

   as a dependency • PHP stack as a dependency • git clone [email protected]:cakephp/cakefest2021.git • cd cakefest2021 • docker-compose up • ./dk.sh • Use ./initdb.sh from host to restore a dbdump 5

6. Middlewares • Definition • Configuration

7. How? Bake a new middleware using • bin/cake bake middleware

   Profiler 7

8. Middleware examples • https:/ /github.com/orgs/middlewares/repositories • Using another approach for

   timing https:/ /github.com/tuupola/server-timing-middleware 8

9. Security List of attacks by type https:/ /owasp.org/www-community/attacks/ Hardening your

   CakePHP app

10. Bots • All your public forms will be spammed •

    Honeypot • Google reCaptcha is another option… or both 10

11. SQL Injection • A good old friend is worth a

    mention • ORM • Raw queries 11

12. XSS Injection • First step to more dangerous attacks https:/

    /cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sh eet.html 12

13. DDoS • Good choice for a poorly optimized stack •

    Do it yourself • OR Let others do if for you (Cloudflare, Akamai, Cloudfront and others) 13

14. CSRF • They force you to do something while authenticated

    in another site • How it works? • Cookie AND hidden field in your generated form • Check on POST PUT PATCH DELETE 14

15. Other references • https:/ /owasp.org/www-project-top-ten/ • https:/ /github.com/guardrailsio/awesome-php-security • Consider

    using a WAF 15

16. Performance & Cache Interesting CakePHP features for your projects

17. Bottlenecks • How to detect bottlenecks in your application? •

    DIY • DebugKit • XDebug • Let others do it • Sentry, Newrelic, etc. 17

18. XDebug debug • https:/ /www.youtube.com/watch?v=8yUY063WgDg • xdebug + phpstorm 18

19. XDebug profiling • https:/ /www.youtube.com/watch?v=8yUY063WgDg • xdebug + phpstorm 19

20. Typical performance tips • Ensure your queries are fast •

    Check again your queries and 3rd party services, then continue with this list • Remove filesystem access • Logs • Session • Cache engines • Do not use sessions if they are not needed • Ensure your assets are optimized • Consider a cache layer... 20

21. Cache & Invalidation • Invalidation is a hard problem, if

    the benefits are not clear, reconsider the cache layer • Be careful with hidden keys • Users::view cache • Users belongsToMany Groups • Naive invalidation strategy: ANY change done to Users, Groups, GroupsUsers, invalidate all • More complex strategy • Change in users > invalidate by key • Change in groups > invalidate all related users by key 21

22. OPT: Redis engine • Install and configure Redis as cache

    engine 22

23. OPT: Counter Cache • Counter Cache optimization for Files /

    Groups 23

24. OPT: Simple Paginator • Switch to SimplePaginator when COUNT becomes

    a problem 24

25. OPT: Cache Paginator • Cache Paginated results • Cache result

    counts 25

26. OPT: Full Cache • When you just want to cache

    all the things • Middleware based Full Cache example • Consider using varnish or similar alternatives instead • It could make sense when invalidation is time based 26

27. Events Interesting CakePHP features for your projects

28. Pros • Remove hard coded dependencies • Observer pattern •

    Deeply integrated into the Framework 28

29. Cons • Harder to understand • Harder to debug 29

30. Example • New Notifications plugin • Send a warning email

    notification to the administrator when a file is tagged as a "virus" 30

31. OPT: Deferred • Install cakephp/queue • Defer email sending to

    a background worker 31

32. Questions ?

33. Thank You ありがとうございました。 Gracias

34. End of the road Thank you all! 34