This roadmap is completely for mine. I make this for my own learning Purpose. I don't so many things but i still believe all those things all clear my confusion and darkness.
IF YOU WANT TO KNOW EVERYTHING ABOUT SYSTEM,APPLICATION and what's going on system,Then this RoadMap is for you.
- How does the internet work?
- What is HTTP?
- Browsers and how they work?
- DNS and How it works?
- What is Domain Name?
- What is hosting?
- Basics
- Forms and validations
- conventions and Best Practices
- Basics
- Making Layouts
- Responsive design and Media Queries
- Float, positioning, Display, Box Model, CSS GRID , Flex Box
- Basic
- Syntax
- DOM, DOM manipulation
- AJAX(XHR), Learn Fetch API
- ES6+ and modular JS
- Hoisting, Event Bubbling, scope, prototype, Shadow DOM, strict - concept
- Learn the Basic Data Structure -
- Learn the Algorithms
At least solve 100 problems using DS & Algo
You will face Coding Interview.
Try to make at least 10 projects. search for youtube, google but make yourself. Be honest!. After finishing the project, go through again everything.Give yourself a timeline- like 3 months, 2 months!
- GitHub
- GitLab
- HTTPS
- CORS
- Content Security Policy
- OWASP security Risks
HTTP is a application layer protocol. It was designed for communication between web browsers and web servers.web browsers ask for the information they need to load a website. A typical HTTP request contains:
- HTTP version type
- a URL
- an HTTP method
- HTTP request headers
- Optional HTTP body.
- GET
- POST
An HTTP response is what web clients (often browsers) receive from an Internet server in answer to an HTTP request. These responses communicate valuable information based on what was asked for in the HTTP request.
A typical HTTP response contains:
- an HTTP status code
- HTTP response headers
- optional HTTP body
Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). This protocol secures communications by using what’s known as an asymmetric public key infrastructure. This type of security system uses two different keys to encrypt communications between two parties:
The private key - this key is controlled by the owner of a website and it’s kept, as the reader may have speculated, private. This key lives on a web server and is used to decrypt information encrypted by the public key.
The public key - this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key.
A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.
There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.
Encryption: hides the data being transferred from third parties. Authentication: ensures that the parties exchanging information are who they claim to be. Integrity: verifies that the data has not been forged or tampered with.
Cross-Origin Resource Sharing
Cross-origin resource sharing (CORS) is a mechanism that allows a way for web pages to access API or assets running on a different restricted domain.
cors needs to declared at server side.
I have a domain which is www.domain-A.com. Now i want to use a picture in my domain A website. The picture is located at www.domain-B.com. When i sent GET request domain-B server for pictures, it will give me a cors error at browser.
Solution: i need to declare cors library at my backend code(nodejs-app.js)
is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
link: https://stackoverflow.com/questions/30280370/how-does-content-security-policy-csp-work
The Open Web Application Security Project.OWASP, is an international non-profit organization dedicated to web application security. OWASP, is an international non-profit organization dedicated to web application security.
Brute Force Attack
Data Breach
On-Path Attack
Buffer Overflow Attack
Copy article link
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.
- Injection
Injection attacks happen when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. For example, an attacker could enter SQL database code into a form that expects a plaintext username. If that form input is not properly secured, this would result in that SQL code being executed. This is known as an SQL injection attack.
Injection attacks can be prevented by validating and/or sanitizing user-submitted data. (Validation means rejecting suspicious-looking data, while sanitization refers to cleaning up the suspicious-looking parts of the data.) In addition, a database admin can set controls to minimize the amount of information an injection attack can expose.
- Broken Authentication
Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account. For example, an attacker can take a list containing thousands of known username/password combinations obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.
Some strategies to mitigate authentication vulnerabilities are requiring two-factor authentication (2FA) as well as limiting or delaying repeated login attempts using rate limiting.
- Sensitive Data Exposure
If web applications don’t protect sensitive data such as financial information and passwords, attackers can gain access to that data and sellor utilize it for nefarious purposes. One popular method for stealing sensitive information is using an on-path attack.
Data exposure risk can be minimized by encrypting all sensitive data as well as disabling the caching* of any sensitive information. Additionally, web application developers should take care to ensure that they are not unnecessarily storing any sensitive data.
*Caching is the practice of temporarily storing data for re-use. For example, web browsers will often cache webpages so that if a user revisits thosepages within a fixed time span, the browser does not have to fetch the pages from the web.
- XML External Entities (XEE) This is an attack against a web application that parses XML* input. This input can reference an external entity, attempting to exploit a vulnerability in the parser. An ‘external entity’ in this context refers to a storage unit, such as a hard drive. An XML parser can be duped into sending data to an unauthorized external entity, which can pass sensitive data directly to an attacker.
The best ways to prevent XEE attacks are to have web applications accept a less complex type of data, such as JSON**, or at the very least to patch XML parsers and disable the use of external entities in an XML application.
*XML or Extensible Markup Language is a markup language intended to be both human-readable and machine-readable. Due to its complexity and security vulnerabilities, it is now being phased out of use in many web applications.
**JavaScript Object Notation (JSON) is a type of simple, human-readable notation often used to transmit data over the internet. Although it was originally created for JavaScript, JSON is language-agnostic and can be interpreted by many different programming languages.
- Broken Access Control Access control refers a system that controls access to information or functionality. Broken access controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example a web application could allow a user to change which account they are logged in as simply by changing part of a url, without any other verification.
Access controls can be secured by ensuring that a web application uses authorization tokens* and sets tight controls on them.
*Many services issue authorization tokens when users log in. Every privileged request that a user makes will require that the authorization token be present. This is a secure way to ensure that the user is who they say they are, without having to constantly enter their login credentials.
- Security Misconfiguration
Security misconfiguration is the most common vulnerability on the list, and is often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly-descriptive errors which may reveal vulnerabilities in the application. This can be mitigated by removing any unused features in the code and ensuring that error messages are more general.
- Cross-Site Scripting
Cross-site scripting vulnerabilities occur when web applications allow users to add custom code into a url path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code on a victim’s browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank’s website. This link could have some malicious JavaScript code tagged onto the end of the url. If the bank’s site is not properly protected against cross-site scripting, then that malicious code will be run in the victim’s web browser when they click on the link.
Mitigation strategies for cross-site scripting include escaping untrusted HTTP requests as well as validating and/or sanitizing user-generated content. Using modern web development frameworks like ReactJS and Ruby on Rails also provides some built-in cross-site scripting protection.
- Insecure Deserialization
This threat targets the many web applications which frequently serialize and deserialize data. Serialization means taking objects from the application code and converting them into a format that can be used for another purpose, such as storing the data to disk or streaming it. Deserialization is just the opposite: converting serialized data back into objects the application can use. Serialization is sort of like packing furniture away into boxes before a move, and deserialization is like unpacking the boxes and assembling the furniture after the move. An insecure deserialization attack is like having the movers tamper with the contents of the boxes before they are unpacked.
An insecure deserialization exploit is the result of deserializing data from untrusted sources, and can result in serious consequences like DDoS attacks and remote code execution attacks. While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.
- Using Components With Known Vulnerabilities
Many modern web developers use components such as libraries and frameworks in their web applications. These components are pieces of software that help developers avoid redundant work and provide needed functionality; common example include front-end frameworks like React and smaller libraries that used to add share icons or a/b testing. Some attackers look for vulnerabilities in these components which they can then use to orchestrate attacks. Some of the more popular components are used on hundreds of thousands of websites; an attacker finding a security hole in one of these components could leave hundreds of thousands of sites vulnerable to exploit.
Component developers often offer security patches and updates to plug up known vulnerabilities, but web application developers don’t always have the patched or most-recent versions of components running on their applications. To minimize the risk of running components with known vulnerabilities, developers should remove unused components from their projects, as well as ensuring that they are receiving components from a trusted source and ensuring they are up to date.
- Insufficient Logging And Monitoring
Many web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response. OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.
- npm - Node Package Manager
npm is the world's largest Software Library (Registry) npm is also a software Package Manager and Installer
- React.js - Redux, mobX
- Modern CSS - Styled Component, CSS module,Styled JSX, Emotion
- HTML Template
- Custom Elements
- Shadow DOM
-
Terminal Usage
-
How Os work in General
-
Process Management
-
Threads and Concurrency
-
Basic Terminal Command
- grep, awk, sed
- isof, curl, wget tail, head, less
- find, ssh, kill
-
Memory Management
-
Interprocess Communication
-
I/O Management
-
POSIX BASICS - stdin, stdout, stderr, pipes
-
Basic Networking concepts
- Python
- Bash
- Go
- NodeJS
- Django
- .Net Core
- PostgreSQL
- MySQL
- Document MongoDB, CouchDB
- Column DBs Cassandra
- InfluxDB, TimescaleDB
- Realtime FireBase
- ORMs
- ACID
- Transactions
- N+1 Problem
- Database Normalization
- Indexes and How they work
- Data Replication
- Sharding Strategies
- CAP Theorem
- JSON APIs
- SOAP
- gRPC
- REST
- Authentication
- Cookie Based
- OAuth
- Basic Authentication
- Token Authentication
- JWT
- CDN
- Server side - Redis, Memcached
- Client Side
- MD5 and why not to use it
- SHA Family
- scrypt, bcrypt
- Integration Testing
- Unit Testing
- Functional Testing
- SOLID
- KISS
- YAGNI
- DRY
- Monolithic Apps.
- Microservices
- SOA
- Serverless
- Elasticsearch
- Solr
- RabbitMQ
- Kafka
- Docker
- Apache
- Nginx
- Migration Strategies
- Horizontal vs Vertical Scaling
- Linux
- Debian, Fedora, RHEL, CentOs, Ubuntu
- Unix
- Windows
- HTTP
- HTTPS
- FTP
- SSL/TLS
- SSH
- PORT Forwarding
- Basic Networking
- SMTP
- IMAPS
- POP3S
- DMARC
- SPF
- Domain Keys
- Reverse Proxy
- Forward Proxy
- Caching Server
- Load Balancer
- Firewall
- Istio
- Envoy
- Linkerd
- Consul
- Docker
- LXC
- Ansible
- Chef
- Puppet
- Kubernetes
- Docker Swarm
- Mesos
- Nomad
- Terraform
- CloudFormation
- Pulumi
- Prometheus
- Nagios
- Grafana
- Zabbix
- Datadog
- Monit
- Jaeger
- New Relic
- Instana
- AppDynamics
- OpenTracing
- Graylog
- Splunk
- Papertrail
- Elastic Stack
Master only one
- AWS
- Google Cloud
- Azure
- Heroku
- Availability
- Data Management
- Design and Implementation
- Management and Monitoring