Our team has evaluated Q2A and following is some feedback. I will be thankful if Gidgreen can comment on the modifications suggested and other observations.
1. For the scenario where we will not be using the native search app but will be using classification by tags and also use the related questions widget, the following line can be commented out:
qa_db_contentwords_add_post_wordidcounts($postid, $type, $questionid, $contentwordidcounts);
This is in qa-search-basic.php
Advantage: smaller database and faster indexing, faster performance
2. Many configuration variables are set at run time for every page load; they can be easily moved to a master global list. This will enhance performance. However, such a change will mean incompatibility with future releases and hence we have put it on hold.
I am not a developer to give further details, but this is the gist that they have shared. Will this be incorporated in future releases, as apparently it will markedly improve performance?
3. For immediate performance, when traffic is not expected to be high, APC is adequate. The script is well written for hardware scaling as and when required, which will be cheaper.
While a true cache is not there, simple MySQL caching will be adequate for a reasonably large website.
Is native cache in pipeline for the application?
Security
----------
4. Built-in adequate protection for SQL injection attack.
XSS and other first level defence, and performance optimization, can be enhanced with simple htaccess modification as below:
#Standard htaccess file for all apache-php
ServerSignature Off
# mod_rewrite must be switched on before any RewriteCond/RewriteRule below takes effect
RewriteEngine On
########## Block dangerous methods, header injection and scanner user agents
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Return 403 Forbidden error. The RewriteCond chain above only acts through this rule; without it the conditions do nothing.
RewriteRule .* - [F]
#client side cache
<IfModule mod_expires.c>
# Enable expiration control for better cache management at client end
ExpiresActive On
# CSS and JS expiration: 1 week after request
ExpiresByType text/css "now plus 1 week"
ExpiresByType application/javascript "now plus 1 week"
# Image files expiration: 1 month after request
ExpiresByType image/gif "now plus 1 month"
ExpiresByType image/jpeg "now plus 1 month"
ExpiresByType image/png "now plus 1 month"
ExpiresByType image/x-icon "now plus 1 month"
</IfModule>
########## Begin - Redirect index.php to / for SEO
## Note: Change domain.com to domain name being tested
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
# %2 in the rule below is the "(s)" group of this condition: "https" on port 443, "http" otherwise
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^index\.php$ http%2://www.domain.com/ [R=301,L]
########## Redirect non-www to www for SEO
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
########## First Level defence against File injection attack
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
# Return 403 Forbidden error.
RewriteRule .* - [F]
## Disallow access to configuration file and php.ini
RewriteRule ^(qa-config\.php|php\.ini)$ - [F]
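Added example, not part of the original post or of Q2A: a small Python check that re-expresses the request-filtering conditions from the htaccess above and runs constructed sample requests through them, showing which are refused and by which rule group, including the empty and tool user-agent cases. Assumptions: the Apache regexes are ported to Python's re with [NC] as re.IGNORECASE, and header values are tested raw, as Apache sees them.

```python
import re
from urllib.parse import urlsplit

# Added example, not Q2A or the poster's code: Python ports of the htaccess
# conditions above (assumption: Python re agrees with Apache PCRE for these
# simple alternations; [NC] becomes re.IGNORECASE).
SPECIAL_CHARS = re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.IGNORECASE)
UA_PREFIX = re.compile(r"^(java|curl|wget)", re.IGNORECASE)
UA_TOOLS = re.compile(
    r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner"
    r"|libwww-perl|curl|wget|python|nikto|scan)", re.IGNORECASE)
QUERY_INJECTION = [
    re.compile(r"[a-zA-Z0-9_]=http://"),
    re.compile(r"[a-zA-Z0-9_]=(\.\.//?)+"),
    re.compile(r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", re.IGNORECASE),
]
PROTECTED_FILES = re.compile(r"^(qa-config\.php|php\.ini)$")


def blocked_reason(method, url, headers):
    """Return the rule group that would answer 403 for this request, or None (order mirrors the htaccess)."""
    parts = urlsplit(url)
    ua = headers.get("User-Agent", "")
    if re.match(r"^(HEAD|TRACE|DELETE|TRACK)", method, re.IGNORECASE):
        return "method"
    if ua == "" or UA_PREFIX.search(ua) or UA_TOOLS.search(ua) or SPECIAL_CHARS.search(ua):
        return "user-agent"
    # Referer and Cookie are checked raw, exactly as the header arrived
    for header in ("Referer", "Cookie"):
        if SPECIAL_CHARS.search(headers.get(header, "")):
            return header.lower()
    if method.upper() == "GET" and any(p.search(parts.query) for p in QUERY_INJECTION):
        return "query-string"
    if PROTECTED_FILES.match(parts.path.lstrip("/")):
        return "protected-file"
    return None


# Constructed sample requests, not captured traffic
SAMPLES = [
    ("GET", "/questions?sort=votes", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/index.php?qa=http://remote.example/x.txt", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/qa-config.php", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/", {"User-Agent": "python-requests/2.31.0"}),  # a legitimate monitoring client is hit too
    ("GET", "/", {"User-Agent": "Mozilla/5.0", "Referer": "https://example.com/rock'n'roll"}),
]

if __name__ == "__main__":
    for method, url, headers in SAMPLES:
        print(f"{method} {url}: {blocked_reason(method, url, headers) or 'allowed'}")
```

The last two samples show the cost of the header rules: any client whose user agent mentions python, and any visitor arriving from a page whose URL contains an apostrophe, receives a 403 along with the scanners.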
Htaccess modification with server hardening can be adequate to go ahead without fear of security breach.
Note, there is no history of any targeted attack on this script. As a precaution, remove all explicit references to the script source to prevent future targeted attacks. Concern: HTML class references cannot be easily removed, but the risk is low.
The author will be best placed to identify other not so obvious fingerprints for which we can take adequate protection.
Minor Performance changes
5.1 Remove the version number suffix from CSS and JS requests to implement apache gzip, or better use minify by modifying the URI reference in the script:
qa-theme and qa-page
5.1.1 jQuery is not used for most pages - where all is it used?
Can it be replaced with a smaller script for voting (if yes, which one)?
If a future version uses jQuery extensively, we could put it back.
5.1.2 If jQuery is needed, can we replace it with the Google API version for better performance without loss of any functionality by making a change in qa-theme?
6. Licensing: In the future, will there be one edition of the software always available under GNU General Public License version 2? Any possibility of a paid version (better) along with a community edition?
7. Some third party plugins were not efficient - is there a curation of third party plugins? If there is no central curation, vet every plugin for security and performance.
8. Summary of positives
8.1 Theme and layer support - making it easy for in-house enhancements without loss of future upgradability. Consequently, performance degradation can be set right with many other levers - APC and hardware
8.2 Canonical support
8.3 All queries are SQL injection attack proof
8.4 Simple to manage, enhance and administer with basic PHP skills
8.5 Right trade-off between maintainability and performance, essential in the early stages of a website
8.6 Withstood JMeter test but with search totally disabled. Now, we need the search module back for tag and related question support. Not storing words should be adequate.
Negatives
- No native cache
-