Important

There are some general guidelines on things to do and not to do. Although some of these mainly apply to server-side work, they are worth keeping in mind everywhere, since work is sometimes done across that boundary.

Some tips:

  • Code is read more often than it is written. Make sure your code is understandable!

  • Comment code only when the "why" is not self-explanatory. Do not comment the "how", it should be obvious by reading the code.

  • Use meaningful variable names.

  • Always format your code.

  • Watch your browser's console and make sure no solvable errors or warnings are left.

  • Always fix your prop-type warnings when they occur

  • Never ever send sensitive data like passwords to the client (browser).

  • Never store passwords in plain text; use a password-hashing algorithm (for example bcrypt).

  • Never write hashing or encryption algorithms yourself. Use proven libraries for those (ask your colleagues in case of doubt).

  • Never write your own authentication system; rely on libraries for that (for Node you can use passport.js, for example).

  • Client-side validation alone is almost always insufficient (and unreliable): the browser is under the user's control, so always validate on the server side as well.

  • Be as restrictive as possible, whenever possible.

  • Do not add secrets to source control. If you accidentally committed a secret, removing it from history is painful (it is not as simple as force-pushing, because the old commits may still exist in clones and reflogs). The alternative is to rotate the secret, but make sure you invalidate the old one.

  • Always add any files containing secrets to the .gitignore.

  • If such a file is complex, it may pay off to keep an example file in your repository, for example .some-secret.example.
