age 1 of 25

Lesson 20 – Develop Website Backend System (Part 4)

Objectives:
1. Select appropriate server-side script.
2. Design and develop secure CRUDE server-side script.
3. Design and develop secure efficient APIs.
4. Implement website security using server-side scripting.

Content:
Appropriate server-side scripting language is selected

Server-side code can be written in any number of programming languages — examples of popular
server-side web languages include PHP, Python, Ruby, C#, and JavaScript (NodeJS).

Best Language for Server-Side Programming

Source: Google.com

Server-side languages power web applications, handling server logic, data processing, and content
delivery. Unlike client-side languages, they manage tasks like data manipulation and database
communication, enabling personalized web experiences based on user input.
 age 2 of 25

Server-side languages form the core of web apps, enabling intricate data management, security, and
vital functions like user authentication and real-time interactions. The choice of language significantly
impacts an app’s performance and scalability, guiding developers to select based on ease of use,
community support, and project needs.

In the realm of server-side programming, languages like JavaScript (Node.js), Python, and many others
are prominent. Each language offers distinct advantages and is chosen based on project needs and
goals, providing the necessary tools and support for efficient development tailored to the application’s
requirements.

What is Server-Side Programming Language?

Server-side programming languages are crucial tools used by developers to create and manage the
backend of websites and web applications procedures. Unlike client-side languages, which operate on
the user’s browser, server-side languages execute on the server, handling data processing, server logic,
and database interactions.

 Backend Logic Management: These languages control the core functionality of a server, orchestrating
how the application operates behind the scenes, including routing, request handling, and more.
 Data Handling and Processing: They handle data operations, such as manipulation, calculations,
validation, and transformation, ensuring efficient and effective processing.
 Database Connectivity and Operations: Server-side languages facilitate communication with databases,
handling data storage, retrieval, querying, and modification.
 Dynamic Content Generation: They enable the dynamic creation of content based on user input,
allowing for personalized and adaptive user experiences.
 Security Implementation and Management: These languages are fundamental in implementing various
security measures, including encryption, user authentication, and preventing vulnerabilities to safeguard
sensitive data.

In summary, server-side programming languages are the powerhouse behind the functionality and
dynamic nature of web applications. Their role in managing the backend, processing data, interacting
with databases, and ensuring security is essential for creating robust and interactive web experiences.

Importance of Server-Side Programming Language

Server-side programming languages play a pivotal role in the foundation and functionality of web
applications. They handle the server’s core logic, data processing, and database interactions, crucial for
delivering dynamic and interactive content to users.

 Dynamic Content Generation: These languages are instrumental in generating dynamic and
personalized content, facilitating tailored user experiences, and delivering information in real time
based on user interactions.
 Database Connectivity and Operations: They manage interactions with databases, enabling efficient
data storage, retrieval, and manipulation, ensuring seamless access to information and efficient data
handling within the application.
 age 3 of 25

 Security Implementation and Management: Server-side languages play a vital role in implementing
robust security measures, including encryption, user authentication, and shielding against potential
cyber threats, ensuring the safety and confidentiality of sensitive data.
 Server Logic and Request Handling: They control server-side logic, managing user requests, sessions,
and computational processes, orchestrating the backend functionality and the flow of data within the
application.
 Scalability and Performance Optimization: The choice of server-side language significantly influences an
application’s scalability and performance. These languages, when employed skillfully, enable the
development of applications capable of handling increased load and maintaining optimal performance
as user traffic grows.

Server-side programming languages are the backbone of web applications, driving dynamic content
generation, database connectivity, security implementation, server logic management, scalability, and
performance.

Their role in creating robust, secure, and efficient applications is fundamental, ensuring a responsive,
personalized, and secure user experience while maintaining the integrity and functionality of the
application.

Best Server-Side Programming Languages

Server-side programming languages serve as the cornerstone for web application development, offering
various tools and capabilities that drive the backend functionality. Among the leading languages,
JavaScript, with its Node.js framework, stands out for its versatility and efficiency.

1. JavaScript (Node.js)

JavaScript, primarily known for client-side development, extended its functionality to the server with
Node.js. This runtime environment allows JavaScript to be used on servers, empowering developers with
a unified language for both client-side and server-side scripting. Node.js utilizes an event-driven, non-
blocking I/O model, enhancing the language’s performance and scalability for server-side operations.

Features JavaScript Offers as a Server-Side Programming Language

JavaScript, predominantly recognized for its role in client-side scripting, has evolved into a robust server-
side language, primarily through Node.js. Its versatility and adaptability to server-side development have
unlocked various features and functionalities, transforming it into a powerful tool for backend
operations.

 Asynchronous Event-Driven Model: Node.js leverages an event-driven architecture, enabling

asynchronous operations. This allows for non-blocking I/O, improving the application’s responsiveness
and scalability.
 Vibrant Ecosystem and NPM: JavaScript benefits from a vast ecosystem of libraries and packages via the
Node Package Manager (NPM). Developers can access a myriad of tools and modules for diverse
functionalities.
 Efficient Real-time Applications: Node.js is well-suited for building real-time applications such as chat
platforms and online gaming due to its ability to handle multiple simultaneous connections efficiently.
 age 4 of 25

 Scalability and Performance: Its lightweight nature and non-blocking I/O model contribute to high
performance and scalability, making it an excellent choice for applications requiring high throughput.
 Code Reusability: With JavaScript running on both client and server sides, developers can reuse code,
reducing redundancy and enhancing consistency in development efforts.

JavaScript, powered by Node.js, provides a robust server-side programming environment. Its

asynchronous, event-driven nature, vast library support, efficiency in real-time applications, scalability,
and code reusability make it an excellent choice for developers. For precise results, consider hiring
dedicated JavaScript developers or reaching out to a JavaScript development company for efficient
deployment and optimal utilization of its capabilities.

2. Python

Python, renowned for its readability and versatility, has gained recognition in the realm of server-side
programming. With frameworks like Django and Flask, Python offers an array of tools empowering
developers in building robust and scalable server-side applications.

Features Python Offers as a Server-Side Programming Language

Python, highly regarded for its readability and versatile nature, has established itself as a robust server-
side programming language, notably through frameworks such as Django and Flask.

 Extensive Frameworks: Python boasts frameworks like Django and Flask, streamlining web development
with ready-to-use components, and enabling rapid and efficient coding.
 Readability and Simplicity: Known for its clear and concise syntax, Python allows for quicker
development and easier maintenance, reducing development time and costs.
 Vast Library Support: Its rich library repository provides numerous modules and packages, aiding in
diverse functionalities without starting from scratch.
 Scalability and Flexibility: Python offers scalability and flexibility, accommodating the growth and
adaptability needs of applications.
 Community Support and Documentation: Python enjoys a robust community, ensuring comprehensive
support, vast resources, and extensive documentation, making it easier for developers to find solutions
to various challenges.

Python, with its readability, powerful frameworks, extensive libraries, scalability, and strong community
support, serves as an excellent server-side programming language.Its simplicity and vast resources
contribute to efficient and scalable development.

3. Ruby on Rails

Ruby on Rails, often referred to as Rails, is a prominent framework for web development, utilizing the
Ruby programming language. It’s known for its elegant simplicity and convention over the configuration
approach, streamlining and expediting the development process.

Features Ruby on Rails Offers as a Server-Side Programming Language

Ruby on Rails, known for its elegance and efficiency, is a robust server-side programming framework
built on the Ruby language. It emphasizes convention over configuration, simplifying and accelerating
 age 5 of 25

web development by providing a structured environment for developers to build powerful and scalable
applications.

 Convention over Configuration: Ruby on Rails promotes a philosophy where developers follow
conventions, minimizing configuration needs and allowing quick setup without excessive settings.
 Rapid Development: Its elegant and clean syntax, along with pre-built modules, accelerates
development, enabling faster prototyping and project deployment.
 Scalability and Modularity: Ruby on Rails supports modular design, facilitating the development of
scalable applications, and making it adaptable to evolving project requirements.
 Rich Ecosystem and Community Support: It benefits from a robust community and a wide array of gems
(libraries) that simplify complex functionalities and enhance productivity.
 Security Measures: Rails integrates various built-in security features, reducing common security threats,
and making it a reliable choice for secure application development.

Ruby on Rails, celebrated for its convention-based approach, rapid development, scalability, rich
ecosystem, and security measures, serves as a potent server-side programming language.

Its emphasis on developer convenience and efficiency, combined with a supportive community, makes it
a valuable choice for developing robust web applications. Engaging with a Ruby on Rails development
company can further leverage its potential for crafting efficient and secure server-side solutions.

4. PHP

PHP, a popular server-side scripting language, is deeply entrenched in web development. Renowned for
its simplicity and integration with HTML, it powers a significant portion of the web, offering a versatile
environment for building dynamic web applications.

Features PHP Offers as a Server-Side Programming Language

PHP is a versatile and widely-utilized server-side scripting language that plays a crucial role in web
development. Known for its seamless integration with HTML, it empowers developers to create dynamic
web applications effortlessly. With extensive community support, robust database integration, and cost-
effectiveness, PHP enables scalable and compatible solutions for diverse web-based projects.

 Versatility and Integration: PHP seamlessly integrates with HTML, allowing developers to embed
dynamic content within web pages effortlessly.
 Vast Community and Support: Its extensive community support provides numerous resources,
frameworks, and libraries for varied functionalities and problem-solving.
 Efficient Database Integration: PHP is adept at interacting with various databases, enabling smooth data
storage, retrieval, and management.
 Cost-Efficient and Accessible: As an open-source language, PHP is freely available, reducing
development costs and providing accessibility to a wide range of developers.
 Scalability and Compatibility: It scales well and runs on multiple platforms, making it suitable for a
broad spectrum of applications and adaptable to diverse environments.
 age 6 of 25

PHP, celebrated for its integration capabilities, vast community support, efficient database integration,
cost-effectiveness, scalability, and compatibility, remains a popular choice for server-side development.

Its versatility and widespread usage across different web applications showcase its enduring significance
in the world of web development. Leveraging it with the expertise of proficient PHP developers ensures
the creation of robust and dynamic web solutions.

5. Java

Java, recognized for its portability and scalability, is a widely used programming language for server-side
development. With its robust ecosystem and extensive libraries, Java is favored for building secure and
high-performance applications.

Features Java Offers as a Server-Side Programming Language

With Java’s robust ecosystem, comprehensive libraries, and a strong emphasis on security, Java stands
out as a reliable choice for building high-performance and secure server-side applications. Its features
include portability, a strong library ecosystem, emphasis on security, scalability, and multithreading
capabilities for concurrent execution.

 Portability and Platform Independence: Java’s “write once, run anywhere” principle allows applications
to run on any device or platform supporting Java, ensuring portability.
 Strong Ecosystem and Libraries: Java provides a rich set of libraries and frameworks, such as Spring and
Hibernate, offering comprehensive tools for various functionalities.
 Security Measures: Known for its strong security features, Java enables developers to build highly
secure applications, protecting against vulnerabilities.
 Scalability and Performance: Java’s architecture supports scalability, making it suitable for large-scale
applications and ensuring high performance.
 Multithreading and Concurrency: Java’s multithreading capabilities allow for concurrent execution,
beneficial for handling multiple tasks simultaneously and optimizing performance.

Java, with its portability, strong ecosystem, security measures, scalability, and multithreading
capabilities, stands as a reliable language for server-side programming.

Its versatile nature and emphasis on security make it a preferred choice for developing robust and
secure server-side applications. Partnering with experienced Java developers can leverage its full
potential for creating efficient and reliable solutions.

Factors to Consider when Choosing a Server-Side Programming

When selecting a server-side programming language, various critical factors should influence your
decision, impacting the performance, scalability, security, community support, and the availability of an
extensive ecosystem and libraries.

1. Performance
 age 7 of 25

Performance stands as a cornerstone in choosing a server-side language. It encompasses the language’s

execution speed, its efficiency in handling complex computational tasks, and how it operates under
various workloads.

A language’s performance directly affects the responsiveness and speed of your application. Consider
benchmarking, profiling tools, and examining real-world performance metrics to ensure the language
aligns with your application’s speed requirements.

2. Scalability

Scalability refers to the language’s ability to grow along with your application’s demands. It involves
assessing how well the language handles increased user load and growing data volumes without
compromising performance. A scalable language allows your application to expand without architectural
constraints or significant rewrites.

3. Community and Support

The community surrounding a programming language is pivotal. A vibrant and supportive community
provides extensive resources, forums, documentation, and a pool of experienced developers. A strong
community ensures ongoing support, swift issue resolution, and a wide array of libraries and tools for
efficient development.

4. Security

Security is non-negotiable. Evaluate the language’s built-in security features, its track record in handling
data securely, and the community’s responsiveness to security concerns and patches. A language with
robust security features is fundamental in safeguarding sensitive data and protecting against potential
vulnerabilities.

5. Ecosystem and Libraries

The availability and quality of an ecosystem consisting of frameworks, libraries, and tools associated
with the language can significantly impact development efficiency.

A rich ecosystem streamlines the development process, offering ready-made solutions to complex
problems and reducing the need to reinvent the wheel.

In conclusion, the selection of a server-side programming language should be a meticulous process,

considering performance, scalability, community support, security measures, and the availability of a
robust ecosystem and libraries. Each factor plays a crucial role in determining the success and efficiency
of your server-side development.

Secure CRUD server-side scripts are designed and developed

 age 8 of 25

CRUD is an acronym from the world of computer programming and refers to the four functions
considered necessary to implement a persistent storage application: create, read, update and delete.

Understanding CRUD Apps and Security Concerns

Source: Google.com

CRUD applications perform four fundamental operations on underlying data: Create, Read, Update, and
Delete. These operations are essential when storing, managing, and retrieving data in databases or
other storage systems. While CRUD applications provide an interactive way for users to manipulate data,
adequate security mechanisms are crucial to ensure the integrity, confidentiality, and availability of the
stored information.

Several security concerns arise when developing CRUD applications, such as user authentication, access
control, data validation, and protection from common web-based threats. To mitigate these concerns,
developers should follow best practices, use appropriate tools and technologies, and continuously
assess the security posture of their applications. This article discusses essential security aspects in CRUD
applications, focusing on user authentication and authorization, data validation and sanitization, and
what you can do to secure your application from potential attacks.

Securing User Authentication and Authorization

Authentication and authorization are the two main pillars in ensuring that only legitimate users access
your CRUD application's data. By implementing a strong authentication and authorization system, you
can verify users' identities and prevent unauthorized access to protected resources.

User Authentication
 age 9 of 25

User authentication verifies the identity of a user attempting to perform actions within your application.
Ensuring a secure user authentication process involves:

 Strong password policies: Implement password requirements such as minimum length, a mix of
uppercase and lowercase letters, numbers, and special characters. Encourage users to use
unique, non-dictionary passwords to minimize the risk of credential theft.
 Multi-factor authentication (MFA): Use MFA to add an extra layer of security to the
authentication process. This typically involves combining something the user knows (e.g., a
password) with something the user has (e.g., a smartphone) or something the user is (e.g., a
fingerprint).
 Password storage with hashing and salting: Do not store passwords as plaintext. Instead, use
secure hashing algorithms like bcrypt or Argon2 and a unique and random salt to store hashed
representations of user passwords.
 Implement account lockout policies: To prevent brute-force attacks, lock user accounts after
several failed login attempts and require manual intervention or a password reset process to
unlock them.

User Authorization

User authorization determines what actions authenticated users can perform within your CRUD
application. To implement proper authorization in your application, follow these best practices:

 Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC): Use RBAC or ABAC
models to define user roles and their corresponding permissions. This allows for a more
manageable and granular approach to granting and revoking access to your application's
resources.
 Principle of Least Privilege (POLP): Grant users the minimum permissions necessary to perform
their tasks. This makes your CRUD application more resilient to accidental data exposure and
limits the potential damage of compromised user accounts.

Data Validation and Sanitization for Input Fields

One of the primary security concerns in a CRUD application is validating and sanitizing user input.
Attackers can exploit poorly validated input fields to carry out malicious activities, such as SQL injection
and cross-site scripting (XSS). Therefore, properly handling user input is essential to ensure your CRUD
application's security.

Data Validation

Data validation checks whether the input data meets certain criteria and conforms to specific patterns
or rules. Some common data validation techniques include:

 Client-side validation: Use JavaScript or similar client-side technologies to validate user input
before submitting forms. While this method provides quick user feedback, it is not enough to
ensure security, as an attacker can bypass client-side validation.
 Server-side validation: Perform validation on the server-side to ensure that input data matches
the expected format and meets any specific business rules. Server-side validation is a more
 age 10 of 25

reliable method of securing user input and should always be part of your data validation
strategy.

Data Sanitization

Data sanitization is removing or escaping potentially harmful code or characters from user input. HTML
encoding or URL encoding are examples of escaping mechanisms that can prevent specific attacks, like
XSS or path traversal. To perform data sanitization:

 Use available libraries and frameworks: Leverage libraries and frameworks that offer built-in
input sanitation features, such as OWASP's Java Encoder or Microsoft's AntiXSS library.
 Sanitize HTML content: If your CRUD application allows users to submit HTML content, use a
whitelisting approach to only allow safe tags and attributes. Make sure to sanitize both the input
and output phases of data processing, as attackers can exploit stored and reflected
vulnerabilities.

By implementing data validation and sanitization measures, you can protect your CRUD application from
common security threats and significantly improve the security posture of your software.

Maintaining a Secure Database Connection

When developing CRUD applications, it's crucial to maintain a secure connection with your database to
protect sensitive data from unauthorized access or manipulation. A secure database connection can
help mitigate attacks such as SQL injection, which is a common vulnerability in CRUD applications.

Here are some best practices for maintaining a secure database connection:

1. Least Privilege Access Policy - Grant the minimum required permissions to the database
user account. Limiting access helps reduce the potential damage in case of a security
breach. For example, if an application only needs to read data, don't grant it write or
delete permissions.
2. Data Encryption - Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
encryption to secure data both in transit and at rest. Encrypting data prevents
eavesdropping and tampering with sensitive information.
3. Parameterized Queries or Prepared Statements - Prevent SQL injection attacks by using
parameterized queries or prepared statements instead of string concatenation to build SQL
commands. Parameterized queries separate data from commands, making it difficult for
attackers to inject malicious code.
4. Monitoring and Auditing - Regularly monitor your database logs and perform audits to
detect suspicious activity, unauthorized access attempts, or data breaches. Use monitoring
tools, set up alerts, and review logs periodically to keep tabs on your database security.
5. Database Software Updates - Keep your database software up-to-date with the latest
security patches and updates. Database vendors frequently release updates to address
vulnerabilities and enhance security. Regularly review your software's release notes to stay
informed of important updates.

Addressing Common Security Threats in CRUD Applications

 age 11 of 25

CRUD applications can be vulnerable to several common security threats. Awareness of these threats
and implementing appropriate countermeasures can help protect your application and its data. Here are
some common security threats and how to address them:

1. SQL Injection - SQL injection occurs when an attacker manipulates SQL queries by injecting
malicious code through user inputs, potentially compromising your database. To prevent
SQL injection, use parameterized queries or prepared statements, validate and sanitize
user inputs, and employ a least privilege access policy for your database user account.
2. Cross-Site Scripting (XSS) - XSS is a security vulnerability wherein an attacker injects
malicious client-side scripts into webpages viewed by other users, potentially stealing
sensitive information or hijacking user sessions. To combat XSS, validate and sanitize user
inputs, and never trust data from untrusted sources. Also, employ Content Security Policy
(CSP) headers and encode data that is rendered on the client-side.
3. Cross-Site Request Forgery (CSRF) - CSRF is an attack where a user is tricked into
performing an unwanted action, such as deleting data, on a web application in which they
are authenticated. Protect your CRUD app from CSRF attacks by using CSRF tokens,
validating user requests, and implementing SameSite cookie attribute.
4. Insecure Direct Object Reference (IDOR) - IDOR attacks occur when an application exposes
a reference to an internal implementation object, such as a file, directory, or database
record. Attackers can exploit these references to access unauthorized data. To prevent
IDOR, implement proper access controls, use indirect object references, and limit the
exposure of internal data.

Security Best Practices for CRUD App Development

Following security best practices is essential for developing secure and reliable CRUD applications. These
practices help mitigate potential security threats and ensure the safety of your application. Here are
some key security best practices for CRUD app development:

1. Principle of Least Privilege - Always follow the principle of least privilege when granting access
rights and permissions. Limit user and system privileges to the bare minimum required to
complete tasks, reducing the possible impact of a security breach.
2. Secure Coding Standards - When developing your CRUD application, adhere to secure coding
standards and guidelines, such as OWASP or CERT. Following established standards can help
avoid common security pitfalls and streamline development efforts.
3. Security Testing - Regularly test your CRUD application to identify vulnerabilities and risks. Use
penetration testing, static and dynamic code analysis, and vulnerability scanning techniques to
uncover potential issues.
4. Web Application Firewall - Employ a web application firewall (WAF) to protect your CRUD
application from common attacks like SQL injection, XSS, and CSRF. A WAF can detect and block
malicious traffic, helping to safeguard your application and data.
5. Patch and Update Software Components - Regularly patch and update all software components,
including your database, web server, and any libraries or frameworks in use. Staying up-to-date
ensures that your application remains protected against newly discovered vulnerabilities.
 age 12 of 25

Secure, efficient and standard-compliant web service/API are designed and

developed

API design is the collection of planning and architectural decisions you make when building an API. Your
basic API design influences how well developers are able to consume it and even how they use it. Just
like website design or product design, API design informs the user experience.

What is API?

API stands for Application Programming Interface. API interface is a set of rules that entail the
interaction of two applications. By using this set of rules, these two-applications exchange data, send API
requests, and receive responses from one another.

If we talk about web applications, these two apps are client and server and this interaction is actually
executed. A client is an application that commonly makes requests for receiving the required data from
the API server, while the API server receives these requests, processes them, and forms the responses to
a client.

A note: The equivalent to this process is a restaurant where the customer orders a dish, and the waiter
is tasked with taking this order and providing a dish.

To send requests and receive responses, API uses various protocols and standards, and architectural
styles. The most frequently used architectural style for web applications is considered to be REST API.

What is REST API?

REST is an architectural approach for creating API. This title decrypts as Representational State Transfer
in the making of transmission of representative state.

The main peculiarity and differentiator of REST APIs is that this approach is supposed to be the best
choice to use methods of the HTTP protocol.
 age 13 of 25

Requests to this type of API are commonly similar to the open URL pages by users but instead of the
graphic page display, a server displays the simple text data only.

Also, we would like to mention, in this case, the interaction is executed with no state saving and a server
does not save the client information between diverse requests.

Furthermore, we would like to highlight the key benefits of REST API we haven’t mentioned above:

 Productive capacity
 Scalability
 Caching
 The simplicity of a consistent interface

Common types of APIs

Various types of APIs differ not only by architectural style but by their applications within web solutions.

Open API

Open APIs are generally available so that anyone who requires them can use them. Services of this type
may have user authorization and authentication and also require a certain charge for their use.

As for examples of this type of API, we would mention Google API which provides such services as
Google Maps API, and Google Places API for general use.

In addition, there are specially made catalogs with lists of open APIs that allow finding the off-the-shelf
API solution, testing it on your software products, and assessing it before providing payment for this API.
For example, these APIs can be Public API, Rapid API, etc.

Private API

This type of API is used by different businesses to content the inner systems and databases. They are not
available to other users, thereby, these interfaces and data can be accessed by third-party software
suppliers.

Partner API

The title of this API speaks for itself, meaning this API is accessible only to authorized third-party
developers. Such a partner must reach a partnership agreement or pay for a partnership license that
allows them to use these paid APIs.

Main software components of API

The main components of API unite several of the aforementioned types of API for the solution and
implementation of the tasks and requirements.
 age 14 of 25

Why do businesses use third-party API?

Overall, API can be a solution to a wide range of concerns as well as boost business capabilities. To start
with issues to solve, we would like to provide a use case.

Let’s say you work at the servicing depot and your clients are keen on unique cars, challenging your
business to find the required material and equipment to repair or improve these cars.

Thereby, your business may face numerous complexities that lead to long terms of execution of such
orders. And here comes the problem. The creation and processing of one order take approximately 30
minutes for an employee. This problem is because an employee needs to access five different systems to
search for the required information and process a single order.

The solution to this problem is to integrate APIs of the required services to create orders within a single
software system. Thereby, the details of each order will be automatically displayed within a single
interface.

As a result, the time for processing an order decreases to 12 minutes per each, which allows your team
to increase the number of processed orders in the future with no gain in the number of employees.
How can your own API benefit your business?

With the availability of a database and its specifically created new API, you get an additional method of
monetization for your business, and you can sell the ability to use this API for others.

If you don’t own a database, but you can provide another service that you are willing to scale to a
broader audience, then you can write your own API for this purpose that will let other web services who
use this paid API get the service you offer at your website.

For example, Google Place API monetizes its API depending on the number of requests that a client-side
sends to it. Talking about Stripe, the service that provides the availability of online payments takes a
certain percentage for each bank operation.

Attracting more clients to use your service in different applications thanks to using your API ensures
more engagement and higher interest in your product for many new users.

5 steps to creating API for your web app

Step #1 Defining the goals

It is pivotal to start with planning and detailed exploration of the area, define the tasks which your
solution needs to be capable of executing, and define the essence of the area.

Before the development part, it is essential to properly discover the requirements of the user that will
use this application, as it will help to form the initial demand for the API.

Step #2 API development

 age 15 of 25

API is a kind of connection bridge between a client and a server in the client-server API architecture.
That is why it is worthy to define the format of interaction to make it clear and accessible for both sides.
The selection of this format will define the efficiency and success of this interaction between a client and
a server. The most common data formats are considered to be JSON, YAML и XML. The next step entails
defining the format of the error message. Depending on the case, your API can respond successfully or
contain a code or a message about an error. The complete list of HTTP response codes you can find at
this link – https://developer.mozilla.org/ru/docs/Web/HTTP/Status. After these steps, the following one
is the creation of endpoints that allows clients to interact with resources via different HTTP methods of
sending: GET, POST, PUT, PATCH, DELETE:

 GET – is used to receive the records of a resource

 POST – is used for adding a new resource
 PATCH – is used for partial change of a resource
 PUT – is used to create a new resource or replace the target data resource in the request body;
 DELETE – is used to delete a resource.

Examples of endpoints

GET https://yoursite.com/v1/products – it allows you to receive a list of

products. GET https://yoursite.com/v1/products/{id}/reviews – it allows you to receive a list of reviews
about a certain product. POST https://yoursite.com/v1/products – it allows you to add a product to a
catalog. When selecting the addresses, we recommend following certain rules of titling and keeping the
same style of titling for existing resource and endpoints, structure of requests, and response during the
entire project. Thus, your API will be consistent and convenient to use. During this stage, developers
implement the code of the endpoints and solve tasks of business logic connected with resource data
using the required tools. They implement the required formats of interaction, work with databases,
ensure caching and try to improve their productivity. It is essential to think of the safety of your web
service during the API development process. HTTPS protocol is highly recommended to use as SSL/TLS
encryption allows protecting API the traffic of your server from the massive attack and leakage of
sensitive data. Also, it is pivotal to use various methods of authentication and authorization to restrict
the access to API resources of different users. This step is critical to know that users are real and have
the right for reading, record, and delete data from a certain API address. As a result of web app
development and upgrading, some functions, as well as API interfaces, may vary. It is vital to ensure that
additional web app functionality doesn’t prevent the work of the existing solution, which can be fixed
with the versioning system. There are several methods to type the versioning of the API. The easiest of
them is typing the version in the address bar, for example, HTTPS:// api.yoursite.com/v1,
HTTPS:// api.yoursite.com/v2, and so on. To work the versions transparently, there are specifications
like SemVer – the set of rules that help to standard the launches of new versions of the web solution.
 age 16 of 25

Step #3 Testing

The next step of API building is API testing. This is an iterative process of checking the workability of the
API that allows revealing the errors that may occur while using interfaces.

API can be tested using the automated module and integration tests that will regularly check the
methods of using various methods of data income, imitating the actions of real API consumers, and the
probability of certain system errors during production.

In addition, developers can also use other kinds of testing to ensure the API corresponds to the
additional requirements like safety, fault tolerance, and others.

Step #4: Documentation

API documentation is technical information that fixes the guides on effectively and correctly using these
programming interfaces. It describes the available endpoints, resources, formats of requests and
responses, examples of returned data, codes and texts of errors, etc. API documentation has to be easy
to understand and content the examples of using, and also has to be relevant and accurate.

Numerous tools can simplify the creation of API documentation for the project, like Swagger and
OpenAPI Specification. The well-aligned API documentation decreases time and expenses for
integration and work of developers.
Step #5: Monitoring

After all the aforementioned steps are complete, the web application is deployed to production for
further monitoring and analysis phases. It is essential to track the system errors and find a quick solution
to fix them.

Also, it is vital to consider the metrics of web app performance CPU/memory, follow the uptime
indicators, number of simultaneous users, the time spent for server responses, and other indicators that
 age 17 of 25

allow assessing API performance. You can use tools like Sentry, New Relic, Amazon CloudWatch, and
many others.

Website security is implemented using server-side scripting

With advancements in web technology, businesses need highly functional, visually appealing websites
with improved security, emphasizing secure server-side programming language.

Understanding the Process: Bringing Websites to Your Screen

When you load the website in your browser, from server to the browser a sequenced messaging had
worked with a list of code to bring a page to your screen. Behind the screen, there has a server-side
script on the web server that unites the database with front-end and the browser to bring a user
requested page with a smooth user-friendly experience. There are many server-side scripting languages
out to deliver the best possible results.

Even though we use the best server-side scripting language for web development, there are the utmost
cases we get hacked. In general, most hacks occur opportunistically when an attacker identifies
weaknesses in your site or server. Every day, attackers discover new weaknesses, leading to exploits and
hacked sites. Opportunistic hackers use an array of tools to recognize the potential targets. It all starts
with the list of exploits. For example, let’s say a weakness has been discovered in a popular slideshow
plugin. The hacker will learn about this weakness and investigates the plugin. They will detect that
there’s a recognizable “footprint” for the plugin – every site that uses it has the text “powered by My
CoolSlideShowPlugin”.

From the above point, it was clear that it’s easy to scrape Google to build a huge list of hackable sites. So
that’s what the attacker does.
 age 18 of 25

Then they write a simple script to perform the hack, they load up their list of targets and set it to lose.
The script will go onto the web and attempts to hack every site on the list.

Understanding Website Security Beyond WordPress

It’s not just WordPress site gets hacked. Whenever you visit a site, WordPress is the most used
component. It’s not only software installed on your server. Server environments are difficult systems,
with thousands of moving parts. Security exploits exist at all levels of the technology stack, from
hardware up. WP White Security reported that weaknesses in the web host account for 41% of hacked
WordPress sites. Some software component running on the server machine that had a security hole and
a hacker exploited it.

As a footnote, only a tiny number of sites are hacked through the WordPress core files. This is just to
show that how thorough the WordPress team is at closing security holes

Sever security is a vast subject – we could easily fill several books covering all the details. We have
examined how attackers discover and utilize exploits to hack sites. Your major goal is to protect your site
from such an attack. To do that, you must need a understanding of security that we must implement.

What are the key features of security?

 Know Your System

 The Principle of Least Privilege
 Defense in Depth
 Protection is the Key aspect but Detection is a Must
 Know Your Enemy
 age 19 of 25

Know your System

Before securing your site, you need to understand how your system works. The deeper you understand,
the more easily you spot to fix the weaknesses. It is necessary to understand which plugins are
responsible for which features, what custom code has been added, and so on.

The Principle of Least Privilege

Each person who uses the system should have the least privileges they need to perform the tasks. The
website designers need not have root access to the server. The writer should only be able to log on and
write the content. You do understand who is interacting with your site and understand which privileges
they require to perform their tasks.

Defense in Depth

Never depend on a single safety measure to keep the server safe. You need to have multiple security
measures of defense. The more layers you deploy, the harder it is to break through and harm the site.

Protection is the key aspect but detection is a must

Do everything to protect your site. Get some ways to detect the attack in order to prevent it to happen
in future.

Know Your Enemy

Know the methods used to attack the website. This will allow us to be more secure from hackers.

Instead of the above-mentioned tactics to know the hackers, we need to implement some technical
methods to overcome attackers.

How to protect your website against attacks?

 age 20 of 25

A business can adopt the below-mentioned policy to protect itself against web server attacks.

 SQL Injection –
In order to reduce the attacks, you need to sanitize and validate the user parameters before
getting submitted to the database for processing. Database engines as MS SQL server, MYSQL
etc. supports the parameters and prepared statements. They are much safer than any
traditional SQL statement.

 Denial of service attacks –

Firewall is the best one that is used to drop traffic from suspicious IP address if the attack is a
simple DoS. Proper configuration of networks and Intrusion Detection System helps to reduce
the chances of a DoS attack been successful.

 Cross Site Scripting –

Validating and sanitizing headers, parameters passed via the URL, form parameters, and hidden
values can reduce XSS attacks.

 Cookie/Session Poisoning –
Encrypting the contents of the cookies, timing out the cookies after some time, and coordinating
the cookies with the client IP address used to create them can avoid this.

 Form Tempering –
We can prevent it by validating and verifying the user input before processing.

 Code Injection –
 age 21 of 25

This can be prevented by considering all the parameters as data rather than executable code.
Implementing sanitization and validation can achieve this.

 Defacement –
Best web application development security policy should ensure that it seals the commonly
used vulnerabilities to access the web server.

By following this we can get rid of hackers and keep our website safe and secure.

The 5 most popular and the best server-side scripting languages for web development

PHP

Poorly developed PHP coding by developers who fail to accurately mistrust user input causes the
majority of vulnerabilities. In simple words, the developers need not involve the code to sufficiently or
correctly sanitize various form of user input.

The two key major key factors that make your Php site secure is at the input to Validate and
Sanitize and at output to Sanitize and Escape. Which means you are performing checks at the input and
output points.

Considering, PHP serves as the most popular open-source server-side HTML-embedded scripting
language utilized for creating dynamic web pages in web development. In general, PHP was designed for
web development to pull and edit information in the database, making it mostly used for small or
medium-level website development compared to other languages. Even though demand for Python is
increasing, PHP is still very popular for Secure Server-Side Programming.

Java

The major reason that the Java become such a very popular target for attacks. The huge Eco-system of
add-on software components in Java. In fact, Java is the second most easy language to hack by the mid-
level hacker as Java was designed at the maximum compatibility, It is an object-oriented, that it runs on
the host of device, class-based and concurrent language that will work on any platform that developed
by the sun micro system. But still, if have an expert on your side as Java is a little complex to hack.
Businesses consider java because it’s very helpful for the enterprise-level business applications, high-
traffic sites, and Android apps as it has a unique functionality that no other programming language do
provide.

Python

It is the fastest growing language and widely accepted in the web market. It’s simplicity and
readability make it great for beginners.it can backs up many programming paradigms such as OPPS’s,
structured programming and even functional programming. A lot of web developers are using the
python. so as to get the results of its flexibility and the board range of application.
 age 22 of 25

As with any coding language, security is the major thing to consider at front-end for all the python
developers especially for those with giant database of sensitive information that could lead to terrible
consequences if hacked or breached.

In order to protect the code from hacker’s python uses Checkmarx’s CxSAST, a static code analysis
solution, that stands out to test solutions as not the solution which actually protect the python code and
compliance issues, but also as tool to the organization’s advancement.

ASP.NET

ASP.NET offers an impressive set of cryptography-related classes for protecting even the most sensitive
data. Throughout ASP.NET, implementing cryptography is simple, making it ideal for Secure Server-Side
Programming.

Microsoft developed ASP.NET, an open-source web framework, for building modern web applications
and services. With ASP.NET, you can quickly create websites based on HTML, CSS, and JavaScript and
add complex capabilities like Web APIs, form over data, or real-time communications. The common
language runtime (CLR) allows programmers to write ASP.NET code using any supported .NET language.
An active developer community ensures that the language has well-written documentation, ensuring its
comprehensiveness for Secure Server-Side Programming

C#

C# is one of the most popular and multi-paradigm programming languages of Microsoft’s which has run
on .NET framework. As we know C# is the flagship language chosen for the Secure server-side
programming. As you know, it’s hard to find a language with as much depth from an enterprise
standpoint as C#. The original replaces of Java, JVM is the whole platform with C#

It coordinates productivity and versatility by blending the best aspects of the C and C++ languages. It
includes imperative, functional, generic, object-oriented and component-oriented programming
principles.

Teachers Activity:
Ask Question
Show Presentation
Demonstration
Show video:
https://www.youtube.com/watch?v=JnCLmLO9LhA
https://www.youtube.com/watch?v=ByuhQncSuAQ
 age 23 of 25

Reference:
Site:
https://www.google.com/
https://www.youtube.com/
https://wpwebinfotech.com/blog/best-language-for-server-side-programming/
https://appmaster.io/blog/security-in-crud-apps
https://www.altamira.ai/blog/guide-to-creating-api-for-your-web-application/
https://krify.co/secure-server-side-programming-language/

eBook:
 Introduction to Server-Side Programming by: Charles Liu

Assessment 20-1:
Written Test

Test I: True or False: Write the letter T if the statement is true and F if the statement is false on the
space provided.

_____________ 1. Regularly patch and update all software components, including your
database, web server, and any libraries or frameworks in use.
_____________ 2. CRUD applications can be vulnerable to several common security threats.
 age 24 of 25

_____________ 3. SQL injection occurs when an attacker manipulates SQL queries by

injecting malicious code through user inputs, potentially compromising
your program.
_____________ 4. When developing CRUD applications, it's crucial to maintain a secure
connection with your database to protect sensitive data from
unauthorized access or manipulation.
_____________ 5. Following security best practices is essential for developing secure and
reliable CRUD applications.
_____________ 6. Several security concerns arise when developing CRUD applications, such
as user authentication, access control, data validation, and protection from
common web-based threats.
_____________ 7. CRUD is an acronym from the world of computer programming and refers
to the four functions considered necessary to implement a persistent
storage application: create, rise, update and delete.
_____________ 8. Authentication and authorization are the two main pillars in ensuring that
only legitimate users access your CRUD application's data.
_____________ 9. Use MFA to add an extra layer of security to the authentication process.
_____________ 10. User authorization determines what actions authenticated users can
perform within your CRUD application.
_____________ 11. C# is one of the most popular and multi-paradigm programming
languages of Microsoft’s which has run on .NET framework.
_____________ 12. ASP.NET offers an impressive set of cryptography-related classes for
protecting even the most sensitive data.
_____________ 13. JavaScript developed ASP.NET, an open-source web framework, for
building modern web applications and services.
_____________ 14. A lot of web developers are using the python. so as to get the results of its
flexibility and the board range of application.
_____________ 15. In fact, Java is the second most easy language to hack by the mid-level
hacker as Java was designed at the maximum compatibility.
_____________ 16. Considering, PHP serves as the most popular open-source server-side
HTML-embedded scripting language utilized for creating dynamic web
pages in web development.
_____________ 17. Depend on a single safety measure to keep the server safe. You don’t need
to have multiple security measures of defense.
_____________ 18. Know the methods used to attack the website. This will allow us to be
more secure from hackers.
_____________ 19. Before securing your site, you need to understand how your system works.
_____________ 20. Behind the screen, there has a server-side script on the web server that
unites the database with front-end and the browser to bring a user
requested page with a smooth user-friendly experience.

Test II: Question and Answer

A: What is API?

_____________________________________________________________________________________
_____________________________________________________________________________________
 age 25 of 25

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

B: What is REST API?

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Test III: Enumeration

A: Best Server-side programming.

1. ___________________________
2. ___________________________
3. ___________________________
4. ___________________________
5. ___________________________

B: Factors to consider in choosing Server-side programming.

1. ___________________________
2. ___________________________
3. ___________________________
4. ___________________________
5. ___________________________