Greg Knaddison and James Walker, both on the Drupal security team, presided over this session.
They talked about the various attack vectors that hackers utilize:
- client-side attacks (XSS and cross-site request forgery [CSRF])
- information disclosure
They stressed the idea of being a secure user: use a strong password, avoid unencrypted WiFi and FTP (opt for SSH and keys instead), and be really, really careful with UID 1. On the server side, using SSL for login pages (via the Secure Pages module) is desirable, if possible.
FastCompany.com Case Study
This site recently re-launched in a massive way - the entire site (as well as a companion site) was re-written in Drupal with social networking at its core. It launched with more than 500,000 nodes that were imported from a previous content management system.
One of their goals was that they wanted users to find each other through common ideas, not common resumes. Facilitate new relationships - not existing ones.
During the design phase, about 200 professional wireframes were created. Lullabot and Achieve Internet did a lot of the heavy lifting for the site's functionality while Tree House Interactive did the theming.
jqModal is just one of these plug-ins. It can be used to create modal (or non-modal) dialog boxes. In this example, I'm going to show you how to use it to create a modal "Please Wait..." dialog box. This can be useful when your user submits a form that might take a few seconds to process. Having a modal dialog box not only gives the user some feedback that the site is actually doing something, but it also stops the user from clicking the "submit" button multiple times.
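Here is an added example (my own code, not from the jqModal project) of the "Please Wait..." pattern described above. It assumes jQuery and jqModal are loaded in the browser, that the dialog markup is a `<div id="pleaseWait">`, and that the slow forms carry the class `slow-form`; the guard logic itself has no DOM dependency so it can be exercised outside a browser.

```javascript
// Added example: a "Please Wait..." submit guard in the style described above.
// The jqModal wiring at the bottom assumes jQuery and jqModal are loaded and that
// a <div id="pleaseWait"> and forms with class "slow-form" exist on the page.
function createSubmitGuard(showDialog, hideDialog) {
  let pending = false; // true while a submission is in flight

  return {
    // Call from the form's submit handler. Returns true when the submit should
    // proceed, false when a submission is already pending (a duplicate click).
    onSubmit(event) {
      if (pending) {
        if (event && typeof event.preventDefault === "function") {
          event.preventDefault();
        }
        return false;
      }
      pending = true;
      showDialog();
      return true;
    },
    // Call when the server has answered (or the request failed) to re-arm the form.
    onComplete() {
      pending = false;
      hideDialog();
    },
    isPending() {
      return pending;
    },
  };
}

// Browser wiring (skipped when there is no window, e.g. under Node).
if (typeof window !== "undefined" && window.jQuery && window.jQuery.fn.jqm) {
  const $ = window.jQuery;
  // modal: true keeps clicks from reaching the page behind the dialog.
  const $dialog = $("#pleaseWait").jqm({ modal: true });
  const guard = createSubmitGuard(
    () => $dialog.jqmShow(),
    () => $dialog.jqmHide()
  );
  $("form.slow-form").submit(function (event) {
    // Usability measure only: the server must still reject or deduplicate
    // repeated submissions (Drupal's form tokens help with that).
    return guard.onSubmit(event);
  });
}
```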
Ever since a client of mine asked me to look into the Firebug add-on YSlow, I've been interested in using it to increase performance on my Drupal (version 5) web sites. Wim Leers' recent posting about improving Drupal performance inspired me to take action and see what kind of improvements I could make.
Before I get into the details, please don't confuse me with an Apache guru. I know enough to modify various settings in an httpd.conf or an .htaccess file, but only after I've done my due diligence to make sure I'm not going to irrevocably screw things up.