
Reduce Page Loading Time With PHP

There is a nice technique to reduce the number of calls your browser has to make to the server. Every image, every CSS file and every JavaScript file included in a web page is fetched with its own HTTP request: each time the browser wants one of these elements it sends a request to the server, which returns the requested object.

Each of these requests uses up time while your page loads, so to reduce the page load time all you have to do is reduce the number of calls being made. But what if you want to keep your JavaScript organised in separate files: the jQuery file, a general file, an application file and a page file? That could be up to four requests for the JavaScript of a single page.

It is possible in PHP to combine these JavaScript files on the server and serve them as what the browser sees as a single JavaScript file, so that only one request is made. This is done by reading the JavaScript files with PHP and sending a JavaScript Content-Type header, as in the example below.

Create a PHP file, send the Content-Type header first (PHP cannot change headers once readfile() has started sending output, so the header() call has to come before any readfile() call), then use readfile() to stream each JavaScript file into the response. Keep the list of files fixed in the script; never build it from a request parameter, or the script becomes a way to read any file the web server user can open.

<?php
// Headers must go out before the first byte of output.
header('Content-Type: text/javascript');

// Fixed list of files: never take these names from the request.
readfile('jquery.js');
echo "\n";   // keep one file's last line from running into the next
readfile('general.js');
echo "\n";
readfile('jquery-ui.js');
echo "\n";
readfile('page.js');

This technique can be used for CSS files too, with a 'Content-Type: text/css' header. [thanks to paulund]
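The snippet above has its file names hard-coded. If one script is to serve several different bundles, the bundle must be picked by name from a fixed list rather than from a path the client sends, otherwise the endpoint turns into a file-disclosure hole. The following is an added example of that pattern; it is not from the original post, and the bundle names, file lists, js/ directory and cache lifetime are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post): one endpoint serving several
// script bundles. The bundle names, file lists, js/ directory and cache
// lifetime are assumptions made for the illustration.

// Bundles are chosen by name from this fixed map. The client never supplies a
// path, so a request such as bundle.php?b=../../../etc/passwd can only yield
// "unknown bundle", never the contents of a file.
$bundles = [
    'site'  => ['jquery.js', 'jquery-ui.js', 'general.js', 'page.js'],
    'admin' => ['jquery.js', 'admin.js'],
];
$jsRoot = realpath(__DIR__ . '/js');   // assumed location of the script files

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message, "\n";
    exit;
}

$name = $_GET['b'] ?? '';
if ($jsRoot === false || !isset($bundles[$name])) {
    fail(404, 'unknown bundle');
}

$files  = [];
$newest = 0;
foreach ($bundles[$name] as $file) {
    $path = realpath($jsRoot . '/' . $file);
    // Belt and braces: even a mistaken entry in the map may not reach outside
    // the js/ directory (realpath resolves symlinks and ".." first).
    if ($path === false || strpos($path, $jsRoot . DIRECTORY_SEPARATOR) !== 0) {
        fail(500, 'bundle misconfigured');
    }
    $files[] = $path;
    $newest  = max($newest, filemtime($path));
}

// Let browsers revalidate with If-Modified-Since instead of re-downloading.
$lastModified = gmdate('D, d M Y H:i:s', $newest) . ' GMT';
if (($_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '') === $lastModified) {
    http_response_code(304);
    exit;
}

// Every header goes out before the first byte of the body.
header('Content-Type: text/javascript; charset=utf-8');
header('Last-Modified: ' . $lastModified);
header('Cache-Control: public, max-age=3600');

foreach ($files as $path) {
    readfile($path);
    // A newline plus an empty statement keeps one file's last line from
    // running into the next file's first line.
    echo "\n;\n";
}
```

Requesting bundle.php?b=site returns the four files as one script; any other value of b, including traversal attempts, gets a 404 without touching the filesystem.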

Are you a web designer or do you run a website? Good, because this article is for you. If you’re designing websites for a living or running your business online, there are 18 tips in this article that you should definitely read and remember.

You can have the best visual design skills on the planet, but if you build a website that works like crap and doesn’t allow the visitor to feel comfortable going from item to item and page to page, you are missing the very core of a good website design. So in today’s article I’m going to go over some of the dos and don’ts of usability on the web.

Do utilize a grid for your website structure

Before you get upset and start screaming that a grid is a box for creativity, I’m not saying to ensure your entire site is boxed in. What I do want you to understand though about a grid is that it helps structure your site and keep the eye flow going for your visitor, which is key. Once you’ve got the main structure down and it’s clean – create the funky stuff you do to go around it all and incorporate everything into a killer design, but don’t forget the grid.

Do Not forget your search form

A lot of people will go to your site and immediately look for a search box. It’s just instinctive I guess. So, if you don’t have one, guess what happens – they leave. They’re not going to feel comfortable on a site where they don’t feel in control. The ideal spot for a search bar is somewhere towards the top of the page on the right hand side as this is where users are used to it being displayed.

Do make your navigation easy to find & readable

If you’re designing a site and your navigation is supposed to take your visitor from point A to point B, why the hell would you place it in a weird spot or use images that do not generally showcase the type of links they are (ie: a house for the home page is ok, but a circle with a lightning bolt inside of it for services isn’t). Try keeping the navigation easy to read, right at the top of the site so the visitor can easily navigate through your site.

Do Not make your “contact” link in your navigation bar a mailto: link

A lot of people (myself included) will hover over a link and see what the bottom of our browser screen says before we click on it, especially the contact link since some people think it’s a bright idea to link this directly to your email address, causing an email program to open up. This is not a good UX practice. Create a contact page, put your email address on it and also add a contact form – your user will thank you – and will actually email you more often.

Do utilize UX Apps as much as possible for web tests

Keeping track of the various forms of data from your website is something you should definitely get a grasp on if you haven’t already. Google Analytics is perfect for seeing where your visitors are coming from, what pages they’re going to and how long they’re on your site. A UX app like Crazy Egg is perfect for learning where your visitors are clicking and seeing what parts of your site are getting the most attention. You can also use a site like Feedback Army to test how users see and use your site. Learning these types of stats for your site ensures you’re utilizing space as well as possible and that you’ve got the important stuff where it needs to be.

Do Not flood your website’s sidebar with tons of widgets

O.K. We get that you’re running a blog and there are a million widgets you can use on it, but you don’t actually need to use them all. Think of it like a bedroom. If there’s clutter everywhere and it’s not clean, that special someone you brought home might not want to stay, so tidy up and keep things organized. Your readers don’t (in most cases) need to see your Google friends, MyBlogLog friends, FriendFeed friends and the various other social profiles you’re a part of, so leave them out and stick to the things that matter most for the user experience on your site.

Do make sure that your website displays well on various browsers

We all know that IE6 is dead and no one is complaining about that, but do not forget that there are still a lot of users on IE7, IE8, Opera, Safari, Firefox, Chrome, etc. Just because your website looks good on one or two of them doesn’t mean the visitor using another browser will put up with your site not displaying properly. Take a couple of hours, dig into the code and make sure it all works across the various browsers.

Do Not make your visitor jump through hoops to fill out a form

Your contact form shouldn’t be a mile long and neither should a sign up form. Keep things simple. The chances that people will turn away when they’re faced with a 20 part sign up form is far greater than if they were staring at three simple questions (name, email, comments).

Do ensure your various pages are consistent in structure

Unless you’re a design blog and you’re structuring/designing every one of your posts different like (insert names here), you need to remember that people want familiarity when they’re viewing your site. If they feel like they’re somewhere different when they load a new page up, they’re going to click the back button – and fast.

Do Not forget a print stylesheet for those who want to print your content

This is especially true for blogs/content sites. If your reader wants to print off content (trust me, many still do, especially older visitors), you shouldn’t require them to print off your entire design, plus all of the comments and advertisements across the page. That’s unnecessary clutter. If you look at the print preview on this post about why better blogging equals better business for freelancers, you’ll see a clean page, black and white, no images, no comments, no sidebar. The content is what matters for printing, so make sure it stands out.

Do make sure your content is easy to scan and follow along with

In general, people have short attention spans. So, by utilizing section titles (h2, h3 or h4 tags) to split your article up, you allow the visitor to scan the article quickly and see if it’s something they’re looking to read and if they’ll be able to get anything out of it. When you’re writing your content, you should also be aware of the size of each paragraph as users will tend to get tired of scanning 20+ lines in a paragraph. Things are much easier to read when split up into 5-10 lines (at most).

Do Not cram more into a space than what can fit comfortably

Minimalism. We love it here at Spyre Studios and I know readers here do as well. That’s why this tip is so important to all of us: crowding things into a small space and not allowing the user’s eye to focus on the important stuff is counterproductive. Yes, you’ve got a ton of information above the fold, but why worry about the fold so much? Paddy Donnelly already debunked the life below 600px, so allow your design and content to breathe. Your users will thank you.

Do make sure to include breadcrumbs in your design

Breadcrumbs are useful in giving your visitor control over where they’re at and what they’re going to do next. If they’re on a sub page of your about page, your breadcrumbs will look something like this (Home > About > Sub Page Title). This tells the user exactly what page they’re on and how to go back various levels if they’d like to.

Do Not forget to utilize color and contrast to shift focus

If you use a heading and then a subheading for sections of your site, try various shades of color to allow the visitor to notice the important stuff first (i.e. #464646 for the title and #c1c1c1 for the subtitle). These shifts in color and contrast dictate what your user sees next, ultimately bringing them to the place you want them to be (a sign-up page, a contact form, a subscription page, etc.).

Do check for broken links and images

Checking for broken links and images in your older articles is great because you may have visitors coming to your page from a search engine, and if there are broken links they’re going to assume one of two things: 1. you’re an old site that isn’t being updated anymore, or 2. you’re not keeping up to date on the value of your site, so they’re going to go elsewhere. If you’re a WordPress user, there’s a plugin that is amazing for this: Broken Link Checker. You can also head over to iwebtool and use their free broken link checker (the limit is 5 requests per hour).

Do Not neglect your footer and the power it has

So, you’re on a website and you scroll through everything and get to the bottom of the page only to find a bland, single line of text telling you that there’s a copyright on the site. Boring. Why not spruce your footer up a bit, add some extra content into it like popular articles, a search box, a newsletter subscription, ect. If you’d like to find some ideas on how to design a killer footer for your site, you should check out Footer Fetish, not to be confused with the other foot fetish.

Do use wireframing in your design process

Drawing out wireframes for your site on paper (or in simple box shapes in Photoshop) can really help you visualize what the most important aspect of the page is and how you can use it as a central focus point. By doing this, you’re also able to experiment with various layout options without having to break up a killer design you may already have been creating. For wireframe inspiration, I check out the I love Wireframes group on Flickr; it’s full of amazing wireframe drawings.

Do Not write for search engines – write for your readers

Last, but not least, is the tip that you should be writing for your readers, not search engines. Keyword stuffing may have worked in the past (and may still today), but if an actual reader comes across your page, only to find the word “designer” 100 times in 3 paragraphs, what do you think the odds are that they’re going to hit their back button and never set (virtual) foot on your page again? Yeah, the odds of that happening are extremely high.

A tip I’ve heard before is to read your content out loud and if it doesn’t sound like a natural flowing conversation you’d normally have, rewrite it until it does. People will read your content and expect it to sound like something a real person would say, so make sure it does sound that way.

Original content from: http://spyrestudios.com/dos-and-donts-of-usability/

12 htaccess Tips

1. Redirect to a secure https connection

If you want to redirect your entire site to a secure https connection, use the following:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The [R=301,L] flags make the redirect explicit and permanent (rather than relying on mod_rewrite’s implicit external redirect) and stop further rule processing. One caveat: %{HTTPS} describes the connection to Apache itself. Behind a TLS-terminating proxy or load balancer it reads “off” for every request, so this rule would loop; in that setup test the forwarded scheme instead, for example RewriteCond %{HTTP:X-Forwarded-Proto} !https.

Building traffic to your website is not an easy task. “If you build it, they will come” concepts work only for movies and it does not work with your website. A well designed website is just the first step in your internet business venture. Driving traffic to your website takes Knowledge, proper planning, time and great effort. I write this post believing that these tips will help you reach the right people to achieve online business success.

It is imperative to determine your online business objectives or goals before you plan the online strategy and definitely before you even write the first line of code for your website. Know your objectives and build your website around them, it will ensure satisfaction at the end of the day.

Presenting your website’s message carefully is yet another important factor for any successful website. Visitors need to understand your message instantly from the very first page, your home page. If not, they will bounce to another website, most probably your competitor’s. Keep an eye on your website’s load time: a visitor may not wait for a slow home page to finish loading. A happy visitor will tell 100 friends about your website, while an unsatisfied visitor will tell 1000 people.

Use your competitors’ sites to the maximum and take advantage of them. They may have brainstormed 1000 ideas and stand strong as competitors. Learn what they are doing and ask yourself what your website lacks. Visit your niche-related sites and the sites listed on hot-sites pages. In the coming posts I will discuss studying the competitor’s website from a Search Engine point of view; it is the key technique we use to make our clients stand strong in any competition. Look at the design of your competitor’s website and learn the do’s and don’ts of niche website marketing. See how the information is organized, the features provided, the colors, the background and so on.

Realize the potential of your domain name. The domain name plays an important role in internet marketing. Your internet domain is your exclusive web address, which you can purchase through any of several domain registrars. The domain name itself can add traffic to your website. There are certain points you need to remember when buying a domain name; we will discuss those in the coming posts. The above are some quick tips to revisit when you plan to create your online identity.


1. Unvalidated Parameters

Most importantly, turn off register_globals. This configuration setting defaults to off in PHP 4.2.0 and later, and the feature was removed entirely in PHP 5.4. Access values from URLs, forms and cookies through the superglobal arrays $_GET, $_POST and $_COOKIE, and treat $_SERVER and $_FILES as untrusted as well: several of their entries (the HTTP headers, the uploaded file name) come straight from the client.

Before you use values from the superglobal arrays, validate them to make sure they don’t contain unexpected input. If you know what type of value you are expecting, make sure what you’ve got conforms to an expected format. For example, if you’re expecting a US ZIP Code, make sure your value is either five digits or five digits, a hyphen, and four more digits (ZIP+4). Often, regular expressions are the easiest way to validate data:

// The D modifier stops $ from matching before a trailing newline, so
// "12345\n" is rejected along with everything else that is not a ZIP code.
if (isset($_GET['zip']) && preg_match('/^\d{5}(-\d{4})?$/D', $_GET['zip'])) {
    $zip = $_GET['zip'];
} else {
    die('Invalid ZIP Code format.');
}

If you’re expecting to receive data in a cookie or a hidden form field that you’ve previously sent to a client, make sure it hasn’t been tampered with by sending a keyed hash of the data along with the data. Put the hash in the hidden form field (or in the cookie) next to the data. When you receive the data and the hash, recompute the hash and check that the two match using a constant-time comparison:

// sending the cookie
$secret_word = 'gargamel';   // keep this out of the web root (see below)
$id = 123745323;
$hash = md5($secret_word.$id);
setcookie('id',$id.'-'.$hash);

// receiving and verifying the cookie
$parts = explode('-', $_COOKIE['id'] ?? '', 2);
if (count($parts) !== 2) {
    die('Invalid cookie.');
}
list($cookie_id, $cookie_hash) = $parts;
// hash_equals() compares in constant time and, unlike ==, never treats two
// hex strings such as "0e12..." and "0e34..." as equal numbers.
if (hash_equals(md5($secret_word.$cookie_id), $cookie_hash)) {
    $id = $cookie_id;
} else {
    die('Invalid cookie.');
}

If a user has changed the ID value in the cookie, the hashes won’t match. The success of this method obviously depends on keeping $secret_word secret, so put it in a file outside the document root that can’t be read by just anybody, make it a long random string rather than a dictionary word, and change it periodically. (But remember, when you change it, old hashes that might be lying around in cookies will no longer be valid.) Two further caveats: md5($secret . $data) is not a proper message authentication code (it is open to hash length-extension attacks, and MD5 itself is broken), so prefer hash_hmac() with SHA-256; and a valid hash only proves that you issued the value, not that it is well-formed, so still validate $cookie_id (here, with ctype_digit()) before using it.
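The same round trip done with an HMAC, as an added example that is not from the original article. The secret is a placeholder; the helper names, the base64-plus-dot wire format and the demonstration values are assumptions for the illustration.

```php
<?php
// Added example, not from the original article: sign a value with HMAC-SHA256
// so it can round-trip through a cookie or hidden field without being altered.
// The secret below is a placeholder; in practice load it from a file outside
// the document root and rotate it.
const SIGNING_SECRET = 'replace-me-with-32-random-bytes';

function sign_value(string $value, string $secret = SIGNING_SECRET): string
{
    // HMAC rather than md5($secret . $value): HMAC is a real MAC and is not
    // subject to hash length-extension forgeries.
    $mac = hash_hmac('sha256', $value, $secret);
    // base64 never contains ".", so the separator cannot occur inside the value.
    return base64_encode($value) . '.' . $mac;
}

// Returns the original value, or null if the field is malformed or was altered.
function verify_value(string $signed, string $secret = SIGNING_SECRET): ?string
{
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $value = base64_decode($encoded, true);   // strict: reject stray characters
    if ($value === false) {
        return null;
    }
    // hash_equals() runs in constant time and never coerces types, so the
    // "0e123..." == "0e456..." loose-comparison trick does not apply.
    if (!hash_equals(hash_hmac('sha256', $value, $secret), $mac)) {
        return null;
    }
    return $value;
}

// Sending:   setcookie('id', sign_value('123745323'));
// Receiving: $id = verify_value($_COOKIE['id'] ?? ''); if ($id === null) { die('Invalid cookie.'); }

// Self-check with a constructed cookie: editing the id invalidates the MAC.
$good     = sign_value('123745323');
$tampered = base64_encode('1') . substr($good, strpos($good, '.'));
if (verify_value($good) !== '123745323' || verify_value($tampered) !== null) {
    throw new RuntimeException('signature check misbehaved');
}
```

Because verify_value() returns the decoded string, the caller still applies its own format check (ctype_digit() for an ID) before using it; the MAC says only that the server produced this value.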

See Also:

  • PHP Manual: Using Register Globals
  • PHP Cookbook: Recipe 9.7 ("Securing PHP's Form Processing"), Recipe 14.3 ("Verifying Data with Hashes")

2. Broken Access Control

Instead of rolling your own login handling, use the PEAR modules: Auth does cookie-based authentication for you and Auth_HTTP does browser (HTTP) authentication. Authentication is only half of access control, though. A library can tell you who is logged in, but every page that shows or changes a protected record must still check that this user is allowed that particular record; an ID in the URL or a hidden field is not permission to use it.

3. Broken Account and Session Management

Use PHP’s built-in session management functions for secure, standardized session management. However, be careful how your server is configured to store session information. For example, if session files are kept in the shared /tmp on a host where every site runs as the same web server user, a script on any of those sites can read (and overwrite) the contents of all the sessions. Store the sessions in a database, or set session.save_path to a directory that only your application’s user can access.

To prevent network sniffers from picking up session IDs, session-carrying traffic should be sent over TLS (SSL). You don’t need to do anything special to PHP when you’re using a TLS connection, but you do need to configure your web server for it, and you should tell PHP to protect the session cookie too: session.cookie_secure so the browser never sends it in the clear, session.cookie_httponly so script injected into a page cannot read it, session.use_only_cookies so an ID in a URL is never accepted, and a session_regenerate_id(true) call on login so that an ID an attacker saw or planted before login is worthless afterwards.

See Also:

  • PHP Manual: Session handling functions
  • PHP Cookbook: Recipe 8.5 ("Using Session Tracking"), Recipe 8.6 ("Storing Sessions in a Database")
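The settings described above, together with a login routine that rotates the ID, as an added example that is not from the original article. The save_path directory and the function names are assumptions for the illustration.

```php
<?php
// Added example, not part of the original article. The save_path directory is
// an assumption: it must exist and be writable by the web server user only.

function start_secure_session(): void
{
    // Keep session files out of the shared /tmp.
    ini_set('session.save_path', '/var/lib/php/sessions-myapp');
    // Accept the ID only from the cookie, never from a URL, and reject IDs this
    // server did not issue, so a planted ?PHPSESSID=... cannot fixate a session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
    ini_set('session.cookie_secure', '1');     // only ever sent over TLS
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+: not sent on cross-site POSTs
    session_start();
}

function login_user(int $userId): void
{
    // A fresh ID at the privilege change: anything an attacker observed or
    // planted before login no longer identifies this session.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in a login handler, after the password check has succeeded:
//   start_secure_session();
//   login_user($userRecord['id']);
```

Note that ini_set() only takes effect before session_start(); anything set afterwards applies to the next request.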

4. Cross-Site Scripting (XSS) Flaws

Never display any information that came from outside your program without escaping it first for the context it lands in. Escape values before including them in hidden form fields, in query strings, in attribute values or inline scripts, or in plain page output. Validating input on the way in is useful, but it is the escaping on the way out that stops the browser from interpreting the value as markup.

PHP gives you several tools for handling untrusted data:

  • htmlspecialchars() turns & < > " into their HTML-entity equivalents and also converts single quotes when you pass ENT_QUOTES as the second argument. Pass the charset as the third argument (e.g. 'UTF-8') so multibyte input is handled correctly. On PHP 8.1 and later ENT_QUOTES is the default, but earlier versions leave single quotes alone, which is enough to break out of a single-quoted attribute.
  • strtr() replaces any characters you like. Pass strtr() an array of characters and their replacements. To change ( and ) into their entity equivalents, which is recommended to prevent XSS attacks, do:
    $safer = strtr($untrusted, array('(' => '&#40;', ')' => '&#41;'));
  • strip_tags() removes HTML and PHP tags from a string. It is a lossy filter, not an escaper: it does nothing for attribute or JavaScript contexts, so use it to clean up text you intend to store as plain text and still escape on output.
  • utf8_decode() converts a UTF-8 string to single-byte ISO-8859-1 (not ASCII); characters outside that set become ?. Attackers sometimes hide payloads in malformed or over-long UTF-8 sequences so that a byte-oriented filter does not recognise them. Rather than stripping the encoding, serve one charset (UTF-8) everywhere, reject invalid input with mb_check_encoding(), and pass that charset to htmlspecialchars() so it refuses malformed sequences itself. utf8_decode() is deprecated as of PHP 8.2.
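As an added example (not from the original article), one escaping function per output context, including the single-quote case the first bullet warns about, shown first failing and then fixed. The function names and the attacker strings are constructed for the illustration.

```php
<?php
// Added example, not from the original article: one escaping function per
// output context. Escaping has to match where the value lands; HTML escaping
// alone does not make a value safe inside an inline script.

function e_html(string $s): string
{
    // ENT_QUOTES escapes both ' and ", so the result is safe in element text
    // and in attribute values; ENT_SUBSTITUTE replaces malformed UTF-8 rather
    // than returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function e_js(string $s): string
{
    // A JSON string literal with < > & ' " hex-escaped cannot terminate a
    // <script> block or escape its quotes, so it is safe inside inline JS.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($s, $flags) ?: '""';
}

// Before: ENT_COMPAT (the default before PHP 8.1) leaves ' untouched, so a
// single-quoted attribute is still injectable.
function input_tag_weak(string $v): string
{
    return "<input value='" . htmlspecialchars($v, ENT_COMPAT, 'UTF-8') . "'>";
}

function input_tag(string $v): string
{
    return "<input value='" . e_html($v) . "'>";
}

function greeting_script(string $name): string
{
    return '<script>var who = ' . e_js($name) . ';</script>';
}

$attr = "x' onfocus='alert(1)' autofocus='";                  // constructed
$name = '</script><script>alert(document.cookie)</script>';   // constructed

echo input_tag_weak($attr), "\n";  // the quote survives: an event handler is injected
echo input_tag($attr), "\n";       // &#039; everywhere: it stays a plain value
echo greeting_script($name), "\n"; // \u003C...\u003E: the script block is never closed
```

Run it and compare the first two lines: the weak version emits `<input value='x' onfocus='alert(1)' autofocus=''>`, the fixed one keeps the whole string inside the value.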

5. Buffer Overflows

You can’t allocate memory at runtime in PHP and there are no pointers as in C, so your PHP code, however sloppy it may be, will not itself contain buffer overflows. What you do have to watch out for are buffer overflows in the PHP interpreter and its extensions, which are often reachable through unusual input to a single built-in function. Subscribe to the php-announce mailing list to keep abreast of patches and new releases.

6. Command Injection Flaws

Cross-site scripting flaws happen when you display unfiltered, unescaped malicious content to a user’s browser. Command injection flaws happen when you pass unfiltered, unescaped malicious commands to an external process or database. To prevent command injection flaws, in addition to validating input, always escape user input before passing it to an external process or database.

If you’re passing user input to a shell (via exec(), system(), shell_exec() or the backtick operator), first ask yourself if you really need to. Most file operations can be performed with native PHP functions. If you absolutely, positively need to run an external program whose name or arguments come from untrusted input, escape the program name with escapeshellcmd() and each argument with escapeshellarg(), which wraps the argument in single quotes so that it is passed as exactly one word. Do not rely on escapeshellcmd() for a whole command line: it escapes shell metacharacters but leaves spaces alone, so an attacker can still append extra arguments to the program.

Before executing an external program or opening an external file, you should also canonicalize its pathname with realpath(). This expands all symbolic links, resolves . (current directory) and .. (parent directory), removes duplicate directory separators, and returns false if the path does not exist. Once a pathname is canonicalized you can test it to make sure it meets certain criteria, such as being beneath the web server document root or in a user’s home directory; testing the raw path instead is pointless, since ../ sequences and symlinks defeat a simple prefix check.
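The two points above, escaping arguments and confining canonicalised paths, put together as an added example; it is not code from the original article, and the `file` utility, the /var/www/uploads directory and the parameter name are assumptions.

```php
<?php
// Added example, not from the original article: running an external program
// on a user-named file. The `file` utility, the upload directory and the
// request parameter are assumptions for the illustration.

// Before: the raw parameter is interpolated into the command line, so a name
// such as "x; rm -rf /" or "$(id)" runs as shell code.
function file_type_unsafe(string $name): string
{
    return (string) shell_exec("file --brief /var/www/uploads/$name");
}

function file_type(string $name, string $uploadDir = '/var/www/uploads'): string
{
    $root = realpath($uploadDir);
    if ($root === false) {
        throw new RuntimeException('upload directory missing');
    }
    // Canonicalise first: realpath() resolves symlinks and ".." components and
    // returns false for paths that do not exist, so the prefix test below
    // cannot be bypassed with "../../etc/passwd" or a planted symlink.
    $path = realpath($root . '/' . $name);
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path is outside the upload directory');
    }
    // The vetted path is still passed through escapeshellarg(): it becomes one
    // single-quoted word, so metacharacters in a file name are inert. Because
    // it starts with "/", it cannot be mistaken for an option such as
    // "--uncompress" either.
    $cmd = 'file --brief ' . escapeshellarg($path);
    return trim((string) shell_exec($cmd));
}

// Usage (the named file must exist under the upload directory):
//   echo file_type($_GET['name'] ?? '');
// "../../../etc/passwd" throws InvalidArgumentException; "report.pdf'; id; '"
// is looked up as that literal file name instead of running id.
```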

If you’re passing user input to a SQL query, the right tool is a prepared statement with bound parameters (PDO or mysqli): the value travels separately from the SQL text, so it can never be parsed as SQL. The escaping functions this section originally recommended are second best. addslashes() knows nothing about the connection’s character set and can be bypassed with certain multibyte encodings; mysql_escape_string() (for PHP versions before 4.3.0) and mysql_real_escape_string() were removed along with the whole mysql_* extension in PHP 7.0, and the latter only ever worked if the connection charset was set through the API. If you’re using the old PEAR DB abstraction layer, DB::quote() or a ? placeholder, which escapes the substituted value for you, is the equivalent.
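The injectable form beside the prepared-statement form, as an added example that is not from the original article. It uses an in-memory SQLite database through PDO so that it runs without a database server; the table and rows are constructed for the illustration.

```php
<?php
// Added example, not from the original article: the same lookup written with
// string building (the injectable form) and with a prepared statement. The
// in-memory SQLite table and its rows are constructed for the illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: the value is spliced into the SQL text, so quotes in it change
// the query. addslashes() would not reliably fix this (it is charset-blind).
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound to a placeholder and is never parsed as SQL.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$attack = "x' OR '1'='1";   // constructed attacker input
// The unsafe form matches every row; the prepared form looks for a user whose
// name is literally x' OR '1'='1 and finds none.
$leaked = find_user_unsafe($db, $attack);   // 2 rows
$bound  = find_user($db, $attack);          // 0 rows
printf("unsafe: %d rows, prepared: %d rows\n", count($leaked), count($bound));
```

The unsafe function is kept only for contrast; with a MySQL DSN the prepared form is identical, which is the point of using PDO placeholders rather than a driver-specific escaping call.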

7. Error Handling Problems

If users (and attackers) can see the raw error messages returned from PHP, your database, or external programs, they can make educated guesses about how your system is organized and what software you use. These educated guesses make it easier for attackers to break into your system. Error messages shouldn’t contain any descriptive system information. Tell PHP to put error messages in your server’s error log instead of displaying them to a user with these configuration directives:

log_errors = On
display_errors = Off

8. Insecure Use of Cryptography

The mcrypt extension provided a standardized interface to many popular cryptographic algorithms, but it was deprecated in PHP 7.1 and removed from the core distribution in PHP 7.2. Today use the sodium extension (bundled since PHP 7.2) or openssl_encrypt() with an authenticated mode such as AES-256-GCM; either way, use the library rather than rolling your own encryption scheme. Also, be careful about where (if anywhere) you store encryption keys. The strongest algorithm in the world is pointless if an attacker can easily obtain the key for decryption. If you need to store keys at all, store them apart from the encrypted data and outside the document root. Better yet, don’t store the keys and prompt users to enter them when something needs to be decrypted. (Of course, if you’re prompting a user over the web for sensitive information like an encryption key, that prompt and the user’s reply should be sent over TLS.)
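Authenticated encryption with the sodium extension, as an added example that is not from the original article. The key file path is an assumption; the self-check at the end uses a throwaway in-memory key so that it runs anywhere.

```php
<?php
// Added example, not from the original article: authenticated encryption with
// the sodium extension (PHP 7.2+), the current replacement for mcrypt. The key
// file path is an assumption; the point is that the key lives outside the
// document root and apart from the data it protects.

function load_key(string $keyFile = '/etc/myapp/secretbox.key'): string
{
    $key = @file_get_contents($keyFile);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file missing or malformed');
    }
    return $key;
}

function encrypt_blob(string $plaintext, string $key): string
{
    // A fresh random nonce for every message. It is not secret, so it is
    // stored in front of the ciphertext; reusing one with the same key is fatal.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

// Returns null when the ciphertext was modified or the key is wrong.
function decrypt_blob(string $blob, string $key): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    // secretbox is authenticated (XSalsa20-Poly1305): a single flipped bit in
    // the nonce or ciphertext makes _open() return false instead of garbage.
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;
}

// Self-check with a throwaway in-memory key; in production the key comes from
// load_key() and the blob is what gets written to the database.
$key  = sodium_crypto_secretbox_keygen();
$blob = encrypt_blob('card ending 4242', $key);
if (decrypt_blob($blob, $key) !== 'card ending 4242') {
    throw new RuntimeException('round trip failed');
}
$last = strlen($blob) - 1;
$blob[$last] = chr(ord($blob[$last]) ^ 0x01);   // corrupt one bit
if (decrypt_blob($blob, $key) !== null) {
    throw new RuntimeException('tampering went undetected');
}
```

The key file is read as raw bytes and checked for the exact key length, so a truncated or hex-encoded file is refused instead of silently producing a weak key.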

9. Remote Administration Flaws

When possible, run remote administration tools over TLS (SSL) to prevent sniffing of passwords and content. If you’ve installed third-party software that has a remote administration component, change the default administrative user names and passwords, and change the default administrative URL as well if possible. Running the administrative tool on a different web server from the public one it administers, reachable only from trusted addresses, is a good idea too.

10. Web and Application Server Misconfiguration

Keep on top of PHP patches and security problems by subscribing to the php-announce mailing list. Stay away from the automatic PHP source display handler (AddType application/x-httpd-php-source .phps), since it lets attackers look at your code. Of the two sample php.ini files distributed with PHP (php.ini-dist and php.ini-recommended up to PHP 5.2; php.ini-development and php.ini-production from PHP 5.3 on), use the recommended/production one as the base for your site configuration.

Most of the time when we pitch to a new client we are asked for SEO guarantees. “Your competition has guaranteed top results and submission to 100,000 Search Engines and Directories”. We go all out educating clients that Search Engine Optimization is all about smart work and not just adding random keywords and submitting to every directory possible. I’m writing this article to reach out to the SEO buyers and help them distinguish the crooks from the genuine SEO companies. I’ve compiled my Search marketing experience over the years in this article. I hope this helps you in selecting your Search Marketing initiative.

Commandment 1: There are No Rank Guarantees. (Period)

Search Engines alone control their indexing and ranking algorithm. Do not try to trick Search Engines. The only way to improve your search engine rank is by playing by the rules. And the rule is very simple: make it logical. Web content is primarily for the site visitor and not crawlers.

If your Search Engine Optimizer sold you magic “Top rank on Google in 10 days flat”. Forget it. There are no short cuts. Top ranking in Search Engine Natural Results will take time. Hard work is imperative especially in developing the content on your website and the links to your site.

Commandment 2: Ranking is Not the End, It’s the Means.

Ask yourself what a top search engine rank will get you. Most businesses are interested in increasing sales on a website or at the least driving qualified traffic. Ranking for the right keywords (keywords used by your target audience) is important. There are SEOs who will try to showcase results for keywords that occur only on your website. Beware such gimmicks.

Commandment 3: Know Your Competition.

“Rank” is relative position and more so in the Search Engines’ natural results. How well you do in the search engine results is a function of how much hard work you have done in relation to your competition. Analyze your competition’s keywords, links, keyword density and spread, but be sure not to copy your competition.

Commandment 4: Use Search Engine Friendly Design.

A search and visitor friendly design is a must for any successful website. Your website should be compelling enough for repeat visits by search engines and potential customers. Make sure you have search engine friendly URLs and avoid those long URLs with query strings.

Commandment 5: Select Keywords that are Worthy.

You must research your keywords before targeting them. There are tools that give you a good idea of a keyword’s search potential. It is important to know the number of searches for a keyword in the last month, the last 6 months and the last year. You should also find out the number of web pages that are targeting the keyword. It is advisable to start a campaign with keywords that have moderate competition and a high number of searches.

Commandment 6: Write Great Content.

Even if your website is technically perfect for search engine robots, it won’t do you any good unless you also fill it with great content. Great means it has contextual and editorial value. Great content brings repeat visits and increases the chance of conversion. Great content is factual and appeals to your target audience. Your web page should have your desired action embedded in the content and you must ensure that the content is fresh. Keep adding and editing content regularly.

Commandment 7: Use Good Hyper Linking Strategy.

Hyperlinks make your content accessible and contextual. You must hyperlink in the right context within the website and to other websites. Good links are appreciated by the Search Engines and by visitors. No one likes to be taken to a mall selling “Macintosh” when shopping for “apples”.

Commandment 8: Write Relevant and Original Meta Content.

Meta content is like a business card. Just as your business card tells who you are and what you do, Meta content tells the search engines the relevance and context of a web page. Resist the temptation to include everything in the Meta content, but make it detailed. Confused? The idea is to include only what is relevant to the page in the Meta Content but to include everything that is relevant.

Commandment 9: Acquire Relevant Links.

The links you acquire are the roads to your web page for search engine bots and visitors. Good links improve your webpage’s equity on the World Wide Web and bad links make a dent in your equity and credibility. Be selective in reciprocal linking. Both reciprocal and one way links work, if you are prudent in selecting the links. Submit your website to the relevant sections in relevant directories.

Commandment 10: Consult Experts, If You Need To.

If you have the competence, there are two ways to learn – learning from your mistakes and learning from others’ experience. You can choose either. If you have the time and can wait for the online dollars, do it yourself. If you want to get started now, it may be useful to consult the experts.

High Performance Web Sites: The Importance of Front-End Performance

In 2004, I started the Exceptional Performance group at Yahoo!. We’re a small team chartered to measure and improve the performance of Yahoo!’s products. Having worked as a back-end engineer most of my career, I approached this as I would a code optimization project – I profiled web performance to identify where there was the greatest opportunity for improvement. Since our goal is to improve the end-user experience, I measured response times in a browser over various bandwidth speeds. What I saw is illustrated in the following chart showing HTTP traffic for http://www.yahoo.com.

In the figure above, the first bar, labeled “html”, is the initial request for the HTML document. In this case, only 5% of the end-user response time is spent fetching the HTML document. This result holds true for almost all web sites. In sampling the top ten U.S. websites, all but one spend less than 20% of the total response time getting the HTML document. The other 80+% of the time is spent dealing with what’s in the HTML document, namely, the front-end. That’s why the key to faster web sites is to focus on improving front-end performance.

There are three main reasons why front-end performance is the place to start.

  1. There is more potential for improvement by focusing on the front-end. Cutting it in half reduces response times by 40% or more, whereas cutting back-end performance in half results in less than a 10% reduction.
  2. Front-end improvements typically require less time and resources than back-end projects (redesigning application architecture and code, finding and optimizing critical code paths, adding or modifying hardware, distributing databases, etc.).
  3. Front-end performance tuning has been proven to work. Over fifty teams at Yahoo! have reduced their end-user response times by following our performance best practices, often by 25% or more.

Our performance golden rule is: optimize front-end performance first, that’s where 80% or more of the end-user response time is spent.

1: Minimize HTTP Requests

80% of the end-user response time is spent on the front-end. Most of this time is tied up in downloading all the components in the page: images, stylesheets, scripts, Flash, etc. Reducing the number of components in turn reduces the number of HTTP requests required to render the page. This is the key to faster pages.

One way to reduce the number of components in the page is to simplify the page’s design. But is there a way to build pages with richer content while also achieving fast response times? Here are some techniques for reducing the number of HTTP requests, while still supporting rich page designs.

Image maps combine multiple images into a single image. The overall size is about the same, but reducing the number of HTTP requests speeds up the page. Image maps only work if the images are contiguous in the page, such as a navigation bar. Defining the coordinates of image maps can be tedious and error prone.

CSS Sprites are the preferred method for reducing the number of image requests. Combine all the images in your page into a single image and use the CSS background-image and background-position properties to display the desired image segment.

Inline images use the data: URL scheme to embed the image data in the actual page. This can increase the size of your HTML document. Combining inline images into your (cached) stylesheets is a way to reduce HTTP requests and avoid increasing the size of your pages.

Combined files are a way to reduce the number of HTTP requests by combining all scripts into a single script, and similarly combining all stylesheets into a single stylesheet. It's a simple idea that hasn't seen wide adoption. The ten top U.S. web sites average 7 scripts and 2 stylesheets per page. Combining files is more challenging when the scripts and stylesheets vary from page to page, but making this part of your release process improves response times.

Reducing the number of HTTP requests in your page is the place to start. This is the most important guideline for improving performance for first time visitors. As described in Tenni Theurer's blog Browser Cache Usage - Exposed!, 40-60% of daily visitors to your site come in with an empty cache. Making your page fast for these first time visitors is key to a better user experience.

2: Use a Content Delivery Network

The user's proximity to your web server has an impact on response times. Deploying your content across multiple, geographically dispersed servers will make your pages load faster from the user's perspective. But where should you start?

As a first step to implementing geographically dispersed content, don't attempt to redesign your web application to work in a distributed architecture. Depending on the application, changing the architecture could include daunting tasks such as synchronizing session state and replicating database transactions across server locations. Attempts to reduce the distance between users and your content could be delayed by, or never pass, this application architecture step.

Remember that 80-90% of the end-user response time is spent downloading all the components in the page: images, stylesheets, scripts, Flash, etc. This is the Performance Golden Rule, as explained in The Importance of Front-End Performance. Rather than starting with the difficult task of redesigning your application architecture, it's better to first disperse your static content. This not only achieves a bigger reduction in response times, but it's easier thanks to content delivery networks.

A content delivery network (CDN) is a collection of web servers distributed across multiple locations to deliver content more efficiently to users. The server selected for delivering content to a specific user is typically based on a measure of network proximity. For example, the server with the fewest network hops or the server with the quickest response time is chosen.

Some large Internet companies own their own CDN, but it's cost-effective to use a CDN service provider, such as Akamai Technologies, Mirror Image Internet, or Limelight Networks. For start-up companies and private web sites, the cost of a CDN service can be prohibitive, but as your target audience grows larger and becomes more global, a CDN is necessary to achieve fast response times. At Yahoo!, properties that moved static content off their application web servers to a CDN improved end-user response times by 20% or more. Switching to a CDN is a relatively easy code change that will dramatically improve the speed of your web site.

3: Add an Expires Header

Web page designs are getting richer and richer, which means more scripts, stylesheets, images, and Flash in the page. A first-time visitor to your page may have to make several HTTP requests, but by using the Expires header you make those components cacheable. This avoids unnecessary HTTP requests on subsequent page views. Expires headers are most often used with images, but they should be used on all components including scripts, stylesheets, and Flash components.

Browsers (and proxies) use a cache to reduce the number and size of HTTP requests, making web pages load faster. A web server uses the Expires header in the HTTP response to tell the client how long a component can be cached. This is a far future Expires header, telling the browser that this response won't be stale until April 15, 2010.

      Expires: Thu, 15 Apr 2010 20:00:00 GMT

If your server is Apache, enable mod_expires and use the ExpiresDefault directive to set an expiration date relative to the time of the request. This example of the ExpiresDefault directive sets the Expires date 10 years out from the time of the request.

      ExpiresDefault "access plus 10 years"

Keep in mind, if you use a far future Expires header you have to change the component's filename whenever the component changes. At Yahoo! we often make this step part of the build process: a version number is embedded in the component's filename, for example, yahoo_2.0.6.js.

Using a far future Expires header affects page views only after a user has already visited your site. It has no effect on the number of HTTP requests when a user visits your site for the first time and the browser's cache is empty. The impact of this performance improvement depends, therefore, on how often users hit your pages with a primed cache. (A "primed cache" already contains all of the components in the page.) We measured this at Yahoo! and found the number of page views with a primed cache is 75-85%. By using a far future Expires header, you increase the number of components that are cached by the browser and re-used on subsequent page views without sending a single byte over the user's Internet connection.

4: Gzip Components

The time it takes to transfer an HTTP request and response across the network can be significantly reduced by decisions made by front-end engineers. It's true that the end-user's bandwidth speed, Internet service provider, proximity to peering exchange points, etc. are beyond the control of the development team. But there are other variables that affect response times. Compression reduces response times by reducing the size of the HTTP response.

Starting with HTTP/1.1, web clients indicate support for compression with the Accept-Encoding header in the HTTP request.

      Accept-Encoding: gzip, deflate

If the web server sees this header in the request, it may compress the response using one of the methods listed by the client. The web server notifies the web client of this via the Content-Encoding header in the response.

      Content-Encoding: gzip

Gzip is the most popular and effective compression method at this time. It was developed by the GNU project and standardized by RFC 1952. The only other compression format you're likely to see is deflate, but it's less effective and less popular.

Gzipping generally reduces the response size by about 70%. Approximately 90% of today's Internet traffic travels through browsers that claim to support gzip. If you use Apache, the module configuring gzip depends on your version: Apache 1.3 uses mod_gzip while Apache 2.x uses mod_deflate.

There are known issues with browsers and proxies that may cause a mismatch in what the browser expects and what it receives with regard to compressed content. Fortunately, these edge cases are dwindling as the use of older browsers drops off. The Apache modules help out by adding appropriate Vary response headers automatically.

Servers choose what to gzip based on file type, but are typically too limited in what they decide to compress. Most web sites gzip their HTML documents. It's also worthwhile to gzip your scripts and stylesheets, but many web sites miss this opportunity. In fact, it's worthwhile to compress any text response including XML and JSON. Image and PDF files should not be gzipped because they are already compressed. Trying to gzip them not only wastes CPU but can potentially increase file sizes. One security caveat when deciding what to compress: the compressed length of a response depends on its content, so a response that mixes a per-session secret (a CSRF token, for example) with text an attacker can influence leaks that secret through size differences (the BREACH class of attacks). Keep such secrets out of compressed bodies, mask them per request, or serve those particular responses uncompressed.

Gzipping as many file types as possible is an easy way to reduce page weight and accelerate the user experience.
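
As an added example (not part of the original article or Yahoo!'s code), here is the server-side decision this rule describes, in Python: parse Accept-Encoding, gzip only text types and only when that actually shrinks the body, label the result with Content-Encoding and Vary, and leave a PNG-like body alone. The content-type table, the sample stylesheet and the pseudo-random image bytes are constructed for the demonstration.

```python
"""Gzip content negotiation: compress text types the client accepts, label the
response, and leave already-compressed formats alone."""
import gzip
import random

# Text formats worth compressing. Images and PDFs are already compressed.
COMPRESSIBLE_TYPES = {
    "text/html", "text/css", "text/plain", "text/xml", "text/javascript",
    "application/javascript", "application/json", "application/xml",
}

# Constructed sample bodies: a repetitive stylesheet and 2 KiB of pseudo-random
# bytes standing in for an already-compressed image.
SAMPLE_CSS = b".nav li { display: inline-block; padding: 4px 8px; color: #333; }\n" * 40
_rng = random.Random(1)
SAMPLE_IMAGE = bytes(_rng.getrandbits(8) for _ in range(2048))


def parse_accept_encoding(header):
    """Return the codings the client accepts; a qvalue of 0 means refused."""
    accepted = set()
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > 0:
            accepted.add(coding)
    return accepted


def gzip_growth(body):
    """Bytes added (positive) or saved (negative) by gzipping `body`."""
    return len(gzip.compress(body, mtime=0)) - len(body)


def compress_response(request_headers, content_type, body):
    """Build response headers for `body`, gzipping it when accepted and when it helps.

    Vary: Accept-Encoding is always set so caches keep compressed and plain
    copies apart, which is what the Apache modules add for you.
    """
    accepted = parse_accept_encoding(request_headers.get("Accept-Encoding", ""))
    media_type = content_type.split(";")[0].strip().lower()
    headers = {"Content-Type": content_type, "Vary": "Accept-Encoding"}
    if media_type in COMPRESSIBLE_TYPES and "gzip" in accepted:
        compressed = gzip.compress(body, mtime=0)
        if len(compressed) < len(body):          # never ship a larger body
            headers["Content-Encoding"] = "gzip"
            body = compressed
    headers["Content-Length"] = str(len(body))
    return headers, body


def decoded_body(headers, body):
    """What the client sees after undoing Content-Encoding."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


if __name__ == "__main__":
    req = {"Accept-Encoding": "gzip, deflate"}
    hdrs, out = compress_response(req, "text/css", SAMPLE_CSS)
    print(hdrs, len(SAMPLE_CSS), "->", len(out))
    hdrs, out = compress_response(req, "image/png", SAMPLE_IMAGE)
    print(hdrs, "gzip would add", gzip_growth(SAMPLE_IMAGE), "bytes")
```

Running it prints the header set for both bodies; gzip_growth on the image bytes comes out positive, which is the size increase the paragraph warns about.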

5: Put Stylesheets at the Top

While researching performance at Yahoo!, we discovered that moving stylesheets to the document HEAD makes pages load faster. This is because putting stylesheets in the HEAD allows the page to render progressively.

Front-end engineers that care about performance want a page to load progressively; that is, we want the browser to display whatever content it has as soon as possible. This is especially important for pages with a lot of content and for users on slower Internet connections. The importance of giving users visual feedback, such as progress indicators, has been well researched and documented. In our case the HTML page is the progress indicator! When the browser loads the page progressively the header, the navigation bar, the logo at the top, etc. all serve as visual feedback for the user who is waiting for the page. This improves the overall user experience.

The problem with putting stylesheets near the bottom of the document is that it prohibits progressive rendering in many browsers, including Internet Explorer. Browsers block rendering to avoid having to redraw elements of the page if their styles change. The user is stuck viewing a blank white page. Firefox doesn't block rendering, which means when the stylesheet is done loading it's possible elements in the page will have to be redrawn, resulting in the flash of unstyled content problem.

The HTML specification clearly states that stylesheets are to be included in the HEAD of the page: "Unlike A, [LINK] may only appear in the HEAD section of a document, although it may appear any number of times." Neither of the alternatives, the blank white screen or flash of unstyled content, are worth the risk. The optimal solution is to follow the HTML specification and load your stylesheets in the document HEAD.

6: Put Scripts at the Bottom

Rule 5 described how stylesheets near the bottom of the page prohibit progressive rendering, and how moving them to the document HEAD eliminates the problem. Scripts (external JavaScript files) pose a similar problem, but the solution is just the opposite: it's better to move scripts from the top to as low in the page as possible. One reason is to enable progressive rendering, but another is to achieve greater download parallelization.

With stylesheets, progressive rendering is blocked until all stylesheets have been downloaded. That's why it's best to move stylesheets to the document HEAD, so they get downloaded first and rendering isn't blocked. With scripts, progressive rendering is blocked for all content below the script. Moving scripts as low in the page as possible means there's more content above the script that is rendered sooner.

The second problem caused by scripts is blocking parallel downloads. The HTTP/1.1 specification suggests that browsers download no more than two components in parallel per hostname. If you serve your images from multiple hostnames, you can get more than two downloads to occur in parallel. (I've gotten Internet Explorer to download over 100 images in parallel.) While a script is downloading, however, the browser won't start any other downloads, even on different hostnames.

In some situations it's not easy to move scripts to the bottom. If, for example, the script uses document.write to insert part of the page's content, it can't be moved lower in the page. There might also be scoping issues. In many cases, there are ways to workaround these situations.

An alternative suggestion that often comes up is to use deferred scripts. The DEFER attribute indicates that the script does not contain document.write, and is a clue to browsers that they can continue rendering. Unfortunately, Firefox doesn't support the DEFER attribute. In Internet Explorer, the script may be deferred, but not as much as desired. If a script can be deferred, it can also be moved to the bottom of the page. That will make your web pages load faster.

7: Avoid CSS Expressions

CSS expressions are a powerful (and dangerous) way to set CSS properties dynamically. They're supported in Internet Explorer, starting with version 5. Because expression() evaluates arbitrary JavaScript, in those browsers any stylesheet or style attribute assembled from untrusted input is also a script-injection vector, not merely a styling problem. As an example, the background color could be set to alternate every hour using CSS expressions.

      background-color: expression( (new Date()).getHours()%2 ? "#B8D4FF" : "#F08A00" );

As shown here, the expression method accepts a JavaScript expression. The CSS property is set to the result of evaluating the JavaScript expression. The expression method is ignored by other browsers, so it is useful for setting properties in Internet Explorer needed to create a consistent experience across browsers.

The problem with expressions is that they are evaluated more frequently than most people expect. Not only are they evaluated when the page is rendered and resized, but also when the page is scrolled and even when the user moves the mouse over the page. Adding a counter to the CSS expression allows us to keep track of when and how often a CSS expression is evaluated. Moving the mouse around the page can easily generate more than 10,000 evaluations.

One way to reduce the number of times your CSS expression is evaluated is to use one-time expressions, where the first time the expression is evaluated it sets the style property to an explicit value, which replaces the CSS expression. If the style property must be set dynamically throughout the life of the page, using event handlers instead of CSS expressions is an alternative approach. If you must use CSS expressions, remember that they may be evaluated thousands of times and could affect the performance of your page.

8: Make JavaScript and CSS External

Many of these performance rules deal with how external components are managed. However, before these considerations arise you should ask a more basic question: Should JavaScript and CSS be contained in external files, or inlined in the page itself?

Using external files in the real world generally produces faster pages because the JavaScript and CSS files are cached by the browser. JavaScript and CSS that are inlined in HTML documents get downloaded every time the HTML document is requested. This reduces the number of HTTP requests that are needed, but increases the size of the HTML document. On the other hand, if the JavaScript and CSS are in external files cached by the browser, the size of the HTML document is reduced without increasing the number of HTTP requests.

The key factor, then, is the frequency with which external JavaScript and CSS components are cached relative to the number of HTML documents requested. This factor, although difficult to quantify, can be gauged using various metrics. If users on your site have multiple page views per session and many of your pages re-use the same scripts and stylesheets, there is a greater potential benefit from cached external files.

Many web sites fall in the middle of these metrics. For these properties, the best solution generally is to deploy the JavaScript and CSS as external files. The only exception I've seen where inlining is preferable is with home pages, such as Yahoo!'s front page (http://www.yahoo.com) and My Yahoo! (http://my.yahoo.com). Home pages that have few (perhaps only one) page view per session may find that inlining JavaScript and CSS results in faster end-user response times.

For front pages that are typically the first of many page views, there are techniques that leverage the reduction of HTTP requests that inlining provides, as well as the caching benefits achieved through using external files. One such technique is to inline JavaScript and CSS in the front page, but dynamically download the external files after the page has finished loading. Subsequent pages would reference the external files that should already be in the browser's cache.

9: Reduce DNS Lookups

The Domain Name System (DNS) maps hostnames to IP addresses, just as phonebooks map people's names to their phone numbers. When you type http://www.yahoo.com into your browser, a DNS resolver contacted by the browser returns that server's IP address. DNS has a cost. It typically takes 20-120 milliseconds for DNS to lookup the IP address for a given hostname. The browser can't download anything from this hostname until the DNS lookup is completed.

DNS lookups are cached for better performance. This caching can occur on a special caching server, maintained by the user's ISP or local area network, but there is also caching that occurs on the individual user's computer. The DNS information remains in the operating system's DNS cache (the "DNS Client service" on Microsoft Windows). Most browsers have their own caches, separate from the operating system's cache. As long as the browser keeps a DNS record in its own cache, it doesn't bother the operating system with a request for the record.

Internet Explorer caches DNS lookups for 30 minutes by default, as specified by the DnsCacheTimeout registry setting. Firefox caches DNS lookups for 1 minute, controlled by the network.dnsCacheExpiration configuration setting. (Fasterfox changes this to 1 hour.)

When the client's DNS cache is empty (for both the browser and the operating system), the number of DNS lookups is equal to the number of unique hostnames in the web page. This includes the hostnames used in the page's URL, images, script files, stylesheets, Flash objects, etc. Reducing the number of unique hostnames reduces the number of DNS lookups.

Reducing the number of unique hostnames has the potential to reduce the amount of parallel downloading that takes place in the page. Avoiding DNS lookups cuts response times, but reducing parallel downloads may increase response times. My guideline is to split these components across at least two but no more than four hostnames. This results in a good compromise between reducing DNS lookups and allowing a high degree of parallel downloads.
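
To make the counting concrete, here is an added example (mine, not from the original article) that parses a page and reports the unique hostnames a browser with an empty DNS cache must resolve, then checks the count against the two-to-four hostname guideline. The sample page, its hostnames and the tag/attribute table are constructed for the illustration; data: URLs are skipped because they never touch DNS, and relative URLs resolve to the page's own host, which needs a lookup anyway.

```python
"""Count the DNS lookups a page forces on an empty cache: one per unique hostname
among the page itself and every component it references."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that reference a downloadable component.
URL_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",),
}

# Constructed sample page: one application host, two static hosts, one third party,
# a relative script URL and an inline data: image that needs no lookup at all.
SAMPLE_PAGE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static1.example.com/css/site.css">
<script src="http://static1.example.com/js/yahoo_2.0.6.js"></script>
<script src="/js/page.js"></script>
</head><body>
<img src="http://static2.example.com/i/logo.gif">
<img src="http://static2.example.com/i/sprite.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="http://ads.example.net/frame.html"></iframe>
</body></html>"""


class ComponentCollector(HTMLParser):
    """Collect absolute URLs of all components referenced by the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for attr, value in attrs:
            if attr in wanted and value:
                # Relative URLs resolve against the page, i.e. to its own hostname.
                self.urls.append(urljoin(self.page_url, value))


def hostnames(page_url, html):
    """Unique hostnames the browser must resolve, page host included."""
    collector = ComponentCollector(page_url)
    collector.feed(html)
    collector.close()
    hosts = {urlsplit(page_url).hostname.lower()}
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())   # data: and other schemes need no DNS
    return sorted(hosts)


def dns_lookup_report(page_url, html, low=2, high=4):
    """Number of cold-cache DNS lookups plus a verdict against the 2-4 host guideline."""
    count = len(hostnames(page_url, html))
    if count < low:
        verdict = "below guideline: downloads limited to one host's parallel connections"
    elif count > high:
        verdict = "above guideline: DNS lookups start to outweigh download parallelism"
    else:
        verdict = "within the two-to-four hostname guideline"
    return count, verdict


if __name__ == "__main__":
    print(hostnames(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print(dns_lookup_report(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Point it at a saved copy of your own page and the count is the number of lookups a first-time visitor pays before the first byte of each component can arrive.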

10: Minify JavaScript

Minification is the practice of removing unnecessary characters from code to reduce its size thereby improving load times. When code is minified all comments are removed, as well as unneeded white space characters (space, newline, and tab). In the case of JavaScript, this improves response time performance because the size of the downloaded file is reduced. Two popular tools for minifying JavaScript code are JSMin and YUI Compressor.

Obfuscation is an alternative optimization that can be applied to source code. Like minification, it removes comments and white space, but it also munges the code. As part of munging, function and variable names are converted into smaller strings making the code more compact as well as harder to read. This is typically done to make it more difficult to reverse engineer the code. But munging can help performance because it reduces the code size beyond what is achieved by minification. The tool-of-choice is less clear in the area of JavaScript obfuscation. Dojo Compressor (ShrinkSafe) is the one I've seen used the most.

Minification is a safe, fairly straightforward process. Obfuscation, on the other hand, is more complex and thus more likely to generate bugs as a result of the obfuscation step itself. Obfuscation also requires modifying your code to indicate API functions and other symbols that should not be munged. It also makes it harder to debug your code in production. Although I've never seen problems introduced from minification, I have seen bugs caused by obfuscation. In a survey of ten top U.S. web sites, minification achieved a 21% size reduction versus 25% for obfuscation. Although obfuscation has a higher size reduction, I recommend minifying JavaScript code because of the reduced risks and maintenance costs.

In addition to minifying external scripts, inlined script blocks can and should also be minified. Even if you gzip your scripts, as described in Rule 4, minifying them will still reduce the size by 5% or more. As the use and size of JavaScript increases, so will the savings gained by minifying your JavaScript code.

11: Avoid Redirects

Redirects are accomplished using the 301 and 302 status codes. Here's an example of the HTTP headers in a 301 response:

      HTTP/1.1 301 Moved Permanently
      Location: http://example.com/newuri
      Content-Type: text/html

The browser automatically takes the user to the URL specified in the Location field. All the information necessary for a redirect is in the headers. The body of the response is typically empty. Despite their names, neither a 301 nor a 302 response is cached in practice unless additional headers, such as Expires or Cache-Control, indicate it should be. The meta refresh tag and JavaScript are other ways to direct users to a different URL, but if you must do a redirect, the preferred technique is to use the standard 3xx HTTP status codes, primarily to ensure the back button works correctly.

The main thing to remember is that redirects slow down the user experience. Inserting a redirect between the user and the HTML document delays everything in the page since nothing in the page can be rendered and no components can start being downloaded until the HTML document has arrived.

One of the most wasteful redirects happens frequently and web developers are generally not aware of it. It occurs when a trailing slash (/) is missing from a URL that should otherwise have one. For example, going to http://astrology.yahoo.com/astrology results in a 301 response containing a redirect to http://astrology.yahoo.com/astrology/ (notice the added trailing slash). This is fixed in Apache by using Alias or mod_rewrite, or the DirectorySlash directive if you're using Apache handlers.

Connecting an old web site to a new one is another common use for redirects. Others include connecting different parts of a website and directing the user based on certain conditions (type of browser, type of user account, etc.). Using a redirect to connect two web sites is simple and requires little additional coding. Although using redirects in these situations reduces the complexity for developers, it degrades the user experience. Alternatives for this use of redirects include using Alias and mod_rewrite if the two code paths are hosted on the same server. If a domain name change is the cause of using redirects, an alternative is to create a CNAME (a DNS record that creates an alias pointing from one domain name to another) in combination with Alias or mod_rewrite.

12: Remove Duplicate Scripts

It hurts performance to include the same JavaScript file twice in one page. This isn't as unusual as you might think. A review of the ten top U.S. web sites shows that two of them contain a duplicated script. Two main factors increase the odds of a script being duplicated in a single web page: team size and number of scripts. When it does happen, duplicate scripts hurt performance by creating unnecessary HTTP requests and wasted JavaScript execution.

Unnecessary HTTP requests happen in Internet Explorer, but not in Firefox. In Internet Explorer, if an external script is included twice and is not cacheable, it generates two HTTP requests during page loading. Even if the script is cacheable, extra HTTP requests occur when the user reloads the page.

In addition to generating wasteful HTTP requests, time is wasted evaluating the script multiple times. This redundant JavaScript execution happens in both Firefox and Internet Explorer, regardless of whether the script is cacheable.

One way to avoid accidentally including the same script twice is to implement a script management module in your templating system. The typical way to include a script is to use the SCRIPT tag in your HTML page.

      <script type="text/javascript" src="menu_1.0.17.js"></script>

An alternative in PHP would be to create a function called insertScript.

      <?php insertScript("menu.js") ?>

In addition to preventing the same script from being inserted multiple times, this function could handle other issues with scripts, such as dependency checking and adding version numbers to script filenames to support far future Expires headers.
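
The PHP function above is only named; as an added example (not the article's or Yahoo!'s code) here is a Python equivalent of such a script management module doing the three jobs the paragraph lists: collapse duplicates, emit dependencies first, and put the version into the filename so the file can carry a far future Expires header. The registry of scripts, versions and dependencies is constructed for the illustration.

```python
"""A script manager in the spirit of the insertScript function above: each external
script is emitted once, after its dependencies, with its version in the filename."""

# Constructed registry: script name -> version and the scripts it depends on.
SAMPLE_REGISTRY = {
    "yahoo.js": {"version": "2.0.6"},
    "event.js": {"version": "2.0.6", "requires": ["yahoo.js"]},
    "menu.js": {"version": "1.0.17", "requires": ["event.js"]},
}


class ScriptManager:
    def __init__(self, registry, base_url="/js/"):
        self.registry = registry
        self.base_url = base_url
        self.inserted = []       # scripts already emitted, in emission order
        self._resolving = set()  # cycle guard while walking dependencies

    def versioned_filename(self, name):
        """menu.js at version 1.0.17 -> menu_1.0.17.js"""
        version = self.registry[name]["version"]
        stem, dot, ext = name.rpartition(".")
        if not dot:
            return f"{name}_{version}"
        return f"{stem}_{version}{dot}{ext}"

    def insert_script(self, name):
        """Return the SCRIPT tags still needed for `name`; "" if it is already on the page."""
        if name not in self.registry:
            raise KeyError(f"unknown script {name!r}")
        if name in self.inserted:
            return ""                                # duplicate: emit nothing
        if name in self._resolving:
            raise ValueError(f"circular dependency involving {name!r}")
        self._resolving.add(name)
        tags = []
        for dep in self.registry[name].get("requires", []):
            dep_tags = self.insert_script(dep)       # dependencies come first
            if dep_tags:
                tags.append(dep_tags)
        self._resolving.discard(name)
        self.inserted.append(name)
        src = self.base_url + self.versioned_filename(name)
        tags.append(f'<script type="text/javascript" src="{src}"></script>')
        return "\n".join(tags)


def render_scripts(names, registry=SAMPLE_REGISTRY):
    """Emit the scripts a page template asked for, with duplicates collapsed."""
    manager = ScriptManager(registry)
    chunks = [manager.insert_script(n) for n in names]
    return "\n".join(c for c in chunks if c)


if __name__ == "__main__":
    # A template that asks for menu.js twice and for yahoo.js again after the fact.
    print(render_scripts(["menu.js", "menu.js", "yahoo.js"]))
```

The template can call insert_script wherever it likes; only the first request for a given script produces a tag, and a script pulled in as a dependency is never emitted again when a later template fragment asks for it by name.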

13: Configure ETags

Entity tags (ETags) are a mechanism that web servers and browsers use to determine whether the component in the browser's cache matches the one on the origin server. (An "entity" is another word for what I've been calling a "component": images, scripts, stylesheets, etc.) ETags were added to provide a mechanism for validating entities that is more flexible than the last-modified date. An ETag is a string that uniquely identifies a specific version of a component. The only format constraints are that the string be quoted. The origin server specifies the component's ETag using the ETag response header.

      HTTP/1.1 200 OK
      Last-Modified: Tue, 12 Dec 2006 03:03:59 GMT
      ETag: "10c24bc-4ab-457e1c1f"
      Content-Length: 12195

Later, if the browser has to validate a component, it uses the If-None-Match header to pass the ETag back to the origin server. If the ETags match, a 304 status code is returned reducing the response by 12195 bytes for this example.

      GET /i/yahoo.gif HTTP/1.1
      Host: us.yimg.com
      If-Modified-Since: Tue, 12 Dec 2006 03:03:59 GMT
      If-None-Match: "10c24bc-4ab-457e1c1f"

      HTTP/1.1 304 Not Modified

The problem with ETags is that they typically are constructed using attributes that make them unique to a specific server hosting a site. ETags won't match when a browser gets the original component from one server and later tries to validate that component on a different server, a situation that is all too common on Web sites that use a cluster of servers to handle requests. By default, both Apache and IIS embed data in the ETag that dramatically reduces the odds of the validity test succeeding on web sites with multiple servers.

The ETag format for Apache 1.3 and 2.x is inode-size-timestamp. Although a given file may reside in the same directory across multiple servers, and have the same file size, permissions, timestamp, etc., its inode is different from one server to the next.

IIS 5.0 and 6.0 have a similar issue with ETags. The format for ETags on IIS is Filetimestamp:ChangeNumber. A ChangeNumber is a counter used to track configuration changes to IIS. It's unlikely that the ChangeNumber is the same across all IIS servers behind a web site.

The end result is ETags generated by Apache and IIS for the exact same component won't match from one server to another. If the ETags don't match, the user doesn't receive the small, fast 304 response that ETags were designed for; instead, they'll get a normal 200 response along with all the data for the component. If you host your web site on just one server, this isn't a problem. But if you have multiple servers hosting your web site, and you're using Apache or IIS with the default ETag configuration, your users are getting slower pages, your servers have a higher load, you're consuming greater bandwidth, and proxies aren't caching your content efficiently. Even if your components have a far future Expires header, a conditional GET request is still made whenever the user hits Reload or Refresh.

If you're not taking advantage of the flexible validation model that ETags provide, it's better to just remove the ETag altogether. The Last-Modified header validates based on the component's timestamp. And removing the ETag reduces the size of the HTTP headers in both the response and subsequent requests. This Microsoft Support article describes how to remove ETags. In Apache, this is done by simply adding the following line to your Apache configuration file:

      FileETag none
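
An added example (not from the original article) that models the situation in Python: two servers in a cluster hold byte-identical copies of a file on different inodes. With the default inode-size-timestamp ETag, revalidating against the other server yields a 200 and the full body; with FileETag none, Last-Modified alone yields the 304; a content-derived tag (a digest of the bytes, shown here as the alternative to dropping ETags entirely) also matches across servers. The server names, inode numbers and file bytes are constructed; the timestamp field is the one from the page's example header.

```python
"""Conditional GET validation with ETags: why Apache's default inode-size-timestamp
tag fails behind a cluster, and what FileETag none or a content-derived tag changes."""
import hashlib

LAST_MODIFIED = "Tue, 12 Dec 2006 03:03:59 GMT"
MTIME_HEX = "457e1c1f"   # that date as Unix seconds in hex, the last field of the page's ETag

# Constructed stand-in for /i/yahoo.gif: identical bytes deployed to every server.
SAMPLE_GIF = b"GIF89a" + bytes(range(256)) * 4


class Server:
    """One origin server in a cluster. etag_mode: "default", "none" or "content"."""

    def __init__(self, name, inode, content, etag_mode="default"):
        self.name = name
        self.inode = inode          # differs per server even for identical files
        self.content = content
        self.etag_mode = etag_mode

    def etag(self):
        if self.etag_mode == "none":        # FileETag none: no ETag header at all
            return None
        if self.etag_mode == "content":     # derived from the bytes: equal on every server
            return '"%s"' % hashlib.sha256(self.content).hexdigest()[:16]
        # Default layout from the page: inode-size-timestamp, all in hex
        return '"%x-%x-%s"' % (self.inode, len(self.content), MTIME_HEX)

    def respond(self, request):
        """GET with optional If-None-Match / If-Modified-Since validators."""
        etag = self.etag()
        headers = {"Last-Modified": LAST_MODIFIED}
        if etag is not None:
            headers["ETag"] = etag
        if "If-None-Match" in request:
            # When If-None-Match is present it decides; If-Modified-Since is ignored.
            unchanged = etag is not None and request["If-None-Match"] == etag
        elif "If-Modified-Since" in request:
            unchanged = request["If-Modified-Since"] == LAST_MODIFIED
        else:
            unchanged = False
        if unchanged:
            return 304, headers, b""
        headers["Content-Length"] = str(len(self.content))
        return 200, headers, self.content


def revalidate_across_cluster(first, second):
    """Download from `first`, then hit Reload and revalidate against `second`."""
    _, headers, _ = first.respond({})
    request = {"If-Modified-Since": headers["Last-Modified"]}
    if "ETag" in headers:
        request["If-None-Match"] = headers["ETag"]
    status, _, _ = second.respond(request)
    return status


def cluster(etag_mode):
    """Two servers holding the same file on different inodes."""
    return (Server("web1", 0x10C24BC, SAMPLE_GIF, etag_mode),
            Server("web2", 0x10C24C1, SAMPLE_GIF, etag_mode))


if __name__ == "__main__":
    for mode in ("default", "none", "content"):
        web1, web2 = cluster(mode)
        print(mode, web1.etag(), web2.etag(), revalidate_across_cluster(web1, web2))
```

The default mode is the only one that returns 200 on the cross-server reload, even though If-Modified-Since matched: the ETag mismatch takes precedence, which is exactly why an ETag that varies per server is worse than no ETag.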

14: Make Ajax Cacheable

People ask whether these performance rules apply to Web 2.0 applications. They definitely do! This rule is the first rule that resulted from working with Web 2.0 applications at Yahoo!.

One of the cited benefits of Ajax is that it provides instantaneous feedback to the user because it requests information asynchronously from the backend web server. However, using Ajax is no guarantee that the user won't be twiddling his thumbs waiting for those asynchronous JavaScript and XML responses to return. In many applications, whether or not the user is kept waiting depends on how Ajax is used. For example, in a web-based email client the user will be kept waiting for the results of an Ajax request to find all the email messages that match their search criteria. It's important to remember that "asynchronous" does not imply "instantaneous".

To improve performance, it's important to optimize these Ajax responses. The most important way to improve the performance of Ajax is to make the responses cacheable, as discussed in Rule 3: Add an Expires Header. Some of the other rules also apply to Ajax:

However, Rule 3 is the most important for speeding up the user experience. Let's look at an example. A Web 2.0 email client might use Ajax to download the user's address book for autocompletion. If the user hasn't modified her address book since the last time she used the email web app, the previous address book response could be read from cache if that Ajax response was made cacheable with a future Expires header. The browser must be informed when to use a previously cached address book response versus requesting a new one. This could be done by adding a timestamp to the address book Ajax URL indicating the last time the user modified her address book, for example, &t=1190241612. If the address book hasn't been modified since the last download, the timestamp will be the same and the address book will be read from the browser's cache eliminating an extra HTTP roundtrip. If the user has modified her address book, the timestamp ensures the new URL doesn't match the cached response, and the browser will request the updated address book entries.

Even though your Ajax responses are created dynamically, and might only be applicable to a single user, they can still be cached. Doing so will make your Web 2.0 apps faster.
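
The following added example (mine, not from the original article) puts Rule 3 and Rule 14 together in Python: a stand-in origin emits headers equivalent to ExpiresDefault "access plus 10 years", and a minimal browser-cache model shows that a versioned script filename and an address-book URL carrying a last-modified timestamp are each fetched once and then served from cache until the URL changes or the Expires date passes. Dates, user id, URL paths and the second timestamp are constructed for the illustration (the t value 1190241612 is the one the text uses).

```python
"""Far future Expires headers only pay off if the URL changes whenever the content
does. A small browser-cache model exercises both the Rule 3 versioned filename and
the Rule 14 Ajax timestamp parameter."""
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime

TEN_YEARS = timedelta(days=3652)
T0 = datetime(2007, 9, 19, 12, 0, tzinfo=timezone.utc)   # constructed "now"


def far_future_headers(now, content_type):
    """Headers equivalent to Apache's ExpiresDefault "access plus 10 years"."""
    expires = now + TEN_YEARS
    return {
        "Content-Type": content_type,
        "Expires": formatdate(expires.timestamp(), usegmt=True),
        "Cache-Control": "max-age=%d" % int(TEN_YEARS.total_seconds()),
    }


def versioned_url(base, name, version):
    """yahoo.js at version 2.0.6 -> /js/yahoo_2.0.6.js (Rule 3's build-time renaming)."""
    stem, dot, ext = name.rpartition(".")
    return f"{base}{stem}_{version}{dot}{ext}" if dot else f"{base}{name}_{version}"


def address_book_url(user_id, last_modified_epoch):
    """Rule 14: the URL carries the time the user last changed the address book."""
    return f"/ajax/addressbook?user={user_id}&t={last_modified_epoch}"


def sample_origin(url, now):
    """Stand-in origin server: every response is cacheable for ten years."""
    content_type = "application/json" if url.startswith("/ajax/") else "text/javascript"
    return far_future_headers(now, content_type), ("// response for " + url).encode()


class BrowserCache:
    """Entries are keyed by the full URL and reused until their Expires date passes."""

    def __init__(self):
        self.entries = {}
        self.requests = 0

    def fetch(self, url, now, origin):
        entry = self.entries.get(url)
        if entry and now < parsedate_to_datetime(entry["headers"]["Expires"]):
            return entry["body"], "cache"          # no bytes cross the network
        self.requests += 1
        headers, body = origin(url, now)
        self.entries[url] = {"headers": headers, "body": body}
        return body, "network"


def run_scenario():
    """Seven fetches; returns where each one was served from."""
    cache = BrowserCache()
    js_206 = versioned_url("/js/", "yahoo.js", "2.0.6")
    js_207 = versioned_url("/js/", "yahoo.js", "2.0.7")
    steps = [
        (js_206, T0),                                    # first visit: download
        (js_206, T0 + timedelta(days=30)),               # primed cache: no request
        (js_207, T0 + timedelta(days=31)),               # new release, new filename: download
        (address_book_url(42, 1190241612), T0),          # address book: download
        (address_book_url(42, 1190241612), T0 + timedelta(hours=1)),   # unchanged: cached
        (address_book_url(42, 1190245212), T0 + timedelta(hours=2)),   # edited: new URL, download
        (js_206, T0 + timedelta(days=4000)),             # past Expires: download again
    ]
    return [cache.fetch(url, when, sample_origin)[1] for url, when in steps]


if __name__ == "__main__":
    print(run_scenario())
```

The model never sends a conditional request while an entry is fresh, which is the point of the far future date: the only way to get a changed component in front of the user is to change its URL, so the version number (or the timestamp) must move whenever the content does.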
