DuoCMS 8 is the latest iteration of our content management system. But in this article I’d like to talk less about what we’ve added and more about what we’ve taken away.
Complicated software like our cms system aren’t written in isolation. They rely on lots of open sources dependencies. These are pieces of software which make it economical for us to write our system. Everything from talking to third party APIs, sending emails and authenticating users are all open source dependencies.
This build up of work generated by systems we rely on changing, or needing to change, often referred to as technical debt, builds up within any system over time.
To help make Duocms8 more resilient to technical debt, we have had a complete review of all our upstream dependencies and stripped as many as possible.
We’ve gone from 65 direct server production dependencies in duocms7 to only 42 in duocms8. In addition to that we’ve chosen more lightweight dependencies with fewer of their own dependencies. This has taken us from 715mb of third party code down to to only 249mb.
This reduction means we get
Faster site deploys due to less code to install
Fewer packages needing security updates
Smaller surface area for potential security flaws
One of the biggest limiting factors of our websites is their memory usage. Our clients want their hosting to be as economical as possible so for many of them we use relatively small virtual machines to host their sites. Typically the more traffic a dynamic cms site gets the more memory it needs. So by reducing the usage we can get more scale from fewer resources.
During the development of cms8 we took care to check the impact of every library and how we use it.
Best practices dictate that websites should have a content security policy. This is a special piece of information sent with each page describing where it is allowed to collect its content from. This policy helps prevent various types of attacks on the site by telling the web browser to ignore content unless is comes from a specific whitelist of sources.
We had an interface for this in previous versions of the cms, but in general it was either unused due to the difficulty in understanding it. Or it caused unforeseen bugs by blocking too many things.
In CMS8 we have automated this process. The content security policy (csp) can now be set up with a default policy with the click of a button. While editing the site the policy can update itself to fix any issues caused. So by default youtube may be blocked, but if the site editor then chooses to insert a youtube video, the csp will be updated to allow video and image content from the domains that specific video requires. These updates to the csp will be logged for later auditing, recording who added these and when.
Feedback forms within websites can often be a constant source of spam abuse. To limit this we’ve always filtered our forms with a set of heuristics to determine how spammy the content is. We determine how long the user took to fill out the form and leave hidden fields in place, as robots fill these, unlike humans who can’t see them. This on the whole reduces spam, but doesn’t completely prevent it.
To improve this we’ve made it much simpler to add google’s re-captcha to all the feedback forms within the site. By simply follow a couple of simple instructions to generate a set of api keys we are able to pretty much eradicate spam.
So to summarise, in DuoCMS8 we have
Reduced technical debt and upstream dependencies by 65%
Reduced memory usage by around 75%
Reduced vulnerabilities with a semi-automatic content security policy
Reduced spam with automated recaptcha integration
In later articles I’ll talk about how
How we’re embracing modern CSS with the demise of Internet Explorer 11 making sites quicker to load
Improvements in our file management system, making uploading and content creation even quicker
Work we’ve done to help prevent losing edits, and help undo mistakes.