The previous part of "How much do you know about blog systems?" introduced blog protocols and standards. This final part of the article covers the knowledge points of designing a blog system.
Due to its length, this article is divided into 4 parts. The directory is as follows:
- The past and present of "blog"
- My blog story
- Who is the audience of the blog?
- Essentials of designing the basic functions of a blog
  - 4.1 Article (Post)
  - 4.2 Comment
  - 4.3 Category
  - 4.4 Tag
  - 4.5 Archive
  - 4.6 Page
  - 4.7 Subscription
  - 4.8 Version control
  - 4.9 Theme and personalization
  - 4.10 Users and permissions
  - 4.11 Plugin
  - 4.12 Processing of pictures and attachments
  - 4.13 Sensitive-word filtering and review
  - 4.14 Static generation
  - 4.15 Notification system
- Blog protocols and standards
  - 5.1 RSS
  - 5.2 ATOM
  - 5.3 OPML
  - 5.4 APML
  - 5.5 FOAF
  - 5.6 BlogML
  - 5.7 Open Search
  - 5.8 Pingback
  - 5.9 Trackback
  - 5.10 MetaWeblog
  - 5.11 RSD
  - 5.12 Reader view
- Knowledge points of designing a blog system
  - 6.1 Really use UTC for all time zones?
  - 6.2 HTML or Markdown
  - 6.3 MVC or SPA
  - 6.4 Security
- Concluding remarks
6.1 | Really use UTC for all time zones?
Storing times in UTC should be well-known practice by 2020, and a blog system is no different: all time data in my blog is ultimately stored as UTC. But a blog has one special characteristic. The stored UTC value should not be converted to the reader's time zone for display; it should be shown in the blog author's time zone.
The reason is not technical. Displaying the time in the reader's time zone would not make the code explode. The reason is that the original purpose of a blog is to show personality and give the blogger a display space of their own on the Internet, so emphasizing the attributes of the blog's owner matters, and the blogger's time zone is one of the attributes through which readers get to know the blogger. Therefore a genuine blog system offers a time zone setting and converts the stored UTC time into that zone for display; WordPress and my Moonglade blog system both do this. The blog system does not automatically convert to the reader's time zone. It is a little-known sentimental design, but one that should be respected.
(Picture: Moonglade displays the publication time of the article according to the time zone set by the blogger)
Here is the interesting part: how does a search engine understand the time of a blog post? It is best to give the search engine the UTC time without displaying it to the user. The method is simple: use the datetime attribute of the HTML5 time tag. Since the HTML5 standard became widespread, search engines prefer to judge the meaning of content from the tag type rather than guessing from the text inside the tag.
In C#, ToString("u") is the universal sortable date/time pattern, which formats a DateTime as yyyy-MM-dd HH:mm:ssZ. Note that it appends the Z without converting the value, so it must only be applied to a DateTime that is already UTC. HTML's datetime attribute accepts this form, because the specification allows a space in place of the T separator.
<time datetime="@Model.PostModel.PubDateUtc.ToString("u")" title="GMT @Model.PostModel.PubDateUtc">@DateTimeResolver.GetDateTimeWithUserTZone(Model.PostModel.PubDateUtc).ToString("MM/dd/yyyy")</time>
For the article in the screenshot above, the HTML of the time is:
<time datetime="2020-04-29 11:41:02Z" title="GMT 4/29/2020 11:41:02 AM">04/29/2020</time>
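The same rendering rule in Python, as an added example that is not Moonglade's own Razor code: the machine-readable datetime attribute always carries the UTC instant, the visible text is rendered in the blogger's configured IANA zone, and there is deliberately no reader-time-zone parameter. It also refuses naive datetimes, because formatting a local time with a trailing Z is the classic bug the text warns against. The sample timestamps and zone names are constructed for illustration.

```python
from datetime import datetime, timezone
from html import escape
from zoneinfo import ZoneInfo

# Constructed samples: the UTC publication time from the page's screenshot, a
# late-evening UTC time that crosses the date line in some zones, and a naive value.
SAMPLE_PUB_UTC = datetime(2020, 4, 29, 11, 41, 2, tzinfo=timezone.utc)
SAMPLE_LATE_UTC = datetime(2020, 4, 29, 23, 30, 0, tzinfo=timezone.utc)
SAMPLE_NAIVE = datetime(2020, 4, 29, 11, 41, 2)


def render_time_tag(pub_utc: datetime, blog_tz: str, display_fmt: str = "%m/%d/%Y") -> str:
    """Build the <time> element for a post.

    datetime= carries the machine-readable UTC instant for crawlers; the visible
    text is rendered in the blogger's configured IANA zone (blog_tz). The reader's
    zone is never consulted, which is why there is no parameter for it.
    """
    # A naive datetime has no zone; labelling it with 'Z' would present local time
    # as UTC, so refuse it instead of guessing.
    if pub_utc.tzinfo is None or pub_utc.utcoffset() is None:
        raise ValueError("publication time must be timezone-aware UTC, not naive")
    pub_utc = pub_utc.astimezone(timezone.utc)

    machine = pub_utc.strftime("%Y-%m-%dT%H:%M:%SZ")   # ISO 8601; HTML also accepts ' ' for 'T'
    local = pub_utc.astimezone(ZoneInfo(blog_tz))     # DST handled by the zone database
    title = "GMT " + pub_utc.strftime("%Y-%m-%d %H:%M:%S")
    return (f'<time datetime="{machine}" title="{escape(title)}">'
            f'{escape(local.strftime(display_fmt))}</time>')


if __name__ == "__main__":
    for tz in ("Asia/Shanghai", "Europe/Berlin", "America/Los_Angeles"):
        print(tz, render_time_tag(SAMPLE_PUB_UTC, tz, "%Y-%m-%d %H:%M"))
```

Running it shows the same instant rendered as 19:41 for a blogger in Shanghai, 13:41 in Berlin (CEST) and 04:41 in Los Angeles, while the datetime attribute stays identical.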
6.2 | HTML or Markdown
Many technical people like to use Markdown as the editor when they write a blog system. If it is only your own technical blog, use it by all means. But if you are writing a blog system for others, remember that not everyone is a programmer and not everyone loves Markdown.
In that case a WYSIWYG HTML editor (such as TinyMCE) is a good choice, and an HTML editor also supports more advanced typesetting than Markdown. Moonglade supports both HTML and Markdown editors.
(Picture: TinyMCE editor used by Moonglade)
When saving article content to the database, a Markdown post must be stored as the original Markdown source rather than the generated HTML, because later edits must still be possible. For HTML content, encoding it before storage is no longer recommended. After all, it is 2020; mainstream databases correctly support all kinds of exotic Unicode. For example, an emoji suddenly appearing in an article caused my blog trouble while encoding was still in use: https://github.com/EdiWang/Moonglade/issues/280. The encoding and decoding round trip also costs performance. My Moonglade blog system has just completed the change to remove encoding. One caveat: encoding at storage time was never a real defence anyway, so when you remove it, make sure the HTML is still escaped or sanitized at output time, where the protection actually belongs.
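The "store raw, defend at output" pattern as an added example in Python (not Moonglade's code, which is C#). The source is persisted exactly as typed, emoji included, and whatever HTML finally reaches the page, whether written in the WYSIWYG editor or rendered from Markdown, passes through a small allowlist sanitizer. The tag and attribute allowlist and the sample post bodies are constructed for illustration; a production system should use a maintained sanitizer library rather than this hand-rolled one, which does not balance unclosed tags.

```python
import html
from html.parser import HTMLParser

# Allowlist used when rendering. Constructed for this example; a real system would
# tune it to the typesetting its WYSIWYG editor actually produces.
ALLOWED_TAGS = {"p", "br", "a", "b", "strong", "i", "em", "code", "pre",
                "ul", "ol", "li", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_CONTENT_TAGS = {"script", "style"}      # remove the element and its text
VOID_TAGS = {"br"}


def store_post(body: str, fmt: str) -> dict:
    """Persist exactly what the author typed: Markdown stays Markdown so it can be
    re-edited, HTML stays HTML, emoji stays emoji. No html.escape() at write time."""
    if fmt not in ("markdown", "html"):
        raise ValueError(f"unknown content format {fmt!r}")
    return {"format": fmt, "body": body}


def _safe_href(value: str) -> bool:
    v = value.strip().lower()
    if v.startswith("//"):          # protocol-relative: would follow the page's scheme to any host
        return False
    return v.startswith(("http://", "https://", "mailto:", "/", "#"))


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowlisted tags/attributes only. Everything else,
    including event handlers and javascript: links, is dropped; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded here, re-escaped on output
        self.out = []
        self.drop_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue            # on*, style, src, ... never reach the output
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if not self.drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def render_post(post: dict, markdown_renderer=None) -> str:
    """Output-side defence: whatever the source format, the HTML that reaches the
    page goes through the allowlist. For Markdown, markdown_renderer is the library
    call that turns source into HTML (injected so this example runs offline)."""
    if post["format"] == "markdown":
        if markdown_renderer is None:
            raise ValueError("a Markdown renderer is required for markdown posts")
        return sanitize_html(markdown_renderer(post["body"]))
    return sanitize_html(post["body"])


if __name__ == "__main__":
    # Constructed post body with an emoji and a couple of hostile fragments.
    post = store_post('<p>Hi 😀 &lt;3</p><script>alert(1)</script>'
                      '<a href="javascript:alert(1)" onclick="x()">x</a>', "html")
    print(render_post(post))
```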
6.3 | MVC or SPA
Many programmers in the community who write blog systems prefer to build them as SPAs and look down on MVC as backward. Is that really so? The question is like asking why a plane does not fly in a straight line; is the airline not planning properly? On this point I once wrote in an earlier post, "Summary of Experiences in Performance Optimization of My .NET Core Blog":
Since 2014, with the rise of SPAs, frameworks such as Angular have gradually become mainstream in front-end development. The problem they solve is to improve the responsiveness of the front end and bring web applications as close as possible to the experience of native applications. I have faced many questions from friends: why don't you write your blog in Angular? Are you not good at it?
In fact it is not that simple. The main content of my current job is actually writing Angular, and the back end of the .NET Framework version of the blog also used AngularJS and Angular 2. After a series of practice, it turned out that the benefit of using Angular for a content site like my blog is not large.
This is not surprising. Before blindly choosing a framework, we have to pay attention to a prerequisite: a SPA framework is for web applications. Application means heavy interaction, like the Azure Portal or the Outlook mailbox, where the purpose is to develop a web page as an application. There a SPA both improves the user experience and reduces development cost, so why not? But a blog is a content website, not an application. If anything, only the admin back end of a blog barely counts as an application. The only interaction on the blog's front end is comments and search, so a SPA is not suited to that job. It is like going to the market to buy groceries: riding a bicycle is more convenient than driving a tank.
Microsoft's official documentation also covers when to choose a SPA and when to choose a traditional website.
Reference link:
https://docs.microsoft.com/en-us/dotnet/architecture/modern-web-apps-azure/choose-between-traditional-web-and-single-page-apps
Another reason the blog's front end still uses MVC: look back at the earlier part of this series, "Who is the audience of the blog?". I have run a blog for more than ten years, and the statistics show that almost all visitors come from a search engine, click into one article, and then close the page. Now think carefully: what is one of the biggest problems a SPA solves? Improving front-end responsiveness by refreshing only part of the page. If users come from a search engine, read one article and close the page, can the partial-refresh advantage of a SPA even be used? The user reads a single article, but with a SPA framework they must first load the framework's own files, including navigation, interaction and other functions, and 99% of them will never click anywhere else. Is it worth loading a huge framework for the other 1%? Is that a performance gain or a performance loss?
Although MVC outputs fully server-rendered HTML on every request, 99% of users read one article and leave, so for those 99% the resources to load are far less than a whole SPA: it is faster and more SEO-friendly. A SPA suits the blog's admin portal, not its front end.
6.4 | Security
According to years of back-end monitoring data from running a blog, the most common attack behaviour comes from fully automated vulnerability scanners. They request common security oversights such as data.zip, wp-admin.php or the .git directory, or try to exploit known vulnerabilities in blog systems. The goal is to take control of the server and inject malicious code aimed at your readers (such as ransomware or cryptominers) into your blog pages; some also turn the server itself into a mining machine.
(Figure: Automatic scanning tool request captured by Azure background)
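What the screenshot above shows can be detected mechanically. The following is an added example, not part of the original page or of Moonglade: it reads constructed access-log lines (not real Azure telemetry), matches request paths against signatures of the probes the text names (data.zip, wp-admin.php, the .git directory) plus a few equally common ones of my own choosing, and reports source addresses that exceed a probe threshold. The log format and the IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines, format: <iso-utc> <client-ip> <method> <path> <status>
SAMPLE_LOG = """\
2020-04-29T11:41:02Z 203.0.113.7 GET /post/2020/4/29/moonglade-time-zone 200
2020-04-29T11:41:03Z 198.51.100.23 GET /wp-admin.php 404
2020-04-29T11:41:03Z 198.51.100.23 GET /wp-login.php 404
2020-04-29T11:41:04Z 198.51.100.23 GET /data.zip 404
2020-04-29T11:41:04Z 198.51.100.23 GET /.git/config 404
2020-04-29T11:41:05Z 198.51.100.23 GET /.env 404
2020-04-29T11:41:09Z 203.0.113.7 GET /search?q=git 200
2020-04-29T11:41:10Z 192.0.2.44 GET /phpmyadmin/ 404
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Path signatures that scanners request regardless of what software is running.
# The first three categories cover the probes named in the text; the rest are
# additions of mine, equally common in practice.
PROBE_PATTERNS = [
    ("wordpress", re.compile(r"^/(wp-admin|wp-login|wp-content|xmlrpc)\b", re.I)),
    ("archive-leak", re.compile(r"\.(zip|rar|tar\.gz|sql|bak)$", re.I)),
    ("git-exposure", re.compile(r"^/\.git(/|$)")),
    ("dotfile", re.compile(r"^/\.(env|htaccess|htpasswd)$")),
    ("php-admin-tools", re.compile(r"^/(phpmyadmin|pma|adminer)\b", re.I)),
]


def classify_path(target: str):
    """Return the probe category for a request target, or None for normal traffic."""
    path = target.split("?", 1)[0]           # match the path only, never the query string
    for label, rx in PROBE_PATTERNS:
        if rx.search(path):
            return label
    return None


def find_scanners(log_text: str, threshold: int = 3) -> dict:
    """Aggregate per client IP; return those with at least `threshold` probe hits."""
    per_ip = defaultdict(lambda: {"probes": 0, "labels": set(), "not_found": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # malformed line: skip, never crash the detector
        rec = per_ip[m["ip"]]
        if m["status"] == "404":
            rec["not_found"] += 1
        label = classify_path(m["target"])
        if label:
            rec["probes"] += 1
            rec["labels"].add(label)
    return {ip: {"probes": r["probes"], "labels": sorted(r["labels"]), "not_found": r["not_found"]}
            for ip, r in per_ip.items() if r["probes"] >= threshold}


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold matters: a single request for /.env may be a curious human, but five distinct probe categories from one address within seconds is a scanner, and that address is a reasonable candidate for the rate limiting or blocking discussed later in this section.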
When designing a blog system, the usual security countermeasures can be taken from OWASP ( https://owasp.org/), but keep some flexibility. For example, when adding a JavaScript Content Security Policy (CSP), consider that ordinary blog users may need to add third-party analytics plug-ins (such as Azure Application Insights, or CNZZ in China), so design an allowlist/blocklist or a feature switch for it.
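One way to give the blogger that switch without handing them the ability to weaken the policy, as an added Python example that is not Moonglade's configuration code: the baseline policy is fixed, inline theme scripts are allowed through a per-response nonce instead of 'unsafe-inline', and the admin UI may only append https origins to a few directives. Every origin is validated before it enters the header, so a typo or a hostile value like 'unsafe-inline' or a bare wildcard cannot get in. The directives and origins below are assumptions for the example; take the real origins a vendor needs from its documentation.

```python
import secrets
from urllib.parse import urlsplit

# Baseline policy for the public blog pages. Constructed for this example.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "connect-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}
# The only directives the blogger may extend from the admin UI (for analytics SDKs
# the script file and its beacon endpoint are usually what is needed).
ADMIN_EXTENDABLE = {"script-src", "connect-src", "img-src"}


def new_nonce() -> str:
    """Per-response nonce so the theme's own inline scripts run without 'unsafe-inline'."""
    return secrets.token_urlsafe(16)


def validate_source(src: str) -> str:
    """Accept only an https origin such as https://cdn.example or https://*.cdn.example;
    reject CSP keywords, other schemes, paths, credentials and over-broad wildcards."""
    src = src.strip()
    parts = urlsplit(src)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{src!r}: must be an https:// origin")
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        raise ValueError(f"{src!r}: origin only, no path, query or credentials")
    host = parts.netloc.lower()
    if host.startswith("*."):
        if host.count(".") < 2:             # '*.com' would allow every site on the TLD
            raise ValueError(f"{src!r}: wildcard too broad")
    elif "*" in host:
        raise ValueError(f"{src!r}: wildcard only allowed as a leading '*.'")
    return f"https://{host}"


def build_csp(enabled: bool, admin_sources: dict, nonce: str):
    """Return the Content-Security-Policy header value, or None when the blogger has
    switched CSP off. admin_sources maps directive -> origins entered in the admin UI."""
    if not enabled:
        return None
    policy = {d: list(v) for d, v in BASE_POLICY.items()}
    policy["script-src"].append(f"'nonce-{nonce}'")
    for directive, sources in admin_sources.items():
        if directive not in ADMIN_EXTENDABLE:
            raise ValueError(f"admin UI may not extend {directive}")
        for s in sources:
            origin = validate_source(s)
            if origin not in policy[directive]:
                policy[directive].append(origin)
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())


if __name__ == "__main__":
    # Constructed admin settings: one analytics script host and its beacon endpoint.
    settings = {"script-src": ["https://js.analytics.example"],
                "connect-src": ["https://*.ingest.example.net"]}
    print(build_csp(True, settings, new_nonce()))
```

The nonce must be regenerated for every response and written into the `nonce` attribute of the theme's inline `<script>` tags; a fixed nonce is equivalent to 'unsafe-inline'.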
Most designers know to guard user input, that is, input from blog readers, whose only entry points are usually comments and search. But do not forget that the blogger's input in the admin back end also needs to be guarded, because it is not necessarily the blogger who typed it. For example, if the blogger's account is stolen, the attacker can point a link in the navigation bar to their own server, or to a trap prepared on localhost (yes, do not assume that localhost does nothing on an ordinary person's computer), and readers will be severely affected.
For admin login authentication, prefer SSO if a mature SSO is available. For example, Moonglade supports Azure Active Directory authentication, so a professional service such as Microsoft's handles authorization and authentication, and account-level security problems are avoided as far as possible. If the user has no SSO environment, it falls back to local account authentication. Do not assume that a third-party service is less safe than something you write yourself, or that nobody knows your own logic so you will not be hacked. Unless you are among the world's top experts, the system you write is more vulnerable than the third-party service.
Other attacks are usually launched by bored programmers from a hostile camp, for example using scripts or tools to hammer a particular URL of the blog system, or attempting a DDoS to take the server down. For this kind of nuisance, the blog system only needs rate limiting on the URL endpoint. Real DDoS attacks can only be solved by cloud anti-DDoS services or hardware DDoS firewalls.
Finally, do not forget the things that are not in OWASP. Blog protocols themselves have design flaws. For example, pingback can be used for DDoS ( https://www.imperva.com/blog/wordpress-security-alert-pingback-ddos/ ), and it can also be used to scan the server's ports ( https://www.avsecurity.in/wordpress-xml-rpc-pingback-vulnerability/ ).
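Both the hijacked navigation link described earlier in this section and the pingback abuse above come down to the same check: before the blog stores a URL an admin typed, or before the server fetches a URL a pingback handed it, decide whether that URL is acceptable. The following is an added Python example, not Moonglade's code: it allows only http and https (so javascript: and data: links never reach the navigation bar), allows only ports 80 and 443 (so a pingback cannot be turned into a port scanner), and refuses localhost, loopback, private, link-local and other non-public addresses, including the ones a hostname resolves to. The DNS resolver is injectable; the static table and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline; 93.184.216.34 plays the
# role of a public address and 10.0.0.5 an intranet one.
STATIC_DNS = {"blog.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}


def static_resolver(host, port, type=0):
    """Same shape as socket.getaddrinfo's return value, backed by STATIC_DNS."""
    if host not in STATIC_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [(None, None, None, "", (ip, port)) for ip in STATIC_DNS[host]]


def _is_public(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:127.0.0.1 is still loopback
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolver=socket.getaddrinfo, allowed_ports=(80, 443)):
    """Return (ok, reason) for a URL the blog would publish as a link or fetch itself.

    Used for admin-entered navigation links and for pingback source/target URLs.
    The addresses checked are the ones the host resolves to; the fetch that follows
    should connect to those same addresses rather than resolving again, otherwise
    a DNS answer that changes between check and fetch would bypass the check.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, "scheme must be http or https"    # rejects javascript:, data:, file:
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"         # pingback must not probe arbitrary ports
    host = parts.hostname.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host"
    try:
        addrs = {str(ipaddress.ip_address(host))}       # literal IPv4/IPv6 (brackets already stripped)
    except ValueError:
        try:
            addrs = {ai[4][0] for ai in resolver(host, port, type=socket.SOCK_STREAM)}
        except (socket.gaierror, OSError):
            return False, "unresolvable host"
    for ip in addrs:
        if not _is_public(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("javascript:alert(1)", "http://localhost/trap", "http://127.0.0.1:8080/",
                      "http://[::1]/", "http://169.254.169.254/latest/meta-data/",
                      "https://intranet.example/", "https://blog.example/post"):
        print(candidate, check_outbound_url(candidate, resolver=static_resolver))
```

The link-local check also covers the cloud instance metadata address, which is the usual first target once an attacker can make a server fetch URLs on their behalf.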
Concluding remarks
To design an excellent blog system, every detail deserves thought. These designs are never right from the start; they are discovered and refined from the data of running a blog over a long time. Moreover, the market changes, user behaviour changes, standards are retired and new ones invented, so your system has to evolve.
Any seemingly simple system, even one so ordinary it is everywhere, has a complete and invisible system behind it. That is true of blogs, and e-commerce, food delivery and financial clearing systems are even more complex. It is like building an airplane: folding a paper plane and building a real one are not the same thing at all.
Technical people should not feel they must use whatever is popular. Excellent products are not made by stacking fashionable technologies. Analyse how your users actually use your product first, and only then can you make the most suitable choice. Remember, if you want something to succeed, do not confine your thinking to the technology itself. Only by learning to analyse the market and user behaviour can you choose and apply technology more accurately.
Thanks to the readers who have read here. If you have any questions or discussions, please leave a message for exchange.
Scan the QR code to follow Microsoft China MSDN to get more first-hand technical information and official learning materials from Microsoft!