Best Practices

1---2name: best-practices3description: Apply modern web development best practices for security, compatibility, and code quality. Use when asked to "apply best practices", "security audit", "modernize code", "code quality review", or "check for vulnerabilities".4license: MIT5metadata:6  author: web-quality-skills7  version: "1.0"8---9 10# Best practices11 12Modern web development standards based on Lighthouse best practices audits. Covers security, browser compatibility, and code quality patterns.13 14## Security15 16### HTTPS everywhere17 18**Enforce HTTPS:**19```html20<!-- ❌ Mixed content -->21<img src="http://example.com/image.jpg">22<script src="http://cdn.example.com/script.js"></script>23 24<!-- ✅ HTTPS only -->25<img src="https://example.com/image.jpg">26<script src="https://cdn.example.com/script.js"></script>27 28<!-- ✅ Protocol-relative (will use page's protocol) -->29<img src="//example.com/image.jpg">30```31 32**HSTS Header:**33```34Strict-Transport-Security: max-age=31536000; includeSubDomains; preload35```36 37### Content Security Policy (CSP)38 39```html40<!-- Basic CSP via meta tag -->41<meta http-equiv="Content-Security-Policy" 42      content="default-src 'self'; 43               script-src 'self' https://trusted-cdn.com; 44               style-src 'self' 'unsafe-inline';45               img-src 'self' data: https:;46               connect-src 'self' https://api.example.com;">47 48<!-- Better: HTTP header -->49```50 51**CSP Header (recommended):**52```53Content-Security-Policy: 54  default-src 'self';55  script-src 'self' 'nonce-abc123' https://trusted.com;56  style-src 'self' 'nonce-abc123';57  img-src 'self' data: https:;58  connect-src 'self' https://api.example.com;59  frame-ancestors 'self';60  base-uri 'self';61  form-action 'self';62```63 64**Using nonces for inline scripts:**65```html66<script nonce="abc123">67  // This inline script is allowed68</script>69```70 71### Security headers72 73```74# Prevent clickjacking75X-Frame-Options: DENY76 77# Prevent MIME type sniffing78X-Content-Type-Options: nosniff79 80# Enable XSS filter (legacy browsers)81X-XSS-Protection: 1; mode=block82 83# Control referrer information84Referrer-Policy: strict-origin-when-cross-origin85 86# Permissions policy (formerly Feature-Policy)87Permissions-Policy: geolocation=(), microphone=(), camera=()88```89 90### No vulnerable libraries91 92```bash93# Check for vulnerabilities94npm audit95yarn audit96 97# Auto-fix when possible98npm audit fix99 100# Check specific package101npm ls lodash102```103 104**Keep dependencies updated:**105```json106// package.json107{108  "scripts": {109    "audit": "npm audit --audit-level=moderate",110    "update": "npm update && npm audit fix"111  }112}113```114 115**Known vulnerable patterns to avoid:**116```javascript117// ❌ Prototype pollution vulnerable patterns118Object.assign(target, userInput);119_.merge(target, userInput);120 121// ✅ Safer alternatives122const safeData = JSON.parse(JSON.stringify(userInput));123```124 125### Input sanitization126 127```javascript128// ❌ XSS vulnerable129element.innerHTML = userInput;130document.write(userInput);131 132// ✅ Safe text content133element.textContent = userInput;134 135// ✅ If HTML needed, sanitize136import DOMPurify from 'dompurify';137element.innerHTML = DOMPurify.sanitize(userInput);138```139 140### Secure cookies141 142```javascript143// ❌ Insecure cookie144document.cookie = "session=abc123";145 146// ✅ Secure cookie (server-side)147Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/148```149 150---151 152## Browser compatibility153 154### Doctype declaration155 156```html157<!-- ❌ Missing or invalid doctype -->158<HTML>159<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">160 161<!-- ✅ HTML5 doctype -->162<!DOCTYPE html>163<html lang="en">164```165 166### Character encoding167 168```html169<!-- ❌ Missing or late charset -->170<html>171<head>172  <title>Page</title>173  <meta charset="UTF-8">174</head>175 176<!-- ✅ Charset as first element in head -->177<html>178<head>179  <meta charset="UTF-8">180  <title>Page</title>181</head>182```183 184### Viewport meta tag185 186```html187<!-- ❌ Missing viewport -->188<head>189  <title>Page</title>190</head>191 192<!-- ✅ Responsive viewport -->193<head>194  <meta charset="UTF-8">195  <meta name="viewport" content="width=device-width, initial-scale=1">196  <title>Page</title>197</head>198```199 200### Feature detection201 202```javascript203// ❌ Browser detection (brittle)204if (navigator.userAgent.includes('Chrome')) {205  // Chrome-specific code206}207 208// ✅ Feature detection209if ('IntersectionObserver' in window) {210  // Use IntersectionObserver211} else {212  // Fallback213}214 215// ✅ Using @supports in CSS216@supports (display: grid) {217  .container {218    display: grid;219  }220}221 222@supports not (display: grid) {223  .container {224    display: flex;225  }226}227```228 229### Polyfills (when needed)230 231```html232<!-- Load polyfills conditionally -->233<script>234  if (!('fetch' in window)) {235    document.write('<script src="/polyfills/fetch.js"><\/script>');236  }237</script>238 239<!-- Or use polyfill.io -->240<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch,IntersectionObserver"></script>241```242 243---244 245## Deprecated APIs246 247### Avoid these248 249```javascript250// ❌ document.write (blocks parsing)251document.write('<script src="..."></script>');252 253// ✅ Dynamic script loading254const script = document.createElement('script');255script.src = '...';256document.head.appendChild(script);257 258// ❌ Synchronous XHR (blocks main thread)259const xhr = new XMLHttpRequest();260xhr.open('GET', url, false); // false = synchronous261 262// ✅ Async fetch263const response = await fetch(url);264 265// ❌ Application Cache (deprecated)266<html manifest="cache.manifest">267 268// ✅ Service Workers269if ('serviceWorker' in navigator) {270  navigator.serviceWorker.register('/sw.js');271}272```273 274### Event listener passive275 276```javascript277// ❌ Non-passive touch/wheel (may block scrolling)278element.addEventListener('touchstart', handler);279element.addEventListener('wheel', handler);280 281// ✅ Passive listeners (allows smooth scrolling)282element.addEventListener('touchstart', handler, { passive: true });283element.addEventListener('wheel', handler, { passive: true });284 285// ✅ If you need preventDefault, be explicit286element.addEventListener('touchstart', handler, { passive: false });287```288 289---290 291## Console & errors292 293### No console errors294 295```javascript296// ❌ Errors in production297console.log('Debug info'); // Remove in production298throw new Error('Unhandled'); // Catch all errors299 300// ✅ Proper error handling301try {302  riskyOperation();303} catch (error) {304  // Log to error tracking service305  errorTracker.captureException(error);306  // Show user-friendly message307  showErrorMessage('Something went wrong. Please try again.');308}309```310 311### Error boundaries (React)312 313```jsx314class ErrorBoundary extends React.Component {315  state = { hasError: false };316  317  static getDerivedStateFromError(error) {318    return { hasError: true };319  }320  321  componentDidCatch(error, info) {322    errorTracker.captureException(error, { extra: info });323  }324  325  render() {326    if (this.state.hasError) {327      return <FallbackUI />;328    }329    return this.props.children;330  }331}332 333// Usage334<ErrorBoundary>335  <App />336</ErrorBoundary>337```338 339### Global error handler340 341```javascript342// Catch unhandled errors343window.addEventListener('error', (event) => {344  errorTracker.captureException(event.error);345});346 347// Catch unhandled promise rejections348window.addEventListener('unhandledrejection', (event) => {349  errorTracker.captureException(event.reason);350});351```352 353---354 355## Source maps356 357### Production configuration358 359```javascript360// ❌ Source maps exposed in production361// webpack.config.js362module.exports = {363  devtool: 'source-map', // Exposes source code364};365 366// ✅ Hidden source maps (uploaded to error tracker)367module.exports = {368  devtool: 'hidden-source-map',369};370 371// ✅ Or no source maps in production372module.exports = {373  devtool: process.env.NODE_ENV === 'production' ? false : 'source-map',374};375```376 377---378 379## Performance best practices380 381### Avoid blocking patterns382 383```javascript384// ❌ Blocking script385<script src="heavy-library.js"></script>386 387// ✅ Deferred script388<script defer src="heavy-library.js"></script>389 390// ❌ Blocking CSS import391@import url('other-styles.css');392 393// ✅ Link tags (parallel loading)394<link rel="stylesheet" href="styles.css">395<link rel="stylesheet" href="other-styles.css">396```397 398### Efficient event handlers399 400```javascript401// ❌ Handler on every element402items.forEach(item => {403  item.addEventListener('click', handleClick);404});405 406// ✅ Event delegation407container.addEventListener('click', (e) => {408  if (e.target.matches('.item')) {409    handleClick(e);410  }411});412```413 414### Memory management415 416```javascript417// ❌ Memory leak (never removed)418const handler = () => { /* ... */ };419window.addEventListener('resize', handler);420 421// ✅ Cleanup when done422const handler = () => { /* ... */ };423window.addEventListener('resize', handler);424 425// Later, when component unmounts:426window.removeEventListener('resize', handler);427 428// ✅ Using AbortController429const controller = new AbortController();430window.addEventListener('resize', handler, { signal: controller.signal });431 432// Cleanup:433controller.abort();434```435 436---437 438## Code quality439 440### Valid HTML441 442```html443<!-- ❌ Invalid HTML -->444<div id="header">445<div id="header"> <!-- Duplicate ID -->446 447<ul>448  <div>Item</div> <!-- Invalid child -->449</ul>450 451<a href="/"><button>Click</button></a> <!-- Invalid nesting -->452 453<!-- ✅ Valid HTML -->454<header id="site-header">455</header>456 457<ul>458  <li>Item</li>459</ul>460 461<a href="/" class="button">Click</a>462```463 464### Semantic HTML465 466```html467<!-- ❌ Non-semantic -->468<div class="header">469  <div class="nav">470    <div class="nav-item">Home</div>471  </div>472</div>473<div class="main">474  <div class="article">475    <div class="title">Headline</div>476  </div>477</div>478 479<!-- ✅ Semantic HTML5 -->480<header>481  <nav>482    <a href="/">Home</a>483  </nav>484</header>485<main>486  <article>487    <h1>Headline</h1>488  </article>489</main>490```491 492### Image aspect ratios493 494```html495<!-- ❌ Distorted images -->496<img src="photo.jpg" width="300" height="100">497<!-- If actual ratio is 4:3, this squishes the image -->498 499<!-- ✅ Preserve aspect ratio -->500<img src="photo.jpg" width="300" height="225">501<!-- Actual 4:3 dimensions -->502 503<!-- ✅ CSS object-fit for flexibility -->504<img src="photo.jpg" style="width: 300px; height: 200px; object-fit: cover;">505```506 507---508 509## Permissions & privacy510 511### Request permissions properly512 513```javascript514// ❌ Request on page load (bad UX, often denied)515navigator.geolocation.getCurrentPosition(success, error);516 517// ✅ Request in context, after user action518findNearbyButton.addEventListener('click', async () => {519  // Explain why you need it520  if (await showPermissionExplanation()) {521    navigator.geolocation.getCurrentPosition(success, error);522  }523});524```525 526### Permissions policy527 528```html529<!-- Restrict powerful features -->530<meta http-equiv="Permissions-Policy" 531      content="geolocation=(), camera=(), microphone=()">532 533<!-- Or allow for specific origins -->534<meta http-equiv="Permissions-Policy" 535      content="geolocation=(self 'https://maps.example.com')">536```537 538---539 540## Audit checklist541 542### Security (critical)543- [ ] HTTPS enabled, no mixed content544- [ ] No vulnerable dependencies (`npm audit`)545- [ ] CSP headers configured546- [ ] Security headers present547- [ ] No exposed source maps548 549### Compatibility550- [ ] Valid HTML5 doctype551- [ ] Charset declared first in head552- [ ] Viewport meta tag present553- [ ] No deprecated APIs used554- [ ] Passive event listeners for scroll/touch555 556### Code quality557- [ ] No console errors558- [ ] Valid HTML (no duplicate IDs)559- [ ] Semantic HTML elements used560- [ ] Proper error handling561- [ ] Memory cleanup in components562 563### UX564- [ ] No intrusive interstitials565- [ ] Permission requests in context566- [ ] Clear error messages567- [ ] Appropriate image aspect ratios568 569## Tools570 571| Tool | Purpose |572|------|---------|573| `npm audit` | Dependency vulnerabilities |574| [SecurityHeaders.com](https://securityheaders.com) | Header analysis |575| [W3C Validator](https://validator.w3.org) | HTML validation |576| Lighthouse | Best practices audit |577| [Observatory](https://observatory.mozilla.org) | Security scan |578 579## References580 581- [MDN Web Security](https://developer.mozilla.org/en-US/docs/Web/Security)582- [OWASP Top 10](https://owasp.org/www-project-top-ten/)583- [Web Quality Audit](../web-quality-audit/SKILL.md)