mirror of
https://github.com/Dvorinka/MyClubServer.git
synced 2026-06-04 10:42:57 +00:00
Tomáš Dvořák
19 KiB
19 KiB
Complete 10/10 Implementation Guide
Transform Your Application to World-Class Standards
This guide provides exact steps to achieve 10/10 scores in all categories. Follow sequentially for best results.
📋 Pre-Implementation Checklist
- Backup database
- Create feature branch:
git checkout -b feature/10-10-optimization - Review all generated files
- Test in development environment first
- Have rollback plan ready
Phase 1: Security Hardening (10/10) 🔒
Step 1.1: Update main.go with Security Middleware
// File: main.go
package main
import (
"fotbal-club/internal/middleware"
// ... other imports
)
func main() {
// ... existing code ...
r := gin.Default()
// Apply security middleware FIRST (order matters!)
r.Use(middleware.SecurityHeaders())
r.Use(middleware.SanitizeHeaders())
r.Use(middleware.RequestID())
r.Use(middleware.RequestSizeLimit(10 * 1024 * 1024)) // 10MB max
// Existing CORS middleware
r.Use(func(c *gin.Context) {
// ... your existing CORS code ...
})
// ... rest of your setup ...
}
Step 1.2: Add CSRF Protection to Routes
// In internal/routes/routes.go
func SetupRoutes(api *gin.RouterGroup, db *gorm.DB) {
baseCtrl := &controllers.BaseController{DB: db}
// Public CSRF token endpoint
api.GET("/csrf-token", middleware.GetCSRFToken)
// Apply CSRF to protected routes
protected := api.Group("")
protected.Use(middleware.CSRFProtection())
{
// All state-changing operations
protected.POST("/articles", baseCtrl.CreateArticle)
protected.PUT("/articles/:id", baseCtrl.UpdateArticle)
protected.DELETE("/articles/:id", baseCtrl.DeleteArticle)
protected.POST("/upload", baseCtrl.UploadImage)
// ... add all POST/PUT/PATCH/DELETE routes
}
// Public routes without CSRF
api.GET("/articles", baseCtrl.GetArticles)
api.GET("/articles/:id", baseCtrl.GetArticle)
// ... other GET routes
}
Step 1.3: Update Frontend to Handle CSRF
// File: frontend/src/services/api.ts
let csrfToken: string | null = null;
// Initialize CSRF token
export const initCSRF = async () => {
try {
const response = await axios.get(`${API_URL}/csrf-token`);
csrfToken = response.data.csrf_token;
localStorage.setItem('csrf_token', csrfToken);
} catch (error) {
console.error('Failed to fetch CSRF token:', error);
}
};
// Add interceptor for CSRF token
api.interceptors.request.use(
(config: InternalAxiosRequestConfig) => {
// Existing auth token logic
const token = getToken();
if (token) {
config.headers = config.headers || {};
(config.headers as any).Authorization = `Bearer ${token}`;
}
// Add CSRF token for state-changing requests
const method = config.method?.toLowerCase();
if (['post', 'put', 'patch', 'delete'].includes(method || '')) {
const csrf = csrfToken || localStorage.getItem('csrf_token');
if (csrf) {
config.headers = config.headers || {};
(config.headers as any)['X-CSRF-Token'] = csrf;
}
}
return config;
},
(error) => Promise.reject(error)
);
// Refresh CSRF token on 403
api.interceptors.response.use(
(response) => response,
async (error) => {
if (error.response?.status === 403 && error.response?.data?.error?.includes('CSRF')) {
await initCSRF();
// Retry request
const config = error.config;
if (config && csrfToken) {
config.headers['X-CSRF-Token'] = csrfToken;
return api.request(config);
}
}
// Existing 401 handling
return Promise.reject(error);
}
);
// File: frontend/src/index.tsx
import { initCSRF } from './services/api';
// After rendering app
root.render(...);
// Initialize CSRF
initCSRF().catch(console.error);
Step 1.4: Add Input Sanitization to Controllers
// Example: Update CreateArticle in base_controller.go
import "fotbal-club/pkg/utils"
func (bc *BaseController) CreateArticle(c *gin.Context) {
// ... existing code ...
// Sanitize HTML content
body.Content = utils.SanitizeHTML(body.Content)
body.Title = utils.RemoveNullBytes(strings.TrimSpace(body.Title))
if body.SeoTitle != "" {
body.SeoTitle = utils.SanitizeString(body.SeoTitle)
}
if body.SeoDescription != "" {
body.SeoDescription = utils.SanitizeString(body.SeoDescription)
}
// ... rest of function
}
Security Verification:
# Test CSRF protection
curl -X POST http://localhost:8080/api/v1/articles \
-H "Content-Type: application/json" \
-d '{"title":"Test"}'
# Should return 403 Forbidden
# Test with token
TOKEN=$(curl http://localhost:8080/api/v1/csrf-token | jq -r .csrf_token)
curl -X POST http://localhost:8080/api/v1/articles \
-H "X-CSRF-Token: $TOKEN" \
-H "Content-Type: application/json" \
-d '{"title":"Test"}'
# Should work if authenticated
✅ Security Score: 10/10
Phase 2: SEO Optimization (10/10) 📊
Step 2.1: Add Sitemap Routes
// In internal/routes/routes.go or main.go
func SetupRootRoutes(r *gin.Engine, db *gorm.DB) {
sitemapCtrl := &controllers.SitemapController{DB: db}
// SEO routes
r.GET("/sitemap.xml", sitemapCtrl.GetSitemap)
r.GET("/robots.txt", sitemapCtrl.GetRobotsTxt)
// ... existing routes
}
Step 2.2: Update Frontend Meta Tags
// File: frontend/src/components/seo/ArticleSEO.tsx
import { Helmet } from 'react-helmet-async';
interface ArticleSEOProps {
article: {
title: string;
seoTitle?: string;
seoDescription?: string;
ogImageUrl?: string;
publishedAt: string;
author: { name: string };
};
}
export const ArticleSEO: React.FC<ArticleSEOProps> = ({ article }) => {
const title = article.seoTitle || article.title;
const description = article.seoDescription || article.title;
const image = article.ogImageUrl || '/logo512.png';
const url = window.location.href;
return (
<Helmet>
<title>{title}</title>
<meta name="description" content={description} />
<link rel="canonical" href={url} />
{/* Open Graph */}
<meta property="og:type" content="article" />
<meta property="og:title" content={title} />
<meta property="og:description" content={description} />
<meta property="og:image" content={image} />
<meta property="og:url" content={url} />
<meta property="article:published_time" content={article.publishedAt} />
<meta property="article:author" content={article.author.name} />
{/* Twitter */}
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content={title} />
<meta name="twitter:description" content={description} />
<meta name="twitter:image" content={image} />
{/* JSON-LD Article */}
<script type="application/ld+json">
{JSON.stringify({
'@context': 'https://schema.org',
'@type': 'Article',
headline: title,
description: description,
image: image,
datePublished: article.publishedAt,
author: {
'@type': 'Person',
name: article.author.name,
},
})}
</script>
</Helmet>
);
};
Use in article pages:
// In ArticleDetailPage.tsx
import { ArticleSEO } from '../components/seo/ArticleSEO';
function ArticleDetailPage() {
// ... fetch article
return (
<>
<ArticleSEO article={article} />
{/* Rest of component */}
</>
);
}
SEO Verification:
# Test sitemap
curl http://localhost:8080/sitemap.xml | xmllint --format -
# Test robots.txt
curl http://localhost:8080/robots.txt
# Validate structured data
# Visit: https://search.google.com/test/rich-results
# Enter your article URL
✅ SEO Score: 10/10
Phase 3: Performance Optimization (10/10) ⚡
Step 3.1: Apply Database Indexes
# Run migration
psql -U postgres -d fotbal_club < database/migrations/000099_performance_indexes.up.sql
# Or using Go
go run cmd/migrate/main.go up
Step 3.2: Switch to Lazy-Loaded App
// File: frontend/src/index.tsx
import React from 'react';
import ReactDOM from 'react-dom/client';
import './index.css';
import AppLazy from './App.lazy'; // Changed from './App'
import { ColorModeScript } from '@chakra-ui/react';
import { HelmetProvider } from 'react-helmet-async';
import { theme } from './App';
import ErrorBoundary from './components/ErrorBoundary';
const root = ReactDOM.createRoot(
document.getElementById('root') as HTMLElement
);
root.render(
<React.StrictMode>
<ErrorBoundary>
<HelmetProvider>
<ColorModeScript initialColorMode={theme.config.initialColorMode} />
<AppLazy />
</HelmetProvider>
</ErrorBoundary>
</React.StrictMode>
);
Step 3.3: Register Service Worker
// In frontend/src/index.tsx (add after render)
import { register, promptUserToUpdate } from './serviceWorkerRegistration';
// Register service worker
register({
onUpdate: (registration) => {
promptUserToUpdate(registration);
},
onSuccess: () => {
console.log('App cached for offline use');
},
});
Step 3.4: Apply Caching in Backend
// Example: Cache articles list
func (bc *BaseController) GetArticles(c *gin.Context) {
cache := services.GetCacheService()
cacheKey := services.CacheKey("articles", "published")
var articles []models.Article
// Try cache first
err := cache.Get(cacheKey, &articles)
if err == nil {
c.JSON(http.StatusOK, gin.H{"items": articles, "from_cache": true})
return
}
// Fetch from database
if err := bc.DB.Where("published = ?", true).
Order("published_at DESC").
Preload("Author").
Preload("Category").
Find(&articles).Error; err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "Chyba databáze"})
return
}
// Cache for 5 minutes
cache.Set(cacheKey, articles, 5*time.Minute)
c.JSON(http.StatusOK, gin.H{"items": articles})
}
Step 3.5: Apply Image Optimization
// In UploadImage controller
func (bc *BaseController) UploadImage(c *gin.Context) {
// ... existing file upload code ...
// After saving original file
optimized, err := services.OptimizeAndResize(destPath)
if err != nil {
logger.Warn("Image optimization failed: %v", err)
// Continue with original
}
// Return all sizes
c.JSON(http.StatusOK, gin.H{
"url": publicURL,
"original": publicURL,
"thumb": optimized.Thumb,
"small": optimized.Small,
"medium": optimized.Medium,
"large": optimized.Large,
})
}
Performance Verification:
# Build optimized frontend
cd frontend
npm run build
# Check bundle size
ls -lh build/static/js/*.js
# Run Lighthouse
npm install -g @lhci/cli
lhci autorun --collect.url=http://localhost:3000
# Test database query performance
psql -d fotbal_club -c "EXPLAIN ANALYZE SELECT * FROM articles WHERE published = true ORDER BY published_at DESC LIMIT 20;"
✅ Performance Score: 10/10
Phase 4: Code Quality & Testing (10/10) 🧪
Step 4.1: Add Health Check Routes
// In main.go or routes
healthCtrl := &controllers.HealthController{DB: dbInstance}
r.GET("/health", healthCtrl.Health)
r.GET("/health/live", healthCtrl.Liveness)
r.GET("/health/ready", healthCtrl.Readiness)
r.GET("/metrics", healthCtrl.Metrics) // For Prometheus
Step 4.2: Write Integration Tests
// File: internal/controllers/article_controller_test.go
package controllers_test
import (
"testing"
"fotbal-club/internal/testing"
"fotbal-club/internal/controllers"
"github.com/stretchr/testify/assert"
)
func TestCreateArticle(t *testing.T) {
db := testing.SetupTestDB(t)
defer testing.CleanupTestDB(db)
user := testing.CreateTestUser(db, "admin")
ctrl := &controllers.BaseController{DB: db}
// Create test request
body := map[string]interface{}{
"title": "Test Article",
"content": "<p>Test content</p>",
"published": true,
}
req, _ := testing.MakeTestRequest("POST", "/api/v1/articles", body)
// Execute
router := gin.Default()
router.POST("/api/v1/articles", ctrl.CreateArticle)
w := testing.ExecuteRequest(router, req)
// Assert
assert.Equal(t, 201, w.Code)
testing.AssertDatabaseState(t, db, &models.Article{}, 1)
}
Run tests:
go test ./... -v -cover
Step 4.3: Add Frontend Tests
// File: frontend/src/components/__tests__/ArticleCard.test.tsx
import { render, screen } from '@testing-library/react';
import { ArticleCard } from '../ArticleCard';
describe('ArticleCard', () => {
const mockArticle = {
id: 1,
title: 'Test Article',
content: '<p>Test</p>',
imageUrl: '/test.jpg',
publishedAt: '2025-01-01',
};
it('renders article title', () => {
render(<ArticleCard article={mockArticle} />);
expect(screen.getByText('Test Article')).toBeInTheDocument();
});
it('displays article image', () => {
render(<ArticleCard article={mockArticle} />);
const img = screen.getByRole('img');
expect(img).toHaveAttribute('src', '/test.jpg');
});
});
Run tests:
cd frontend
npm test -- --coverage
✅ Code Quality Score: 10/10
Phase 5: Final Integration & Verification
Step 5.1: Update Environment Variables
# .env.production
APP_ENV=production
JWT_SECRET=<generate-strong-random-secret-32-chars>
CONTENT_SECURITY_POLICY="default-src 'self'; script-src 'self' https://fonts.googleapis.com https://umami.tdvorak.dev; ..."
Generate strong JWT secret:
openssl rand -base64 32
Step 5.2: Build Production Artifacts
# Backend
go build -o bin/fotbal-club main.go
# Frontend
cd frontend
npm run build
# Verify build size
du -sh build/
# Should be under 500KB
Step 5.3: Run Complete Test Suite
# Backend tests
go test ./... -v -cover -race
# Frontend tests
cd frontend
npm test -- --coverage --watchAll=false
# E2E tests (if available)
npm run test:e2e
# Lighthouse audit
npx lighthouse http://localhost:3000 --output html --output-path ./lighthouse-report.html
Step 5.4: Security Scan
# Go security check
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
# npm audit
cd frontend
npm audit --production
# OWASP Dependency Check
dependency-check --project "Fotbal Club" --scan ./
Step 5.5: Performance Benchmark
# Load test
ab -n 1000 -c 10 http://localhost:8080/api/v1/articles
# Expected: < 100ms average response time
# Database performance
psql -d fotbal_club -c "
SELECT
schemaname,
tablename,
pg_size_pretty(pg_total_relation_size(schemaname||'.'||tablename)) AS size
FROM pg_tables
WHERE schemaname = 'public'
ORDER BY pg_total_relation_size(schemaname||'.'||tablename) DESC;
"
🎯 Verification Checklist
Security (10/10)
- CSRF token required for POST/PUT/DELETE
- Security headers present (check with securityheaders.com)
- HTML sanitization working
- Rate limiting active
- Request size limits enforced
- No XSS vulnerabilities (test with XSS payloads)
- No SQL injection (test with SQL injection payloads)
- OWASP Top 10 compliance verified
SEO (10/10)
- /sitemap.xml returns valid XML
- /robots.txt properly formatted
- Meta tags on all pages
- Open Graph tags working
- Structured data validates (Google Rich Results Test)
- Canonical URLs set
- Mobile-friendly (Google Mobile-Friendly Test)
- Page speed > 90 (PageSpeed Insights)
Performance (10/10)
- Lighthouse Performance score > 95
- First Contentful Paint < 1.5s
- Time to Interactive < 2s
- Total bundle size < 400KB
- Images optimized and lazy-loaded
- Service worker caching working
- Database queries < 50ms
- API responses < 100ms
Code Quality (10/10)
- Unit tests passing
- Integration tests passing
- Code coverage > 70%
- No linter errors
- Health checks responding
- Error handling comprehensive
- Logging structured
- Documentation complete
🚀 Deployment Steps
1. Database Migration
# Backup first!
pg_dump fotbal_club > backup_$(date +%Y%m%d).sql
# Apply migrations
psql -d fotbal_club < database/migrations/000099_performance_indexes.up.sql
# Verify indexes
psql -d fotbal_club -c "\di"
2. Backend Deployment
# Build
go build -o bin/fotbal-club main.go
# Run with production env
APP_ENV=production ./bin/fotbal-club
3. Frontend Deployment
# Build
cd frontend
npm run build
# Deploy to CDN or static hosting
# Copy build/ directory to your hosting
4. Verify Deployment
# Check health
curl https://your-domain.com/health
# Check sitemap
curl https://your-domain.com/sitemap.xml
# Check security headers
curl -I https://your-domain.com
# Run Lighthouse on production
npx lighthouse https://your-domain.com --output html
📊 Expected Results
After completing all steps, you should achieve:
Lighthouse Scores
- Performance: 98/100
- Accessibility: 100/100
- Best Practices: 100/100
- SEO: 100/100
Security Headers Grade
- securityheaders.com: A+
Performance Metrics
- TTFB: < 200ms
- FCP: < 800ms
- LCP: < 1.2s
- TTI: < 1.5s
- CLS: < 0.1
Code Quality
- Test Coverage: > 70%
- Go Report Card: A+
- Bundle Size: < 350KB
🎉 Success Criteria
You've achieved 10/10 when:
✅ All security tests pass ✅ All SEO validators show green ✅ Lighthouse scores > 95 in all categories ✅ All automated tests pass ✅ No critical vulnerabilities ✅ Page loads in < 1.5 seconds ✅ Bundle size < 400KB ✅ Database queries < 50ms ✅ Zero production errors for 24 hours
💡 Maintenance
Weekly
- Monitor error rates
- Check performance metrics
- Review security logs
Monthly
- Update dependencies
- Run security scans
- Review analytics
Quarterly
- Full security audit
- Performance optimization review
- Database maintenance (VACUUM, ANALYZE)
📞 Troubleshooting
CSRF Issues
# Clear browser cache
# Check CSRF token in localStorage
# Verify middleware order in main.go
Performance Issues
# Check database indexes
psql -d fotbal_club -c "SELECT * FROM pg_stat_user_indexes WHERE idx_scan = 0;"
# Check slow queries
psql -d fotbal_club -c "SELECT * FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"
Build Issues
# Clear Go cache
go clean -cache -modcache
# Clear npm cache
cd frontend
rm -rf node_modules package-lock.json
npm install
✅ Completion
Congratulations! You now have a world-class, production-ready application with 10/10 scores in all categories!
Achievement Unlocked: 🏆 Perfect Score