
Ask HN: Advise for a self-taught budding programmer - sdiq
I have been learning how to program on my own for some time now. I have mostly been learning Java and Spring - I have some other reasons why I specifically chose these technologies. I have also been working on developing my own website that will be offering some services to clients in my home country.

On the front-end bit, I have identified Envato Market where, I think, I can find good and affordable designers. So, my first question, do we have alternatives to that?

Secondly, on hosting, what are the best practices bearing in mind the mentioned technologies above?

Thirdly, while I will not be able to afford an expert on security at this moment in time, what other options are available to me?

Thank you in advance.
======
rnovak
I host several Spring webapps myself on a $10/month VPS running Ubuntu 14.04
(LTS).

Some notes:

- Default MySQL install listens only on loopback interface, so isn't exposed
to the network (and if it's not in your case, you can change that in my.cnf)

- IPTables/NFTables can be used to whitelist allowed network traffic beyond
HTTP/HTTPS

- SSH should be limited to public-key auth, with root login disabled as well
as password auth disabled (or you can use 2 step verification with Google
Authenticator, which is pretty easy to set up)

One thing I'll note is that I don't have Tomcat exposed directly to the
internet: it's only exposed through an NGINX reverse proxy.

Apache Tomcat is fairly easy to download and set up (you can download the
.tar.gz from Apache's website, untar, and run the executable
./bin/startup.sh).

I'd be happy to answer any questions really re: Java/Spring

~~~
sdiq
Thank you very much for your inputs and advice.

As yet, I haven't touched anything other than a Windows machine. I was thus
wondering whether, while your suggestions are very good and that is where I
would ultimately have to end up, in the meantime, could I learn the basics
in a few weeks just so as to set up everything correctly and thereafter spend
more time in learning the finer details of such a set-up? If that is not
possible then I will be forced to just go with a hosting provider that handles
some of this stuff - at least in the beginning as I learn "everything".

------
lumberjack
On front-end work:

Learn basic front-end skills. You can go a long way with just Bootstrap,
jQuery and some nicely resized stock photographs. There are plenty of nice
themes around for free or only an insignificant amount of money. Consider that
you'll probably be competing on this front for the most part. This and your
rate.

On hosting:

A $5/month VPS running Debian is cheap and can handle a decent amount of
traffic.

On security:

You don't need a security expert unless you're dealing with highly sensitive
information. Follow the best practices on:
[https://www.owasp.org/index.php/Main_Page](https://www.owasp.org/index.php/Main_Page)
Remember to sanitize all user input. Remember to be extra careful when you are
serving user input to other users.

~~~
dsacco
Specifically regarding user input security:

• _Whitelist_ user input where possible, do not try to blacklist known
dangerous characters. There are too many conflicting rendering ideologies for
HTML between Chrome, Firefox and Internet Explorer for this to be feasible.
For example, a language parameter's value in a POST request to change user
settings should be whitelisted to things like "en" - there is no reason to
allow "%0aSet-Cookie:%20", which could cause HTTP Header Injection. Absolutely
do not try to be clever and sanitize specific tags like "<script>".

• Thoroughly escape dangerous characters if they must be represented. Use a
well-tested library for this, do not try to roll your own.

• Do not allow user-input for filenames, especially if the file needs to be
uploaded to a privileged directory (also avoid, where possible).

OWASP is unfortunately an inconsistent guide at best. security.stackexchange
and /r/netsec are better.

Security is aggressively difficult. OP, if you have any more specific security
questions you're welcome to email me and I'll help you out, free of charge.

The absolute best thing you can do to help yourself with security right now as
a self-taught programmer is to thoroughly familiarize yourself with:

1. The nuances of your chosen language, and

2. The best libraries for security, authentication and input handling in your
chosen language and framework.

For example, if you are a Ruby programmer you should immediately know about
e.g. the dangers of passing user input to _send()_ and how Ruby's REGEX
functions a bit differently than other languages. You should also know the
best authentication libraries off the top of your head and make use of them
instead of trying to reinvent the wheel.
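The language-parameter allowlist described in the comment above, as an added example in plain Java (not code from the thread or from Spring); the set of supported locale codes is an assumption for the example, and the decode step stands in for what a servlet container does before a controller sees the value:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

// Allowlist validation of a "lang" parameter before it is reflected into a
// response header. Added example, not from the thread.
public final class LanguageParam {
    // Assumed set of supported locales; a real application enumerates its own.
    private static final Set<String> ALLOWED = Set.of("en", "fr", "sw", "de");

    private LanguageParam() {}

    /** Returns the canonical code if the value is on the allowlist, otherwise null. */
    public static String validate(String rawParam) {
        if (rawParam == null) return null;
        // Simulates container decoding: "%0a" becomes a real line feed here.
        String decoded = URLDecoder.decode(rawParam, StandardCharsets.UTF_8);
        String candidate = decoded.trim().toLowerCase(Locale.ROOT);
        // Exact membership test: anything not literally on the list is refused,
        // so CR/LF, quotes or tags can never reach the header, however encoded.
        return ALLOWED.contains(candidate) ? candidate : null;
    }

    /** Builds the Set-Cookie value only from a validated code; refuses anything else. */
    public static String languageCookie(String rawParam) {
        String lang = validate(rawParam);
        if (lang == null) {
            throw new IllegalArgumentException("unsupported language parameter");
        }
        return "lang=" + lang + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate value, its upper-case form, the
        // header-injection string quoted in the comment, a tag, and an unknown code.
        String[] samples = {"en", "EN", "%0aSet-Cookie:%20", "<script>", "xx"};
        for (String s : samples) {
            String result = validate(s);
            System.out.println(s + " -> " + (result == null ? "rejected" : "accepted as " + result));
        }
    }
}
```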

------
ddorian43
On hosting, since you don't have experience managing a full Linux box, you
might look at
[https://www.webfaction.com/?aid=9281](https://www.webfaction.com/?aid=9281)
(referral link) where they handle most of the things (system, MySQL,
PostgreSQL etc) and you maintain only your application. This is a little
pricier than a VPS, but a lot less time to manage it + very helpful support
team!

~~~
sdiq
This is what I will probably choose for the time being as I learn more about
Linux and Shell.

------
seviuqyelsdnirb
I advise you to learn how to spell "advice"

~~~
sdiq
Thanks for that. Will sure remember to use the correct word next time.

