
One common mistake when one tries to tackle the web is to do it all at once. What you need:

- get familiar with HTML and CSS. That is, learn the basics, their purpose and how they interact.

- get familiar with some basic JavaScript and how you use it on the browser.

- learn one of the prominent web languages for the server-side. Python, Ruby, PHP, etc. I used to recommend PHP as a first language because, compared to other languages, it was ubiquitous amongst hosting providers. Nowadays, I recommend against it, especially if you already have some programming experience. Python and Ruby also have a decent offering, and they have the added benefit of a community that generally promotes better programming practices than PHP.

Having an overview of the entire development process, you should now be able to pick one area where you'd like to expand. Being a programmer, I suspect you might pick either server-side or browser scripting (JavaScript). Stick to one at first and learn it well. When I started the web I rarely did any front-end at all. I concentrated on the server-side and was aided by some CSS and JavaScript coders. Likewise, I often worked with JS programmers who didn't want to know anything beyond the realm of what they were doing. It's a symbiotic relationship.

It may be tempting to do everything vanilla at first, but quickly switch to using a framework; they're often packed with lots of best practices. They're like training wheels: you can always take them off later when you feel confident.

As you get comfortable with one field you can expand on others. After years playing in the server, I'm only now expanding my client side skills. Also, beyond technologies, other areas of interest that can expand your overall understanding and web expertise are interface architecture, usability and various other optimizations. As you go, you'll stumble upon many.




That said, you need to have a firm grasp of all the basic security concepts before rolling out production code. You need to know how to avoid all the various injections.
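As an added example (not part of any comment in this thread), here is the kind of injection the comment above is warning about, in Python with the standard library's sqlite3 module: a query built by string interpolation beside its parameterized form, plus HTML escaping for text that goes back out into a page. The table, the two rows and the crafted input are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two sample rows (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote inside it
    changes the grammar of the statement instead of being compared as data."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened: the driver binds the value as a parameter; whatever it
    contains, it can only ever be the right-hand side of the comparison."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Same idea on the way out: escape before interpolating untrusted text
    into HTML, so markup characters in a name are displayed, not interpreted."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"        # constructed input containing a quote
    print(find_user_unsafe(db, crafted))  # every row: the quote rewrote the WHERE clause
    print(find_user_safe(db, crafted))    # []: no user is literally named that
    print(render_greeting("<b>alice</b>"))
```

The behavioural difference is the whole lesson: the same input is data to one function and syntax to the other, and the fix is not filtering quotes but never letting user input become part of the statement (or the markup) in the first place.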


There are some pretty good (free) tools out there to test against most injection methods. I'm not saying having a conceptual grasp of security hurts ;) All in all, you can't know all methods, and the tools probably won't know much less.


Every security professional I've heard speak emphasizes the importance of grasping what they tend to call "the security mindset". Which I understand to mean putting yourself in the place of an attacker and asking how your code could be taken advantage of.

Running an automated tool against your web app isn't a bad idea, but it's no replacement for thinking about what you're doing.


I would add one thing: get to know HTTP. Even a basic understanding will prevent you from making costly mistakes.


Great advice, all. The HTTP protocol skill is something I didn't even consider.


ATM Machine. PIN Number. HTTP Protocol.


You're playing with the capitalization.

Gopher protocol. DNS protocol. IRC protocol. HTTP protocol. HTTPS protocol. All fine.


For the less technical it sometimes helps to qualify what something is even if it is embedded in the abbreviation. But considering the audience here, you're right. I will remove the offending word.



What are a few costly mistakes that can result from lack of HTTP knowledge?


I've seen a number of times when people don't understand the statelessness of HTTP, and try to put megabytes of data in a cookie-backed session, unable to understand why that doesn't work, etc.

This is especially prevalent in .NET land, where there are mechanisms for storing data in hidden forms and hiding the statelessness away from the user.
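To make the failure above concrete, here is an added example (mine, not from the commenter) in Python: a cookie-backed session that serialises and HMAC-signs the whole state into the cookie, a check against the per-cookie size limit that browsers enforce, and the server-side alternative where the cookie carries only an opaque random ID. The secret key and the session contents are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

COOKIE_LIMIT = 4096  # per-cookie size browsers commonly enforce (RFC 6265 minimum)
SECRET_KEY = b"placeholder-secret-load-from-config"  # hypothetical key for the example


def encode_cookie_session(data, key=SECRET_KEY):
    """Cookie-backed session: the whole state travels in the cookie, signed with
    an HMAC so the client cannot alter it unnoticed (integrity, not secrecy)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, separators=(",", ":")).encode()
    ).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def decode_cookie_session(value, key=SECRET_KEY):
    """Return the session dict, or None if the signature does not verify."""
    payload, _, sig = value.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def fits_in_cookie(value):
    """The check the cookie-backed design silently fails: browsers drop or
    truncate cookies over the limit, and the session simply disappears."""
    return len(value.encode()) <= COOKIE_LIMIT


class ServerSessionStore:
    """Server-side session: the cookie carries only an opaque random ID, so the
    payload size is unconstrained and the data itself never leaves the server."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[sid] = data
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


if __name__ == "__main__":
    small = {"user_id": 42}
    big = {"report": "x" * 10000}  # constructed stand-in for "megabytes of data"
    print(fits_in_cookie(encode_cookie_session(small)))  # True
    print(fits_in_cookie(encode_cookie_session(big)))    # False: cookie would be dropped
    store = ServerSessionStore()
    sid = store.create(big)
    print(len(sid), store.get(sid) == big)               # short ID, full data still available
```

Both designs respect statelessness (each request carries what identifies the session); the difference is what the cookie holds. The signed cookie is fine for a few identifiers, and the signature matters because an unsigned one is writable by the client, but anything sizable or sensitive belongs in a server-side store keyed by an unguessable ID.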


Not designing with REST in mind.


Why is that a costly mistake? REST is great but it's not the only way to do web development. Read up on continuations, for example. In fact, this very website is using continuations (check out how paging works) and it doesn't seem like a costly mistake.


Any recommended resources on getting a good foundation for HTTP?



Chris Shiflett wrote a good HTTP handbook, I recommend his blog too. (typing from phone, pasting url not easy)



