RealRevi Engineering Principles
Thoughtfully secure. Intentionally fast. Empathetic for users.
Paranoia in a Good Way
- Validate file type with MIME + signature (not just extension).
- Tokenized filenames; uploads in non-executable directories.
- Sessions: HttpOnly, Secure, SameSite=Lax; CSRF with
hash_equals(). - CSP, X-Frame-Options, HSTS; prepared statements (PDO) only.
Fail Soft, Never Hard
- Helpful messages, never stack traces.
- Fallbacks for API/DB/image libs; limit pages instead of breaks.
- Temporary files always cleaned up.
Performance by Design
- Stream to disk; resize before heavy processing.
- Soft throttles + queues to keep UX smooth.
- Track FCP/LCP/CLS; aim for “feels instant”.
Trust Nothing, Verify Everything
- Typecasting, null coalescing, safe defaults.
is_uploaded_file()checks; try/catch with private logs.- Directories created with 0755; strict allow-lists.
Delight Without Friction
- Intentional loader; intuitive buttons & flows.
- Plain-English errors; no dark patterns.
- Mobile-first, accessible, stable layout.
Code That Reads Like a Story
- Clear sections; meaningful names.
- Consistent whitespace and bracing.
- Future-you (or collaborators) can scan and ship.
Assume Weird Things Happen
- Guest + logged-in paths; zero-byte/huge images.
- Max megapixels & dimensions; division-by-zero guards.
- HTTPS/HTTP awareness; safe fallbacks.
Delete by Default
- Originals deleted ASAP; results purged in 24h (cron).
- DB rows pruned with file cleanup.
- No personal data beyond what’s required.
No Tricks, No Traps
- Clear about limits; no forced signups.
- Explain how files are handled & deleted.
Build for People
- Only ship features that help real users.
- Free-first ethos; revenue later.
“Thoughtfully secure. Intentionally fast. Empathetic for users.”