Yesod use cases

If you already do web development in a different ecosystem, you will likely know how to put together libraries quickly enough to be productive in that ecosystem, and there is a cost associated with learning something new. Yesod may be a good choice for you if one of the following needs applies to you:

  • Great Asynchronous I/O performance - faster than node.js, but just write normal code - no callbacks
  • Great tools for parallelism and concurrency
  • Low Defect code - without maintaining enormous test suites
  • Highly secure web sites - many common security issues are not possible
  • Experienced Haskell programmer / want to learn a new programming language


Yesod - a scalable web framework

Yesod is a web framework that helps users create highly scalable web applications.

Performance scalability comes from the amazing GHC compiler and runtime. GHC provides fast code and built-in evented asynchronous IO. The standard Warp web server utilizes this to serve more simultaneous requests than any other web application server we know of.

But Yesod is even more focused on scalable development.

A developer should be able to continue to productively write code as their application grows and more team members join, including designers. The key to achieving this is applying Haskell's type-safety to an otherwise traditional MVC REST web framework. Developers can continue to efficiently write type-safe code instead of massive amounts of tests.

Of course type-safety provides big productivity boosts by guaranteeing against typos or using the wrong type in a function. But Yesod cranks this up a notch to guarantee that common web application errors won't occur.

  • no XSS attacks - user submissions are automatically sanitized
  • no SQL injection - SQL queries are automatically escaped
  • database queries are always valid - querying is done in Haskell and uses your schema
  • valid template variables with proper template insertion - variables are known at compile time and treated differently according to their type
  • type-safe URLs - say goodbye to broken links

But this isn't Java type boilerplate. Haskell has type-inference, easy generics, and ad-hoc value polymorphism. When type safety conflicts with programmer productivity, Yesod is not afraid to use Haskell's most advanced features of Template Haskell and quasi-quoting to provide declarative routing, declarative schemas, and compile-time templates.


Type-safe Security

The Yesod philosophy is to leverage the strengths of Haskell's strong type system wherever possible. Types find a lot of defects without ever writing a test, but we also build upon this system to provide the high-level guarantees mentioned above. Let's look at the Top 10 security vulnerabilities, and see how Yesod helps you secure your application.

1. Injection: Persistent escapes all SQL, preventing SQL injection.

2. XSS injection: Any HTML coming back from a form is efficiently sanitized just once on arrival. Unsanitized strings are sanitized before being displayed.

3. Authentication & Session Management: Yesod uses cryptographic libraries to keep your data secure.

4. Insecure Reference: Yesod Forms do not allow sending extra parameters.

5. CSRF: Forms have special tokens to block CSRF attacks.

6. Security Misconfiguration: Yesod simplifies this process by simplifying deployments.

7. Insecure Cryptographic Storage: Passwords are encrypted.

8. Failure to Restrict URL Access: Yesod exposes declarative access controls.

9. Insufficient Transport Layer Protection: Yesod supports SSL through industry standards like nginx or Apache.

10. Unvalidated Redirects and Forwards: Yesod encourages the use of type-safe URLs. Any route can be checked to see if it is valid.
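As an added example (not code from the Yesod docs or the project), the type-safe URLs, Persistent queries and escaped template interpolation claimed in the bullet list above and in points 1, 2 and 10 of the Top 10, in one small Yesod application. The schema, the routes, the App type, the sample user and the demo.sqlite3 path are all constructed for this illustration.

```haskell
{-# LANGUAGE OverloadedStrings, QuasiQuotes, TemplateHaskell, TypeFamilies, GADTs, DataKinds #-}
{-# LANGUAGE MultiParamTypeClasses, GeneralizedNewtypeDeriving, DerivingStrategies, StandaloneDeriving, UndecidableInstances, FlexibleInstances, FlexibleContexts #-}
import Yesod
import Database.Persist.Sqlite
import Data.Text (Text)
import Control.Monad.Logger (runStderrLoggingT)
-- Constructed schema: Persistent generates the User record, its field accessors and the UniqueName key from this block at compile time.
share [mkPersist sqlSettings, mkMigrate "migrateAll"] [persistLowerCase|
User
    name Text
    bio  Text
    UniqueName name
|]
newtype App = App { appPool :: ConnectionPool }
-- Constructed routes: each becomes a constructor of Route App, so a link to a misspelled or removed route is a compile error, not a 404.
mkYesod "App" [parseRoutes|
/           HomeR GET
/user/#Text UserR GET
|]

instance Yesod App
instance YesodPersist App where
    type YesodPersistBackend App = SqlBackend
    runDB action = getYesod >>= runSqlPool action . appPool

getHomeR :: Handler Html
getHomeR = do
    users <- runDB $ selectList [] [Asc UserName]
    defaultLayout [whamlet|
        <ul>
            $forall Entity _ u <- users
                <li>
                    <a href=@{UserR (userName u)}>#{userName u}
    |]

getUserR :: Text -> Handler Html
getUserR name = do
    -- getBy sends the name as a bound query parameter; it is never spliced into SQL text.
    Entity _ user <- runDB (getBy (UniqueName name)) >>= maybe notFound return
    -- #{..} interpolation HTML-escapes, so the markup stored in the bio is displayed as text, not rendered.
    defaultLayout [whamlet|
        <h1>#{userName user}
        <p>#{userBio user}
    |]

main :: IO ()
main = do
    pool <- runStderrLoggingT (createSqlitePool "demo.sqlite3" 1)
    runSqlPool (runMigration migrateAll >> insertUnique (User "alice" "<b>bio</b> & co")) pool
    warp 3000 (App pool)
```

Requesting /user/alice shows the bio's `<b>` and `&` as literal characters, and renaming UserR in the route table without updating the link in getHomeR stops the build at compile time.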

Widgets organize the client side

Widgets tie HTML, CSS, and JavaScript together. This is a simple but powerful concept: declare your HTML, CSS, and JavaScript together, and they will work together correctly on the page.

Libraries that work seamlessly out of the box

Instead of creating a single, monolithic package containing our entire framework, Yesod has spun off dozens of individual packages that can be used independently of each other. But all of these packages have been designed to integrate well with each other to make using Yesod a seamless experience.

RESTful MVC

  • Models use productive database interaction with Persistent (a very simple ORM)
  • Controllers respond with XML, JSON, HTML, etc. within the same action
  • Views use highly productive compile-time template languages

Yesod vs. alternatives

Users of Yesod are web developers that want something better. Much of today's web development occurs in dynamic languages like PHP, Python, and Ruby. We see the results: cross-site scripting attacks, applications that take a lot of effort to scale, and a choice between many minor bugs entering production or enormous test suites.

There is a false dichotomy of Java (for type-safety, scalability, and high performance) or dynamic languages for high productivity. We think you can have both options, and more. The key is to start with Haskell: a fast, compiled language with an expressive type system that allows programmers to maintain high productivity. Haskell also has highly scalable concurrency built in.

Web developers have been able to opt for the ease of use of dynamic languages because often the performance problems are focused around the database. However, users may respond negatively to response times greater than 100ms. You are much better off starting with a fast, compiled language, particularly when you get to a critical path in an application where performance of application code is the bottleneck.

Scalability, how many simultaneous users an application can take on, is often more important than raw performance. This is a huge problem in application code for traditional web development because of blocking IO. This has led to the rise of event-based web frameworks: node.js for JavaScript, Twisted/Tornado for Python, and Goliath for Ruby. These frameworks finally approach high scalability of application code, but end up forcing a constrained development model back onto the programmer. None of them scale to multiple cores without adding more application instances (bloating RAM) and adding load balancing infrastructure. Ruby and Python, for example, can take advantage of Unix fork, but their default garbage collectors end up destroying the copy-on-write memory-preserving capabilities of fork. Yesod takes advantage of the non-blocking IO and multi-core concurrency built into Haskell. You can reap high concurrency and simple deployment with normal code.

Yesod application code is independent of deployment options, but Yesod offers the highly scalable Warp web server. Warp is benchmarked to handle more concurrent requests than anything it has been put up against: dynamic languages and even Java. Warp also comes with a highly efficient static file server, making deployment easy. Sync your static assets and application binary, restart your application, and you are deployed.


Docs - Get started!

The main resource for learning Yesod is this website. If you're ready to sit down and learn, you should really read the book, which has lots of prose as well as examples and links to blog posts. For a gentler initiation, you can watch the screencasts. When you need more in-depth information about specific functions, you'll want to look at the Haddocks on Hackage. Start with the Yesod docs and follow the links from there.

Note: Due to the nature of the Hackage server, sometimes the Haddocks for a specific version of Yesod don't compile. This does not necessarily mean that there is a bug in the code; it could be caused by a number of different problems. In that case, you can try looking at an older version of the package.