Best practices when working with JSS
JSS applications must support use cases that regular JavaScript applications do not. Therefore, when developing JSS applications, you must follow some best practices to ensure your JSS apps securely deliver the functionality expected of them.
General development best practices
When developing JSS applications, you must preserve the control content authors have over layout, content, and routes.
Avoid hard-coding layout
Building an app compatible with Content Author management requires avoiding hard-coding component hierarchy and non-code content, such as text and images. Instead, use components from JSS packages within your components - they provide your components with dynamic data generated by content authors.
Do not explicitly hard-code the nesting of components. Instead, use the <Placeholder>
component from the JSS libraries to create a basket in your component that allows content authors to nest other components.
Validate your application for this recommendation by checking that Experience Editor works as expected. Content authors must be able to insert. delete, and move renderings.
Avoid hard-coding fields
If a component has values that must be controlled by content authors, import the associated field components from the JSS libraries, such as Text
or Image
, and use these components instead of those values. Never hard-code field values or inject them any other way.
Validate your application for this recommendation by checking that Experience Editor works as expected. Content authors must be able to edit all datasource fields inline.
Inquire about authoring requirements
Sitecore is a collection of tools for building complex applications with powerful marketing features.
After a Sitecore site is built, Sitecore provides various tools and integrations to its users to analyze, nurture, and personalize the website experience of the end-users. The main clients of a Sitecore site, and therefore a JSS app, are marketers, Sitecore admins, and content authors. As a developer, you must build JSS apps that satisfy the business requirements of these clients. This means the JSS app must remain compatible with the Sitecore authoring interface and avoid introducing technical restrictions that might limit site and content management capabilities.
Preserve support for author-controlled custom routes
In Sitecore, content authors have the power to control the URL of each page by organizing the content tree based on the desired URL structure. JSS apps are expected to fully support this feature. JSS apps implement custom routing to support URL structures controlled by content authors.
Developing applications compatible with server-side rendering
Server-side environments have restrictions that client-side applications do not. To stay compatible with the authoring environment so that content authors can edit components in a graphical user interface, we recommend you build SSR-compatible JSS components, even if the production build uses client-side rendering.
We strongly recommend you follow the SSR guides and best practices for your framework of choice, as well as any recommendations for SSR compatibility of third-party libraries you use in your JSS apps.
Avoid browser-specific objects
To preserve SSR compatibility, eliminate the usage of browser-specific objects, such as:
-
window
. -
document
. -
localStorage
. -
sessionStorage
.
If using these browser-specific objects is necessary, wrap the code in a conditional that checks the current execution context or place the code in a lifecycle method that does not fire during SSR.
JSS has the utility function isServer()
for checking whether the app is currently rendering in a Node.js context. You can use it with control flows to handle SSR context. For example:
import { isServer } from ‘@sitecore-jss/sitecore-jss’;
fetch('https://some-url', { options }).catch((error) => {
if (isServer()) {
// use Node's global console object to log the error
console.error('Error:', error);
} else {
// Notify the user about the error. Note: this is for code demonstration only;
// this is not an attractive way to show errors to end-users
window.alert('An error has occurred.');
}
});
Verify third-party dependencies
When using third-party dependencies in your project, you might want additional configuration or middleware to support SSR.
Check the documentation for SSR compatibility - look for anything special regarding initialization options, render-time params, build configuration specific to SSR, and so on.
Common dependencies to be mindful of are:
-
Data fetching libraries such as Axios and SWR.
-
State management libraries. For example, Redux or Vuex.
-
GraphQL data graph implementations such as Apollo.
-
Routing libraries (
react-router
,vue-router
). -
CSS-in-JS libs, such as
styled-components
oremotion
. -
Document head manager libraries such as
react-helmet
. -
Dynamically loaded components. For example,
react-loadable
.
Deployment and security
The deployment procedure for JSS applications varies based on the development workflow.
In production, most apps use Sitecore-first workflow.
For a Sitecore-first workflow, normal Sitecore DevOps best practices apply, such as:
-
Have a repeatable, fully automated deployment process.
-
Use an item serialization tool like Unicorn or TDS to source control and deploy developer-owned Sitecore items (templates, renderings, and so on), including those of JSS site(s).
Specifically for JSS, we also recommend the following:
-
Consider storing Sitecore back-end code and JSS site code in the same source control repository to avoid issues synchronizing changes between the front and back end, and enable developers to easily commit, test, and revert changes. This also makes it easy to build and deploy JSS site artifacts to Sitecore during CI builds.
-
Automate the deployment of Sitecore updates and JSS site updates in headless mode into a single build process to avoid defects caused by deploying different versions of the front end and back end.
-
To enable storing JSS connection and deployment information in deployment variables, you can use several options with the
jss setup
command.
When running jss
CLI commands in an environment where you cannot install global npm packages, you can use npm run jss [command]
instead, which aliases the CLI command through npm
.
Use --
before any arguments for the commands you run with npm
. For example, npm run jss deploy items -- --skipPackage
The Import Service
The Import Service is used to deploy code-first Sitecore item artifacts to Sitecore, as well as for Sitecore-first developer scaffolding. This service is automatically installed when installing Sitecore Headless Services.
-
The deployment service uses shared secrets for authentication. These must be unique per environment, randomly generated (no passphrases), and at least 32 characters. The shared secret uses HMAC with the package being deployed as a factor, so there is signature validation that the package is not tampered with and the shared secret is never sent over the wire.
-
We strongly recommend running all Sitecore HTTP services, including import service, over TLS-secured channels even with signature validation.
-
The Import Service is automatically disabled when the Sitecore server role is not
Standalone
for local development orContentManagement
for production. Importing JSS apps is not allowed on public-facing servers automatically. -
If you want to deploy IP whitelisting to the import service, you can do this at a network level.