OutSystems Coding Principles and Review Checklist

This document contains a list of performance issues in OutSystems applications, including using screen preparation data in screen actions which increases page size, using large screen local variables in screen actions which increases viewstate size, using Query.Count to check for empty lists instead of List.Empty, inefficiently counting query results, defining inline JavaScript and CSS styles, and fetching unlimited records from the database. The recommended fixes are to avoid these issues by separating data access, using session variables, List.Empty, efficient counting queries, centralizing JavaScript and CSS, and limiting records fetched.

Uploaded by gjob83

Name | Category | Subcategory | Scope | What | Impact | How To Fix | Fixing Effort | Who (offended object) | Where (offender object) | KB link

Name: Query data in viewstate
Category: Performance
Subcategory: Slow Screen
Scope: Web
What: Screen actions are using query data obtained in Preparation
Impact: Page size affects usability since it will increase the time to submit a form. If you use screen preparation data in a screen action, that data will be saved in the page's viewstate. Since the viewstate is a part of the page, it is sent to the client with every requested page. The viewstate is also sent back to the server on a post, postback and AJAX request.
How To Fix: Avoid using data from screen preparation in screen actions. For instance, instead of using the TableRecords record data, send the Id of the row as a parameter of the screen action and fetch the data from the database again as needed. If you need the full list of records, simply refresh the query - it is better to rerun the query server-side than to send the data back and forth through the viewstate.
Fixing Effort: S
Who (offended object): Query
Where (offender object): Screen action

Name: Large variable in viewstate
Category: Performance
Subcategory: Slow Screen
Scope: Web
What: Screen local variable with large type is being used in a screen action
Impact: When local variables defined at screen level are used in screen actions, their data is saved on the screen viewstate. Viewstate is included in the response of all requests made to the screen (both first load and AJAX requests). Additional data in viewstate, especially with large data types, increases response size and loading time in the browser.
How To Fix: Avoid using screen local variables in screen actions.
Fixing Effort: S
Who (offended object): Variable
Where (offender object): Screen action
KB link: https://success.outsystems.com/Documentation/Best_Practices/Performance_Best_Practices/Performance_Best_Practices_-_Logic#Use_Session_Variables_wisely

Name: Inefficient empty list test
Category: Performance
Subcategory: Slow Query
Scope: Web & Mobile
What: Using the Count property of an aggregate or SQL query to check if results were returned
Impact: For performance purposes, the OutSystems query optimizer ensures that aggregates and advanced queries return only the data necessary to feed the screen. So, the Count property needs to execute an additional query to get the total number of records.
How To Fix: Use the List.Empty property to test for lack of results instead of List.Count.
Fixing Effort: XS
Who (offended object): Query
Where (offender object): Object using Query.Count

Name: Inefficient Query count
Category: Performance
Subcategory: Slow Query
Scope: Web & Mobile
What: Counting query results using an inefficient query
Impact: SQL queries are usually designed for retrieving data and may perform joins and fetch extra data, needed for processing but that are not required to count the query results. When using the Count property of a query, the same query is executed to count the results, which is inefficient since it will use the same query definition.
How To Fix: Use a simplified SQL query just to count the results in a more efficient way, removing unneeded extra data and joins.
Fixing Effort: M
Who (offended object): Query
Where (offender object): Object using Query.Count
KB link: https://success.outsystems.com/Documentation/Architecture_Dashboard/Code_Patterns/Best_practices/Appropriate_record_counting

Name: Inline javascript
Category: Performance
Subcategory: Inline Code
Scope: Web & Mobile
What: Inline javascript defined in an unescaped expression
Impact: Javascript defined at the screen/web block level is optimized by OutSystems. For example, if you have the same web block in your screen twice, it’s only included once. It also improves maintenance.
How To Fix: Define JavaScript at the screen/web block level instead of in inline expressions.
Fixing Effort: XS
Who (offended object): Expression
Where (offender object): Expression
KB link: https://success.outsystems.com/Documentation/Best_Practices/OutSystems_Mobile_Best_Practices#JavaScript

Name: Inline CSS style
Category: Performance
Subcategory: Inline Code
Scope: Web & Mobile
What: CSS style is being defined as an extended property of a screen element
Impact: CSS and HTML should be kept separated. Inline styles are inefficient, harder to maintain and make your HTML bigger.
How To Fix: CSS should be centrally managed in the application style guide to avoid loading a proliferation of CSS files. If the CSS is too specific for one screen or one web block, define your CSS at the screen/web block level instead of doing it in extended properties.
Fixing Effort: XS
Who (offended object): UI Widget
Where (offender object): UI Widget
KB link: https://success.outsystems.com/Documentation/10/Developing_an_Application/Design_UI/Look_and_Feel/Cascading_Style_Sheets_(CSS)

Name: Unlimited records in SQL query
Category: Performance
Subcategory: Slow Query
Scope: Web & Mobile
What: Number of records fetched from DB is not set in SQL query
Impact: More records are fetched from the database than are used by the application, resulting in useless I/O and memory consumption.
How To Fix: Use ROWNUM (for Oracle) or TOP (for MS SQL Server) in the SQL query to limit the number of records according to required usage. Be aware that in SQL queries the Max. Records parameter only limits the number of records displayed, not the number of records fetched from the database.
Fixing Effort: XS
Who (offended object): Query
Where (offender object): Query
KB link: https://success.outsystems.com/Documentation/Architecture_Dashboard/Code_Patterns/Best_practices/Control_the_number_of_records_fetched_from_the_DB

Name: Unlimited records in aggregate
Category: Performance
Subcategory: Slow Query
Scope: Web & Mobile
What: Number of records fetched from DB is not set in aggregate
Impact: More records are fetched from the database than are used by the application, resulting in useless I/O and memory consumption.
How To Fix: Set the Max. Records parameter of the aggregate to the required usage.
Fixing Effort: XS
Who (offended object): Aggregate
Where (offender object): Aggregate
KB link: https://success.outsystems.com/Documentation/Architecture_Dashboard/Code_Patterns/Best_practices/Control_the_number_of_records_fetched_from_the_DB

Name: Site property update
Category: Performance
Subcategory: Invalidate Cache
Scope: Web & Mobile
What: Site property being updated in the application logic
Impact: When a site property is updated it invalidates the cache of the eSpace. This causes subsequent accesses to cached data to have to be fetched from database or recalculated in the application logic, which may result in a performance hit.
How To Fix: Avoid changing site property values programmatically by using alternatives such as storing the value in the database.
Fixing Effort: XS
Who (offended object): Site Property
Where (offender object): Assign node
KB link: https://success.outsystems.com/Documentation/10/Developing_an_Application/Use_Data/Use_Site_Properties_to_Configure_Behaviors_at_Runtime
KB link: https://success.outsystems.com/Documentation/Architecture_Dashboard/Code_Patterns/Best_practices/Avoid_site_property_updates

Name: Dynamic inline parameter
Category: Performance
Subcategory: Slow Query
Scope: Web & Mobile
What: Dynamic expression used in an expanded inline parameter of a SQL Query
Impact: Inline parameters that change too often don't allow the database to optimize execution plans since it keeps generating different queries
How To Fix: Change the query to remove the frequently changing inline parameters. Consider selecting specialized queries depending on the parameter or using sub-queries or temporary tables.
Fixing Effort: S
Who (offended object): Query
Where (offender object): Query
KB link: https://success.outsystems.com/Documentation/Architecture_Dashboard/Code_Patterns/Best_practices/Don't_abuse_expand_inline_parameters

Name: Inadequate data preparation
Category: Performance
Subcategory: Slow Screen
Scope: Web & Mobile
What: Query is being executed inside a loop
Impact: Each run of the query may be fast enough, but when inside a loop, the total amount of DB effort may be considerable.
How To Fix: Often executing only one complex query to obtain the required information is better than executing a simple aggregate in a for-each loop. Also check if the entity model copes with your needs - when the database model is inadequate, getting the required information proves to be too complex to be fetched by a single query.

Name: Large session variable
Category: Performance
Subcategory: Slow Screen
Scope: Web & Mobile
What: Session variable with large or complex data type
Impact: On all screen requests, the current session's data is loaded from the database. This data is binary including all session variables content. If large or complex variables are used, each request will take longer to process the session data (include serializing and deserializing it) increasing response times and causing contention in all concurrent requests.
How To Fix: Store this data in your own entities using the session identifier as a primary key and fetch it only when needed. Keep the session limited to context information that is useful in every request.
Who (offended object): Button
Where (offender object): Button
KB link: https://success.outsystems.com/Documentation/Best_Practices/Performance_Best_Practices/Performance_Best_Practices_-_Logic#Use_Session_Variables_wisely

Name: Large image
Category: Performance
Subcategory: Slow Screen
Scope: Web & Mobile
What: Large images included in module
Impact: Large images have different kinds of impact in an application. When large images are being used in a screen to be displayed they will need to be fetched from the server, increasing bandwidth usage and request processing time in the browser. Even setting their width/height to lower values will not reduce the bandwidth used to fetch the image from the server. On the development side, a module with large images takes more time to be saved and published, consuming additional bandwidth when being uploaded or downloaded from the server.
How To Fix: Reduce the size of images to the minimum needed to be correctly displayed to the user (below 150KB/500KB for Mobile/Web Applications). Reduce the image's resolution to a maximum of 1024px. Consider the possibility of having big images as external resources not contained inside the module itself.
Who (offended object): Action
Where (offender object): Action
KB link: https://success.outsystems.com/Documentation/Best_Practices/OutSystems_Mobile_Best_Practices#Optimize_the_File_Size_of_Images

Name: Timer not designed to process in chunks and to avoid running for too long (AI)
Category: Performance
Scope: Web & Mobile
What: Includes: (GAP RULES #12.13, 12.14)
- Timers aren’t designed to run for too long (max. 20 minutes)
- Commit timers action every X rows or minutes, timeout based on an %
This pattern can have a feedback from runtime data if timer executions show that it is already running for too long or it has a big effective timeout configured. (this is not done in GAP)
Who (offended object): Action
Where (offender object): Action

Name: Avoid Long-Running Timers
Category: Performance
Subcategory: Inconsistent Behaviour
Scope: Web & Mobile
What: Avoid running Timers and Jobs longer than 30 minutes.
Impact: Having a timer that exceeds the platform's timer timeout threshold may result in reprocessing of the same code and data because the automatic retry mechanism for timers of the platform reruns the code in case of errors. Following the wake timer pattern will decrease the probability of the timer being interrupted by the scheduler process because it reached the platform's timer timeout threshold. Using the wake timer pattern can (1) reduce the probability of a timer being interrupted. (2) Avoid cases of data inconsistency. (3) Avoid endless reprocessing of the same data.
How To Fix: Long execution timers should follow the wake timer pattern to reschedule themselves to restart and continue the current task at hand. This is accomplished by adding an explicit logical timeout inside the timer logic that when reached takes the necessary actions to properly terminate the current execution, store the current progress of the process in such a way that when its execution restarts it can easily pick up the execution from this stored last point. This pattern ends with a wake timer action for itself at the end of the timer flow.
Another good practice for long-timers and batch jobs is to define them with checkpoints so that the timer can be killed and restarted with no impact on the data. At these checkpoints, consider executing partial commits to ensure that if some error occurs the processed data is only rolled back until the last commit (and avoid processing the same data all over again on next execution)
KB link: https://success.outsystems.com/Documentation/Best_Practices/Performance_Best_Practices/Performance_Best_Practices_-_Logic#Avoid_long-running_timers_and_batch_jobs

Name: AvoidTooBigModules
Category: Performance
What: Avoid Modules that are too big.
Impact: Big modules increase the loading times in service studio and also increase the probability of merge conflicts when various developers are working on the same module at the same time.
How To Fix: Follow the 4 layer canvas patterns for layering the modules of the application. Separate screens, logic, integrations, non functional requirements on specific modules, following the right naming conventions. Avoid big modules with everything and split them into smaller ones as complexity increases.
KB link: https://success.outsystems.com/Documentation/Development_FAQs/How_to_reduce_the_size_of_my_eSpace

Name: Large Resource
Category: Performance
Subcategory: Slow Screen
Scope: Web & Mobile
What: Large resources included in module
Impact: Having large resources in the module can really impact the publishing and downloading when publishing to the environment. This will slow down the development team and also the publishing of those modules in the environment.
How To Fix: Reduce the size of the resources to the minimum needed for its usage (below 150KB/500KB for Mobile/Web Applications). Consider the possibility of having the resources served externally to the application. E.g. having a screen to upload the resource and have it then stored in the file system or in a Binary DB table.
Who (offended object): Action
Where (offender object): Action
KB link: https://success.outsystems.com/Documentation/Development_FAQs/How_to_reduce_the_size_of_my_eSpace

Name: SQL Injection
Category: Security
Subcategory: Code Injection
Scope: Web & Mobile
What: Having screen input parameters that are directly used as expanded inline parameters in Advanced Queries, without being encoded or escaped.
Impact: The user input can include malicious SQL statements.
How To Fix: Enclose the input parameters with the EncodeSQL() function, which will escape and/or encode characters in order to avoid SQL injection attacks.
Fixing Effort: M
Who (offended object): Query
Where (offender object): Query
KB link: https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/SQL_Injection_Warning

Name: Disabled button
Category: Security
Subcategory: Unauthorized Access
Scope: Web & Mobile
What: Disabled actionable button, that is still visible
Impact: The disabled property doesn't prevent an experienced person from enabling the button by using, for example, the development tools on a browser. This will lead to the ability to enable the functionality and allow the user to press the button even if he didn't have permission or was unable to press it.
How To Fix: In the button, instead of having the Enable property to false, use the Visible option as false instead (or in conjunction with the other one). This will prevent the rendering of the button completely on the client browser and will prevent the possibility of an experienced user to hack the button and enable the functionality.
Fixing Effort: S
Who (offended object): Expression

Name: Injection
Category: Security
Subcategory: Code Injection
Scope: Web
What: Unescaped/unencoded user inputs or screen variables
Impact: Screen user inputs and variables may be used for HTML or Javascript injection. This vulnerability may also be exploited in Cross-Site Scripting (XSS) attacks.
How To Fix: Enclose the screen user inputs and variables with the EncodeJavascript(), EncodeHTML() or SanitizeHtml() functions, depending on the situation, which will escape/encode characters in order to avoid injection attacks.
Fixing Effort: M

Name: Not Secure REST API
Category: Security
Subcategory: Unsecure Web Services
Scope: Web & Mobile
What: Exposed REST services should enforce SSL/TLS and authentication.
Impact: Unsecured connections may be read by unauthorized third-party and be target of Man-in-the-middle attacks.
How To Fix: Secure application end-points by configuring SSL/TLS, that ensures the data sent to the exposed service can't be eavesdropped or tampered with. OutSystems provides controls to exposed REST APIs with login/password protection, except when it’s configured for internal access only.
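
An added illustration of the SQL Injection entry above, written in Python with sqlite3 rather than OutSystems (it is not code from the original checklist): the same lookup built by splicing input into the SQL text, by escaping the value as a string literal, and by binding it as a parameter. It goes one step beyond the entry by showing an allowlist for a dynamic column name, a case that quote escaping does not cover. The function encode_sql_literal is a hypothetical stand-in that assumes EncodeSQL() doubles single quotes; the table, column and function names and the sample input are constructed.

```python
import sqlite3

HOSTILE = "x' OR '1'='1"   # constructed sample input

def make_db():
    """Constructed sample data standing in for an application entity."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, tenant TEXT)")
    db.executemany("INSERT INTO customer (name, tenant) VALUES (?, ?)",
                   [("Alice", "acme"), ("Bob", "acme"), ("Carol", "globex")])
    return db

def find_expanded_inline(db, name):
    """The flagged pattern: input becomes part of the SQL text itself."""
    sql = "SELECT name FROM customer WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def encode_sql_literal(value):
    """Hypothetical stand-in for EncodeSQL(): assumed to double single quotes."""
    return value.replace("'", "''")

def find_encoded(db, name):
    """The entry's fix: the value is escaped before it is spliced in as a literal."""
    sql = "SELECT name FROM customer WHERE name = '" + encode_sql_literal(name) + "'"
    return [row[0] for row in db.execute(sql)]

def find_bound(db, name):
    """The value travels as a bound parameter and is never parsed as SQL."""
    return [row[0] for row in
            db.execute("SELECT name FROM customer WHERE name = ?", (name,))]

# Identifiers cannot be bound or quote-escaped, so map them through an allowlist.
SORTABLE = {"name": "name", "tenant": "tenant"}

def list_sorted(db, tenant, sort_key):
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort column")
    sql = f"SELECT name FROM customer WHERE tenant = ? ORDER BY {column}"
    return [row[0] for row in db.execute(sql, (tenant,))]

if __name__ == "__main__":
    db = make_db()
    print("expanded inline:", find_expanded_inline(db, HOSTILE))
    print("encoded literal:", find_encoded(db, HOSTILE))
    print("bound parameter:", find_bound(db, HOSTILE))
```
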
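
An added sketch of the wake timer pattern from the Avoid Long-Running Timers entry above, in Python with sqlite3 (not OutSystems code and not from the original checklist): each execution works in chunks, commits the work together with a stored checkpoint, stops at a logical timeout and asks to be woken again. The job name, table names, chunk size and the run_until_done scheduler stand-in are assumptions made for the example, and the work items are constructed.

```python
import sqlite3
import time

JOB = "nightly"  # hypothetical timer name

def make_db(n_rows):
    """Constructed sample data: a work queue plus a one-row progress table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE work_item (id INTEGER PRIMARY KEY, runs INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE progress (job TEXT PRIMARY KEY, last_id INTEGER)")
    db.executemany("INSERT INTO work_item (id) VALUES (?)",
                   [(i,) for i in range(1, n_rows + 1)])
    db.execute("INSERT INTO progress VALUES (?, 0)", (JOB,))
    db.commit()
    return db

def process(db, item_id, fail_on=None):
    """Stand-in for the real per-record work; fail_on simulates an error."""
    if item_id == fail_on:
        raise RuntimeError(f"simulated failure on item {item_id}")
    db.execute("UPDATE work_item SET runs = runs + 1 WHERE id = ?", (item_id,))

def run_timer(db, budget, chunk=100, clock=time.monotonic, fail_on=None):
    """One timer execution. Returns True when the timer should wake itself again."""
    deadline = clock() + budget          # logical timeout, set below the platform's
    while True:
        (last_id,) = db.execute(
            "SELECT last_id FROM progress WHERE job = ?", (JOB,)).fetchone()
        ids = [row[0] for row in db.execute(
            "SELECT id FROM work_item WHERE id > ? ORDER BY id LIMIT ?",
            (last_id, chunk))]
        if not ids:
            return False                 # all work done, no wake needed
        try:
            for item_id in ids:
                process(db, item_id, fail_on)
            db.execute("UPDATE progress SET last_id = ? WHERE job = ?", (ids[-1], JOB))
            db.commit()                  # checkpoint: work and progress commit together
        except Exception:
            db.rollback()                # only the current chunk is rolled back
            raise
        if clock() >= deadline:
            return True                  # stop cleanly and ask to be woken

def run_until_done(db, budget, **kwargs):
    """Stand-in for the scheduler honouring wake requests; returns executions used."""
    executions = 1
    while run_timer(db, budget, **kwargs):
        executions += 1
    return executions
```
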
