ChatGPT free

I want to reaffirm my commitment to make my books and my website Large Language Models (LLMs - ChatGPT & co) free (yes, despite all the typos 🙃). I find the current hype around LLMs weird. Producing trash was never a bottleneck. Neither for businesses who outsource their c …


@kerkour.com | 4 days ago

The many ways I've backdoored your dependencies and other supply chain attacks

By a funny coincidence, just after I sent my last newsletter about how to backdoor Rust crates, an advanced supply chain attack targeting SSH servers was uncovered by a talented developer and agitated the internet for the following weeks, leading to really interesting investigati …


@kerkour.com | 9 days ago

April 2024 outage postmortem

I would like to apologize to everybody who has been impacted by a bug affecting my website last week that prevented you from accessing your account. Earlier this month, a malicious actor placed malicious orders on my website, forcing me to write code to block offending accounts. Unfort …


@kerkour.com | 12 days ago

Are Cloudflare CAPTCHAs ruining the internet?

Who hasn't met this annoying screen that makes us all lose our precious time? Cloudflare's challenge screen has become an almost daily routine for people working online, especially since the boom of scraping bots in the last few years. Why? The reach that the internet brings is both a b …


@kerkour.com | 1 month ago

Does Cloudflare support stale-while-revalidate?

Yes! But there is a catch. The stale-while-revalidate HTTP Cache-Control directive is used to instruct CDNs and other caches to serve a resource that has expired. Traditionally, the check is performed asynchronously: when a client requests a resource, the cache immediately serves …


@kerkour.com | 1 month ago

Distributed SQLite: Paradigm shift or hype?

SQLite is fast, really fast. On a single ~40€ / m commodity server, it can sustain ~168,000 reads and ~8000 writes per second, concurrently. Because it's an embedded library designed for client-side applications such as embedded systems and phone & desktop applications, SQLit …


@kerkour.com | 1 month ago

AdBlockers can be strange sometimes

Some of the images of my website were not displaying on some devices. It turns out that some ad blockers use a strange rule to hide images with width="240" height="400" without any other kind of selector. I'm not sure exactly why anyone would want to indiscriminately block al …


@kerkour.com | 2 months ago

How can Rust be so fast in the TechEmpower Web Framework Benchmarks?

When you take a look at the TechEmpower Web Framework Benchmarks, it's hard not to notice how fast Rust is compared to the other languages. 585,000 requests / s for may-minihttp, 400,000 requests / s for axum [postgresql]! It's tempting to think "ZOMGG!! Stop everything!! …


@kerkour.com | 2 months ago

Optimizing SQLite for servers

SQLite is often misconceived as a "toy database", only good for mobile applications and embedded systems, because its default configuration is optimized for embedded use cases, so most people trying it will encounter poor performance and the dreaded SQLITE_BUSY error. But wh …


@kerkour.com | 2 months ago

Book review: Less is More by Jason Hickel

I found this gem while looking for books about minimalism, but the topic is actually completely different: it's a deep dive into the history and the science behind the current ecological annihilation and the coming climate apocalypse, all of that presented in a very accessibl …


@kerkour.com | 2 months ago

The Apple Vision Pro (and other AR/VR headsets) is one of the biggest threats to your freedom

It's easy to mock the newly-released Apple Vision Pro as another gadget for terminally online techno-addicts and influencers craving attention. "It's too expensive", "these eyes are scary", "the external battery is ugly", "$3500 to use Twitter in 3D???", I will skip t …


@kerkour.com | 2 months ago

ChaCha20-BLAKE3 and extended-nonce variants: Fast and secure Stream/AEAD encryption ciphers

I'm presenting a new Authenticated Encryption with Associated Data (AEAD) primitive that should be at the same time the fastest in software (without dedicated hardware instructions such as AES-NI), the easiest to implement, and the hardest to misuse. It can be used for anythi …


@kerkour.com | 3 months ago

Apple has its Musk moment, and it's ugly

I'm now almost ashamed to admit it, but some (more or less) 10 years ago, I was a big fan of Elon Musk. The guy was a visionary and a model for the engineer I was. But then reality hit hard: Tesla cars are rigged with shitty software designed


@kerkour.com | 3 months ago

Smokers always ruin everything

You are spending good time with your loved one when someone sits close to you and farts. Not a small and cute fart. A dirty one. Silent and smelling as if it was kept for a century. Probably toxic. But they don't stop here, they continue to fart for an


@kerkour.com | 3 months ago

How to generate cryptographically secure random keys with /dev/urandom

/dev/urandom is the cryptographically secure random generator on Unix systems. You can generate secure keys with the following command: $ cat /dev/urandom | head -c 32 | base64 7tFMON9AR07Qj6O+P7KOUJyC00vrOjRWnwar/GdMBcU= Here we generate a 32-byte (256-bit) key and encode it i …


@kerkour.com | 3 months ago

JSON Web Tokens are great, just not for sessions

Half of the internet is saying: "Just use JSON Web Tokens" and half of the crypto community is shouting: "DON'T USE JSON WEB TOKENS!!! ☠️☠️". Who is right? Who is wrong? As always, it's not that simple. Introduction to JSON Web Tokens: JSON Web Tokens (abbreviated JWT) ar …


@kerkour.com | 3 months ago

How to get the GeoIP (country) information of the client with Bunny CDN

Bunny.net edge servers add a few headers to HTTP requests. You can get the country of the client (GeoIP) with the Cdn-requestcountrycode HTTP header. To get the visitor's real IP address, see here: How to get the real client IP address with Bunny.net CDN.


@kerkour.com | 3 months ago

How to get the real client IP address with Bunny.net CDN

Bunny.net edge servers add a few headers to HTTP requests. You can get the real IP address of the client with the X-real-ip HTTP header. To get the visitor's country, see here: How to get the GeoIP (country) information of the client with Bunny CDN.


@kerkour.com | 3 months ago

How to generate secure random encryption keys with OpenSSL

You can generate cryptographically secure encryption (and signing, for HMAC-based schemes) keys with OpenSSL as follows: $ openssl rand -base64 32 This command generates a 256-bit (32-byte) key of cryptographically secure randomness and encodes it in Base64. You can also encode t …


@kerkour.com | 3 months ago

Happy End of the Year & The exciting things coming in 2024

Welcome back for your weekly dose of hacking and programming. As you will see below, I've been pretty busy and have some awesome things to share with you. But first, I wish you a happy end of the year, good cheer and great memories :) What's coming in 2024: In January my …


@kerkour.com | 4 months ago

How to read EPUB ebooks on your Kindle

Kindle devices don't natively support the EPUB ebook format that is commonly used outside of Amazon's closed ecosystem, so you first need to convert it to the AZW3 format. Convert EPUB to AZW3: You can use the Calibre ebook management software to convert EPUB files to AZW3 …


@kerkour.com | 4 months ago

HTTP Caching: ETag vs Last-Modified headers

In the past, web servers could append a Last-Modified header indicating the time at which the server believes the page/resource was last modified. Together with the Cache-Control header it was used to handle HTTP caching: on subsequent requests, the client would send the value in the If-Modifie …


@kerkour.com | 5 months ago

Understanding Cloudflare's CF-Cache-Status Header

When debugging a webapp using Cloudflare as a Content Delivery Network (CDN), you may want to know if the response was served by your own servers, or by Cloudflare's servers, also known as its cache status. For that, you can inspect the response's HTTP headers (with curl …


@kerkour.com | 5 months ago

Momentum and Emptiness

A month ago I wrote: next week we are going to see how to drastically reduce your bandwidth usage with smart and efficient caching strategies, and since then... nothing, (almost) no new post on this blog, and certainly not this epic article about CDNs and HTTP caching. You may th …


@kerkour.com | 5 months ago

How to update your local Go toolchain in 1 command with Go 1.21

Today I learned that since Go 1.21 you can update your local toolchain with the following command: $ go env -w GOTOOLCHAIN=go1.21.4+auto # Or another version... You can learn more on the official website: Go Toolchains.


@kerkour.com | 5 months ago

96 Hours left to get your free Black Hat Rust copy

As announced two weeks ago, I'm writing a new book: Cloudflare for Speed and Security where you will learn how to build secure and scalable applications with the global cloud platform. Between writing, editing and technical review, it can take some time to complete a book. Ad …


@kerkour.com | 6 months ago

How to publish a Docker image to the GitHub Container Registry (ghcr.io) from GitHub Actions

GitHub keeps changing how authorizations to push images to their Container Registry ghcr.io are managed, so here is how to publish a Docker image to the GitHub Container Registry from GitHub Actions as of October 2023. .github/workflows/your_workflow.yml name: release on: …


@kerkour.com | 6 months ago

Food poisoned

Sorry, it's not the name of a new secret 5up3r h4ck1ng technique... I just fully recovered from a really really nasty food poisoning episode, and I'm now clearing my inbox. So if you did send me an email in the past 8 days, a reply should arrive promptly ʕ •ᴥ•ʔ


@kerkour.com | 6 months ago

Why cloud bandwidth is so obscenely expensive and what you can do about that

If you are not overspending on compute (like many companies do because of "scale") then your biggest cloud expense is most certainly your bandwidth and storage costs. While there is little you can do to optimize your storage costs, you have a lot of leverage to reduce you …


@kerkour.com | 6 months ago

Announcing Cloudflare for Speed and Security

I'm so excited to finally share with you what I've been working on recently. One month ago I asked you what you want to learn about Websites, APIs and Servers security. I was really impressed to get far more answers than expected, so I want to express my gratitude


@kerkour.com | 6 months ago

How to bypass Cloudflare and how to protect your websites

Whether it's for performance, DDoS mitigation or to block scraping bots, it's hard for website operators to justify not using a CDN. Most of today's CDNs also come with a suite of security tools such as a Web Application Firewall (WAF) to block SQL and XSS injections, bo …


@kerkour.com | 7 months ago

How to download a large file in parallel (with aria2c)

When you are downloading large files from a cloud object storage (whether it be Scaleway's Object Storage, AWS S3 or Cloudflare R2) such as AI models, it's recommended to parallelize the download to get the best throughput, with one concurrent request for each 85–90 MB/s …


@kerkour.com | 7 months ago

What do you want to learn about Websites, APIs and Servers security?

Hi everyone, I've spent considerable time over the past months securing websites, APIs, and servers, so I have a lot to share. However, I'm not sure where to start. Could you please tell me about your biggest problems when you develop and deploy secure websites, APIs, and …


@kerkour.com | 7 months ago

What are Autonomous Systems and why they matter (a lot) for your security

If you have ever set up a server, you know that as soon as your server is online, it starts to be scanned by bots looking for vulnerabilities to exploit to make your server join a botnet for later attacks or crypto mining. Today I come with good news: whether


@kerkour.com | 7 months ago

How to copy files from a Docker container to the host

You can copy files from a Docker container to the host even if you didn't mount a volume using the command docker cp. Here's an example where we copy the file /home/user/file.jpg from the container to file.jpg in the current directory of the host: $ docker cp my_container …


@kerkour.com | 7 months ago

Should I Rust or should I Go?

"Is Rust a great fit for this project?" I get this question quite frequently, so I think it's time to write down my thoughts if it can spare you some painful and costly mistakes. Short answer: no. Coming from someone who wrote a successful book about Rust (Black Hat Ru …


@kerkour.com | 7 months ago

How to use SHA-256 instead of SHA-1 as Git hashing algorithm

On 23 February, 2017 the SHAttered attack demonstrated a practical SHA-1 hash collision. While it does not directly affect Git, it's only a matter of time before attacks are found against it. NIST started recommending to STOP using SHA-1 back in 2006! With v2.42.0 Git …


@kerkour.com | 8 months ago

How to add one or more fields when marshalling a struct to JSON in Go

In Go it's easy to omit some fields when marshalling a struct to JSON with json:"-", but how do you add one or more fields to the JSON output? The easiest and cleanest way to achieve that is by using an anonymous struct when implementing MarshalJSON. We need to create a


@kerkour.com | 8 months ago

How to use different index.html file for development and production with ViteJS and VueJS

When building web applications with VueJS and ViteJS you may want to use different index.html files for development and production (to add some server-side rendered variables for example). You can do that in your vite.config.ts (or vite.config.js) file by using a custom plugin th …


@kerkour.com | 8 months ago

Derive secure keys in Go with HKDF and SHA256

HKDF is a key derivation function based on the HMAC function. Key Derivation Functions (KDF) are used to generate secure "subkeys" from an already cryptographically secure "master" (or root) key. If you want different keys for encryption and for authentication, fo …


@kerkour.com | 8 months ago

How to open external links in a new window with VueJS, vue-router and router-link

On one of my webapps I need to open external links (such as https://kerkour.com) in a new window but internal links (such as /about) with vue-router to provide a pleasant Single Page App experience. In traditional HTML this is achieved with the target="_blank" rel="n …


@kerkour.com | 8 months ago

Check if an IP address is IPv4 or IPv6 in Go

Once you have successfully parsed an IP address in Go with net.ParseIP you may want to distinguish whether the IP is a v4 or a v6 address. For that you can simply use the IP.To4 function, which returns nil if the IP address is not a v4 address (and thus


@kerkour.com | 8 months ago

How to format and prettify curl JSON output

So you have this curl shell/bash command that fetches some JSON, but unfortunately the JSON is sent without any space or newline, which makes it hard to read. Here are a few ways to display curl output in readable JSON format. Using python: Whether it be macOS or Linux, python


@kerkour.com | 8 months ago

How to generate vue-router links with dynamic HTML in VueJS (v-html)

So you have some HTML generated by an API or a Markdown parser that you need to render with v-html. In this HTML there are some links <a href="...">...</a>. Unfortunately, these links are not handled by vue-router as they are "normal" <a> element …


@kerkour.com | 8 months ago

How to access $refs in VueJS 3 with the composition API and script setup

In VueJS 2 you could access specific elements of the DOM using $refs. In Vue 3 with the new composition API, $refs is no longer available. Instead, you can simply use the new ref() function as a replacement for HTML element references. <template> <div ref="myReferenc …


@kerkour.com | 9 months ago

How to block outbound network and internet access for a Docker container

Whether you want to prevent a Docker container from spying on your sensitive data with invasive telemetry or want to restrict internet access for security reasons, here is how to do it. First you need to create an internal network: $ docker network create --internal --subnet 172.19.0.0 …


@kerkour.com | 9 months ago

Legalizing spyware. What can go wrong?

Summer has finally arrived, time for everybody to forget the monotony of the city and head to the beaches to relax and enjoy a few unforgettable parties. It's also the favorite period of the year for the government to pass all their controversial and creepy laws that don't have …


@kerkour.com | 9 months ago

Nobody cares about the metaverse. Neurotechnology is the big deal of AR/VR headsets.

I have a confession to make. I have always dreamed of gluing tiny screens in front of my eyes in order to escape the real world and join virtual ones with blue grass, pink elephants, microtransactions everywhere and purple aliens with too many nipples but no legs. Just kidding. N …


@kerkour.com | 9 months ago