Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done! 
Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.
I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 
System Administration
Week 7, HTTP and CDNs
After discussing the DNS, we now move on to #HTTP and HTTPS. While we don't have videos for these sections, hopefully the lecture slides can help you get an idea of what we're covering there. We review the basic HTTP protocol, peek at #QUIC and H3, and talk about load balancing and content delivery networks:
How browsers REALLY load Web pages
When browsers load a Web page and its subresources, A LOT happens under the hood. They need to take into account render/parsing blocking resources, use a preload scanner, listen to resource hints (like preload/preconnect), loading modifiers (async/defer/module), fetchpriority, responsive images, and much more. […]
https://fosdem.org/2025/schedule/event/fosdem-2025-4852-how-browsers-really-load-web-pages/
De http-puinhoop
Screenshot bij https://www.security.nl/posting/879514/rant+-+onveiliginternetten_nl
Took the #Vim (and #Neovim) syntax highlighting plugin for #Hurl (https://hurl.dev/) files from their repo's contrib/ directory and made it into an actual Vim package that can be installed by simply cloning the repo, or adding a submodule to your dotfiles, whatever.
Did you know there's an HTTP header a website can send to instruct a browser to clear some of the data it stores for that site, for example cached files? Learning that this header has been supported by all the major browsers since September 2023 is what led to me writing this thread.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
New @small-web/kitten release (version 5.2.0)
Adds missing types on `KittenRequest` and `KittenResponse` interfaces (the missing request and response helpers).
• `is()`: check for request type. e.g., `request.is('html')` or `request.is('json')` (you can also use the full mimetype).
• `json()`: JSON.stringify passed data and end response with inline JSON.
• `jsonFile()`: JSON.stringify passed data and end response with JSON attachment and optional file name.
• `file()`: end response with passed file data and optional file name and mime type.
• `withCode()`: end response with passed status code and optional body.
Kitten request and response helpers documentation:
https://kitten.small-web.org/reference/#request-and-response-helpers
Kitten type safety tutorial:
https://kitten.small-web.org/tutorials/type-safety/
Enjoy!
this is a bit of a backwards compatibility nightmare if you're worried about badly behaving clients. The haproxy devs think all those clients should just be fixed, which is true, but I don't think it's very pragmatic. Surprising from them tbh!
Frankly, I think they designed their new HTTP system without expecting this would be such a problem and don't want to change it now.
Anyway, haproxy no longer support 2.1 but RedHat support it til 2029, which buys you some time!
All HTTP headers are supposed to be case insensitive and in HTTP/2 it was made explicit that they should all be lower case.
When haproxy introduced HTTP/2 support, it downcased all response headers it sends, no matter what the origin servers sent, though it had an option to leave HTTP/1 headers alone.
haproxy 2.1 removed that option and (begrudgingly) replaced it with a way to set the case for specific individual headers under HTTP/1 to allow fixes for broken clients...
A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!
Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/
#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions
→ RFC 9421: HTTP Message Signatures (par @bortzmeyer)
https://www.bortzmeyer.org/9421.html
« Ce RFC spécifie comment on peut signer cryptographiquement et vérifier des messages HTTP, afin de s'assurer de leur authenticité. »
Just randomly thinking about how I can write a valid HTML page and it will work on any browser, and on any server, on the internet.
It would be really cool if any ActivityPub post I made essentially followed the same expectation, wouldn’t it?
HTTP or HTTPS?
I'm building a new static website, minimalist design etc, mostly about my hobbies and interests. Although, who knows, maybe in the future I will cover more controversial topics ...
Is there any good reason *not* to use HTTPS?
Here's an #HTTP #API design question for you:
Imagine you're creating a work-submission API. A single user request submits 1 or more items to process.
Your API is async: the "submit this batch of items" endpoint returns an opaque identifier that the user needs to poll with, periodically, for data encoding the batch items' processing statuses: success or failure for each.
Q: Which HTTP response code should the polling endpoint return:
- if some items fail?
- if all items fail?
blog! “Mastodon Now Sends Referer Headers! Hurrah!”
Back in 2022, I wrote this rather grumpy post on Mastodon, the federated social media platform.
> Mastodon enforces a "noreferrer" on all external links. I have mixed feelings about that. As a blogger, I want to see *where* visitors are coming from…
Read more: https://shkspr.mobi/blog/2024/12/mastodon-now-sends-referer-headers-hurrah/
⸻
#fediverse #http #mastodon
Mastodon Now Sends Referer Headers! Hurrah!
https://shkspr.mobi/blog/2024/12/mastodon-now-sends-referer-headers-hurrah/
Back in 2022, I wrote this rather grumpy post on Mastodon, the federated social media platform.
@Edent@mastodon.social
Terence Eden
Mastodon enforces a "noreferrer" on all external links.
I have mixed feelings about that.
As a blogger, I want to see *where* visitors are coming from. I also like to see (and sometimes join in) with the conversations they're having.
But, I get that people want privacy and don't want to "leak" where they're visiting from.
Is it such a bad thing to tell a website "I was referred from this specific server"?
61
16
2907:09 - Fri 11 November 2022
When you click on this link - https://www.bbc.co.uk/news - your browser says "Hey! BBC! Please can I have your /news page? BTW, I was referred here by shkspr.mobi. THANKS!" This is called the "Referer" and, yes, it is mispelt.
One the one hand, sending the referer is good; it lets the linked-to server know who is linking to it. That allows them to see where traffic is coming from. On the other hand, this could be bad for much the same reason.
If you run a server anarcho_terrorists.biz, you probably don't want the FBI knowing that your members are sharing links to their pages. If you run a small personal server, you may not want anyone knowing that you personally linked to them. If you run a server for a marginalised community, you may not want a hate-site to know your members are linking to you.
But if you're a large-ish, general purpose, non-private site - like Mastodon.social - where's the harm in allowing referer headers?
Anyway, for historic reasons, Mastodon blocked the referer header. This, I believe, was sensible for smaller servers but a miss-step for larger servers. As I pointed out last week:
@Edent@mastodon.social
Terence Eden
Two years later.
Want to know one of the major reasons Mastodon didn't catch on with journalists and large website owners?
It is *invisible* in referrer statistics.
Here's my blog from the last month.
BlueSky now sends me more traffic than Bing.
How much traffic does Mastodon send? It is impossible to know due to the "noreferrer" header in all links.
(I'm not saying your privacy isn't important. But you can't grow a community if no-one knows you exist.)
I'm not the only one to make this point - it has been a popular complaint for some time.
A few days ago, Mastodon changed to allow this to be configurable.
This is excellent news. Website owners will be able to (somewhat) accurately see how much traffic Mastodon sends them. That way they can determine if there is a suitably large audience to engage with on the Fediverse.
It is, of course, slightly more complicated than that!
Nevertheless, I'm delighted with this change. Hopefully it will allow the Fediverse to grow and attract more users.
