Entries tagged webdev | Hugonweb Annotated Link Bibliography

NGINX introduces native support for the ACME protocol

https://blog.nginx.org/blog/native-support-for-acme-protocol

NGINX will soon be able to use the ACME protocol to automatically get and renew SSL certificates. This seems like it has been a long time coming, as it's just now in a preview release. Apache's stable release has been able to do it for a while.

Apache SSLPolicy Directive

https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslpolicy

Makes configuring SSL simple by enabling a whole set of security policy directives in one command.

Apache includes policies from the Mozilla organization, including the most secure option: "modern".

2025-07-29 update: SSLPolicy is only in Apache 2.5.0 or later. It's currently not even in Debian Sid :-(

Django SQLite Production Config

https://blog.pecar.me/sqlite-django-config

# yourproject/settings.py
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.sqlite3",
        "OPTIONS": {
            "transaction_mode": "IMMEDIATE",
            "timeout": 5,  # seconds
            "init_command": """
                PRAGMA journal_mode=WAL;
                PRAGMA synchronous=NORMAL;
                PRAGMA mmap_size = 134217728;
                PRAGMA journal_size_limit = 27103364;
                PRAGMA cache_size=2000;
            """,
        },
    }
}

Simple live reload for developing static sites

https://leanrada.com/notes/simple-live-reload/

I could use this backend-agnostic script. Right now I just spam Ctrl-R!

Simplify: Move code into database functions

https://sive.rs/pg

Keep as much logic as possible in the database, using constraints, stored procedures, and functions (Postgres even lets you write them in Python).

This reduces duplication of logic between the DB and external code, and allows the external code to change without issue.

Apache mod_md: built-in Let's Encrypt certificate retrieval

https://httpd.apache.org/docs/2.4/mod/mod_md.html

Apache's built-in mod_md can handle automatic retrieval and renewal of Let's Encrypt certificates (or similar with ACME) without external software. Convenient!

How to Favicon

https://evilmartians.com/chronicles/how-to-favicon-in-2021-six-files-that-fit-most-needs

Dozens of images aren't required for a favicon. The article recommends 6, but I would try just an .ico at only 32x32 and an SVG.

Includes a description of the files required and why, as well as how to generate them with Inkscape and Gimp.

Triggering Javascript at the Right Moment

https://stackoverflow.com/a/36096571

The best way to run JavaScript is to load it in the head with the "defer" attribute. That immediately starts fetching the script, but waits to execute it until the whole page is parsed.

<!DOCTYPE html>
<html>
<head>
  <title>Title</title>
  <meta charset="UTF-8">
  <script src="blahblah.js" defer></script>
</head>
<body>

<p>Stuff here</p>

</body>
</html>

OWASP Security Cheat Sheets

https://cheatsheetseries.owasp.org/index.html

Cheat sheets on all kinds of security, from C-based toolchain hardening to HTTP headers.

Stack Overflow Definitive Guide to Form-based Website Authentication

https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication

A really nice guide to the best, most secure ways to do website authentication. Lots of nice links.

The evolution of the web, and a eulogy for XHTML2

https://www.devever.net/~hl/xhtml2

"[The abundance of Javascript on modern web pages] is a bit like as if every single website now used Flash in major part — and we all know how popular that was."