NGINX introduces native support for the ACME protocol
NGINX will soon be able to use the ACME protocol to automatically get and renew SSL certificates. This seems like it has been a long time coming, as it's just now in a preview release. Apache's stable release has been able to do it for a while.
Apache SSLPolicy Directive
Makes configuring SSL simple by enabling a whole set of security policy directives in one command.
Apache includes policies from the Mozilla organization, including the most secure option: "modern"
2025-07-29 update: SSLPolicy is only in Apache 2.5.0 or later. It's currently not even in Debian Sid :-(
Django SQLite Production Config
# yourproject/settings.py
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.sqlite3",
        "OPTIONS": {
            "transaction_mode": "IMMEDIATE",
            "timeout": 5,  # seconds
            "init_command": """
                PRAGMA journal_mode=WAL;
                PRAGMA synchronous=NORMAL;
                PRAGMA mmap_size = 134217728;
                PRAGMA journal_size_limit = 27103364;
                PRAGMA cache_size=2000;
            """,
        },
    }
}
Simple live reload for developing static sites
I could use this backend-agnostic script. Right now I just spam Ctrl-R!
Simplify: Move code into database functions
Keep as much logic as possible in the database, using constraints, stored procedures, and functions (Postgres even lets you write them in Python).
This reduces duplication of logic between the DB and external code, and allows the external code to change without issue.
Apache mod_md: built-in Let's Encrypt certificate retrieval
Apache's built-in mod_md can handle automatic retrieval and renewal of Let's Encrypt certificates (or similar with ACME) without external software. Convenient!
How to Favicon
Dozens of images aren't required for a favicon. The article recommends 6, but I would try just .ico at only 32x32 and an SVG.
Includes a description of the files required and why, as well as how to generate them with Inkscape and GIMP.
Triggering Javascript at the Right Moment
The best way to run JavaScript is in the head with the "defer" attribute. That immediately starts fetching the script, but waits to execute it until the whole page is parsed.
<!DOCTYPE html>
<html>
  <head>
    <title>Title</title>
    <meta charset="UTF-8">
    <script src="blahblah.js" defer></script>
  </head>
  <body>
    <p>Stuff here</p>
  </body>
</html>
OWASP Security Cheat Sheets
Cheat sheets on all kinds of security, from C-based toolchain hardening to HTTP headers.
Stack Overflow Definitive Guide to Form-based Website Authentication
A really nice guide to the best, most secure ways to do website authentication. Lots of nice links.