Note di Matteo

Cache-Control for Civilians è un classico must-read (ancora attuale e ancora aggiornato) per chi vuole imparare una volta per tutti gli header per gestire la cache HTTP.

TIL ora JavaScript ha una funzione nativa groupBy() e non serve più usare reduce(). Mini guida qui.

Don't Sleep on AbortController. Introduzione a come annullare operazioni in JavaScript.

Vite: The Documentary: un documentario su Vite con molte persone chiave dell'ecosistema JavaScript, interessante!

Ho trovato questa recente iniziativa, HTTP/1.1 must die, secondo cui il rischio di HTTP smuggling è troppo alto e quindi bisognerebbe migrare verso HTTP/2 per gli upstream nei reverse proxy.

Per contesto (dal paper):

HTTP/1.1 has a fatal, highly-exploitable flaw - the boundaries between individual HTTP requests are very weak. Requests are simply concatenated on the underlying TCP/TLS socket with no delimiters, and there are multiple ways to specify their length. This means attackers can create extreme ambiguity about where one request ends and the next request starts.

HTTP/2 non soffre di questo problema:

HTTP/2 is not perfect - it's significantly more complex than HTTP/1, and can be painful to implement. However, upstream HTTP/2+ makes desync vulnerabilities vastly less likely. This is because HTTP/2 is a binary protocol, much like TCP and TLS, with zero ambiguity about the length of each message.

E il problema si può presentare anche se il client usa HTTP/2, proprio per via dei reverse proxy:

Servers and CDNs often claim to support HTTP/2, but actually downgrade incoming HTTP/2 requests to HTTP/1.1 for transmission to the back-end system, thereby losing most of the security benefits.

Come risolvere:

First, ensure your origin server supports HTTP/2. Most modern servers do, so this shouldn't be a problem.

Next, toggle upstream HTTP/2 on your proxies. I've confirmed this is possible on the following vendors: HAProxy, F5 Big-IP, Google Cloud, Imperva, Apache (experimental), and Cloudflare (but they use HTTP/1 internally).

Unfortunately, the following vendors have not yet added support for upstream HTTP/2: nginx, Akamai, CloudFront, Fastly.

GitHub si sposta su Microsoft Azure:

Vladimir Fedorov, GitHub’s chief technology officer, made the Azure migration announcement internally earlier this week, noting that GitHub is currently struggling with data center capacity. GitHub is currently hosted on the company’s own hardware, centrally located in Virginia. “We are constrained on data server capacity with limited opportunities to bring more capacity online in the North Virginia region,” Fedorov writes in a note to GitHub employees, or GitHubbers as they’re known internally.

To ensure the move to Azure is completed within 12 months, GitHub’s leadership team is asking employees to delay new features in favor of the Azure migration. “We will be asking teams to delay feature work to focus on moving GitHub,” Fedorov says. [...]

GitHub is now aiming to move fully off its own data centers within two years. This gives GitHub 18 months to execute its migration, with a six-month buffer for any delays. Most of the work will be completed over the next 12 months, according to Fedorov.

Magari è la volta buona che abilitano IPv6.

(The Verge)

swot. Una lista di domini di università e scuole mantenuta da JetBrains con lo scopo di permettere l'automatizzazione degli sconti studenti.

TIL gli Heisenbug:

In computer programming jargon, a heisenbug is a software bug that seems to disappear or alter its behavior when one attempts to study it. The term is a pun on the name of Werner Heisenberg, the physicist who first asserted the observer effect of quantum mechanics, which states that the act of observing a system inevitably alters its state. In electronics, the traditional term is probe effect, where attaching a test probe to a device changes its behavior.

Google’s infrastructure is distinct from every other tech company because it’s all completely custom: not just the infra, but also the dev tools. Google is a tech island, and engineers joining the tech giant can forget about tools they’re used to – GitHub, VS Code, Kubernetes, etc. Instead, it’s necessary to use Google’s own version of the tool when there’s an equivalent one.

(The Pragmatic Engineer)

ffmpeg con FDK AAC, AV1 e SRT:

brew tap homebrew-ffmpeg/ffmpeg
brew install homebrew-ffmpeg/ffmpeg/ffmpeg --HEAD --with-fdk-aac --with-svt-av1 --with-srt