HTTP REST

Leverage the richness of HTTP status codes

If you’re not a REST expert, you probably use the same HTTP status codes over and over in your responses, mostly 200, 404, and 500. If you use authentication, you might add 401 and 403; if you use redirects, 301 and 302; and that might be all. But the range of possible status codes is much broader than that and can improve your API's semantics a lot. While many discussions about REST focus on entities and methods, using the correct response status codes can make your API stand out.

201: Created

Many appli
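As an added example (not code from the original post), here is a minimal in-memory resource handler that answers with the status code matching the outcome instead of 200 or 500 for everything: 201 with a Location header on creation, 401 with WWW-Authenticate when no usable credentials were sent, 403 when the caller is known but not allowed, 404 when the resource does not exist, and 301 for a resource that moved. It goes slightly beyond the teaser by also using 400 and 204. The token table, user names and the ArticleStore shape are assumptions made for the demo.

```python
"""Added example: choosing HTTP status codes by outcome.
Not from the original post; TOKENS and ArticleStore are constructed
for the demo."""
from dataclasses import dataclass, field
from http import HTTPStatus
from typing import Optional

# Constructed sample credentials: bearer token -> (user name, is_admin)
TOKENS = {
    "tok-alice": ("alice", False),
    "tok-bob": ("bob", False),
    "tok-root": ("root", True),
}

WWW_AUTH = {"WWW-Authenticate": 'Bearer realm="api"'}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


@dataclass
class ArticleStore:
    articles: dict = field(default_factory=dict)
    moved: dict = field(default_factory=dict)  # old id -> new id, answered with 301
    next_id: int = 1

    def authenticate(self, auth_header):
        """Return (user, is_admin) for a valid bearer token, else None."""
        if not auth_header or not auth_header.startswith("Bearer "):
            return None
        return TOKENS.get(auth_header[len("Bearer "):])

    def create(self, auth_header, payload):
        user = self.authenticate(auth_header)
        if user is None:
            # 401: no valid credentials; the header tells the client how to get some
            return Response(HTTPStatus.UNAUTHORIZED, dict(WWW_AUTH))
        if not isinstance(payload.get("title"), str):
            # 400: the request itself is malformed, not the server
            return Response(HTTPStatus.BAD_REQUEST, body={"error": "title is required"})
        article_id = self.next_id
        self.next_id += 1
        article = {"id": article_id, "title": payload["title"], "owner": user[0]}
        self.articles[article_id] = article
        # 201: something was created; Location says where it lives now
        return Response(HTTPStatus.CREATED, {"Location": f"/articles/{article_id}"}, article)

    def get(self, article_id):
        if article_id in self.moved:
            # 301: the resource has a new permanent URL
            return Response(HTTPStatus.MOVED_PERMANENTLY,
                            {"Location": f"/articles/{self.moved[article_id]}"})
        article = self.articles.get(article_id)
        if article is None:
            return Response(HTTPStatus.NOT_FOUND)
        return Response(HTTPStatus.OK, body=article)

    def delete(self, auth_header, article_id):
        user = self.authenticate(auth_header)
        if user is None:
            return Response(HTTPStatus.UNAUTHORIZED, dict(WWW_AUTH))
        article = self.articles.get(article_id)
        if article is None:
            return Response(HTTPStatus.NOT_FOUND)
        name, is_admin = user
        if article["owner"] != name and not is_admin:
            # 403: identity is known, permission is missing; retrying with the
            # same credentials will never succeed, unlike 401
            return Response(HTTPStatus.FORBIDDEN)
        del self.articles[article_id]
        # 204: done, and there is nothing to put in the body
        return Response(HTTPStatus.NO_CONTENT)


if __name__ == "__main__":
    store = ArticleStore()
    created = store.create("Bearer tok-alice", {"title": "Status codes"})
    print(created.status, created.headers)
    print(store.delete("Bearer tok-bob", 1).status)
```

One caveat a practitioner will want: 403 versus 404 tells an unauthorized caller that the resource exists. When existence itself is sensitive (private documents, user ids), answering 404 to callers who may not see the resource is a legitimate trade of semantics for confidentiality; decide it per endpoint rather than by accident.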

container Kubernetes debug DevOps

Fearless Distroless

With the rise of Docker came a new focus for engineers: optimizing the build to reach the smallest possible image size. A couple of options are available.

Multi-stage builds: a Dockerfile can consist of multiple stages, each with its own base image. Each stage can copy files from any of the previous stages. Only the last one receives the tag; the others are left untagged. This approach separates one or more build stages from a run stage. On the JVM, it means that the first s
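The multi-stage pattern described above, as an added example that is not the post's own Dockerfile: a JDK and Maven build stage, and a run stage on a distroless Java base that carries only the JRE. The image names and tags (maven:3-eclipse-temurin-17, gcr.io/distroless/java17-debian11:nonroot), the artifact path target/app.jar and the port are assumptions for the demo; pin the versions you actually want.

```dockerfile
# Added example, not from the original post. Image tags and the jar path
# are assumptions for the demo.

# Stage 1: build. The JDK, Maven, the source tree and the dependency cache
# live here and never reach the final image.
FROM maven:3-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
RUN mvn -q dependency:go-offline
COPY src ./src
RUN mvn -q package -DskipTests

# Stage 2: run. Distroless ships the JRE and its runtime libraries only:
# no shell, no package manager, no apt, so a code-execution bug in the app
# has nothing to exec. Only this stage gets the tag from `docker build -t`.
FROM gcr.io/distroless/java17-debian11:nonroot
WORKDIR /app
# COPY --from pulls the artifact out of the untagged build stage
COPY --from=build /src/target/app.jar /app/app.jar
USER nonroot
EXPOSE 8080
ENTRYPOINT ["/usr/bin/java", "-jar", "/app/app.jar"]
```

The absence of a shell is also what makes `docker exec -it <ctr> sh` and `kubectl exec` fail on these images; the distroless project publishes `:debug` tags that add a busybox shell for troubleshooting. Use them in a dev cluster, not in the image you ship.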

SEO content canonical

The importance of rel=canonical for content writers

The subject of canonical references has been touched on a thousand times. But since some content writers still make the same mistake over and over, I think it’s worth adding one more post. I hope to reach some who aren’t aware of it.

Content writing is not enough

Writing content is not enough: you can have written the best blog post of the century; it’s no good if nobody sees it. One has two ways to spread the word:

Link to the post on social media
Copy the post to another s

Firefox CFP Sessionize Papercall Eventil

My first Firefox extension

A couple of weeks ago, I spent the weekend creating another CFP submission helper, in the form of a Firefox extension. It was not a walk in the park. To help others who may be interested in doing the same (and my future self), here’s my journey.

Context

I’ve written multiple posts about my conference submission workflow. To sum up:

Everything is based on a Trello board
I created an app that registered a webhook on the board
When I move a conference from one lane to another, it start

Scaleway cloud provider review developer experience

My evaluation of the Scaleway Cloud provider

A couple of years ago, I developed an app that helps me manage my conference submission workflow. Since then, I have been a happy user of the free Heroku plan. Last summer, Heroku’s owner, Salesforce, announced that it would end the free plan in November 2022. I searched for a new hosting provider and found Scaleway. In this post, I’d like to explain my requirements, why I chose them, and my experience using them.

The context

I’ve already described the app in previous blog

security TLS

mTLS everywhere!

Security in one’s information system has always been among the most critical non-functional requirements. Transport Layer Security, aka TLS, formerly SSL, is among its many pillars. In this post, I’ll show how to configure TLS for the Apache APISIX API Gateway.

TLS in a few words

TLS offers several capabilities:

Server authentication: the client is confident that the server it exchanges data with is the right one. It avoids sending data, which might be confidential, to the wrong ac

gRPC Spring Boot Apache APISIX

gRPC on the client side

Most inter-system communication components that use REST serialize their payload as JSON. As of now, JSON lacks a widely used schema validation standard: JSON Schema exists but is not widespread. A standard schema validation lets you delegate the validation to a third-party library and be done with it. Without one, we must fall back to manual validation in the code. Worse, we must keep that validation code in sync with the schema by hand. XML has schema validation out of the box: an XML document can declare a gr
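To make the "delegate validation to a schema" argument concrete, here is an added example (not from the post, and not the jsonschema library): a small validator that interprets a declarative schema using a subset of JSON Schema keywords (type, required, properties, additionalProperties, items, minimum, enum) and reports every violation with its path. The point is that changing the contract means editing the schema data, not hunting through hand-written if-statements. The ORDER_SCHEMA and the payloads are constructed for the demo.

```python
"""Added example: schema-driven validation of JSON payloads.
Not from the original post and not the jsonschema library; the schema
subset, ORDER_SCHEMA and the sample payloads are constructed for the demo."""

# JSON Schema type names -> Python types
TYPES = {
    "object": dict,
    "array": list,
    "string": str,
    "integer": int,
    "number": (int, float),
    "boolean": bool,
}


def validate(schema, instance, path="$"):
    """Return a list of human-readable errors; an empty list means valid."""
    errors = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON does not agree, so reject it
        wrong_type = not isinstance(instance, TYPES[expected])
        bool_as_number = expected in ("integer", "number") and isinstance(instance, bool)
        if wrong_type or bool_as_number:
            # No point checking keywords of a type the value does not have
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in {schema['enum']}")
    if "minimum" in schema and instance < schema["minimum"]:
        errors.append(f"{path}: {instance} < minimum {schema['minimum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in props.items():
            if key in instance:
                errors.extend(validate(sub, instance[key], f"{path}.{key}"))
        if schema.get("additionalProperties") is False:
            for key in instance:
                if key not in props:
                    errors.append(f"{path}.{key}: unexpected property")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(schema["items"], item, f"{path}[{i}]"))
    return errors


# Constructed contract for the demo: the whole validation rule set lives here,
# as data, instead of being scattered through request handlers.
ORDER_SCHEMA = {
    "type": "object",
    "required": ["id", "items"],
    "additionalProperties": False,
    "properties": {
        "id": {"type": "string"},
        "currency": {"type": "string", "enum": ["EUR", "USD"]},
        "items": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["sku", "quantity"],
                "properties": {
                    "sku": {"type": "string"},
                    "quantity": {"type": "integer", "minimum": 1},
                },
            },
        },
    },
}


def is_valid_order(payload):
    return not validate(ORDER_SCHEMA, payload)


if __name__ == "__main__":
    bad = {"id": 7, "items": [{"sku": "A", "quantity": 0}, {"sku": "B"}], "note": "x"}
    for err in validate(ORDER_SCHEMA, bad):
        print(err)
```

The `additionalProperties: false` line is the one to keep an eye on from a security standpoint: without it, unexpected keys sail through validation and reach whatever mass-assignment or ORM layer sits behind the endpoint.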

authentication OpenID Connect OAuth Apache APISIX

Authenticate with OpenID Connect and Apache APISIX

Lots of companies are eager to act as identity providers: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect with Google underneath and then switch to Azure.

OpenID Connect

The idea of an open standard for authorization started with OAuth around 2006. The initial version was patched for a session-fixation flaw (OAuth 1.0a) and later superseded by OAuth 2.0. OAuth 2

Spring Security Open Policy Agent Architecture Solution Architecture

Make your security policy auditable

Last week, I wrote about putting the right feature in the right place. I used rate limiting as an example, moving it from a library inside the application to the API Gateway. Today, I’ll use another example: authentication and authorization.

Securing a Spring Boot application

I’ll keep using Spring Boot in the following because I’m familiar with it. The Spring Boot application offers a REST endpoint to check employees' salaries. The specific use case is taken from the Open

Architecture Software Architecture System Architecture Solution Architecture

The right feature at the right place

Before moving to Developer Relations, I transitioned from Software Architect to Solution Architect long ago. It’s a reasonably common career move. The problem in this situation is two-fold:

You know software libraries perfectly well
You don’t know infrastructure components well

It seems logical that people in this situation try to solve problems with the solutions they are most familiar with. However, it doesn’t mean it’s the best approach. It’s a bad one in most ca