Damus
Javed AB
@Javedab
Relays (15)
  • wss://purplepag.es/ – read & write
  • wss://relay.nostr.band/ – read & write
  • wss://relay.damus.io/ – read & write
  • wss://relay.primal.net/ – read & write
  • wss://theforest.nostr1.com/ – read & write
  • wss://nostr.oxtr.dev/ – read & write
  • wss://nos.lol/ – read & write
  • wss://nostr.bitcoiner.social/ – read & write
  • wss://nostr.mom/ – read & write
  • wss://relay.mostr.pub/ – read & write
  • wss://nostr-relay.psfoundation.info/ – read & write
  • wss://nostr.decentony.com/ – read & write
  • wss://pyramid.fiatjaf.com/ – read & write
  • wss://relay.noswhere.com/ – read & write
  • wss://nostr.wine/ – read

Recent Notes

Javed AB
The one header I didn't add yet: CSP.

For sites that render untrusted input it mitigates an active surface. For a static site it guards against rarer-but-bigger events: a compromised analytics script, a poisoned CDN, a future change that adds an input path.

Astro 6 added an integration for what it emits; iframes, external fonts, and third-party services stay manual. Will inshallah follow when the audit fits.

#CSP #WebSecurity #Astro #StaticSite
Javed AB
Enabled HSTS with includeSubDomains and preload.

The cost is real and one-way: every current and future subdomain must serve HTTPS or become unreachable. Removal from the preload list is in browser-release hands, not yours.

Accepted because the site is HTTPS-only by intent and Caddy provisions per-subdomain certs automatically via Let's Encrypt.

#HSTS #WebSecurity #Caddy #SelfHosting
Javed AB
Most cache misconfiguration is not carelessness, it's a missing handshake.

The build encodes assumptions. Hashed filenames mean the URL changes whenever the content changes. The web server has to know that, or the assumption stays unused.

If the config doesn't reflect what the build produces, the framework's work gets quietly undone at the last layer of the chain.

#WebPerf #Caching #StaticSite #Astro #Caddy
Javed AB
[SUB_THREAD 1]
Most static-site setups stop at "it loads." But the build pipeline encodes assumptions the web server doesn't know: hashed asset names, HTTPS-only, no iframes, no auth. The config that bridges those assumptions to actual server behavior is the last layer most setups never touch.

#Astro #Caddy #SelfHosting #WebPerf #StaticSite

[SUB_THREAD 2]
Three security headers, three real attack vectors:

- Strict-Transport-Security (no HTTPS-to-HTTP downgrade on public WiFi, including subdomains, with preload)
- X-Content-Type-Options nosniff (no MIME guessing)
- X-Frame-Options DENY (no iframe embedding)

Static site, no auth, no forms. Nothing else needed.

[SUB_THREAD 3]
Four headers evaluated and skipped:

- Referrer-Policy (already the major browser default)
- Permissions-Policy (blocks APIs the site doesn't use)
- Cross-Origin-Opener-Policy (no auth, no popups, no tokens)
- CSP (deferred until the audit fits the schedule)

Each one would have raised the scanner score. None would have made the site safer.

[SUB_THREAD 4]
Cache strategy follows the build output:

- _astro/* (hashed filenames): immutable, 1 year
- HTML (stable URLs): no-cache, revalidate every visit
- Favicons (no hash but rarely change): 1 hour, must-revalidate

Hashed filenames are what makes "cache forever" safe. The URL itself changes whenever content changes.

[SUB_THREAD 5]
Smaller pieces: www to apex 301, encode zstd gzip as a fallback path (CI pre-compresses sidecars), ACME email so silent TLS-renewal failure becomes a warning instead of a customer report.

Generic defaults cover the hard parts. The parts only you can configure (caching, headers, redirects) are the parts that signal intentionality.

https://javedab.com/en/pub/coding/web/astro-caddy-config/
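
A Caddyfile reconstructed from the thread above, as an added illustration rather than the author's own config (that lives at the linked post). The domain, document root and e-mail are placeholders, and the CI sidecars are assumed to be .zst/.gz files next to each original.

```caddyfile
{
	# ACME account e-mail: a failing Let's Encrypt renewal becomes a warning you receive
	email admin@example.com
}

# www to apex, permanent redirect (301)
www.example.com {
	redir https://example.com{uri} permanent
}

example.com {
	root * /srv/example.com/dist

	# On-the-fly compression, used only when no pre-compressed sidecar exists
	encode zstd gzip

	# The three headers the thread keeps; CSP is deliberately absent (deferred)
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}

	# Astro's hashed assets: the URL changes with the content, so cache forever
	@hashed path /_astro/*
	header @hashed Cache-Control "public, max-age=31536000, immutable"

	# Favicons: no hash in the name, rarely change
	@favicons path /favicon.*
	header @favicons Cache-Control "public, max-age=3600, must-revalidate"

	# Everything else is HTML at stable URLs: store, but revalidate on every visit
	@html not path /_astro/* /favicon.*
	header @html Cache-Control "no-cache"

	# Serve CI-built .zst/.gz sidecars when present; encode above is the fallback
	file_server {
		precompressed zstd gzip
	}
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` before deploying, then confirm with `curl -I` that each path class returns the Cache-Control value the build assumed.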

Javed AB
Honest limit: the voice client is closed-source. Installing alsa-utils restored voice mode, so the recording path probably ends at arecord or a sibling.

Probable, not verified. The strict claim: alsa-utils was the missing piece.

#Linux #SSH #SelfHosting #OpenSource #HonestBuilding
Javed AB
Trade-off: the remote process gets your live mic for the session. Anything on that machine under the same user can read from the same source.

Normal for any forwarded device. Worth naming when it's a microphone.

#Privacy #SSH #Linux #SelfHosting #OpenSource

Javed AB
Warning: remote port forwarding failed for listen port 4713.

Two scenarios share this warning; neither means the tunnel is broken:
1. CI script inheriting SSH config it shouldn't have.
2. Second session finding the port already bound by the first.

#SSH #Linux #SelfHosting #OpenSource #DevOps
Javed AB
TCP-over-SSH for audio: nothing new on either side.

PipeWire on the laptop, OpenSSH on both, encryption from the tunnel. The alternatives either skip encryption or add software dependencies.

Open stack. Already in the box.

#PipeWire #SSH #SelfHosting #Linux #OpenSource
Javed AB
Second SSH session: Warning: remote port forwarding failed for listen port 4713. First session already holds the port.

Fix: ControlMaster auto in ~/.ssh/config. One tunnel, shared by all sessions. No binding race, no warning. Voice mode will inshallah be reachable from all of them.

#SSH #Linux #SelfHosting #OpenSource #RemoteDev
Javed AB
CI deploy printed: Warning: remote port forwarding failed for listen port 4713. Deploy still worked. rsync complete. Site live.

CI doesn't have the user's audio runtime. The SSH config directive had nothing to land on.

Fix: ssh -o ClearAllForwardings=yes

#SSH #CI #Linux #SelfHosting #OpenSource
Javed AB
The gap that hides quietly:

SSH tunnel up. pactl info listing the local mic. Every layer checking out. Voice mode still failing.

alsa-utils not installed. The recording binary that reads mic bytes was missing. Installing it will inshallah close the gap.

#Linux #Debugging #SelfHosting #OpenSource #SSH

Javed AB
cannot find card '0'. Voice mode on a remote server.

Default read: no audio hardware, nothing to do.

What's actually true: audio on Linux is daemon-mediated. PipeWire exposes TCP. The hardware assumption is wrong.

#Linux #PipeWire #SelfHosting #OpenSource #SSH