digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This instance is operated by Digitalcourage e.V. for the general public. So that we can do this sustainably, we charge an annual advance fee of €1/month by SEPA direct debit.

#http


🦖 Set-Cookie header
✅ Widely available (from Jul 2015)

developer.mozilla.org/en-US/do

The HTTP Set-Cookie response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.

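Added example, not part of the post above or of MDN: why each cookie needs its own Set-Cookie header. It parses constructed response headers and shows how the comma inside Expires breaks any component that merges the headers into one comma-joined value. The cookie names and values are made up, and the Secure/HttpOnly/SameSite check goes slightly beyond what the post quotes.

```python
# Added example; the header values below are constructed, not captured traffic.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sid=abc123; Expires=Wed, 21 Oct 2026 07:28:00 GMT; "
                   "Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=86400"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into its name, value and attributes."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "value": cookie_value, "attrs": attrs}


def cookies_from_headers(headers):
    """Correct handling: every Set-Cookie header is exactly one cookie."""
    return [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def cookies_after_folding(headers):
    """What a component sees if it merges the headers into one comma-joined
    value and splits it again: the comma inside Expires becomes a boundary."""
    folded = ", ".join(v for k, v in headers if k.lower() == "set-cookie")
    return [parse_set_cookie(piece) for piece in folded.split(",")]


def missing_flags(cookie):
    """Hardening attributes that the cookie does not carry."""
    return [f for f in ("secure", "httponly", "samesite") if f not in cookie["attrs"]]


if __name__ == "__main__":
    for c in cookies_from_headers(RESPONSE_HEADERS):
        print(c["name"], "missing:", missing_flags(c))
    print([c["name"] for c in cookies_after_folding(RESPONSE_HEADERS)])
```

After folding, the session cookie is cut off at "Expires=Wed", so its Secure, HttpOnly and SameSite attributes end up attached to a bogus cookie named after the date fragment.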

Apparently, there exists a website called ipv4[.]games, where you can register HTTP web requests from hosts that you have access to. Once accessed, you can "claim" the requesting #IPv4 address with an #HTTP GET request on /claim?name=<NAME>.

The leaderboard is led by the person who claims the most addresses in the various /8 networks.

It is wild to see partially 6-digit numbers for various /8s claimed by one and the same user.

My guess is: Either they leverage residential proxies, or leverage perhaps mass-spamming on having millions of people world-wide clicking links, or alternatively, leveraging modern software design to do the lookup for them (e.g. website previews on social media, or anti-phishing services that do a lookup, before they forward the mail to you).

No matter what, I am sure that millions of these IP addresses in there can be harvested as #open #proxies

Other than that, I like the idea, and love how gamification leads to some people developing creative ways of making millions of hosts on the Internet access this website. It probably still invites unsolicited requests from strangers unknowingly participating in the game of a tech-savvy person.
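Added example, not part of the post above: a defender-side check for whether your own link-preview or mail-scanning hosts are being used to make such claim requests. It scans a constructed forward-proxy log for requests to the host and /claim?name= path named in the post; the log format, client addresses, agent strings and the name "alice" are all assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Refang the host name exactly as the post writes it.
WATCH_HOST = "ipv4[.]games".replace("[.]", ".")

# Constructed forward-proxy log, fields: timestamp client agent method target
SAMPLE_LOG = f"""\
2025-03-01T10:00:01Z 10.0.4.17 link-preview/1.0 GET http://{WATCH_HOST}/claim?name=alice
2025-03-01T10:00:09Z 10.0.4.17 link-preview/1.0 GET http://example.org/index.html
2025-03-01T10:02:44Z 10.0.9.3 mail-url-scanner GET http://{WATCH_HOST.upper()}/claim?name=alice
2025-03-01T10:05:12Z 10.0.7.80 Mozilla/5.0 CONNECT {WATCH_HOST}:443
2025-03-01T10:06:30Z 10.0.7.81 Mozilla/5.0 GET http://{WATCH_HOST}/
""".splitlines()


def find_claims(lines):
    """Return (client, agent, name) for every request to the watched host.

    name is None when the proxy cannot see it: a CONNECT tunnel hides the
    path, and a plain page view carries no claim parameter.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess
        _ts, client, agent, method, target = parts
        if method == "CONNECT":
            host, path, query = target.rsplit(":", 1)[0].lower(), "", ""
        else:
            url = urlsplit(target)
            host, path, query = url.hostname or "", url.path, url.query
        if host != WATCH_HOST:
            continue
        name = parse_qs(query).get("name", [None])[0] if path == "/claim" else None
        hits.append((client, agent, name))
    return hits


def clients_by_name(hits):
    """Group internal clients by the name they claimed for (None = unknown)."""
    grouped = defaultdict(set)
    for client, _agent, name in hits:
        grouped[name].add(client)
    return dict(grouped)
```

Several automated clients claiming for the same name, as in the sample, points at a link that was fed to your preview or scanning services rather than at a user browsing the site.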

In Germany we have this saying that talking about music is like dancing to architecture.

In a similar way, I find it rather difficult to describe to people why I prefer coding in a language which is usually considered one or all of the following: old / outdated / dead / feeding-to-a-niche / hard-to-understand - but I will give it a last try:

One of the things I like about the Forth programming language - in this case #esp32forth - is that you can easily add hardware specific words from the Arduino library.

I was missing analogWrite, analogWriteFrequency and analogWriteResolution so I just added those.

But aside from that, using Forth on the ESP32 makes prototyping so much easier: you save yourself the endless cycle of "code, compile, upload, test, code..." since you can actually write your code interactively on the device (using either the Block Editor or the Visual Editor).

Being able to remotely connect to this development environment via either #Http or #Telnet just rounds it up for me.

Maybe it's because it brings me back to the times when I was coding BASIC in my bedsit, but maybe it really is because it is a very efficient way to code ... 🤷‍♂️

#Forth
#ArduinoIDE
#Coding

release: webServer tool for linux

JS is the language of the web. But afaik, QuickJS didn't have an HTTP server module yet, so I did the plumbing and created Mongoose-qjs.

wget cce.citiwise.eu/downloads/qjs-webserver-0.2.4.tgz

sha256sum
d33a6a31c448bf6d61d0a15a8c61ec1bb1b2708768eef3bafe23eecb47192427

#qjs #linux #x86-64 #http

I’ve been thinking about this #HTTP 1.1 deprecation postulate and here are some random thoughts with no conclusion:

  • Protocol deprecation in the web world is mostly driven by cryptography, because that’s a hard fact you can present to the business. Any argument that includes “potentially” and “low-risk” is automatically ignored.
  • The newest officially deprecated HTTP cryptographic protocol is TLS/1.1 introduced in 2006 and deprecated in 2021 (!). TLS 1.2 is 2008 and TLS 1.3 is 2018.
  • That in practice means anything that runs on TLS/1.2 - that is since 2008 - will be acceptable for business.
  • HTTP/2.0 was only introduced in 2015, that is after TLS 1.2, which means cryptography isn’t a “formal” trigger for upgrade to HTTP/2.0.
  • You only worry about backward compatibility on user-facing interfaces, so you could in theory get rid of HTTP/1.1 in all internal web stacks.
  • HTTP/2.0 without TLS is however a separate protocol (h2c) and some implementations miss support for plaintext HTTP/2.0 (intentionally, to get rid of plaintext HTTP).
  • But most backend stacks run on plaintext HTTP simply because there’s little point in running full-blown TLS between localhost and localhost.
  • So, migration from HTTP/1.1 to HTTP/2.0 in backend isn’t just a matter of switching protocols - I’ve been there.

https://portswigger.net/blog/http-1-1-must-die-what-this-means-for-appsec-leadership

PortSwigger Blog · HTTP/1.1 Must Die: What This Means for AppSec Leadership. Learn the implications of and how to defend your organization against HTTP/1.1 request smuggling.