Ghassan's Page

Monorepos, Workspaces & Turborepo: A Modern JavaScript Development Architecture

Wed, 05 Nov 2025 18:41:54 -0600

The JavaScript ecosystem has undergone a significant architectural shift in recent years. As applications grow more complex. Shifting away from two opposite architecure patterns: Massive monolithic application or chaos of dozen separate repos. A new rising pattern is gaining more ground in modern JavaScript applications. Monorepo pattern, where a single repo for all the code base, but at the same time separate and independent modules, which combine the best of two worlds:

Understanding HTTP Request Smuggling and latest ASP.NET vulnerability

Fri, 31 Oct 2025 18:41:54 -0600

If you’ve been following cybersecurity news lately, you’ve probably heard about Microsoft HTTP request smuggling vulnerability CVE-2025-55315 making headlines. But what exactly is HTTP request smuggling, and why should you care? Let’s break it down in plain English. What Is HTTP Request Smuggling?HTTP request smuggling is a technique where an attacker crafts a single HTTP request that gets interpreted as two different requests by different systems in the processing chain. Think of it like someone is passing through a guarded gate, but he hides another person under his coat.

SPA vs. SSR: The Rise of Server-Side Rendering

Sat, 25 Oct 2025 18:41:54 -0600

The landscape of web development has undergone a dramatic shift over the past decade. Single Page Applications (SPAs) dominated the 2010s, promising rich, app-like experiences in the browser. But today, we’re witnessing a renaissance of Server-Side Rendering (SSR). This isn’t a step backward—it’s an evolution that combines the best of both worlds. The SPA benefitsWhen SPAs emerged, they solved real problems. Traditional multi-page applications required full page reloads for every navigation, creating jarring user experiences.

Azure PowerShell Scripts Collection

Fri, 11 Jul 2025 00:00:00 +0000

PowerShell Scripts CollectionHere’s a collection of useful PowerShell scripts for various automation tasks. Scripts Modules - Find duplicate and delete older version Modules - Find outdated modules Security - Find role definitions related to resources KeyVault - List secrets KeyVault - Assign User as KeyVault Administrator KeyVault - Add Secret KeyVault - List Secrets

Simplify Jupyter Projects with Docker or Conda

Sun, 18 May 2025 18:41:54 -0600

Managing multiple Jupyter Notebook projects often means juggling different Python libraries and dependencies. Instead of setting up a separate virtual environment and installing Jupyter for each project, I use Docker to streamline the process. We can use Conda as well, and I will show how, but presonally I prefer Docker. Create an isolated evivronment for each projectI had a previous post on how to setup virtual environments using pipevn, and virtualenv.

Managing Credentials for Azure Artifacts

Tue, 17 Dec 2024 18:41:54 -0600

When storing your private artifacts (NuGet, NPM, Docker, etc.) in Azure Artifacts, authentication is required to access them. Various tools such as dotnet, nuget, msbuild, and Visual Studio may need to retrieve these artifacts during the build process. To simplify credential management across these tools, Microsoft provides the Azure Artifacts Credential Provider. Introduction & Underlying TechnologySince accessing NuGet packages requires authentication, Microsoft provides the Credential Provider, a NuGet plugin that automates credential acquisition for NuGet clients, including:

Enable APM for ASP.NET Core application

Thu, 14 Nov 2024 18:41:54 -0600

There are many tools that provide APM (Application Performance Monitoring) for Asp.NET. The all share the same steps and configuration on how to hook their service into Asp.NET running instance. How profiling work in .NETProfiling a managed CLR application is different than profiling normal non-managed appication, because CLR is different. CLR prvides these services: Application domains Garbage collection Managed exception handling Just In Time (JIT) compilation .NET provides its own profiling API, and all profiling tools are using this API, and they all work in the same way.

Self certified certificates

Tue, 05 Nov 2024 18:41:54 -0600

A self-signed certificate is a type of SSL/TLS certificate that is generated and signed by the individual or organization that owns it, rather than being issued by a trusted Certificate Authority (CA). For development process we need a certificate for the host localhost, and be stored in the certificate store which vary depends on the operating system. To generate and use the certificate do the following two steps: generate the certificate store the certificate in the certificate store which vary depends on the operating system.

Upload files using streaming in Asp.NET

Sat, 26 Oct 2024 18:41:54 -0600

Asp.NET provide a binding technique to upload files IFormFile. But that technique will consume memory as it buffers the content of the file in the memory or in the database. To skip buffering and use streaming, we kind of have to code it in own our way. Http Protocol and uploading file:The simplest way to upload file is to create an Html file input element, and include it in html form with submit button as follows:

Git Tools Every DevOps Engineer Should Know

Wed, 25 Sep 2024 18:41:54 -0600

As a DevOps engineer managing an active Git repository with hundreds of commits daily, you’ll inevitably face challenges that require a solid understanding of Git and its ecosystem. This post covers common issues that teams encounter while using Git and the tools used to address them. Each tool mentioned deserves a dedicated post, but here’s a brief overview of the essentials. The tools we’ll cover: Maintaining the health of the repository.

Enhancing Team Collaboration with a Git Forking Strategy

Mon, 23 Sep 2024 18:41:54 -0600

The fork-based pull request (PR) workflow is widely used in open-source projects because it enables external contributions while keeping the core repository secure and controlled by a designated team. Fork-baed workflow and Inner SourceTypically, only contributors with repository access can create pull requests. As a contributor, you can create branches, submit PRs, and request merges. However, what happens if you’re not part of the repository’s team, as is the case in open-source projects?

Design and implement Git branching strategies for CI/CD integration

Mon, 23 Sep 2024 10:41:54 -0600

Establishing a standardized development process that integrates a Git workflow with Continuous Integration/Continuous Deployment (CI/CD) is crucial before writing any code. This post will explore a widely-used approach: the Trunk-Based Development Workflow, which is adopted by many leading companies, including Microsoft. Choosing a branching strategy:Every team should adopt a consistent code release process to maintain quality and reduce risks. This starts with selecting a Git workflow, continues through integrating CI/CD, and culminates in defining a release strategy.

Enhancing Your Git Workflow with Git Credential Manager Core

Sun, 22 Sep 2024 10:41:54 -0600

Git’s credential helper is a handy tool that saves your credentials, so you won’t need to re-enter your username and password for every git pull or git push. However, depending on the age of the tutorial you’re following and the platform you’re using, the instructions for setting up credential storage may vary. In August 2021, GitHub introduced a new cross-platform tool called the Git Credential Manager Core. Let’s explore how this tool can streamline your team’s workflow.

Are you still using git checkout for everything? It is time to switch to git switch

Sat, 21 Sep 2024 10:41:54 -0600

If you’re like me and still rely on the trusty git checkout for a variety of tasks—like switching branches, restoring files, and checking out commits—then you’re in for a treat. The Git community has made things easier by introducing two new commands to split the workload: git switch and git restore. These new commands were created to reduce the overload on git checkout and make Git a bit more intuitive, especially for developers who sometimes found it confusing.

A Journey into Microsoft Identity Platform

Mon, 19 Aug 2024 10:41:54 -0600

It is not exaggeration if I said, Microsoft Identity Platform is bigger than any SAS authentication provider, and if you are using Azure as your cloud provider, then the authorization benefits that will add to your application off-the-shelf, won’t be able to do it with any other platform without writing code. Usage with .NET.NET has a library, which is considered part of the platform. It is Microsfot.Identity.Web. How to use it?

Stream long running webapi with Asp.NET Core and Javascript

Sat, 22 Jun 2024 10:41:54 -0600

If you have a long running process that return array of data, or a data that you can send back as chunk of data, then you can stream the result. Streaming from the serverIn Asp.NET core 6 and later, it is so easy to stream back the result using IAsyncEnumerable. Let us jump into the code right away: 1 [HttpGet("ProcessLongData")] 2 [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)] 3 public async IAsyncEnumerable<string> ProcessLongData(string input) 4 { 5 6 7 for (var i = 0; i < 10; i++) 8 { 9 await Task.

Auth0 Single Sign On and seamless silent authentication

Wed, 01 May 2024 10:41:54 -0600

Auth0 streamlines lots of complexity for you when it comes to authenticate your SPA application. In this article we will talk about how Single Sign ON works. Auth0 Single Sign On and sessions:Auth0 provides Single Sign-on through the use of sessions. There are up to three different sessions: Local session. Authorication Server session, if SSO is enabled. Identity Provider (IdP) session, if the user login through an IdP like Google, Facebook…etc.

Using Azure Managed Identity to skip sharing credentials

Sun, 14 Jan 2024 10:41:54 -0600

A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to Azure resources.

How Single Page Application call a secure your API with OAuth2

Fri, 05 Jan 2024 12:41:54 -0600

When a public SPA needs to authenticate through OAuth 2.0, it faces a big challenge. The challenge is you cannot store any type of secrets of credentials in your code. This is why OAuth provided a special flow to be used by SPA: Authorization Code Grant & PKCE. We are going to describe this flow in details here. Summary of the process:To describe the flow briefly, when the SPA requires to get a token it will direct the application to an Authorization Server (AS), which will use that server login page and UI, and the user will run the login process on the AS server website, then that server will return back to the original client website using a callback url passing the token to the SPA.

Survive commands with Conda

Wed, 20 Dec 2023 12:41:54 -0600

I had a previous post on how to setup virtual environments using pipevn, and virtualenv. But Conda is more robust and useful, and now I am using it for all my projects. Conda and the ShellWhile you install Conda, it will ask you at the end if you want initialize conda from the shell environment. The question is something like this: 1Do you wish the installer to initialize Anaconda3 by running conda init?

Different options to add SSL certificate to you Azure App Service

Fri, 08 Dec 2023 12:41:54 -0600

To add a SSL certificate to your web app hosted on Azure App Service with a custom domain, there are few options. I am going to list them here. Free certificate:Azure provides a free SSL certificate, and it is fully managed by Azure. Azure renew the process for you, and take care of everything for you. Although having a free certificate is a wonderful idea, but it has some shortcoming:

Everything you need to know about configure DNS to provide domain for your blog

Sun, 03 Dec 2023 12:41:54 -0600

You host your blog on Github pages, or Azure static website, or Azure blob storage with static website enabled. But you need to use a custom domain. Every time I changed my content location, I go back to remember how to do it, so I decided to make a post about it. Understand how custom domain mapping works:You host your static web pages on one of the static hosting services, for example these three:

Get the most out of Azure App Service.

Thu, 09 Nov 2023 12:41:54 -0600

Azure App service take care of tons of infrastructure, hosting, scalability, monitoring, deployment, DevOps, security and environment of your shoulders. But the question, are you really utilizing the most out of this wonderful service? Azure App service has tons of features that make it easy to forget about some of them and missing using them. I am going to list this checklist and explain more details on them. There are features that Must be implemented, and there are features that are optional because you might be using other services to achieve their functionalities.

OAuth, OpenID Connect, SSO and Authentication Flows in plain English.

Fri, 27 Oct 2023 12:41:54 -0600

Gone are the days when you force your users to register into your application by creating username/password. Everyone wants to skip that process when they can identify themselves using other ways (google, facebook, twitter…), and they want to use their single sign on process to identify them across multiple applications and multiple websites. In this post I am trying to explain the process and its technologies in simple English. An explanation by example:So you are a developer who is building an application and want to allow your users to use their Google credentials to authenticate themselves into your account.

Write Asp.NET webhook handlers for Azure Event Grid events.

Tue, 17 Oct 2023 12:41:54 -0600

Azure Event Grid is a Pub Sub message distribution service that is fully integrated with Azure infrastructure. Almost all Azure services, and PaaS, and many third-party SaaS provides integration with Event Grid, by publishing events. It is supporting Http protocol for publishing events to it, and now with a newer upgrade it supports MQTT protocol for lighter fast IoT communications. It is providing Pub/Sub services from Azure services to the subscribers, and adding to that reliability to insure the delivery of the messages.

Best way to run background services in ASP.NET.

Wed, 12 Jul 2023 12:41:54 -0600

Asp.Net provides many ways to run background processes. They are: IHostedService interface BackgroundService abstract class Worker Service using Microsoft.NET.SDK.Worker Actually they are just layers on top of each others, each layer provides extra functionality on the one below. This post is going to describe each layer and what it provides. Running background tasks using IHostedServiceAsp.NET provides support for running background tasks in the same process that host Asp.net application. By implementing IHostedService interface, your background task will start a little bit after Asp.

Build resilient applications accessing Azure services with no code.

Sat, 11 Mar 2023 18:44:55 -0700

When working on distributed system like systems that are running on the cloud, and microservices, then you should anticipate transient faults like temporary loss of network connection, or temporary unavailability of a service, or a service is busy. This is why in cloud application, the term Building for resiliency become a pattern in building application, and it means properly handling these transient faults in the code. There are two common used patterns that we can use in our code, that can help build resilience application.

Buy Custom Domain With Azure for your App Service.

Sat, 04 Mar 2023 21:44:55 -0700

If you googled how to buy a domain name on Azure, you might get answers saying that Azure doesn’t provide domain name registrar, like the following answer, or the following discussion. Not even those answers, even the book Exam Ref AZ-900 which is a Microsoft book says the following about Azure DNS Zone: If you want to purchase your own domain name, you go to a domain registrar, and they register the domain to you.

Everything you need to know about telemetry for your Asp.NET application on Azure.

Fri, 24 Feb 2023 21:44:55 -0700

All of the services that Azure offers for the instrumentation and observability (monitoring) of applications are grouped under Azure Monitor. Three services fall under the banner of Azure Monitor: Azure Monitor itself, which offers the observability component to track your apps. Application Insights, or its substitute OpenTelemetry, which offers the instrumentation and telemetry components The analytics component is provided by Log Analytics. We will emphasise the instrumentation component in this post.

Check performance bottleneck with Azure Application Insights.

Wed, 22 Feb 2023 21:44:55 -0700

If you have Application Insights enabled for your azure app service, then it is a piece of cake to get the performance bottleneck in your app, and even it check external dependencies like database queries or any other external dependencies. I have a Web API application, that is accessing Azure Sql Server, and Azure blob storage. By going into the performance blade under Investigate: You will see the average time for each API call, sorted descending by time: By clicking on any one, you can drill down to where the time consume even by its external dependencies:

Use Azure Key Vault to retrieve secured parameters during Azure deployment.

Sat, 04 Feb 2023 20:42:03 -0700

You have an ARM template to deploy, and you need to pass secure parameters. Instead of storing secure values in the parameter file, you can just retrieve these values from Key Vault. To be able to access the key vault by the resource manager you need to change access policy to allow “Azure Resource Manager for template deployment”, as shown here. Or you can do it from Powershell: 1// to update an existing key vault 2Set-AzKeyVaultAccessPolicy -VaultName MyVaultName -EnabledForTemplateDeployment 3 4// to create a new key vault with this feature enabled 5New-AzKeyVault ` 6 -VaultName MyVaultName ` 7 -resourceGroupName myresourcegroup ` 8 -Location centralus ` 9 -EnabledForTemplateDeployment How to use it?

Parse Azure SAS token using regular expression

Fri, 03 Feb 2023 20:40:37 -0700

If you have an Azure SAS token that is not working, it is good idea to parse it and understand what permissions and values it contains. This is a JavaScript code that uses Regular Expression to parse he SAS token, and an running example where you can try your own SAS token. 1var paramNames = { 2 sig: 'cryptographic signature', 3 st: 'start time', 4 se: 'end time', 5 spr: 'protocol', 6 srt: 'resource types', 7 sv: 'version', 8 sp: 'permissions', 9 ss: 'services' 10}; 11 12let valueLookups = { 13 sp : { 14 r: 'read', d: 'delete', w: 'write', l: 'list', a: 'add', 15 c: 'create', u: 'update', p: 'process', f: 'filter' 16 }, 17 srt: { 18 s: 'service', c: 'container', o: 'object' 19 }, 20 ss : { 21 b: 'blob', f: 'file', q: 'queue', t: 'table' 22 } 23} 24 25let valueConvertor = (key, inputValue) => 26 valueLookups[key] ?

Implement a watchdog for your microservices using off-the-shelf ASP.Net Healthcheck UI.

Thu, 02 Feb 2023 20:22:20 -0700

What is a watchdogA watchdog is a service that monitor other services and take actions when it detect a service is failing. ASP.NET starting from Core 5 has a built in UI module to monitor other services, and in few line of code you can build a watchdog for your services. How to hook it up with your services:Your microservices should implement health check endpoints to be monitored by the orchestration service (Kubernetes, docker storm, … etc).

Introducing Kudu, the engine that handle all web application deployment to Azure App Service.

Wed, 01 Feb 2023 20:20:40 -0700

If you follow any tutorials on Azure App Service, you will find that they use one of five options to deploy a web application to the Azure. Using Azure DevOps Using Github actions and webhooks. FTP Zip Deploy. MSDeploy (Microsoft Web Deploy tool). But behind the scenes, all these options are using the same back engine, which is Kudu. When we use FTP, Zip, or MSDeploy, we are actually calling Kudu REST API for deployment.

Azure Networking Recipes - Connect Azure Database and an Azure App Service using Virtual Network.

Tue, 10 Jan 2023 20:00:24 -0700

If your application is connecting to Azure database, or any other resources, then connecting them through Virtual Network (VNet) will enhance the performance (assuming the app service and the resources are in the same region), as well it enhance the security and we can lock the resources to have private endpoint, and not accessed publicly. I am going to go through a walk-through tutorial, using Azure Sql Server as an example, but this can work with any database on Azure, or even any resources like blob storage.

A developer introduction to cloud networking

Sun, 08 Jan 2023 20:07:36 -0700

As a developer who dealt with the cloud, either to create a virtual machine, or to deploy a website that connect to a database, then most probabely you had to deal even in short with a private network. And most of us developers don’t know a lot about networking, because it is either the job of dev-ops or system administrator. But on the cloud you find that you have to take some decisions related to the networking.

SPA routing and how to handle it with Azure Static Web app.

Sun, 08 Jan 2023 19:58:31 -0700

If you built a SPA application using one of the modern SPA frameworks like React, Vue, Angular…, then you must be using their router to define your client side routing. But you need to make a small adjustment on the server that serve your static application in order to deal with client routing gracefully, and this small adjustment is to tell the server to have a fall back on any route that is not recognized by the server to the root of the application.

Calling HTTP API and Socket Exhaustion problem

Sun, 08 Jan 2023 12:41:54 -0600

You definitely had to write code to communicate to an API service. Regardless of the language you use, or the framework you use, there is a two major problems when you want to do lots of calls. They are: Socket Exhaustion DNS Rotation I am going to use C# and ASP.NET as an example and show you what .NET world has a solution for that, but there are solutions in every language and framework.

Deploy A Single Page Application to Azure Static Webapp using TeamCity, Jenkins or any CI, or command line

Tue, 03 Jan 2023 19:56:30 -0700

I was trying to setup a deployment for an SPA application to an Azure Static Web app using TeamCity, but most of the tutorials I found was doing the deployment through CI/CD of Github’s Actions by monitoring a specific branch of a Github repository and deploy automatically whenever we check in into that branch, or the other alternative is using Azure DevOps pipeline. But what if we don’t want to use neither, and instead we need to do it on demand from TeamCity, or any other CI/CD tool?

Take your development environment anywhere and on any machine with Dev Containers

Thu, 29 Dec 2022 19:51:56 -0700

Dev containers provides a fantastic way to onboard a new developer up and running in matter of just clone the git repository. Dev containers allow you to create a docker container that will host all the development tools and libraries you use in your projects, and run it inside the container, and if you have an editor compatible then you can make the IDE connect to the containers and you can run or debug your code inside the containers.

Prepare .NET core Microservice to be monitored by Kubernetes

Tue, 27 Dec 2022 19:47:05 -0700

Kubernetes Monitoring:Kubernetes monitors the deployed microservices and check if any failure or a deadlock that makes the service not responding in order to restart the hosting container. Kubernetes achieve this by calling three different probes that determine the status of the container/pod. The three probes are: liveness: which monitor any deadlock, or the service is down, and Kubernetes will remove the dead container and restart another one. startup: Your service might need time at startup to wait for all its dependencies to be ready.

How to fix common error using Azure Kubernetes AKS from WSL2

Tue, 27 Dec 2022 19:43:59 -0700

When you use Kubernetes CLI tool: kubectl that is installed while you installed Docker Desktop for Windows, there is a small glitch that it will fail the kubectl commands, because of Kubeconfig file. Let’s supposed you want to create a new cluster on AKS, as follows: 1az aks create --resource-group MyResourceGropu --name MyMicroserviceCluster --node-count 1 --enable-addons http_application_routing --generate-ssh-keys And then you need to set that new cluster as your default cluster to work on, so you use

Some thoughts about ASP.NET Minimal API and Minimal Hosting Model

Mon, 19 Dec 2022 19:15:28 -0700

Why this post?ASP.NET 6’s minimal hosting model made me compare it to ASP.NET 2 and wonder if Microsoft is going back to some old concepts. I was curious about the potential benefit of migration, so I intend to explain and compare ASP.NET 6, 5 and 2. The new WebApplication builder and some history of ASP.NET:Let us generate a new webapi application in .net 6 using webapi template: 1dotnet new webapi -n tutorial.

Using Secret Manager for Configuration in .NET

Mon, 28 Nov 2022 19:41:04 -0700

It is critical not to store passwords or API keys in our code. For all environments for the development process: (QA, UAT, Pre-Production, and Production), it is easier to place it in a safe place (Azure Key Vault for example), and access it during deployment. For developer machines, we can use Secret Manager, or sometimes called User Secrets, which has a built-in support in ASP.NET. Enable Secret Storage:In the project you want to add a secret run this command:

No More JavaScript Transpiler

Wed, 23 Dec 2020 16:02:54 -0700

With modern browsers supporting ES6 modules, and Edge is adopting Chromium which align the major browsers to use latest EcmaScript features, we don’t need to use transpilers like Webpack or Gulp.
This will make it easier on many areas, and enhance the performance of our applications.

Memoization in Python and JavaScript

Sun, 20 Sep 2020 09:45:00 +0000

Memoization is a technique that is used a lot in Dynamic Programming and in general to speed up algorithms.
Memoization is the same as caching but in functional programming. The Caching mechanism will store the data into a cache store, and that data can be from anywhere (HTTP page, REST call, … etc) , where memoization is specific to cache the results of a function, and it create and maintain the store inside the function itself (so the function will be pure function) and send the store as a parameter into the function arguments.

Regular expression: Extract HTML Links

Fri, 11 Sep 2020 09:45:00 +0000

Explain advanced concepts of Regular Expressions through practical recipes:
In this recipe we are going to cover:

Negated Character class
Non-capturing group
Non-Greedy quantifier.
Python’s findall, and JavaScript’s exec

Regular expression: Extract Domain Names

Fri, 08 May 2020 09:45:00 +0000

Explain advanced concepts of Regular Expressions through practical recipes:
In this recipe we are going to cover:

Anchors
Non-capturing group
Python’s findall, and JavaScript’s exec

Regular expression: Extract Comments From Code

Thu, 07 May 2020 09:45:00 +0000

Explain advanced concepts of Regular Expressions through practical receipes:
In this recipe we are going to cover:

Capturing Group
Negated Character Class
Greedy / non-greedy quantifier.

Advanced Regular Expression Recipes - Introduction.

Wed, 06 May 2020 09:45:00 +0000

Regular expressions are implemented by many languages, and they can be used for different purposes. Mainly they are used for text processing, as well they are important tools to write an efficient algorithms, and as well they can be used by data science specially in cleaning and scrapping the data to prepare it for modeling.

Scrubbing Natural Language

Thu, 05 Sep 2019 18:41:54 -0600

Scrubbing a natural language text data is a widely used process that has well defined steps which you will find it in many places. From Lucene which is the Full text search engine that is used in Elastic Search and Azure Search, to any data science project that is processing Natural Language, including different ML projects, and general search projects. IntroductionA brief introduction to the Data Scrubbing:I am going to cover data scrubbing in more details in comming posts, but just to briefly explain why it is an important step.

About

Thu, 28 Feb 2019 00:00:00 +0000

Hi, my name is Ghassan Karwchan. I am a full stack software developer living in Calgary, Alberta, Canada. I am specialized in web developement, and mostly with .NET platform. But sometimes I enjoy developing outside of Microsoft world, with Python, Node.js, or Go. Lots of JavaScript experience.

Python Virtual Environments & Package Management

Wed, 22 Aug 2018 18:41:54 -0600

Python virtual environments, and as well package management, has a shaky history, and it has been changing a lot for last few years. Even currently, (early 2018), it is confusing because there are many tools for virtual environments (venv, virtualenv, pyvenv, pyenv). I couldn’t find one tutorial that describe everything in just one place, so I thought, I will write it down. This post is a combination of many official documentation, answers of StackOverflow, and different blog posts that I think will give you comprehensive picture, not only for the virtual environment, but for the package management as well.

Advanced HTTP

Tue, 26 Sep 2017 19:51:56 -0700

Adding an SSL Certificate and enabling HTTPS on your web site is not the end of the road for securing your website, and securing the communication to your website. It is just the start, and you need to do more steps related to HTTPS to guarantee your site safety, and your visitor safety. In this post I am going to describe: TLS and its algorithms in more depth. Insecure protocols, and algorithm.

Build emails with attachments using SMTP, MIME standard (AWS SES Case)

Thu, 08 Dec 2016 12:41:54 -0600

To send an email with AWS SES service, there are two options: Connecting directly to the AWS SMTP server with SMTP protocols. Or call AWS API over HTTPS. The SMTP is easier, but then you have to open SMTP ports (587 or 25 usually). Using AWS SES API:AWS SES API has two options to send emails as described in the documentation: Send simple text only formatted email. Send email with attachments as raw formatted email.

Token Based Authentication and JWT.

Fri, 29 Apr 2016 12:41:54 -0600

HTTP protocol specified only two standard authentication mechanisms, which are implemented in every browser, the [HTTP basic authentication]({% post_url 2016-03-31-web-security-basic-authentication %}), and the Digest authentication which is obsolete now because it is not secure anymore.
Because they are limited and work only on user name/password idea, the development communities in every web development platform came up with their better customized solutions.
JWT is one of the most promising and smart authentication ideas that is taking famous recently.

Making sense of SSL, RSA, X509 and CSR

Mon, 18 Apr 2016 23:42:00 -0600

This is the second part of learning about SSL/TLS. The first part was how to protect the site with SSL. This part is about explaining more the terms, technologies, protocols, standards used in SSL. What is SSL/TLS:SSL is the standard protocol to secure the communication between a web server and a browser, by creating an encrypted link between the two. SSL last version was 3.0, and TLS succeeds SSL, and become the new standard.

Secure your web site with SSL/TLS

Fri, 11 Mar 2016 08:59:00 -0700

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are cryptographic protocols that secure internet communication by encrypting data between a client (like a browser) and a server. How SSL/TLS works?SSL/TLS secure communication by: Encryption: Ensures that data transmitted between the client and server cannot be read by third parties. Authentication: Verifies the identity of the server (and sometimes the client), establishing trust. Data Integrity: Guarantees that data has not been altered during transmission.

Ajax, CORS, JSONP and the battle with Same-Origin Policy

Wed, 16 Dec 2015 19:51:56 -0700

All modern browsers have a built-in security policy called Same-origin policy, which help mitigate many vulnerabilities and security flaws. This policy means the browser can only pull data from the same site. Same site means pages that share the scheme (http, ftp, https…), and the host name and the port. The clash between Same-Origin Policy and AjaxThis policy was useful for a while to protect against XSS, but with the advance of ajax, and requesting data and resources from different domains and sites, then this policy become an obstacle.

CSS Fonts

Thu, 26 Nov 2015 19:51:56 -0700

The simplist way to use different fonts in your web site is using fonts from the “Web-Safe” fonts[1] [2]. But, no impressive design will depend only on these web-safe fonts, and designers add their own preferable fonts to the web site they are building. How to add your preferable fonts?Fonts comes as files that you have to upload to the site, and then reference them in the CSS file. Usually font vendors provide fonts with different formats in order to be consumable by many different browsers.

CSS Reset

Wed, 18 Nov 2015 19:51:56 -0700

Every web developer had an experience where he test his web site on Chrome, IE and FireFox, to find out that the experience is a little bit different, because browsers have their own default implementation and rendering for the HTML elements. Which means if you don’t overwrite the default implementation with your own CSS rules, then the browser will use its own implementation. If you are very keen on making the exact same user experience between all browsers even with the smallest details, then the community came up with a technique called “CSS Reset”.