HN Reader

When Existence is Inefficient (2022) (inference-review.com)

1 points by aleph_minus_one 3m ago 0 comments

Comment with your favorite local-first content (lofi.so)

2 points by yonz 6m ago 2 comments

The average Apple Watch user gets 49 minutes of deep sleep per night (empirical.health)

2 points by brandonb 10m ago 0 comments

Windows 11 gets new Black Screen of Death, auto recovery tool (bleepingcomputer.com)

2 points by DocFeind 10m ago 0 comments

China begins building largest dam, fuelling fears in India (bbc.com)

1 points by perihelions 13m ago 0 comments

Show HN: How Claude Code Improved My Dev Workflow

4 points by IgorGanapolsky 16m ago 1 comments

Despite deepfake audio tech, banks, ISPs push voice print authentication (2021) (keydiscussions.com)

2 points by spenvo 16m ago 1 comments

The dangers of Musk's new, Manga-style [flirty] chatbot [video] (youtube.com)

5 points by mdp2021 19m ago 2 comments

Qwen3 – Coder (old.reddit.com)

1 points by mircea 19m ago 2 comments

Vector Tiles are deployed on OpenStreetMap.org (blog.openstreetmap.org)

3 points by ikawe 22m ago 0 comments

How Silicon Valley is becoming militarized (english.elpais.com)

2 points by geox 23m ago 0 comments

Show HN: How Claude Code Improved My Dev Workflow

1 points by IgorGanapolsky 29m ago 0 comments

Checklist Genie – Create Sharable Checklists with Just Your Voice and AI (checklistgenie.app)

1 points by alohaplannerapp 30m ago 1 comments

Qwen3-Coder: Agentic Coding in the World (qwenlm.github.io)

4 points by danielhanchen 30m ago 0 comments

Ask HN: A Reddit UI where all writing is done by an AI?

1 points by amichail 30m ago 2 comments

Show HN: A CLI tool for creating Typst screenplay projects (github.com)

1 points by ChaseRensberger 33m ago 0 comments

Hackers Behind $140M Brazil Banking Heist Turn to Crypto to Launder Their Loot (coindesk.com)

2 points by PaulHoule 33m ago 0 comments

RFC 1392: Internet Users' Glossary (rfc-editor.org)

2 points by adtac 33m ago 1 comments

A power utility is reporting suspected pot growers to cops. EFF says illegal (arstechnica.com)

4 points by duxup 33m ago 1 comments

SmoothCSV: The CSV Editor (smoothcsv.com)

3 points by msephton 34m ago 1 comments

Ask HN: Can You Buy Your Way into Your Dream Job?

3 points by YoloVibes 35m ago 4 comments

SWE-Bench Verified Is Flawed Despite Expert Review (ddkang.substack.com)

2 points by yuxuan18 37m ago 0 comments

Migrating to AWS in production with zero downtime (loops.so)

3 points by chrisfrantz 38m ago 1 comments

Show HN: Free crypto screener for Binance, Bybit, OKX and Coinbase (no login) (devisecrypto.com)

1 points by zainwah24 38m ago 0 comments

NPM 'Is' Package Hijacked in Expanding Supply Chain Attack (socket.dev)

3 points by feross 41m ago 0 comments

If Coding Agents Were Rappers (install.md)

2 points by goroutines 42m ago 0 comments

UFOs once took control of Russian ICBMs, nearly caused WW3 – testimony (jpost.com)

3 points by handfuloflight 43m ago 0 comments

Andrej Karpathy – The append-and-review note (karpathy.bearblog.dev)

1 points by superconduct123 44m ago 0 comments

Vibe Coding an SMTP Server, in Rust (mailpace.com)

2 points by albertgoeswoof 47m ago 0 comments

Build, Learn, Delete, Repeat (ymichael.com)

1 points by sawyerjhood 47m ago 0 comments

Veles, Google's open source secret scanner (opensource.googleblog.com)

1 points by sharkbot 48m ago 0 comments

Show HN: Let ChatGPT Plus control any Python or JavaScript object in 3 lines (chatgpt.com)

1 points by eneuman 49m ago 0 comments

Leak: Anthropic Says the Company Will Pursue Gulf State Investments After All (wired.com)

5 points by alexcos 50m ago 2 comments

Thursday Is Durable Computing Day

3 points by jedberg 53m ago 2 comments

A Quick(ish) Introduction to Tuning Postgres (byteofdev.com)

2 points by AsyncBanana 53m ago 0 comments

Ask HN: Can we better use heat from data centers?

3 points by mclau157 53m ago 1 comments

Distribution Package vs. Import Package (packaging.python.org)

2 points by Bluestein 54m ago 0 comments

Burning Man Festival Is Burning Through Cash (bloomberg.com)

5 points by petethomas 58m ago 0 comments

MCK: Open-Source MongoDB Operator (github.com)

2 points by mmoogle 58m ago 0 comments

ΜFork: A pure actor-based concurrent machine architecture with memory-safety an (ufork.org)

1 points by fanf2 1h ago 0 comments

Study: How American Consumers Are Using AI (joeyoungblood.com)

1 points by bhartzer 1h ago 0 comments

Why "How many tennis balls fit in a bus?" is a good interview question (medium.com)

6 points by saucetest 1h ago 4 comments

Amazon buys Bee AI wearable that listens to everything you say (theverge.com)

3 points by swyx 1h ago 1 comments

Inheritance over Composition, Sometimes (death.andgravity.com)

1 points by BerislavLopac 1h ago 0 comments

Show HN: Featurevisor v2.0 – declarative feature flags management with Git (featurevisor.com)

3 points by fahad19 1h ago 0 comments

Crowdfunding Success – Was it worth it? (atomic14.substack.com)

2 points by iamflimflam1 1h ago 0 comments

Show HN: It's Like FIFA for Developers 1vs1 Code Battle (battlegpt.website)

1 points by roozka10 1h ago 0 comments

Why everyone is probably wrong about AI (greyenlightenment.com)

3 points by paulpauper 1h ago 1 comments

Brave Browser Blocks Windows Recall (neowin.net)

1 points by bundie 1h ago 0 comments

Taiwan is creating an offshore wind industry to fuel its semiconductor factories (restofworld.org)

2 points by PaulHoule 1h ago 0 comments

Reverse proxy deep dive: Why HTTP parsing at the edge is harder than it looks

43 miggy 10 7/22/2025, 2:47:33 PM startwithawhy.com ↗

Comments (10)

pixl97 · 5h ago
Oh, and it can get messy and lead to exploits really quick.

Incorrect parsing and parsing differences between libraries can lead to exciting exploits.

Like what do you do when there is multiple of the same headers with odd line breaks?

GET /example HTTP/1.1 Host: bad-stuff-here Host: vulnerable-website.com

freeone3000 · 4h ago
It’s a good thing we have RFCs! For duplicate Host, you MUST respond with a 400. If the Host is different than the authority, Host must be ignored. If Host is not specified, it must be provided to upstream. See “Host” in RFC 7230:

https://www.rfc-editor.org/rfc/rfc7230#section-5.4

ranger_danger · 3h ago
it's a good thing all RFCs are 100% specified with no ambiguities.

EDIT: Sorry I dropped my /s. I was only trying to say that unfortunately not all RFCs are sufficiently specified... and that I think saying "good thing we have RFCs" should not imply they will all be sufficiently specified, which is how I interpreted their comment... and didn't feel like typing all this out, but I guess it was necessary anyway.

necovek · 2h ago
That's a very weird take as a reply on a bit that is sufficiently specified.
pixl97 · 2h ago
I mean, I was pointing out one in a chain of security failures reverse proxies have had. I could probably point out 20-30 other ones that have cropped up. Adding the binary complexity to H2 has really increased the number of these coming.
ranger_danger · 2h ago
Sorry, what I was implying is that "It’s a good thing we have RFCs" doesn't mean that they ARE always sufficiently specified... even if this one is.
TechDebtDevin · 5h ago
I've been building out a very large network of reverse proxies the last year. Very fun, and your article is very relatable. Go has been my friend. Been spending the last couple months testing trying to figure out all the weird things that can happen and its quite a bit.
bithavoc · 1h ago
me too, what are you building?
TechDebtDevin · 1h ago
A sort of boutique mobile-first proxy, with emphasis on geography spread/accuracy. I've been running my own proxies for a long time via friends and families networks, but in those instances security/safety wasn't as big of a deal. Yourself?
bithavoc · 16m ago
that’s cool, I’m working on branded artifact delivery. Docker, Go, NPM, Pypi repos delivered on free custom sub-domains. Vultr BGP services doing the trick so far.