Web Servers
Secure the gateway. Protect every request.
Node.js security patterns, Nginx hardening, rate limiting, TLS configuration, reverse proxy setups, and production-grade server defense.
Topics in Web Servers
All Articles (9)
Postfix and Dovecot Misconfigurations That Will Bite You in 2026
Most successful attacks against self-hosted mail aren't CVEs — they're config-file mistakes. Here are the eight misconfigurations that show up over and over, with the exact lines that fix each one.
25 Years of Email Server CVEs: Why the Same Bugs Keep Coming Back
Mail server vulnerabilities aren't a random walk. Look at twenty-five years of Postfix, Dovecot, Sendmail, and Exim CVEs and four bug classes account for almost everything. Here's why those classes keep recurring.
mbox vs Maildir vs Database: How Mail Actually Sits on Disk
Where your messages physically live shapes everything from backup strategy to incident response. Here's mbox at the byte level, Maildir's atomic delivery, and why the storage layer is where forensics actually happens.
SMTP, IMAP, and POP3 at the Byte Level
Email protocols are old, text-based, and quietly fascinating. Open Wireshark, run tcpdump, and watch what your mail server actually says on the wire — including the parser disagreement that made SMTP smuggling possible in 2023.
Dovecot Architecture: From Login to Maildir
Dovecot won the IMAP server wars in the 2010s for a reason — its architecture treats every login as untrusted code execution waiting to happen. Here's how it's actually structured, with the C source as the reference.
Postfix Architecture: Reading the Source to Understand the Surface
Most Postfix articles tell you what to put in main.cf. This one opens the C source, traces a message through the queue with strace, and maps the attack surface of every process in the pipeline.
So You Decided to Host Your Own Email Server (Or Update One)
Self-hosting email is one of those decisions that looks reasonable at 11 PM and terrifying at 9 AM. Before you type a single config line, here's what running your own mail in 2026 actually means.
Sessions vs JWTs: Choosing the Right Auth Architecture
Stateful or stateless? Cookies or tokens? The auth architecture debate has real trade-offs most tutorials gloss over. Here's a practical comparison — including the refresh token mistakes that lead to silent account takeovers.
Node.js Rate Limiting: What Happens When You Skip It
Your Express API is one curl loop away from a $4,000 cloud bill. Here's how rate limiting actually works in Node.js — and why the defaults will bite you.