What QUIC actually changed at the wire level, the head-of-line blocking fix, the 0-RTT replay risk and how to harden it, the deployment reality across Cloudflare, Google, and Apple, and the honest performance gains versus HTTP/2 five years after RFC 9000 shipped.
Tls
-
HTTP/3 and QUIC in Production -
HTTPS and TLS Explained: The Handshake, the Certificates, and a Config That Scores A+ How TLS actually secures a connection — the 1-RTT TLS 1.3 handshake, the certificate chain of trust, and a modern Nginx configuration that fixes the deprecated syntax and dead security headers most tutorials still copy-paste.
-
Post-Quantum Cryptography in 2026: Kyber, Dilithium, and the Migration That Already Started A practical, working-engineer's look at where post-quantum cryptography actually stands in mid-2026: what NIST shipped in FIPS 203/204/205, the Module-LWE math behind ML-KEM and ML-DSA at a level you can defend in a code review, the hybrid TLS and SSH deployments already moving real traffic, and the honest cost of the migration in bytes, milliseconds, and operational pain.
-
What Happens When You Type a URL and Press Enter A technically precise, end-to-end walkthrough of every major step between pressing Enter and pixels appearing on screen — from URL parsing and DNS to TCP, TLS 1.3, HTTP, CDN routing, and the browser's critical rendering path.
-
Post-Quantum Cryptography in Practice A practical guide for infrastructure engineers navigating the post-quantum migration: what actually breaks, the finalized NIST standards, hybrid key exchange already shipping in TLS and SSH, and an honest operational roadmap.
-
QUIC and HTTP/3 Deep Dive A technical deep dive into why QUIC replaces TCP under HTTP/3: head-of-line blocking, the integrated TLS 1.3 handshake, independent streams, connection migration, and the honest operational reality of deploying it with nginx, Caddy, and Cloudflare.
-
Caddy as a Homelab Reverse Proxy Using Caddy as a homelab reverse proxy: Caddyfile and JSON configuration, automatic HTTPS with Let's Encrypt and ZeroSSL, DNS-01 challenge for internal services, health checks, rate limiting, static file serving, and an honest comparison with Nginx and Traefik.
-
Vault PKI Secrets Engine in Production: Intermediate CAs, cert-manager, and Short-Lived Certificates as a Security Primitive A deep-dive into running Vault's PKI secrets engine in production: two-tier CA hierarchy, auto-rotating certificates, cert-manager integration, SPIFFE SVIDs, the revocation story, and operational hardening.
-
Wireshark and tshark for Engineers: Capture Filters, Display Filters, and Scripting Batch Analysis Wireshark and tshark past the basics — capture versus display filters, following streams, decrypting TLS, and scripting tshark for batch analysis — the parts that turn 'I took a capture' into 'I found the problem in thirty seconds'.
-
PostgreSQL Security Hardening: A Practical Guide Row-level security, pg_audit, pg_hba.conf hardening, TLS configuration, PgBouncer authentication, Vault database secrets engine, roles and least privilege — a complete guide to locking down PostgreSQL in production.
-
Traefik as a Kubernetes Ingress Controller: The Complete Guide A technically deep guide to running Traefik as a Kubernetes ingress controller — covering Helm installation, IngressRoute CRDs, Middleware resources, TLS with cert-manager, Gateway API, RBAC, high availability, observability, and production-grade patterns including canary deployments, TCP/UDP routing, and ForwardAuth with Authentik.
-
Secrets Rotation Without Downtime: Rotating Credentials in Live Systems Patterns for rotating database passwords, API keys, and TLS certificates in production systems with zero application restarts — covering the dual-credential pattern, dynamic secrets with Vault, automated certificate rotation, and the operational runbook for each scenario.
-
Managing SSL Certificates From certificate types to automation with Let's Encrypt.