http

For read-heavy endpoints, clients often fetch the same resource repeatedly (profile data, settings, a snip page) even when it hasn’t changed. ETags let the client send If-None-Match and the server respond with 304 Not Modified, saving bandwidth and CP

If you expose an API to the public internet, you need a basic guardrail against bursts. I like a token bucket with rate.NewLimiter because it’s easy to reason about: steady-state rate plus a burst capacity. The middleware checks Allow() and returns 42

I separate liveness from readiness because they answer different questions. Liveness is “is the process alive enough to respond?” and should be cheap; readiness is “can this instance take traffic?” and can include dependency checks like DB connectivit

Rack middleware processes HTTP requests/responses in Rails' stack. Middleware sits between web server and application, modifying requests before they reach controllers. I build custom middleware for logging, authentication, rate limiting, request modi

One of the easiest ways to reduce frontend complexity is to be consistent about API responses. I keep a small helper that always sets Content-Type: application/json; charset=utf-8, uses a stable error envelope (error + optional details), and returns c

In-flight request count is a simple but powerful saturation signal. I keep an atomic.Int64 gauge that increments at the start of a request and decrements in a defer, which makes it robust even on early returns. This gauge can be exported via expvar, P

Unbounded network calls eventually will hang, and then your Node process gets stuck with slow requests chewing up the connection pool. I wrap fetch with an AbortController timeout so every outbound call has an upper bound. The key is distinguishing be

I’ve started using log/slog for services that want structured logs without a heavy dependency. The key is treating the request logger as data: create a base logger with JSON output, then derive a request logger with fields like request_id and path. I

ETags are a low-effort way to cut bandwidth and CPU when clients poll for resources that rarely change. The server computes an ETag for the representation (often a version, content hash, or updated_at value) and compares it to If-None-Match. If they m

CORS is one of those features that becomes security-sensitive by accident. Instead of Access-Control-Allow-Origin: *, I keep a strict allowlist and echo back the exact origin only when it’s approved. I also handle OPTIONS preflight requests explicitly

SSE is my go-to for “live updates” when I don’t need full bidirectional WebSockets. The key is to set the right headers (Content-Type: text/event-stream, Cache-Control: no-cache) and to flush periodically so intermediaries don’t buffer. I send heartbe

When a dependency is failing, you don’t want to keep hammering it. A simple circuit breaker trips after N failures and short-circuits for a cooldown window. It protects your app and your vendor.