A QA, day by day

WAF, cache, and hardening with Cloudflare Free, without losing your mind

The five WAF Custom Rules I use on every zone, rate limiting with the catch that you can't use ip.src on Free, conservative HSTS, the minimum sensible TLS version, a one-year Cache Rule for hashed Vite bundles, and why I ruled out caching Next.js 16 endpoints on Free.

9 min05/03

Merchant of Record, the missing piece between Stripe and your first international payment

I don't monetize anything on this blog, but I started looking into how indie hackers get paid online without drowning in international taxes. Merchant of Record is the piece almost nobody explains before that first payment, and this post is a roundup of what I learned in case it helps someone with their own SaaS or subscription.

14 min05/02

If my VPS got hacked, would I notice? How I built a homemade HIDS with AIDE, Telegram alerts, and encrypted backups

A security audit gave my VPS a 7.5/10 security posture. The biggest gap was also the simplest one: if someone got root, I had no way to know. Here's how I covered that gap with AIDE, a Telegram alert channel, and encrypted backups that the monitored server itself can't tamper with.

11 min05/01

Beyond Tunnel and Access, which Cloudflare Zero Trust pieces I still have left to turn on

An honest inventory of the Cloudflare Zero Trust and Cloudflare One services I still haven't used in the VPS migration series, what they look like on the Free plan, what problems they solve, and which ones I'd turn on first. Gateway DNS, Service Tokens, Turnstile, mTLS in Access, WARP Connector for non-HTTP services, Page Shield, and Cloudflare's own Notifications.

7 min04/30

Why I put my whole VPS behind Cloudflare

My VPS had been responding directly to the internet for a year and a half. One afternoon I decided to put all of it behind Cloudflare. This is the first post in a series where I explain why, what layers I set up, and in what order.

12 min04/29

Git for QAs, a practical guide for testers who automate

If you've been doing QA for years and Git still feels like a minefield, this guide covers everything you need to know to automate, read diffs, review PRs, and avoid breaking the team's repo. Real workflows, commands with examples, and mistakes I've seen, and made.

13 min04/28

Cloudflare Tunnel and Access to get admin panels off the Internet

I moved the VPS admin panels (Umami, Infisical, and Dokploy) to Cloudflare Tunnel with Access. Ports 80 and 443 are still only for public apps, the panels no longer resolve to the origin or need their own login exposed to the Internet. Minimal compose, a Bypass policy for critical webhooks, and a catch-all with email OTP.

13 min04/27

OpenRouter vs Vercel AI Gateway vs Cloudflare vs Portkey vs LiteLLM, a 2026 comparison

A cross-cutting comparison of AI Gateways in 2026 based on the things that actually matter, catalog, cost, latency, observability, failover, privacy, operations, and lock-in. When to pick each one, and why they aren't mutually exclusive.