A QA, day by day

Your Dockerfile is downloading attackers' binaries (and how to stop it)

Three concrete steps to protect your Dockerfile from supply chain attacks: SHA256 checksum verification, controlling npm scripts with ignore-scripts, and removing the package manager from the production image.

8 min04/01

Security, SEO, and performance in a self-hosted blog

Self-hosting a blog means security, SEO, and performance are on you. CSP headers, rate limiting, generated OG images, ISR, and the lessons we learned while setting it all up.

9 min03/31

How we verify that nobody is tampering with this blog's posts

Our posts live in a SQLite database. If someone gets access to it, they can change any article without leaving a trace. We built an external verifier with SHA-256 hashes and Ed25519 signatures that watches integrity from a second server.

3 min03/30

Environment variables in E2E scripts: safe secrets in JMO Labs

E2E scripts need sensitive data, API tokens, credentials, private URLs, without showing up in the code. In JMO Labs we've added script variables with private mode: they're injected automatically, masked in logs, and accessed with a clean syntax.

11 min03/29

Infisical in Dokploy: how to manage secrets without putting them in environment variables

Plain-text environment variables are convenient until they stop being safe. Here's how we deployed Infisical as a self-hosted secrets manager inside Dokploy, and how we connected our applications so they can read credentials in an encrypted and auditable way.

6 min03/27

Next.js, SQLite, and Docker, the technical stack behind this blog

Every technical decision has a reason behind it. We chose Next.js over Astro, SQLite over PostgreSQL, and Docker with Dokploy over Vercel. Here’s why, and what we learned along the way.

5 min03/26

Why I built my own blog engine in Next.js (instead of WordPress or Ghost)

We had WordPress, Ghost, and dozens of platforms one click away. But none of them gave us what we needed without trade-offs. This is the story of why we ended up writing our own blog engine.

9 min03/25

How we handle database migrations with Drizzle ORM

The full migration workflow in real projects with Drizzle ORM, from the schema in TypeScript to production. With a comparison against Prisma and a few lessons learned.