The Daily
A note a day on APIs and the realities of shipping web applications. Stuff I've actually learned across 25 years of doing the work.
Rate limiting at nginx before Laravel ever wakes up
Blocking brute-force attempts at the nginx layer is cheaper and faster than doing it in PHP. Here's the actual config I use for login and API endpoints.
Most Laravel apps I inherit have rate limiting wired up in the application layer — a middleware, a facade call in , maybe a package. That's fine as far as it goes, but it means every blocked request still boots PHP-FPM, hits the framework, hydrates the service container, and burns a worker slot. For a login endpoint…
Twilio Verify: Rate Limiting OTP Without Locking Out Real Users
Twilio Verify's built-in rate limiting sounds great until your client's customers start getting locked out. Here's how I actually handle it.
Twilio Verify's default rate limiting will stop a naive enumeration attack. It will also lock out a real user who fat-fingered their phone number twice, and then you're getting a support ticket at 11pm. Getting the balance right requires understanding what Twilio actually does under the hood — and layering your own…
Zero-Downtime Laravel Deploys Without the Orchestrator Tax
You don't need Kubernetes to ship without dropping requests. Here's the atomic release pattern I use on single servers, built in plain bash and a symlink.
The first time a client called me mid-afternoon because their e-commerce checkout was throwing 500s during a deploy, I was already halfway through a on the live server. Classic. That was enough — I moved everything to atomic releases that week and I haven't had a deploy-window outage since. The good news: you don't…
Laravel Queues: A Supervisor Config That Actually Survives Production
Most Laravel queue setups work fine in dev and fall apart quietly in prod. Here's the Supervisor config I've landed on after too many silent failures.
The default Laravel queue Supervisor config in the docs will get you started. It will also let jobs silently disappear after a Redis restart, leave zombie workers after a deploy, and OOM-kill your workers with no restart if you're not paying close attention. I've been burned by all three. Here's what I actually run…
Feature Flags: Write Your Own or Pay for LaunchDarkly?
I've rolled my own feature flags a dozen times and used LaunchDarkly on two projects. Here's the honest inflection point between them.
I've built feature flag systems from scratch more times than I can count, and I've also wired up LaunchDarkly on two production projects. The honest answer to "which should I use" is not the one most blog posts give you. Most posts either sell you on LaunchDarkly immediately or tell you it's overkill. Both are…