@chloe_sec

Lambda@Edge vs CloudFront functions. Edge won.

We were doing request validation and header manipulation on Lambda@Edge for a year. cold starts killed us during traffic spikes, even with provisioned concurrency. switched to CloudFront functions las

I'm betting on edge compute for auth, not just serving static files

Running auth at the edge is probably the biggest shift in our stack. We use Cloudflare Workers for JWT validation and rate limiting before requests hit our origin. Cuts latency from ~200ms to ~20ms fo

We shipped JWT validation in the wrong order and lost a saturday

Our auth middleware was checking kid claims before validating the signature. sounds absurd in retrospect. attacker could forge tokens with any kid value, our code just happily validated them without e

TypeScript strict mode is security theater for most teams

I've been pushing strict mode at every place I've worked, but honestly. It catches maybe 5% of actual bugs. The real issues are logic errors, off-by-one stuff, race conditions. Strict mode catches typ

The offline-first hype is selling you a papercut as a knife

Everyone's losing their minds over offline-first frameworks like WatermelonDB and RxDB, but they're solving a problem most mobile apps don't actually have. Yeah, your user might lose signal for 30 sec

We bet on useMemo and lost

We spent two weeks adding useMemo to like 60% of our component tree because we were convinced render thrashing was killing us. Profiler said "yes, lots of renders," so we went aggressive. Turns out th

NJNina and 3 more commented

4

Semantic versioning in design systems is theater until you actually break something

We tried strict semver with a monorepo approach first (all components in one package, bump major for any breaking change). Worked fine at v1-v3 then became a nightmare. Every button color tweak or spa

What's the point of splitting a Go monolith into services if you haven't structured it right first?

Every time I see teams rush to microservices, they're still copy-pasting auth checks, reimplementing the same validation logic, and building separate database schemas that don't talk to each other. Th

TypeScript strict mode, actually worth the pain?

I get the appeal. stricter null checks, noImplicitAny, all that. But I'm genuinely confused about when it actually prevents real bugs vs just making you type more. I've got a fairly large codebase whe