AI 资讯
Make your content answer-first so AI models actually cite it
If you want ChatGPT or Google's AI Overviews to quote your pages, structure matters more than volume. Retrieval systems favor passages where the answer is stated plainly and can stand alone. Here's a practical way to test and fix your content. Step 1 — Define the question the page answers Write it as a literal user query. How much does a website cost for a small business in the UK? Step 2 — Extract your current answer passage Copy the first two or three sentences from your page. Paste them somewhere without any extra context. Ask yourself: Does this work as a direct answer? If it only makes sense after reading earlier paragraphs, it doesn’t pass the extraction test. Step 3 — Rewrite answer-first Lead with the conclusion, stated as a fact, then support it. Before: "We get asked about pricing a lot, and honestly it's one of the trickiest questions to answer..." After: "A small-business website in the UK typically costs £1,500–£6,000 for a brochure site and £6,000–£20,000+ for e-commerce. The price depends on three things: page count, payment functionality, and custom vs template design." Step 4 — Test extractability with a model Send the passage to an LLM and check whether it returns a clean, single answer. Use a system prompt that mimics retrieval behavior. System: You are a retrieval system. From the passage below, extract the single most direct answer to the user's question. If no self-contained answer exists, reply "NO_EXTRACTABLE_ANSWER". User question: How much does a website cost for a small business in the UK? Passage: If you get NO_EXTRACTABLE_ANSWER or a vague summary, your structure needs work. Step 5 — Reinforce with structured data Markup question and answer pages with FAQPage schema so the question/answer pairing is machine-readable as well as human-readable. json { " @context ": " https://schema.org ", "@type": "FAQPage", "mainEntity": [{ "@type": "Question", "name": "How much does a website cost for a small business in the UK?", "acceptedAnswer": { "@t
AI 资讯
دليل عملي لاختبار التحميل لواجهات API باستخدام أرتيلري
Artillery هي مجموعة أدوات مفتوحة المصدر لاختبار التحميل مبنية على Node.js. تتيح لك توليد حركة مرور عالية التزامن على واجهة برمجة التطبيقات (API) من خلال ملف YAML بسيط: تحدد مراحل التحميل، تصف تدفقات الطلبات، تشغل artillery run script.yml ، ثم تقرأ نسب زمن الاستجابة المئوية، معدلات الطلبات، وعدد الأخطاء. يشرح هذا الدليل طريقة تثبيت Artillery v2، كتابة اختبار عملي، تشغيله، استخراج النتائج بالطريقة الصحيحة في v2، وربطه بمسار CI. جرّب Apidog اليوم ما هو Artillery ومتى تستخدمه؟ ينشئ Artillery مستخدمين افتراضيين (VUs) يرسلون طلبات إلى نقاط النهاية لديك ويقيسون قدرة النظام على تحمل الحمل المستمر. المستخدم الافتراضي هو عميل مُحاكى ينفذ سيناريو خطوة بخطوة، كما يفعل مستخدم أو خدمة حقيقية. استخدم Artillery عندما تريد إجابات عملية على أسئلة الأداء مثل: كيف يتغير زمن الاستجابة p95 عند 50 طلبًا في الثانية؟ عند أي معدل وصول تبدأ الأخطاء بالظهور؟ هل تبقى واجهة API مستقرة لمدة 5 دقائق من الحمل المستمر؟ هل يتدهور الأداء تدريجيًا مع استمرار الضغط؟ الميزة الأساسية في Artillery أن الاختبار تصريحي. بدل كتابة حلقات تزامن يدويًا، تصف شكل الحمل في YAML. وبما أنه يعمل فوق Node.js، يمكنك تشغيل نفس الاختبار محليًا وفي CI. إذا كنت تقارن الأدوات، راجع ملخص أفضل أدوات اختبار التحميل و مقارنة برامج اختبار التحميل لفهم الفروقات بين k6 وJMeter وGatling وغيرها. تثبيت Artillery v2 اسم الحزمة هو artillery ، والإصدار الرئيسي الحالي هو v2. ثبته عالميًا عبر npm: npm install -g artillery@latest artillery version تحتاج إلى إصدار LTS حديث من Node.js. يعمل Artillery على Windows وmacOS وLinux. إذا كنت لا تريد تثبيت الحزمة عالميًا، استخدم npx : npx artillery@latest run script.yml كتابة اختبار Artillery يتكون ملف الاختبار من قسمين أساسيين: config : يحدد الهدف ومراحل الحمل والمتغيرات. scenarios : يحدد ما يفعله كل مستخدم افتراضي. مثال كامل: config : target : " https://api.example.com" phases : - name : " Warm up" duration : 60 arrivalRate : 5 - name : " Ramp to peak" duration : 120 arrivalRate : 5 rampTo : 50 - name : " Sustained load" duration : 300 arrivalRate : 50 maxVusers : 500 variables : productId : - " 100
AI 资讯
Hướng dẫn chạy kiểm thử API Apidog CLI trên Drone CI
Bạn có thể chạy bài kiểm tra API của Apidog CLI trong Drone CI bằng một bước Docker dùng ảnh Node, cài apidog-cli , rồi gọi apidog run với test scenario và environment tương ứng. Token Apidog nên được lưu trong Drone Secret và inject vào pipeline bằng from_secret . Bài viết này cung cấp cấu hình .drone.yml có thể copy-paste, cách quản lý secret, giới hạn chạy theo branch/event và cách xuất báo cáo khi Drone không có artifact storage tích hợp sẵn. Dùng thử Apidog ngay hôm nay Drone CI là gì và hoạt động như thế nào Drone là nền tảng CI/CD mã nguồn mở, chạy theo mô hình container-native và hiện là một phần của Harness. CI/CD là thực hành tự động build, test và phân phối phần mềm trên mỗi thay đổi mã nguồn. Nếu cần ôn lại nền tảng, xem thêm CI/CD là gì . Điểm quan trọng của Drone: mỗi step trong pipeline chạy trong một Docker container riêng. Bạn chọn image cho từng step, sau đó Drone chạy các command trong container đó. Cách này giúp pipeline dễ tái tạo, dễ debug và không phụ thuộc vào một build agent đã cài sẵn nhiều công cụ. Pipeline được khai báo trong file .drone.yml ở thư mục gốc repository. Một Docker pipeline thường có: kind type name steps Ví dụ tối thiểu: kind : pipeline type : docker name : api-tests steps : - name : greeting image : alpine commands : - echo hello - echo world Drone chạy commands như shell script với cơ chế fail-fast. Nếu một command trả về exit code khác 0 , build sẽ fail. Working directory mặc định là thư mục gốc của repository. Vì sao nên chạy API test trong container step API test giúp phát hiện sớm các thay đổi phá vỡ contract, ví dụ: response schema thay đổi ngoài ý muốn status code khác kỳ vọng field bắt buộc bị thiếu logic xác thực hoặc phân quyền bị lỗi Với Apidog, bạn thiết kế và duy trì test scenario trong UI, sau đó chạy lại chính các scenario đó từ CLI. CI không cần giữ thêm collection file riêng hoặc viết lại test script. Để xem thêm về cách đưa API testing vào pipeline, đọc các phương pháp hay nhất về CI/CD cho kiểm tra API .
AI 资讯
Set Up Ollama with OpenClaw: Run Local AI Models Inside Agent Workflows
AI agents are not useful just because they can answer prompts. They become useful when they can work with tools, files, workflows, commands, and real project context. That is why pairing Ollama with OpenClaw makes sense. Ollama lets you run local AI models. OpenClaw gives those models a practical agent workflow layer, so you can test how local models behave in something closer to a real working setup. What You Will Set Up In this guide, you will set up: Ollama for running local models A local model such as Mistral or Llama OpenClaw for agent workflow control The OpenClaw gateway and dashboard A basic local-first AI agent setup The goal is simple: run local models inside an agent workflow instead of only testing them in a chat window. Why Use Ollama with OpenClaw? Most local model testing looks like this: ollama run mistral That is fine for checking whether a model responds. But agent workflows need more than a response. They need: tool access project context file awareness safe execution repeatable workflows a dashboard or control layer OpenClaw helps with that agent workflow layer. So instead of asking: Can this model answer a prompt? You can test: Can this model actually work inside my AI agent workflow? That is a much better question. Step 1: Install Ollama First, install Ollama on your machine. After installation, check that it is working: ollama list If Ollama is not running, start it: ollama serve You can also test the local API: curl http://127.0.0.1:11434/api/tags If you get a response, Ollama is running correctly. Step 2: Pull a Local Model Now pull a model. For basic testing: ollama pull mistral Then run it: ollama run mistral You can use another model if your machine has enough resources. For simple testing, smaller models are fine. For coding, planning, and multi-step agent tasks, stronger models usually perform better. Tiny models are cheap and fast, but expecting them to behave like senior engineers is how humans invent disappointment at scale. Step 3:
AI 资讯
Build an AI dubbing pipeline: faster-whisper + XTTS-v2 + FFmpeg
TL;DR We're building a script that takes a video in English and produces the same video narrated in Spanish, in a cloned version of the original speaker's voice. Stack: faster-whisper for timestamped transcription, an LLM (or any MT engine) for translation, XTTS-v2 for voice-cloned synthesis, FFmpeg for surgery. We'll also handle the problem every demo skips: translated audio that doesn't fit its time slot. 📦 Code: github.com/USER/repo (replace before publishing) If you'd rather start from a finished system, Softcatala's open-dubbing and KrillinAI are full pipelines behind one CLI. This post builds the minimal version by hand so you understand what those tools are doing, and where they break. 0. Setup and a licensing warning ⚠️ Python 3.10–3.12. The original Coqui company shut down in early 2024; the maintained fork of their TTS library is published by Idiap as coqui-tts : $ python -m venv dub && source dub/bin/activate $ pip install faster-whisper coqui-tts $ ffmpeg -version | head -1 # 6.0+ is fine, 8.x current ⚠️ Note: the XTTS-v2 model weights ship under the Coqui Public Model License, which restricts commercial use. Prototype freely, but before dubbed videos ship to paying customers, someone must read that license and possibly swap the synthesis step for a commercially licensed model or paid API. Voice cloning also requires the speaker's consent. Get it in writing. 1. Extract audio and transcribe with word timestamps 🎙️ # pull mono 16k audio for the ASR step $ ffmpeg -i input.mp4 -vn -ac 1 -ar 16000 -y source.wav # dub/transcribe.py from faster_whisper import WhisperModel model = WhisperModel ( " large-v3-turbo " , compute_type = " int8 " ) segments , info = model . transcribe ( " source.wav " , word_timestamps = True ) lines = [] for seg in segments : lines . append ({ " start " : seg . start , " end " : seg . end , " text " : seg . text . strip (), }) print ( f " language= { info . language } segments= { len ( lines ) } " ) The timestamps are the skeleton of
AI 资讯
Probing FFmpeg's av1_vulkan encoder: does your GPU actually support it?
TL;DR FFmpeg 8.x includes av1_vulkan , the first cross-vendor GPU AV1 encoder in mainline FFmpeg. We'll probe whether your GPU + driver actually expose AV1 encode, run a first working encode, benchmark it against SVT-AV1 on your own content, and talk about which jobs deserve it. 📦 Code: github.com/USER/repo (replace before publishing) Until FFmpeg 8.0 ("Huffman", released August 2025), GPU AV1 encoding meant picking a vendor: av1_nvenc for NVIDIA RTX 40+, av1_amf for AMD, av1_qsv for Intel Arc. Three code paths, three sets of flags, three driver stacks. The Vulkan Video encode work gives FFmpeg one encoder that reaches all three vendors through the standard VK_KHR_video_encode_av1 extension. The catch: driver support is a lottery. Plenty of capable hardware sits behind drivers that don't expose the encode extension yet. So before any pipeline decisions, we probe. 1. Check what you're running You want FFmpeg 8.x (8.1.2 is current as of late June 2026) built with Vulkan support, plus the vulkaninfo tool from the Vulkan SDK / vulkan-tools package. $ ffmpeg -version | head -1 ffmpeg version 8.1.2 Copyright ( c ) 2000-2026 the FFmpeg developers $ ffmpeg -hide_banner -encoders | grep vulkan V....D av1_vulkan AV1 ( Vulkan ) ( codec av1 ) If av1_vulkan doesn't appear, your build wasn't compiled with --enable-vulkan (distro packages vary; the BtbN static builds and most 8.x distro packages include it). 2. Probe the driver for AV1 encode 🔍 The encoder existing in FFmpeg means nothing if the driver doesn't expose the extension. This is the step that separates "should work" from "works": $ vulkaninfo | grep -iE "video_encode_(av1|queue)" VK_KHR_video_encode_av1 : extension revision 1 VK_KHR_video_encode_queue : extension revision 12 You see Meaning Both extensions listed You can encode AV1 via Vulkan 🎉 Only video_encode_queue Driver does Vulkan encode, but not AV1 (maybe H.264/H.265 only) Neither Driver too old, or GPU lacks an AV1-capable video engine Rough hardware floor: the
AI 资讯
Ship a 'Go Live' button: OBS in, LL-HLS out, webhooks in between
TL;DR We're adding live streaming to a SaaS dashboard: a backend endpoint that creates a stream, OBS as the broadcaster over RTMPS, LL-HLS playback with hls.js, and a webhook handler that keeps the UI honest. Working "go live" flow in an afternoon. 📦 Code: github.com/USER/repo (replace before publishing) Webinars, coaching sessions, company town halls: sooner or later your product gets the "can users go live?" ticket. The hard parts (ingest servers, transcoding, CDN delivery) are exactly the parts you should not build. We'll use FastPix as the managed layer here; the same flow works nearly line-for-line on Mux, Cloudflare Stream, or api.video. What we're building: A backend endpoint that creates a live stream and returns a stream key An OBS setup broadcasters can follow in two minutes A viewer page playing LL-HLS with hls.js A webhook handler that flips the webinar between scheduled → live → ended 1. Create the stream server-side 🛠️ You need API credentials (Access Token ID + Secret Key). FastPix uses Basic auth on the server API. Node 20.x, plain fetch , no SDK required (though official Node.js/Python/Go/Ruby/PHP/Java/C# SDKs exist if you prefer). // server/routes/streams.js import { Router } from " express " ; const router = Router (); const AUTH = " Basic " + Buffer . from ( ` ${ process . env . FP_TOKEN_ID } : ${ process . env . FP_SECRET } ` ). toString ( " base64 " ); router . post ( " /webinars/:id/stream " , async ( req , res ) => { const r = await fetch ( " https://api.fastpix.io/v1/live/streams " , { method : " POST " , headers : { " Content-Type " : " application/json " , Authorization : AUTH }, body : JSON . stringify ({ playbackSettings : { accessPolicy : " public " }, }), }); if ( ! r . ok ) return res . status ( 502 ). json ({ error : " stream create failed " }); const stream = await r . json (); // persist against your webinar row: // streamId, streamKey (SECRET!), playbackId await db . webinar . update ( req . params . id , { streamId : stream . str
AI 资讯
Part 1 — Container hoá app & chạy trong Kubernetes local
Bạn sẽ học gì Sau bài này, bạn sẽ tự tay đưa một app từ số 0 (một thư mục trống) đến chạy được bên trong một cluster Kubernetes chạy trên máy của bạn . Cụ thể: Viết một app Todo API nhỏ bằng Node.js + Express. Đóng gói (container hoá) nó thành một Docker image. Tạo một cluster Kubernetes local bằng kind . Deploy app bằng file YAML "thật" (không dùng lệnh tắt) để hiểu Kubernetes vận hành thế nào. Truy cập app đang chạy trong cluster từ máy của bạn. Đây là Part 1 trong series "DevOps 101 — Học K8s, Helm, ArgoCD từ số 0" . Cả series dùng chung một app tên todo-ops , các part sau sẽ xây tiếp lên nền này (thêm database, config, ingress, Helm, GitOps với ArgoCD). Điều kiện tiên quyết Docker (hoặc Docker Desktop / OrbStack) — đang chạy. kind — công cụ tạo cluster Kubernetes trong Docker. kubectl — CLI để nói chuyện với Kubernetes. Node.js 20+ và npm — để chạy thử app local. git — để quản lý mã nguồn. Cài đặt Chọn theo hệ điều hành của bạn. macOS (dùng Homebrew — nếu chưa có, cài trước): # Cài Homebrew (bỏ qua nếu đã có) /bin/bash -c " $( curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh ) " # Docker Desktop (hoặc OrbStack: brew install --cask orbstack) brew install --cask docker # Các CLI còn lại brew install kind kubectl node git Sau khi cài xong, mở Docker Desktop (hoặc OrbStack) và chờ nó báo Running trước khi chạy tiếp. Linux (Ubuntu/Debian): # Docker Engine curl -fsSL https://get.docker.com | sh sudo usermod -aG docker " $USER " # cho phép chạy docker không cần sudo (đăng xuất/đăng nhập lại để có hiệu lực) # kubectl curl -LO "https://dl.k8s.io/release/ $( curl -Ls https://dl.k8s.io/release/stable.txt ) /bin/linux/amd64/kubectl" sudo install -m 0755 kubectl /usr/local/bin/kubectl && rm kubectl # kind curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 sudo install -m 0755 kind /usr/local/bin/kind && rm kind # Node.js 20 (qua NodeSource) + git curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - sudo apt-get insta
AI 资讯
The Turborepo + Bun + Biome stack behind a 40-package monorepo
Forty packages, one maintainer, and no ESLint config anywhere in the repo. That is not a boast - it is the direct result of a decision made early: every tool in the toolchain has to earn its place by governing all forty packages from one config file, not forty. The repo is flare-engine , a modular 2D engine for React Native + Web (animation, gamification, interactive UI, with games as showcases - not a game engine, not a Unity or Godot competitor). The stack behind it is Turborepo Bun Biome , and this post is the actual setup: the real turbo.json , the real biome.json , the real CI guardrail, straight from the repo (trimmed only where a config is long, and I say so where I trim), not a starter template's idealized version. Four binaries, four root configs - turbo.json , biome.json , tsconfig.base.json , and the Changesets config - each governing all forty packages at once (Bun's own "config" is just the workspaces array in the root package.json ). Plus a CI step that fails the build the moment a package imports something it shouldn't. That is the whole story, and I want to show you the files, not describe them. Four binaries, not twelve config files The thesis is narrow: a solo maintainer can keep forty packages honest only if there is exactly one config of each kind, and every package extends it rather than declaring its own variant. Twelve packages each with a slightly different ESLint config is not a monorepo, it is twelve monorepos wearing a workspace file as a costume. Here is the root package.json that runs all of it - Bun workspaces (not pnpm; that distinction matters and I will say it again below), the script table every package leans on, and the pinned package manager: // C:\_PROG\flare-engine-workspace\flare-engine\package.json { "name" : "flare-engine" , "version" : "0.0.0" , "private" : true , "workspaces" : [ "packages/*" , "benchmarks" , "apps/*" ], "scripts" : { "build" : "turbo build" , "test" : "turbo test" , "lint" : "turbo lint" , "typecheck" : "t
AI 资讯
A pending-plugin-count badge on the 🔌 button — reusing the dashboard cache instead of doubling state
A client asked: " After I run a cross-site update check, can each site show — right in the site list — how many plugin updates are still pending? " Visually the answer was obvious: a small red badge on the top-right of the 🔌 plugins button, like an unread-notification count. Easy to specify. The harder question was where the data comes from . We could have added a fresh API endpoint and a new cache to hold "pending count per site." But doing that would have doubled state management , and we already had a cache that knew this. We routed through the existing one. Here's the reasoning behind that decision. Reuse the dashboard cache as the data source The cross-site updates dashboard (the one we wrote about in killing the 24.5-second silence with a cache-first design ) already kept each site's pending plugins in a localStorage-backed state called _updatesDashState . Its shape: _updatesDashState = { sites : [ { site_id : " abc... " , plugins : [ {...}, {...}, {...} ] }, { site_id : " def... " , plugins : [ ... ] }, ], total_pending_count : 12 , loadedAt : 1748600000000 , } Look up by site_id , take plugins.length , and you have the badge's number. No new API, no new cache. The data that powers the cross-site dashboard is also the data that powers the site-list badge. The win of not adding state is quiet but real: When a maintenance run invalidates _updatesDashState , the badge disappears automatically (no sync code to write) The TTL (originally 7 days; later extended to 30 days with partial invalidation ) inherits from the existing design The badge and the underlying count can't drift — there's no second copy to fall out of step There's always a temptation to spin up a new endpoint for a new UI element. The rule we settled on: if the existing state answers it, don't add more. Attaching the badge — consolidate into helpers Both the list view and grid view need the same badge on the 🔌 button, so the logic lives in helpers. function _getPendingPluginCountForSite ( siteId )
AI 资讯
How to Use Stream Analyzers for Digital TV Broadcasting: A Practical Guide
Part 1: Solving GOP Structure and Compatibility Issues Operating a digital television network isn't just about keeping channels on air—it's about maintaining quality that viewers expect and troubleshooting issues before they escalate. When something goes wrong in live broadcasting, every second counts. But how do you quickly pinpoint whether the problem lies in encoder settings, transport stream structure, or temporal metadata? This is where specialized stream analysis tools become essential. In this series of articles, we'll walk through real-world scenarios that broadcast engineers face daily and show practical approaches to diagnosing and resolving them. When File Analysis Becomes Critical While live monitoring catches issues as they happen, file-based analysis is your diagnostic microscope. Here's the typical workflow: something breaks in production, engineers capture a few minutes of the problematic stream, and now they need to understand exactly what went wrong. File analyzers serve three primary purposes: Troubleshooting: Identifying the root cause of broadcast issues Encoder optimization: Fine-tuning compression settings Quality control: Validating compliance with standards and specifications Let's explore how this works in practice with actual tools and techniques. The GOP Structure Problem Here's a scenario every broadcast engineer has encountered: legacy set-top boxes or older TV models suddenly can't play your stream. The audio works, video starts and stops, or you see freezing. The culprit? Often, it's the GOP (Group of Pictures) structure. H.264 has been around since 2003—over 20 years. Almost everything supports it, yet you'll still find legacy equipment that struggles with certain configurations. Specifically, the number of B-frames can make or break compatibility. Why B-frames matter: They enable lower bitrates while maintaining quality by increasing encoding complexity through bidirectional prediction. But this comes at a cost—a more complex refere
开发者
How to Monitor Website Changes Automatically (Visual Diff Tutorial)
How to Monitor Website Changes Automatically I run a few websites and need to know immediately when something breaks. A CSS regression, a broken layout, a missing section. Manual checking doesn't scale, and text-based monitoring misses visual issues. The {{screenshot-diff}} on Apify takes two screenshots and produces a pixel-level comparison with an overlay showing exactly what changed. How It Works Take a baseline screenshot of the correct state. Then take a current screenshot of the live page. The actor compares pixel by pixel and returns a diff image with changed pixels highlighted, plus a percentage telling you how much changed. import requests , time API_TOKEN = " YOUR_APIFY_TOKEN " def capture_screenshot ( url ): resp = requests . post ( " https://api.apify.com/v2/acts/weeknds~website-screenshot-api/runs " , headers = { " Authorization " : f " Bearer { API_TOKEN } " }, json = { " url " : url , " fullPage " : True } ) run_id = resp . json ()[ " data " ][ " id " ] time . sleep ( 15 ) items = requests . get ( f " https://api.apify.com/v2/acts/weeknds~website-screenshot-api/runs/ { run_id } /dataset/items " , headers = { " Authorization " : f " Bearer { API_TOKEN } " } ). json () return items [ 0 ][ " screenshotUrl " ] def compare_screenshots ( baseline_url , current_url ): resp = requests . post ( " https://api.apify.com/v2/acts/weeknds~screenshot-comparison-tool/runs " , headers = { " Authorization " : f " Bearer { API_TOKEN } " }, json = { " baselineImageUrl " : baseline_url , " currentImageUrl " : current_url , " threshold " : 0.01 } ) run_id = resp . json ()[ " data " ][ " id " ] time . sleep ( 10 ) items = requests . get ( f " https://api.apify.com/v2/acts/weeknds~screenshot-comparison-tool/runs/ { run_id } /dataset/items " , headers = { " Authorization " : f " Bearer { API_TOKEN } " } ). json () return items [ 0 ] baseline = capture_screenshot ( " https://mysite.com " ) current = capture_screenshot ( " https://mysite.com " ) result = compare_screenshots ( b
AI 资讯
OWASP Top 10 #1: Understanding Broken Access Control (Beginner's Guide)
Disclaimer: I'm currently learning web security through OWASP and PortSwigger Web Security Academy. These are my beginner-friendly notes rewritten as a blog to help reinforce my understanding. If you're just starting out, I hope this makes the topic easier to understand. What you'll learn: In this article you'll learn: ✔ What Broken Access Control is ✔ Vertical Privilege Escalation ✔ Security by Obscurity ✔ Parameter-Based Access Control ✔ Platform Misconfiguration ✔ Horizontal → Vertical Escalation ✔ IDOR ✔ Lessons learned from PortSwigger labs Concept Map: What is Broken Access Control? Broken Access Control happens when a user is able to access data, pages, or perform actions that they are not supposed to . Why should you care? Broken Access Control has ranked #1 in the OWASP Top 10 (2021) because it can expose sensitive data, allow privilege escalation, and let attackers perform actions they should never be able to perform. Think of a website with two types of users: Normal User Admin A normal user should only be able to view their own profile and perform basic actions. An admin, however, can manage users, delete accounts, change settings, etc. If a normal user somehow gains access to those admin features, that's Broken Access Control . In interview terms: Broken Access Control is the failure to properly enforce authorization, allowing users to perform actions beyond their intended permissions. 1. Vertical Privilege Escalation Vertical Privilege Escalation means moving up the permission hierarchy. Example: Normal User ↓ Admin A normal user should never be able to become an administrator. 1.1 Unprotected Functionality One of the simplest forms of Broken Access Control is Unprotected Functionality . Imagine a website has an admin page: /admin The developer removes the Admin button from the normal user's dashboard. Problem solved? No. If a user manually visits: /admin and the server doesn't verify whether they're actually an admin, the page opens. The mistake here
开发者
INTO Coding...
Hi folks! This is Mark Tony , a fresher to this field of technology from the UG Physics background. In a way, I'm pursuing my desire which I missed during my college days. My new venture begins along with @payilagam_135383b867ea296 Where I'm doing my Full stack developer course right now. I'm excited and enthusiastic about learning and becoming a developer. Dev community kick starts my journey 😉😊
AI 资讯
A "days since last maintenance" badge — color-coding staleness across many sites
When you maintain a number of WordPress sites, showing the "last maintenance date" in the site list is the obvious move. A column of dates like 2026-05-21 . But in actual use, that alone falls short. A client put it well: "Besides the last maintenance date, it'd help to also show how many days have passed . And it'd be even better if the color changed at 15 / 30 / 60 days so I can see the risk level ." This post walks through that step — from "absolute date" to "relative elapsed days + color" — including the small design details. Why a date alone isn't enough An absolute date like 2026-05-21 is precise, but it pushes the "difference from today" calculation onto the user's head . Fine for five sites; as the managed set grows, reading "which ones are getting neglected" off a column of dates gets hard. The point of a maintenance inventory is to grasp which sites need attention at a glance. If so, what you should surface is less the absolute date and more the relative quantity — " how many days since the last maintenance " — and ideally let color convey "how many days until it's risky." The client's request landed exactly on this "absolute → relative + risk" shift. Four-tier color coding We went with four tiers by elapsed days. A small badge like (15 days ago) sits right after the last-maintenance date, and the color changes by threshold. Elapsed tier color meaning 0–14 days fresh green recently maintained, fine 15–29 days normal gray standard 30–59 days warn amber needs attention 60+ days danger red needs action green → gray → amber → red — just scrolling the list, "lots of red here" or "a cluster of sites I haven't touched lately" jumps out visually. The badge also gets a hover tooltip ("N days since last maintenance") to back up the number's meaning. Consolidate into helper functions The display logic is called from multiple places (list view, grid view), so scattering inline day calculations would be a DRY violation. We consolidated into a set of helpers. // Returns
AI 资讯
How to criar Dockerfiles eficientes com multi stage builds
Multi stage builds sao uma das melhores features do Docker para manter imagens pequenas e organizadas. Vou mostrar como aplicar isso em um projeto Python real. Crie um arquivo app.py simples: # app.py def main(): print("Hello from a multi stage build") if __name__ == "__main__": main() Agora crie o Dockerfile sem multi stage: FROM python:3.12-slim WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt COPY . . CMD ["python", "app.py"] Essa imagem inclui o pip, o cache do pip e ferramentas de build que nao precisamos em producao. O resultado e uma imagem maior que o necessario. Com multi stage builds separamos o ambiente de build do ambiente final. Veja o mesmo Dockerfile com dois stages: FROM python:3.12-slim AS builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt FROM python:3.12-slim WORKDIR /app COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages COPY . . CMD ["python", "app.py"] O primeiro stage instala as dependencias. O segundo stage copia so o que importa. O resultado e uma imagem final muito menor. Para construir e ver o tamanho: docker build -t minha-app . docker images | grep minha-app Para linguagens compiladas como Go o ganho e ainda maior. Veja um exemplo com uma aplicacao Go: FROM golang:1.23 AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -o /app/server FROM scratch COPY --from=builder /app/server /server CMD ["/server"] A imagem final comeca do zero (scratch). Nao tem shell, sistema operacional, nem ferramentas de build. So o binario compilado. Uma dica pratica: sempre nomeie seus stages com AS para facilitar a leitura. Use nomes como builder, test, ou dev. Isso ajuda a saber o que cada stage faz sem precisar contar linhas. That's all for now. Thanks for reading!
AI 资讯
How to Use FFmpeg with Swift (No Installation Required)
Originally published at ffmpeg-micro.com You need server-side video processing in your Swift app. Maybe you're building a Vapor backend that transcodes user uploads, a macOS utility that batch-converts media files, or a command-line tool that generates thumbnails. FFmpeg is the standard tool for the job, but getting it into a Swift project isn't as simple as adding a package dependency. Running FFmpeg from Swift with Process Swift's Foundation framework provides the Process class for running external commands. If FFmpeg is installed on the machine, you can shell out to it directly: import Foundation let process = Process () process . executableURL = URL ( fileURLWithPath : "/opt/homebrew/bin/ffmpeg" ) process . arguments = [ "-i" , "input.mp4" , "-c:v" , "libx264" , "-crf" , "23" , "-preset" , "medium" , "-c:a" , "aac" , "-b:a" , "128k" , "output.mp4" ] let pipe = Pipe () process . standardOutput = pipe process . standardError = pipe try process . run () process . waitUntilExit () let data = pipe . fileHandleForReading . readDataToEndOfFile () let output = String ( data : data , encoding : . utf8 ) ?? "" print ( output ) guard process . terminationStatus == 0 else { fatalError ( "FFmpeg failed with exit code \( process . terminationStatus ) " ) } This works on macOS and Linux. Install FFmpeg with brew install ffmpeg on macOS or apt-get install ffmpeg on Ubuntu, point executableURL at the binary, and you're running. But you own that FFmpeg install on every machine. On Linux servers, you're managing the binary across deploys. On macOS CI runners, you're adding Homebrew steps to your build pipeline. And on iOS, Process doesn't exist at all. Processing Video via Cloud API (No FFmpeg Install) Skip the local binary entirely. FFmpeg Micro exposes full FFmpeg capabilities through a REST API. Send a video URL, pick your settings, get processed video back. If you're familiar with how this works in Node.js or Kotlin , the pattern is identical. Here's the basic flow using URLSe
AI 资讯
Performance Testing RAG Applications: Complete Engineering Guide
In this blog post, we will see how to performance test a RAG (Retrieval-Augmented Generation) application properly, covering both speed and correctness, and how to wire both into a CI/CD pipeline so regressions get caught before they reach production. Performance testing a RAG application requires two separate testing gates: one for speed and one for answer quality. Traditional load testing tools measure response times but cannot detect hallucinations, where a model returns fast but factually incorrect answers grounded in fabricated context rather than retrieved documents. The guide demonstrates using k6 for load testing end-to-end latency and DeepEval for evaluating faithfulness and answer relevancy using an LLM-as-judge approach. Both gates are integrated into a GitHub Actions CI/CD pipeline so regressions in either performance or output quality are caught automatically on every pull request before reaching production. If you've come from a JMeter or k6 background like I have, your first instinct with a RAG endpoint is probably to point a load test at it and check response times. That gets you halfway there. A RAG app can return a fast, confident, completely wrong answer, and a plain load test will never tell you that. You need two testing surfaces, not one: performance and quality. This guide covers both, using a single running example throughout: a documentation assistant that answers "How do I run JMeter in non-GUI mode?" against a small knowledge base. Why RAG breaks traditional load testing assumptions A conventional API returns a complete response and you measure the round trip. A RAG endpoint does two expensive things before it answers: it retrieves context from a vector store or search index, then it streams a generated response token by token. That second part matters a lot. A single request can stream hundreds of tokens over several seconds, so "request duration" as a single number hides two very different problems: how long the model took to start answe
AI 资讯
How to Build AI Agents in 2026: The Actually Simple Guide
Building an AI agent sounds complicated. It's not. By the end of this guide, you'll have a working agent that can search the web, remember conversations, and handle multi-step tasks. No frameworks, just TypeScript and an LLM API. What We're Building A research assistant agent that: Takes questions from users Uses tools (web search) when needed Remembers conversation history Handles errors without crashing Runs in about 150 lines of TypeScript This won't be production-ready, but it'll work and you'll understand every line. Prerequisites You need: Node.js 18 or higher Basic TypeScript knowledge An Anthropic API key ( get one free ) That's it. No prior AI experience needed. Setup (5 minutes) # Create project mkdir research-agent cd research-agent npm init -y # Install dependencies npm install @anthropic-ai/sdk dotenv # Install dev dependencies npm install -D typescript @types/node tsx # Initialize TypeScript npx tsc --init Create .env : ANTHROPIC_API_KEY = your-key-here Step 1: Define Your Types Create src/types.ts : export interface Message { role : ' user ' | ' assistant ' ; content : string ; } export interface Tool { name : string ; description : string ; input_schema : { type : ' object ' ; properties : Record < string , any > ; required ?: string []; }; execute : ( input : any ) => Promise < string > ; } Why these types matter: Strong typing prevents bugs. If you change how a tool works, TypeScript tells you everywhere that breaks. Step 2: Create a Simple Tool Create src/tools/search.ts : import { Tool } from ' ../types ' ; export const searchTool : Tool = { name : ' search_web ' , description : ' Search the internet for current information. Use this when you need facts, recent events, or data you do not know. ' , input_schema : { type : ' object ' , properties : { query : { type : ' string ' , description : ' The search query ' , }, }, required : [ ' query ' ], }, execute : async ( input : { query : string }) => { console . log ( `[Tool] Searching for: ${ input
AI 资讯
How I made an AI Agent write in my voice
Let's be honest, AI-written blogs have a certain... vibe. You know it, I know it, and your readers can smell it from the very first paragraph. But here's my take: you can make AI write in your voice, just not with a "generic" prompt. What actually worked for me is an agent skill with three parts: a voice profile built from seven of my real writing samples, a kill list of AI phrases, and a feedback loop that turns my edits into permanent rules. And here comes the twist, the blog you are reading right now is the very first output of that system! So, let me walk you through exactly how I built it, and you can judge for yourself whether it sounds like a human or not. Why does AI writing sound so... AI? Before fixing the problem, let's understand it from the ground up. An LLM is trained on billions of documents, so by default, it writes like the average of all of them. That's where phrases like "in today's fast-paced world"s come from, and those perfectly balanced conclusions that never pick a side. It's not that the model is dumb. It's that the average of a million voices is no voice at all. And your voice is the exact opposite of average. It's the specific way you break grammar rules, and the things you're willing to admit that others won't. I've written multiple technical blogs for different startups including Keploy, Devbytes and many more, and have been blogging on Hashnode since 2023. So when I asked AI to draft posts "in my style" with a simple prompt, the result was always the same: grammatically perfect, structurally neat, and absolutely not me. So, can you actually make AI write in your voice? Well, yes. But you have to show it, not describe it. "Write in a friendly, conversational tone" gives everyone on the internet the same friendly, conversational tone. What you need instead is a system that extracts the mechanics of your writing from real samples, and then enforces them like rules. Mine has three parts. Part 1: The voice profile I gave the agent seven samp