Roberto Empijei Clapis
@empijei.bsky.social
Security Toolsmith

Posts mostly about Go, banter, web development, security and cooking.

https://empijei.science
Reposted by Roberto Empijei Clapis
Does widespread browser implementation of the Sec-Fetch-Site HTTP header mean we can protect against CSRF attacks without needing those hidden form tokens? It looks like the answer may be a cautious "yes"! simonwillison.net/2025/Oct/15/...
A modern approach to preventing CSRF in Go
Alex Edwards writes about the new http.CrossOriginProtection middleware that was added to the Go standard library in version 1.25 in August and asks: Have we finally reached the point where …
simonwillison.net
October 15, 2025 at 5:07 AM
Go on bare metal and no OS-specific code, would love for this to be accepted.

github.com/golang/go/is...
proposal: all: add bare metal support · Issue #73608 · golang/go
Proposal Details This proposal follows updates on the TamaGo project, which brings bare metal execution for Go on AMD64, ARM and RISCV64 targets. While similar proposals (see #37503 and #46802) hav...
github.com
May 6, 2025 at 11:06 AM
I think I found an excellent use for vibe coding.

If you're writing complex code with many branches, nuances or that processes untrusted inputs, you should really invest time fuzzing it.

The problem with fuzzing is that it yields the best results when you can write strong assertions on the results
May 3, 2025 at 5:49 AM
🔐 The Cybersecurity Bootcamp is coming
mailchi.mp
March 25, 2025 at 2:46 PM
I reckon we will soon see a growing demand for software engineers that can (and do) work without LLM assistance.
February 22, 2025 at 8:32 PM
My talk on accepting complex inputs with simple code is out 😊

Thanks @golab.io for the amazing conference!

youtu.be/Z11suX8ubGo?...
Accepting complex inputs with simple code - Roberto Clapis
YouTube video by GoLab conference
youtu.be
January 23, 2025 at 5:26 AM
After 6 years, last night I resumed writing about concurrency.

Here is how to implement a chan with unlimited buffer in Go:

blogtitle.github.io/go-advanced-...
Go advanced concurrency patterns: part 4 (unlimited buffer channels) - Blog Title
blogtitle.github.io
December 17, 2024 at 11:55 AM
One of the best tools I've seen to convert between various encodings.

Thanks @miki.it for suggesting it.

gchq.github.io/CyberChef/
CyberChef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
gchq.github.io
December 14, 2024 at 9:06 AM
I swear I didn't turn into an endorsement bot, but I found another yt channel to suggest, especially for new devs: youtube.com/@devtoolsmad...
Dev Tools Made Simple
#code #codingtips #softwaredevelopment #programming Welcome to Dev Tools Made Simple, your one-stop YouTube channel for all things related to software development tools and programming best practic...
youtube.com
December 10, 2024 at 9:03 AM
I've been following the "chrome for developers" advent calendar lately and I'm very impressed at how much the web platform has evolved in the past few years.

Strongly advise: youtube.com/@chromedevs?...
Chrome for Developers
Helping you build, grow and innovate on the web. Chrome will disable third-party cookies for 1% of users from the start of 2024. Test your site now for any breakages → https://goo.gle/3NielGG
youtube.com
December 9, 2024 at 10:27 AM
They found a full accounts.google.com compromise to get my password 🔑

That was quite the overkill, but helped fix a very scary bug.

bughunters.google.com/blog/6355265...
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...
bughunters.google.com
December 4, 2024 at 10:23 PM
Reposted by Roberto Empijei Clapis
Happy to publish the effort of my last five years: Security Signals.

research.google/pubs/securit...
Security Signals: Making Web Security Posture Measurable At Scale
research.google
November 17, 2024 at 1:02 PM
I remember it took me months to do what should have taken days while I was at Google due to red tape and sledge hammer approaches for every single choice one could make.

People got promoted for putting those in place.

Setting the right metrics in performance evaluation should be the first step.
Uhoh, VCs are going to try to innovate their way out of the problem of software engineers. Perhaps this means the AI hype machine will spiral so hard out of control it will finally spin right up its own ass and disappear.
The Great Tech Wake-Up Call: VCs Discover Billions Wasted On Inefficient Engineering Teams
A viral social media thread by tech industry figure Deedy Das has ignited a fierce debate about engineering productivity at some of America's largest technology compan...
www.forbes.com
November 28, 2024 at 4:28 PM
I am considering creating a web security (defense) playbook for developers, can anybody suggest some good web security guides/blog posts that are already available? Everything I've found is lacking at best.

My target audience would be devs.
November 23, 2024 at 7:23 PM
Reposted by Roberto Empijei Clapis
testing/synctest just hit master for #golang 1.24 😭🎉

go-review.googlesource.com/c/go/+/629735

A godsend for anyone writing integration tests.

I am definitely not rushing to update my slides for "What's coming in Go 1.24" at London Gophers in... two hours 😱
Gerrit Code Review
go-review.googlesource.com
November 20, 2024 at 4:37 PM
Should the Go iter package (or a sub package) expose functions like Map or Filter?
November 19, 2024 at 9:27 PM