FAQ aggregator
Searchable index of 1549 frequently asked questions from our knowledge base. Filter by category or search by keyword.
Glossary (327)
What to pick in 2026?
Axum is the sensible default: clean architecture, tower ecosystem, active development. Actix — if every microsecond matters.
Why Rust on the server over Go?
Zero-cost abstractions + memory safety. Rust keeps latency < 1 ms even under load; Go has GC pauses up to 5 ms.
Async everywhere?
Yes — Tokio multiplexes thousands of connections on one OS thread. Without async, Rust web can't compete with Go/Node.
How is this different from plain WASM?
Older WASM modules exchanged only i32/i64/f32/f64 and pointers in shared memory. Component Model adds rich types.
Production uses?
Fastly Compute@Edge, Cloudflare Workers (experimental), Fermyon Spin.
Why does this matter?
Language-agnostic microservices: write a component in Rust, import it from JS/Python/Go natively — no REST/gRPC/serialization.
WebGPU vs WebGL?
WebGL — graphics only. WebGPU adds compute shaders + a better memory model, mirrors modern backend APIs.
Can I use it already?
For progressive enhancement — yes (Chrome 113+). For production-critical workloads — wait for Firefox stable (2026).
ML in the browser?
WebLLM runs Llama-7B on an RTX 3060 via WebGPU at 20-30 tokens/sec. Not better than server-side, but handy for private workloads.
When is R2 cheaper than S3?
When egress > 10 % of storage cost (image hosting, video, static sites). For rarely-read archival — S3 Glacier is cheaper.
Minimum retention?
None. Unlike S3 Glacier, deletion is free and instant.
Do I need Workers?
No, R2 works standalone via S3 API. Workers are a bonus for transforms/caching.
Worth it for a monolith?
Monolith + single DB — no, plain logs are enough. 3+ microservices — must-have for debugging.
Sampling overhead?
At 1 % sampling — < 1 % CPU on the hot path. At 100 % — 5-10 % in high-throughput services.
Difference vs logging?
Logs — text with context, sorted by time. Trace — structured tree with millisecond durations.
Need a Collector if the SDK has exporters?
Prototype — no, the SDK writes directly. Production — yes: batching, retry, tail-sampling, cross-signal correlation are Collector work.
From: OpenTelemetry Collector
Overhead?
20-50 MB RAM per agent, < 1 % CPU at 10k spans/sec.
From: OpenTelemetry Collector
Contrib vs Core?
Core — OTel-supported components only. Contrib — 100+ community receivers (Redis, Postgres, K8s events).
From: OpenTelemetry Collector
WASI vs Docker?
Docker = linux kernel + container runtime. WASI = capability API, kernel-less isolation, cold-start ~1 ms vs ~100 ms for Docker.
Production-ready?
For CLI, plugins, serverless — yes (Fastly, Shopify). Full web-server on WASI — still experimental (no async sockets in preview2).
Async support?
WASI 0.2 adds async (poll_oneoff). Tokio for WASI — integration in progress.
When serverless container vs Lambda?
Container: long-running, large bundle, GPU, exotic language. Lambda: fast HTTP APIs (<30 s), tight bundle, native Node/Python/Go.
Is scale-to-zero risky?
Low-traffic APIs — no (2 s cold-start is fine). Real-time — keep min-instances >= 1.
Cheapest option for long-running?
Fly.io Machines — $2/month for 256 MB / shared CPU. Cloud Run — pay-per-request, worst when idle.
RSC vs SSR?
Classic SSR: render HTML on server + hydrate whole React client-side. RSC: server components do NOT hydrate, only client ones = less JS.
When to use a client component?
When you need useState, useEffect, onClick, onChange. Everything else — server by default.
Supported by all frameworks?
Next.js 13+ (App Router) — production. Remix — planned. Vanilla React — no (needs bundler + framework).
Streaming vs full SSR?
Full SSR: wait for entire page → send. Streaming: send as each part is ready. Streaming TTFB is 5-10x faster for pages with slow data fetches.
SEO impact?
Googlebot supports chunked streaming. Other crawlers may hit a timeout. For bots: consider a fallback non-streaming route.
Edge CDN support?
Vercel, Cloudflare, Netlify — all support edge streaming. Static pages stay cached, dynamic ones stream.
Edge vs serverless?
Serverless (Lambda): Node.js, 1 region, 100-500ms cold start. Edge: V8 isolates, 300+ regions, 0ms cold start. Edge wins on latency, Lambda on heavy compute.
What is not allowed on edge?
Native modules (sharp, bcrypt), unbounded file I/O, long tasks (>50ms CPU). Use serverless Lambda for those.
Good for APIs?
Yes for simple APIs (auth middleware, redirects, geolocation). For complex DB operations — regular Node.js lambda.
Turbopack vs Vite?
Turbopack: Rust, tightly coupled to Next.js. Vite: esbuild (Go) + Rollup, universal (React, Vue, Svelte). For non-Next projects — Vite.
Production ready?
Dev mode — stable in Next.js 15. Production build — alpha (2026). Wait for v16 for full production.
Migrating from Webpack?
In Next.js — just the --turbo flag. For custom Webpack config — not all loaders are supported; verify compatibility.
Islands vs RSC?
Islands: static-first + explicit hydration. RSC: server-first + automatic client boundaries. Astro best for content sites, RSC best for apps.
Bundle size?
Typical Astro blog: 20-50 KB JS. Next.js App Router: 150-300 KB (framework + runtime).
SEO impact?
Static HTML → excellent SEO. Lighthouse score 100 easily achievable.
Why is SPA hydration a problem?
You download 200 KB React + 50 KB your code, execute it all, re-render server HTML. TBT huge on mobile.
Qwik resumability?
Instead of hydration — serialise closures in HTML attributes, lazy-load on event. Zero initial JS for complex apps.
How to measure?
Lighthouse Speed Index + TBT. Partial hydration cuts from 3s → 0.3s on a typical blog.
Framer Motion replacement?
For simple page transitions — yes. For complex interactive animations (drag, spring physics) — Framer Motion / GSAP are better.
Safari support?
Technology Preview 208 (2025) has same-document. Production Safari — not yet. Firefox — also WIP.
SEO impact?
Same-document: no impact (SPA routing). Cross-document: native navigation, crawlers see regular navigation.
Streams vs Promises?
Promise: one result. Stream: a sequence of chunks. For large responses (LLM, file upload) streams are critical — they do not block memory.
Browser support?
100% modern browsers (Chrome 89+, Firefox 102+, Safari 14.5+). Node.js 18+ has full Web Streams API.
Compression Streams?
compressionStream API (2024) — native gzip/deflate via Web Streams. Replaces pako, zlib usage.
Shadow DOM vs iframe?
Shadow: same JS context, same origin, lightweight. iframe: full browsing context, heavyweight, cross-origin isolation. Shadow for widgets, iframe for third-party untrusted content.
Does React use it?
Usually no (React virtual DOM is enough). But a React web components wrapper might. Material UI v6 optionally.
CSS styling from outside?
::part() for exposed parts, :host for host element, CSS custom properties inherit. Tailwind via ::part — possible.
Replace a bundler?
For simple projects — yes. For complex apps (tree-shaking, minification, TypeScript) — still needed. Dev-only without a bundler — workable tradeoff.
esm.sh vs skypack?
esm.sh: active, fast, aggressive caching. skypack.dev: deprecated (2024). Use esm.sh or unpkg.com for 2026.
CORS issues?
Modules need CORS headers. esm.sh, unpkg, jsdelivr — all OK. Self-hosted ES modules on CDN need proper headers.
When lake vs warehouse?
Lake: raw / semi-structured, petabytes, ML training data. Warehouse: structured, BI dashboards, fast queries. Lakehouse — universal compromise.
Cost?
Lake S3: $0.02/GB/mo. Warehouse Snowflake compute: $2-4/credit. For 10 TB: Lake ~$200 storage, Warehouse ~$4k storage+compute monthly.
Data swamp problem?
Lake without governance = swamp. Solutions: data catalog (AWS Glue, Unity Catalog), Iceberg for ACID transactions, schema evolution.
dbt Core vs Cloud?
Core: free, CLI, self-host. Cloud: SaaS + web IDE + scheduling + docs hosting + CI/CD, $100-200/dev/mo. For small teams — core + Airflow; enterprise — Cloud.
From: dbt — Data Build Tool
Alternatives?
SQLMesh (newer, Python-based), Apache Airflow tasks, Dataform (Google). For non-SQL ELT: Fivetran/Airbyte + Python.
From: dbt — Data Build Tool
Incremental models?
materialized="incremental" + unique_key — dbt detects changed rows, runs INSERT/UPDATE only for them. Huge cost savings vs full refresh.
From: dbt — Data Build Tool
Iceberg vs Delta Lake?
Iceberg: open (ASF), multi-engine (Spark, Trino, Flink, Snowflake). Delta: Databricks-led, Spark-first. 2025+ convergence (Delta Uniform reads Iceberg).
Query engines?
Apache Spark, Trino, Dremio, Snowflake, Starburst, Presto, DuckDB, AWS Athena, Google BigQuery. Almost all analytic engines 2025+.
Production reliable?
Yes — Netflix PB-scale since 2019. Apple, Expedia, Pinterest, Adobe — all use it. ACID delivered, schema evolution tested in prod.
Parquet vs CSV?
CSV: human-readable, row-oriented, no schema, no compression. Parquet: binary, columnar, schema embedded, 10-100x smaller. For analytics — always Parquet.
Parquet vs ORC?
Similar columnar formats. ORC: Hive ecosystem history, better indexing. Parquet: broader adoption (Spark default). 2026 — Parquet wins.
Typical size?
CSV 1 GB → Parquet 50-200 MB with Snappy compression (5-20x). ZSTD gives 2-3x better but at CPU cost.
Avro vs Protobuf?
Avro: schema in message/file, dynamic. Protobuf: schema compiled into code. Protobuf more type-safe, but Avro better for streaming with changing schemas.
When Avro vs Parquet?
Avro: streaming (Kafka), one message = one record. Parquet: batch analytics, columnar scans. Complementary.
Need Schema Registry?
For Kafka prod — yes. Enforces schema evolution rules, prevents breaking changes. Confluent Cloud or self-host.
Open-source LLM?
Llama 3 (Meta), Mistral Large, Qwen 2.5, DeepSeek R1 — free weights, MIT/Apache. Performance is approaching GPT-5.
Self-host cost?
70B model needs a server with 2× H100 (~$80k) or cloud GPU $5/h. ROI at > 10M tokens/day.
Hallucinations?
LLMs generate likely text, not facts. Mitigations: RAG (grounding) + fact-check output + low temperature (0.1-0.3 for facts).
RAG vs fine-tuning?
RAG: dynamic knowledge, easy to update, transparent (sources visible). Fine-tune: better style/tone, fixed knowledge. They combine well.
Best chunk size?
512-1024 tokens usually. Larger — context gets diffused, smaller — meaning is lost. Test on your corpus.
Hallucinations in RAG?
Reduced, not eliminated. Prompt: "If answer is not in context, say \"I do not know\"". + chain-of-citations.
Cosine vs euclidean?
Cosine (normalised vectors) — dominant for text/NLP. Euclidean — for images/raw features. Dot product — if vectors are pre-normalised.
Does size matter?
3072 dim ≫ 512 dim in recall on complex queries, but 6x storage + compute. Balance by dataset size + accuracy requirement.
Do I need rerank?
Embedding search — fast but approximate. Rerank (Cohere Rerank, Voyage rerank) — slower but better on top-5. Pipeline: retrieve 50 → rerank top 10.
pgvector vs dedicated vector DB?
pgvector: simplicity (you already run Postgres), up to ~1M vectors. Dedicated: better at >10M, hybrid search, HA. Start with pgvector, migrate if upgrade needed.
Qdrant vs Pinecone?
Qdrant: open source, self-host, fast Rust, $0 cost. Pinecone: managed, no ops, $70+/mo. Enterprise features: Qdrant Cloud or Pinecone.
How to monitor?
Enterno Ping for port 6333 (Qdrant). Monitors for /health endpoint.
Is prompt injection in OWASP?
Yes, #1 in OWASP Top 10 for LLM Applications (2024). Serious threat for production chatbots with tool access.
Can I fully defend?
No. Prompt injection is not fully solvable. Defence in depth: input validation, structured output (JSON schema), rate limit, tool permissions.
Detection tools?
Rebuff (Python), Lakera Guard (SaaS), OpenAI Moderation API, NVIDIA NeMo Guardrails, Promptfoo for testing.
Do I need fine-tune?
If prompt engineering + RAG do not reach desired quality, style or structured output — yes. Otherwise optimise the prompt.
Dataset size?
Minimum 100 examples for noticeable effect. 1k-10k — recommended range. More — diminishing returns.
Cost?
OpenAI gpt-4o-mini FT: $3 per 1M training tokens. Together.ai Llama 70B: ~$10. Full FT 70B in cloud — $500+.
Accuracy loss?
INT8 — <1% perplexity. INT4 — 1-3% (acceptable). INT2 — 5-10% (noticeable).
How does INT4 GGUF work?
Llama.cpp packs weights 4-bit per channel with scale factor. Dequantised on-the-fly in kernel. Minimal speed penalty when compute-bound.
Fine-tune quantised model?
QLoRA — yes. Training fine-tunes LoRA adapters (FP16), base model stays INT4. One-stop setup, cheapest fine-tuning.
Is keyword search deprecated?
No. BM25 is great for exact matches (code, names, rare words). Hybrid (sparse + dense) beats either alone.
Elasticsearch vs Qdrant?
Elasticsearch: mature, king of sparse search, added vector in 8+. Qdrant: dense-first, fast Rust. For hybrid — Elasticsearch+vector extension or Weaviate natively.
Latency target?
<100ms for interactive search. HNSW ANN index helps, no full scan. Fine at >1M docs.
HNSW vs IVF?
HNSW: best recall + speed, but all in RAM. IVF: cheaper RAM (centroids + buckets), slower recall. For huge datasets (>100M) — IVF + re-ranking.
HNSW and filtering?
Prefilter can cut graph connectivity. Quality vector DBs (Qdrant, Weaviate) have filter-aware HNSW. pgvector added index filtering in 2024.
Is DiskANN an alternative?
DiskANN — SSD-based ANN. 10× cheaper memory, 2-3× slower. For billion-scale. Milvus, MyScale support it.
Agent vs chatbot?
Chatbot: single-turn response. Agent: multi-step, uses tools, can hunt for information itself. Blurry boundary — modern chatbots increasingly use agentic patterns.
Reliability?
Agent loops can get lost. Best practice: max_iterations limit, human-in-loop for critical steps, observability via traces.
What is Claude Agent SDK?
Anthropic 2025 — SDK for building agents. Includes tools, retrieval, long context (1M tokens), cache. Tight integration with Claude Opus 4+.
Is tool calling reliable?
2026 models (GPT-5, Claude Opus 4.7) — 95%+ accuracy on simple tools. Complex tools (nested schemas) — test them.
What is MCP?
Model Context Protocol from Anthropic (2024) — standard for exposing tools. Clients (Claude Desktop, Zed IDE) connect to MCP servers (file system, GitHub, Slack, etc).
Security?
LLM may call the wrong tool or with bad args. Check authorisation on the server, do not trust LLM output. Sandbox tool execution.
Why is MoE trending?
It lets you scale parameters cheaply (inference cost ~ active params). Frontier models 2025+ are mostly MoE (GPT-4, Claude 3.5, Gemini, DeepSeek R1).
Fine-tuning MoE?
Harder than dense. LoRA on router + experts separately. Requires more data.
Running MoE locally?
Need memory for total params (all experts must be loaded). Mixtral 8x7B → 47B × 2 bytes FP16 = 94 GB. INT4 quant → ~26 GB.
Why did transformer become dominant?
Parallel compute (unlike RNN), scales well with params + data, attention captures long-range dependencies. Works on any sequence data.
What is Flash Attention?
Optimised implementation of self-attention. Uses SRAM efficiently, memory linear (not quadratic). 2-4× faster training. v3 shipped in 2025.
Alternatives to transformer?
Mamba / State Space Models (SSM) — linear complexity. Not yet competitive with transformers on language but promising for specific tasks.
Long context vs RAG?
RAG: cheaper, extensible to infinite data, but loses semantics on chunk boundaries. Long context: simpler code but $$ cost + latency. Hybrid is usually best.
Do I need 2M tokens?
For whole-repo code review, book summary, long document analysis — yes. For chat — 32k-200k is enough.
How to optimise?
Prompt caching: 10× cheaper for repeat prefixes. Streaming for UX. Only necessary context — not whole history.
Service mesh or API gateway?
Gateway — north-south (ingress). Mesh — east-west (service-to-service). Complementary.
Overkill for a small cluster?
For < 10 services — yes. Complexity doesn't pay off. For 50+ services + mTLS requirement — worth it.
Istio or Linkerd?
Istio: feature-rich, steep learning curve. Linkerd: lightweight Rust, simpler UX. For starters — Linkerd.
Sidecar vs multi-process container?
Sidecar — separate container (different image + update cycle). Multi-process — all in one image (anti-pattern in K8s, needs supervisord). Sidecar cleaner.
Overhead?
Each sidecar adds: ~30-100 MB memory, CPU slice. In 100-pod cluster — significant. Use only when needed.
Common pitfalls?
Sidecar crash → pod kill if restartPolicy: Always. Use lifecycle hooks + proper readiness probe.
Envoy vs nginx?
nginx: battle-tested, simple config, strong static file serving. Envoy: better for microservices (gRPC, dynamic config, mesh-ready).
Standalone Envoy — use case?
Front proxy / API gateway (replaces nginx + HAProxy). Or edge proxy for Kubernetes ingress.
Configuration — complex?
Yes. Envoy YAML verbose. In service mesh deploys, config is auto-generated by control plane.
Istio vs Linkerd?
Istio: more features, Envoy-based (C++), complex config. Linkerd: Rust, lightweight, simpler UX. For enterprise — Istio. For < 50 services — Linkerd.
Performance overhead?
+3-7 ms latency per hop, +30-100 MB RAM per pod. Acceptable for most but measure on critical paths.
What is ambient mode?
Istio 1.18+ introduced ambient mode — sidecar-less (ztunnel per node). Less overhead, but feature parity still WIP.
Operator vs Helm chart?
Helm — install + upgrade templates. Operator — ongoing management (backup, scale, heal). Operator — higher automation.
When to write your own operator?
If you deploy a complex stateful app and need automation for backups, failover, schema migrations. Simple stateless app — Deployment is enough.
Testing operators?
Operator SDK has an e2e test framework. kind/minikube local clusters for reconciliation testing.
Helm or Kustomize?
Helm — packaging + templating. Kustomize — overlay-based without templates. For distribution (public charts) — Helm. For simple mono-repo — Kustomize.
Helm 2 vs Helm 3?
Helm 2 had Tiller (server component) — security issues. Helm 3 — tiller-less, RBAC-aware. Everyone uses Helm 3 since 2020.
Where to find charts?
Artifact Hub (artifacthub.io) — 12k+ charts. Bitnami, Prometheus, Grafana, cert-manager — main maintainers.
GitOps vs CI/CD?
Overlap. CI/CD — pipeline that deploys. GitOps — pattern of operating systems through Git as truth. GitOps often uses CI to build images + PR to manifest repo.
Secrets in Git — how?
NOT plain. Tools: SealedSecrets (encrypted YAML), External Secrets Operator (sync from Vault), SOPS (Mozilla).
Monorepo or split?
Split: app-code repo + manifests repo. Avoids CI reinvocation on manifest-only changes. More popular in 2026.
ArgoCD vs Flux?
ArgoCD: better UI, UI-driven adoption. Flux: simpler, native cross-cluster. Enterprise often ArgoCD (UI for devs). Platform teams often Flux.
Multi-cluster?
ArgoCD manages multiple clusters from one UI. Needs credentials. Alternative — instance per cluster.
Scaling limits?
Default configs: ~1000 apps per instance. Large setups — shard controllers by clusters/projects.
Terraform or OpenTofu?
OpenTofu: free, MPL license, Linux Foundation. Terraform: BSL (non-commercial ok, commercial vendors restricted). For most teams — OpenTofu safer long-term.
State management?
Remote backend mandatory for teams: S3 + DynamoDB (lock), Terraform Cloud, or gitlab-managed-terraform-state. Local state = race conditions.
Terraform vs Pulumi?
Pulumi — IaC in real programming languages (TS, Python, Go). Terraform — HCL DSL. Pulumi better for developers, Terraform for sysadmins.
OCI vs Docker image?
Synonymous now. Docker donated image format to OCI in 2015. Docker images are OCI images. Some legacy formats (v1 Docker manifest) are not OCI and deprecated.
Registry choice?
Docker Hub: free but rate-limited (100 pulls/6h anonymous). GHCR: free for public. ECR: $$ but tight AWS integration. Harbor: self-host.
Signing/verification?
Sigstore (Cosign) — sign OCI artifacts + verify provenance. SBOM (Software Bill of Materials) — attach dep list to image. Policy enforcement — admission controllers.
CDC vs Event Sourcing?
CDC — capture from an existing DB (transparent to apps). ES — the DB itself is an event log (app writes events). Complementary, not synonyms.
Is Debezium production-ready?
Yes, Red Hat backing. Netflix, Wepay, Shopify in production. Main gotcha — schema changes require careful handling.
Alternative — polling?
Simpler setup, but misses deletes, high DB load, latency. Debezium log-based — no SELECT on source.
Materialized view vs regular view?
Regular — virtual, recomputed on every query. Materialized — stored, fast read, stale data.
Refresh frequency?
Balance freshness vs load. For dashboards: 5-15 min. For reports: hourly/daily. Incremental better for high-rate tables.
Postgres CONCURRENTLY flag?
REFRESH MATERIALIZED VIEW CONCURRENTLY — no lock on readers. Requires UNIQUE index. Recommended for prod.
EDA vs request/response?
EDA — async, decoupled. RR — sync, tight coupling. EDA scales better, RR easier to debug. Most systems — hybrid (EDA cross-service, RR inside service).
Kafka vs RabbitMQ?
Kafka — high-throughput streams, long retention, replay. RabbitMQ — queues with routing rules. Kafka for analytics/logs, RabbitMQ for task queues.
Eventual consistency — how to handle?
UI shows optimistic updates + reconciles later. APIs return pending state. For banking — use saga pattern with compensating actions.
WASI vs containers?
WASI: much faster start, smaller (KB vs MB), language-neutral. Containers: more compatibility with existing software. For serverless/edge — WASI wins.
When is it production-ready?
Preview 2 released stable in 2024. Fastly, Cloudflare Workers use it internally. For mainstream — 2026+.
Replacement for containers?
Not a replacement, a complement. Containers stay for legacy apps. New edge functions, plugins, serverless — WASI.
CQRS vs simple CRUD?
CRUD — one model for read and write. CQRS — separation, more code, better for complex domains. For simple apps — overkill.
Is Event Sourcing mandatory?
No. CQRS works with regular SQL too. But ES complements well — write side writes events, read side materialises views.
How to sync the read model?
Async via events (Kafka, RabbitMQ). Eventual consistency — read model lags seconds to minutes.
Is Event Sourcing only for CQRS?
No, but often combined. ES gives write-side, CQRS separates read and write models.
How to deal with schema changes?
Upcasters: at read time, transform old event versions to new schema. Or versioned event types (OrderCreated_V1, V2).
Storage size — a problem?
Events grow linearly. For long-lived streams — snapshots every N events. Or archive old events to cold storage.
Saga vs 2PC?
2PC (XA transactions) — synchronous, locks resources, does not scale, rarely in cloud. Saga — async, eventual consistency, no locks.
Choreography or orchestration?
Choreography for 2-3 services. Orchestration for complex flows (5+ steps) — easier to debug and modify.
Tool recommendations?
Temporal (temporal.io) — modern, durable execution. Netflix Conductor. AWS Step Functions. For simpler — just messages via Kafka/RabbitMQ.
When to use Bloom filter?
Pre-filter before expensive ops: check before DB query, before CDN miss. If >95% queries are "not in set" — saves huge load.
How to choose false positive rate?
Trade-off: lower FPR = bigger filter. 1% FPR = 10 bits/element. 0.1% = 14 bits/element. Choose by downstream cost.
Alternative: HyperLogLog?
HLL counts unique elements (cardinality), not membership. Different use cases.
Where is it used?
Redis Cluster (16384 slots), Memcached client-side sharding, DynamoDB partitioning, Cassandra, Akamai CDN, any distributed caches.
Consistent Hashing vs Range Sharding?
Range — sorted, easy range queries. Consistent — better balance, auto-reshuffle. For large-scale — consistent.
Is Rendezvous hashing better?
Rendezvous is simpler, O(n) per lookup vs O(log n). For small N — comparable. For huge clusters — consistent hashing wins.
Canary vs blue-green?
Blue-green: instant 100% cut. Canary: gradual %. Canary safer for unknown-risk changes, blue-green faster for confident releases.
For stateful services?
Harder — DB migrations + schema compat need to support both versions. Or canary non-critical path (backend feature, not DB migration).
What metrics to monitor?
Error rate (HTTP 5xx), p50/p99 latency, custom business (orders/min, conversion). Compare canary vs control cohort.
Blue-green vs rolling?
Rolling: update pods one at a time (K8s default). Blue-green: 2 full envs + swap. Blue-green safer for stateful, rolling simpler for stateless.
From: Blue-Green Deployment
Double infrastructure cost — worth it?
During deploy — yes (hours). Not needed permanently — create Green at deploy time, destroy after success.
From: Blue-Green Deployment
DB migrations — how?
Schema must be backwards-compatible (no drop columns, no rename). Forward-compatible: add nullable columns, defaults.
From: Blue-Green Deployment
Why need if we have canary?
Canary — deploy-time gradual. Feature flags — runtime toggle. Flags live longer (weeks): progressive rollout + experiments + kill switch.
Feature-flag debt — a problem?
Yes. Old flags clutter code. Best practice: TTL on a flag, auto-reminder in PR review after 30 days.
Open-source tools?
GrowthBook (free + paid), Unleash (free for 1 project), Flipt. LaunchDarkly — premium SaaS.
Observability vs Monitoring?
Monitoring = alerts on predetermined conditions. Observability = ad-hoc investigation via exploration. Overlap is big but observability goes deeper.
Do I need all 3 pillars?
Minimum: metrics + logs. Traces — when you have microservices/distributed. In a monolith start with the first two.
Stack suggestions?
Small team: Datadog (SaaS, all-in-one) or Grafana Cloud (cheaper). Self-host: Prometheus + Loki + Tempo + Grafana (LGTM).
OpenTelemetry vs Datadog agent?
OTel — open standard, vendor-neutral. Datadog agent — vendor-specific, deeper integrations. OTel migration easier if you switch vendors.
Performance overhead?
2-5% CPU overhead with auto-instrumentation. Sampling (1-10% traces) reduces it.
Is it stable?
Tracing — stable since 2021. Metrics — stable since 2023. Logs — stable since 2024. All three usable in prod.
SRE vs DevOps?
SRE — concrete role (SWE + ops). DevOps — culture + practices. SRE is a way to implement DevOps. Google treats them as distinct; many companies use the terms interchangeably.
Small team — overkill?
Full SRE role — yes for <10 devs. But principles (SLO, blameless postmortems, toil reduction) applicable at any size.
Required reading?
"Site Reliability Engineering" (2016) + "SRE Workbook" (2018) — free at sre.google/books. Canonical source.
FinOps — role or practice?
Usually practice, but in large companies — dedicated role. Practitioner knows cloud pricing + engineering + finance.
Tooling?
AWS Cost Explorer + Cost Anomaly Detection (free). Vendors: CloudHealth (VMware), Apptio Cloudability, nOps. Open-source: OpenCost (Kubernetes), Kubecost.
Savings ROI?
Typical: 20-40% reduction in the first year. Value higher for larger spend (>$10k/mo justifies).
Jaeger vs Zipkin?
Similar. Jaeger has more active development (Uber/CNCF), Zipkin older + simpler UI. Both support OpenTelemetry.
Storage overhead?
With 1% sampling: 500 req/s app → ~5 traces/s → few GB/day. At higher samples — TB/week.
Jaeger alternative?
Grafana Tempo — cheaper (block storage, not DB), integrates with Grafana. Used by DoorDash, Reddit. New stack: Tempo instead of Jaeger.
LRU vs LFU — which?
LRU — recency matters. LFU — frequency matters. For web: LRU usually wins (recency correlates with future access). LFU better for static catalog queries.
Is Redis LRU really accurate?
Redis uses approximate LRU for efficiency. Sample 5 keys, evict oldest. Accurate enough for most use cases.
TTL vs LRU?
Different. TTL — absolute expiry (delete after N sec). LRU — eviction on memory pressure. Often combined: TTL on data + LRU for overflow.
ELK vs Loki?
ELK: full-text indexed, fast search, expensive at scale. Loki: Prometheus-like labels + grep at query time, 10× cheaper. For high volume — Loki. For complex search — ELK.
Cost control?
Sampling (drop 90% INFO logs), log level discipline (INFO/WARN/ERROR not DEBUG in prod), TTL (< 30 days hot).
Centralise multi-region?
Ingestion in nearest region + async replication. Or separate stores + federated search (Loki federation, CloudWatch cross-account).
gRPC vs REST?
gRPC — binary, fast, backed by Protocol Buffers; for internal microservices. REST — JSON, human-readable, universal for public APIs.
Does gRPC work in the browser?
Not directly — browsers lack HTTP/2 frame control. Use grpc-web (proxy) or gRPC-Gateway (REST-to-gRPC).
How to debug gRPC?
grpcurl — curl-like CLI. Or BloomRPC GUI. Enterno HTTP checker helps with REST-gateway endpoints.
Passkeys vs WebAuthn?
Passkeys = marketing name for WebAuthn with cross-device sync. Technically the same thing.
Do I need new infrastructure?
No — WebAuthn works on standard HTTPS sites. Only JS API + backend validation needed.
Will it replace passwords?
Gradually. Gmail, Apple, GitHub already support it. 2026: ~15% of active users use passkeys.
Is PKCE needed for confidential clients (server-side)?
Recommended (OAuth 2.1 draft) but not required. For public clients (SPA, mobile) — mandatory.
Do all providers support it?
All major ones: Google, GitHub, Microsoft, Auth0, Okta, Keycloak. Yandex OAuth since 2022.
Plain vs S256 method?
S256 (SHA-256) only in production. Plain (verifier=challenge) is legacy and insecure.
Where to store a refresh token?
Server-side: session/database. Client-side: httpOnly + Secure + SameSite=Strict cookie. Never localStorage — XSS risk.
What to do on suspected leak?
Revoke all refresh tokens for the user via
DELETE /tokens WHERE user_id=X. User must relogin.
Refresh rotation — required?
Best practice. Especially for SPAs. OAuth 2.1 draft mandates rotation.
Do I need a Service Worker without PWA?
Useful even for regular sites: offline-first UX, faster repeat visits via cache.
Does it work in Safari?
Yes, since iOS 11.3 (2018). Some advanced features (Push) only iOS 16.4+.
How to debug?
DevTools → Application → Service Workers. Force update, inspect fetch events.
IndexedDB vs localStorage?
localStorage — 5-10 MB, sync, string-only. IndexedDB — gigabytes, async, structured objects + indexes.
Mobile support?
Yes, every modern browser (Safari iOS, Chrome Android). Safari is partially limited in PWA context.
Eviction — will my data disappear?
When disk space is tight — yes. For critical data use
navigator.storage.persist().
WebSocket or SSE?
WebSocket — bidirectional (both send). SSE — one-way (server→client only). SSE is simpler and works over HTTP, WebSocket is faster.
How to handle disconnects?
Implement reconnect with exponential backoff. Socket.IO does this automatically.
Scaling?
One Node.js handles 10k+ concurrent WebSockets. For 100k+ — Redis pub/sub between instances or a managed service (Ably, Pusher).
When to use SSE over WebSocket?
Server-only push (notifications, live feed). Simpler code, works through proxies. For chat/games you need WebSocket.
From: SSE — Server-Sent Events
Automatic reconnect?
Yes. Browser reconnects with exponential backoff + sends
Last-Event-ID. From: SSE — Server-Sent Events
HTTP/1.1 6-connection limit — a problem?
For a dashboard with 10+ SSE feeds — yes. Use a single multiplex endpoint or migrate to HTTP/2/3.
From: SSE — Server-Sent Events
mTLS vs API key?
mTLS — cryptographic proof of private-key ownership. API key — a string vulnerable to leaks. mTLS is safer but harder to rotate.
How to distribute client certs?
Automated issuance via an internal CA (Vault, Smallstep), rotate every 30-90 days. For external partners — manual process.
Does it work in browsers?
Yes. Browser shows a cert-picker UI from the OS store. Chrome + macOS — TouchID unlock.
JWK vs x509 PEM cert?
JWK — JSON, easy to parse in JS/Python. PEM — traditional base64. JWT with JWKS = standard OAuth path.
From: JWK — JSON Web Key
How to rotate keys?
Generate new key → publish in JWKS with a new kid → wait 30 days for clients to refresh cache → remove old.
From: JWK — JSON Web Key
How to verify JWT with JWKS?
Library like jose (Node), python-jose, PHP firebase/php-jwt with getKeyById callback.
From: JWK — JSON Web Key
Why HMAC instead of just a shared secret in a header?
A secret in a header travels in plain. HMAC signs the body; the secret is never transmitted.
Replay attack protection?
Timestamp + nonce in payload. Receiver confirms fresh timestamp (5 min window) and unused nonce.
Which providers use it?
Stripe (Stripe-Signature), GitHub (X-Hub-Signature-256), Slack (X-Slack-Signature), Telegram (X-Telegram-Bot-Api-Secret-Token), YooKassa.
Token bucket vs sliding window?
Token bucket: simple O(1), allows bursts. Sliding window: precise count over any time window, but O(log n) or Redis sorted-set overhead.
How to choose parameters?
Average rate (r) = your target RPS. Capacity = typical burst (10-30 sec worth). E.g. 10 req/sec average + 300 capacity = 30 sec burst.
Rate limit per-IP or per-user?
Both. per-IP defends anonymous abuse. per-user defends credential stuffing after login.
How to measure uptime SLI?
Synthetic probes (Enterno monitors) every minute. 30-day window. Success = HTTP 2xx/3xx + response time < threshold.
Do I need an SLA for a small team?
Internal SLO — always. SLA — only if a customer requires it (enterprise, compliance).
What to do when error budget is exhausted?
Feature-freeze, postmortem, reliability work until budget recovers. This is the main value of the error-budget approach.
Why not the mean?
Mean is skewed by outliers. p50/p95/p99 are more stable and reflect user experience.
How to measure at low traffic?
Histogram buckets (Prometheus, DataDog). At 100 req/day p99 = worst-1, which is noisy. Use p95 + weekly rolling.
How to improve p99?
1) Cache hit ratio. 2) Connection pools (DB, Redis). 3) Circuit breakers. 4) Timeout + retry + jitter. 5) Async I/O.
GraphQL vs REST — which is faster?
GraphQL is faster for complex UIs (fewer round-trips). REST — for simple CRUD (better caching).
From: GraphQL — What It Is
How to solve the N+1 problem?
DataLoader (Facebook): batching + caching per-request. Or persistent queries + query whitelisting.
From: GraphQL — What It Is
Is caching harder than REST?
Yes. REST — HTTP cache by URL. GraphQL — application-level cache by query needed. Apollo Client handles this out of the box.
From: GraphQL — What It Is
RSC vs SSR?
SSR — HTML rendered on server, then full JS bundle hydrates. RSC — component code stays on server; client gets only a payload without JS.
Do all React frameworks support it?
Next.js (App Router) — first. Remix, TanStack Start follow. Vanilla React does not support it without a framework.
Can I use hooks?
In Server Components — no (no state). In Client Components — yes (useState, useEffect, etc.).
CRDT vs Operational Transform?
OT (Google Docs) — server-authoritative, transforms operations. CRDT — peer-to-peer compatible, merges without a server. CRDT wins offline-first.
Performance?
Yjs handles thousands of edits/sec. Automerge is slower but more featureful. Both in production (Linear, Figma).
Do I need it for a simple todo app?
No — overhead. CRDTs make sense for collaborative editing or true offline-first UX.
Server Actions vs API routes?
Server Actions — short-lived, called from a component, type-safe, RPC-like. API routes — public endpoints for external clients.
Are they safe?
You must re-validate auth + input inside the action. Next.js adds CSRF protection automatically. Always check ownership (IDOR).
Do they work without JavaScript?
Yes! If form action is a Server Action, submit works via native form POST without JS. Progressive enhancement.
Do I need DMARC if I have SPF and DKIM?
Yes. SPF/DKIM only authenticate. DMARC tells the receiver what to do if they fail — without DMARC the receiver decides (often accepts).
Where to start?
Always with p=none and rua=mailto:. Monitor for 2 weeks, then quarantine pct=25, then 100, then reject.
Is there a cost?
DMARC is free. Report aggregators like dmarcian offer a free tier for small domains.
Is OCSP Stapling mandatory?
Not technically but strongly recommended. 100-300ms speedup and user privacy protection.
From: OCSP and OCSP Stapling — What They Are and How They Work
Does it work with Let's Encrypt?
Yes, fully. Let's Encrypt serves OCSP via ocsp.int-x3.letsencrypt.org.
From: OCSP and OCSP Stapling — What They Are and How They Work
What is CRL and how is it different?
CRL (Certificate Revocation List) is the full list of revoked certs a CA maintains. OCSP queries a single cert status — faster and lighter.
From: OCSP and OCSP Stapling — What They Are and How They Work
OAuth 2.0 vs OpenID Connect?
OAuth 2.0 is authorization (what). OpenID Connect is a layer on top for authentication (who) via an id_token (JWT).
Is Implicit flow still used?
No — since OAuth 2.1 draft (2019) and most guides mark it deprecated. Replacement: Authorization Code + PKCE.
Is the access token a JWT?
Can be, not required. The OAuth spec does not mandate format. Many providers (Google, Auth0) return JWTs for client convenience.
Webhook or polling?
Webhook = near-realtime + less load on both sides. Polling = simpler for tests + works through firewalls (outgoing only). For production choose webhook.
How do I verify a webhook is from that service?
Check the HMAC signature with a shared secret. Stripe/YooKassa document the exact algorithm (usually HMAC-SHA256).
What if the receiver is down?
The service should retry 3-5 times with exponential backoff. After final fail — store in a dead-letter queue.
When did INP replace FID?
March 12, 2024. FID (First Input Delay) measured only the first click. INP captures all interactions — better reflects real UX.
Do CWV affect ranking?
Yes. Google confirmed CWV as a signal since 2021. Impact ~5-10% all else equal.
How do I check CWV for my site?
PageSpeed Insights (Google) or Enterno Speed — both use CrUX field data.
Edge computing vs CDN?
CDN = static caching + network. Edge computing = CDN + execution. Edge computing includes CDN; CDN is only a piece.
Why use it if I have multi-region Kubernetes?
Multi-region K8s = tens of datacenters. Edge = hundreds. Plus edge platforms manage deploy for you (git push → live globally).
Any Russian edge providers?
Yandex Cloud Functions (not edge-native but regionally distributed). Selectel Object Storage + CDN. For true edge — Cloudflare (works in RU via Tier 2 ISPs).
Zero Trust vs VPN?
A VPN grants access to the whole internal network. Zero Trust — access only to specific apps with per-request checks. ZT is stricter.
Who coined the term?
John Kindervag (Forrester, 2010). Google independently implemented the concept in BeyondCorp starting in 2011.
Do I need to buy a vendor?
No. Principles can be implemented with IdP (Okta/Google) + ALB/API Gateway + app-level RBAC.
Why does Idempotency-Key exist?
Network retry: server received the POST, processed it, but the response was lost in transit. The client thinks "it didn't go through, retrying" → duplicate. Idempotency-Key prevents that.
How long do I keep keys?
Stripe keeps them 24 hours. Enough for a retry window without bloating the DB.
Is GET idempotent even with rate limiting?
Yes. Rate limits do not affect idempotency. The request is either allowed and returns data, or rejected with 429 — in both cases state does not change.
What if robots.txt is unavailable?
Google keeps crawling as usual, Yandex too. But if robots.txt returns 5xx — Google halts crawl for 12 hours. Serve a 200 or 404.
Does robots.txt hide a page from the index?
No. Disallow blocks *crawling* but not *indexing* (an external link can make the URL appear in the index without content). For indexing use meta noindex.
Do wildcards work?
In major bots yes:
Disallow: /*.pdf$. RFC 9309 formalized wildcards.
Does TLD affect SEO?
Indirectly. .com slightly stronger for global SEO, ccTLD (.ru) — for geo-targeting in Russia. Google officially: "does not matter if content and links are good".
What are 2LD and 3LD?
Second-level domain — before TLD (example in example.com). Third-level domain — subdomain (api in api.example.com).
Why is .io so popular?
Short, plays on input/output in tech. In 2024 began an ICANN transition following UK handover of the Chagos Islands.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
From: PoP (Point of Presence) — What It Is and How It Works [2026]
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
From: 503 Service Unavailable — What It Is and How It Works [2026]
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Does this apply to my project?
See definition above. Most web projects with traffic > 100 RPS need it.
Do I need CAA record?
If you work with web infrastructure — yes. See description above.
Do I need HTTP/2?
If you work with web infrastructure — yes. See description above.
Do I need HTTP/3?
If you work with web infrastructure — yes. See description above.
Do I need TLS 1.3?
If you work with web infrastructure — yes. See description above.
Do I need MIME type?
If you work with web infrastructure — yes. See description above.
Do I need Redirect chain?
If you work with web infrastructure — yes. See description above.
Do I need CDN?
If you work with web infrastructure — yes. See description above.
Do I need nginx vs Apache?
If you work with web infrastructure — yes. See description above.
Do I need sitemap.xml?
If you work with web infrastructure — yes. See description above.
Do I need IndexNow?
If you work with web infrastructure — yes. See description above.
Do I need SNI?
See the use-case section above. For a quick check, use our online form.
Do I need SRV record?
See the use-case section above. For a quick check, use our online form.
Do I need PTR record (reverse DNS)?
See the use-case section above. For a quick check, use our online form.
Do I need CORS preflight?
See the use-case section above. For a quick check, use our online form.
Do I need SRI (Subresource Integrity)?
See the use-case section above. For a quick check, use our online form.
From: SRI (Subresource Integrity) — Supply-Chain Protection [2026]
Do I need IPv6?
See the use-case section above. For a quick check, use our online form.
Do I need MTU?
See the use-case section above. For a quick check, use our online form.
Do I need NTP?
See the use-case section above. For a quick check, use our online form.
Do I need BGP?
See the use-case section above. For a quick check, use our online form.
Do I need HSTS Preload?
See the use-case section above. For a quick check, use our online form.
Do I need JWT?
If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
Do I need TTL?
If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
Do I need WAF?
If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
Do I need SPF?
If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
Do I need DKIM?
If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.
How does CNAME record differ from similar concepts?
See the full breakdown in the article above. For a quick check, use our online tool.
Does this need manual updates?
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
How does HSTS differ from similar concepts?
See the full breakdown in the article above. For a quick check, use our online tool.
Does this need manual updates?
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
How does MX record differ from similar concepts?
See the full breakdown in the article above. For a quick check, use our online tool.
Does this need manual updates?
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
How does CORS differ from similar concepts?
See the full breakdown in the article above. For a quick check, use our online tool.
Does this need manual updates?
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
How does CSP differ from similar concepts?
See the full breakdown in the article above. For a quick check, use our online tool.
Does this need manual updates?
Usually no — most modern services configure it automatically. Manual setup is only needed for migrations or exotic configurations.
How-to guides (290)
Ingress vs Service LoadBalancer?
LoadBalancer — one external IP per Service (expensive in cloud). Ingress — one LB for the whole cluster + L7 routing to multiple Services.
Do I need Gateway API?
New clusters — consider it. Existing — Ingress is stable and production-grade, migration is not a priority.
Is cert-manager required?
No, you can paste TLS secrets by hand. But with 3+ domains cert-manager saves hours per month.
Can I trust PgTune?
Yes, as a starting point. pgtune.leopard.in.ua generates a base config. From there, tune to your workload (OLTP vs OLAP).
When do I need partitions?
Tables > 100 GB or purging old data. For < 10 GB — unnecessary complexity.
Is a connection pooler critical?
At > 200 concurrent — yes, Postgres per-connection backend eats 10 MB RAM + context switches.
Blameless postmortem?
Culture + a written standard. Focus on the system, not the person. "What let this bug happen?" instead of "who screwed up?"
From: Run an Incident Response
How fast do I write the postmortem?
SEV-1: 48 hours. SEV-2: one week. SEV-3: optional. Timeboxing beats depth.
From: Run an Incident Response
IR automation?
PagerDuty / Opsgenie — on-call routing. Jeli, incident.io — full incident platforms. Slack Workflow Builder for small teams.
From: Run an Incident Response
How many partitions are enough?
Rule of thumb: 10× expected throughput in MBps. 1 partition = ~10 MB/s. 100 MB/s throughput → 10+ partitions.
From: Fix Kafka Consumer Lag
Can I reduce partitions?
No, it's non-reversible. Create a new topic with fewer, switch producers, migrate consumers.
From: Fix Kafka Consumer Lag
Compaction vs retention?
Retention: deletes by time (7 days default). Compaction: keeps the latest value per key — useful for event sourcing / state stores.
From: Fix Kafka Consumer Lag
When switch allkeys-lru → allkeys-lfu?
When your workload has a clear hot/cold partition (some keys read forever, others rarely). LFU wins for classic skewed workload.
From: Tune Redis Memory
Redis in production without persistence?
Fine for pure cache (session, counter). If the data cannot be regenerated, enable AOF everysec.
From: Tune Redis Memory
Sharding or Cluster?
Redis Cluster — built-in sharding (up to 1000 nodes). For < 100 GB sentinel + application-level sharding is more common.
From: Tune Redis Memory
Rate per IP or per user?
Per IP is faster (binary_remote_addr in the key). Per user — after auth via $cookie_session or $jwt_claim.
X-Forwarded-For?
Behind a CDN — real_ip_header + set_real_ip_from. Otherwise every request gets banned on the CDN IP.
limit_req vs CF / AWS WAF?
CF / WAF — L7 DDoS protection (10k+ RPS). nginx limit_req — local fair-use + slow-brute protection.
How often to rotate?
High-privilege API keys — 24-72h (JIT). Service credentials — 30-90d. Human passwords — 90d + MFA. After incident — immediately.
Vault or AWS SM?
Vault: self-host, universal (not only AWS), $0 if self-hosted. AWS SM: managed, tight AWS IAM integration, $0.40/secret/mo. Cloud-native → SM, multi-cloud → Vault.
Short-lived credentials?
Best practice 2026 — AWS STS AssumeRole (1h), GitHub OIDC federation (no static AWS keys), Workload Identity (K8s). Reduces rotation overhead.
How to check for leakage?
GitHub secret scanning enabled, trufflehog in CI, Shodan alerts for your IPs. Enterno Security Scanner for sensitive file disclosure.
Snyk vs Dependabot?
Snyk: broader (containers + IaC + licensing), paid beyond free tier. Dependabot: GitHub-native, free, npm+pip+... — but only dependencies, no container scan. Use both.
Trivy vs Snyk?
Trivy: open source (Aqua Security), free, scans containers + IaC. Less polished UI but comparable coverage. For startups — Trivy. For enterprise — Snyk support.
Snyk Code (SAST)?
Statically analyses source code for vulns (SQL injection, XSS). Competes with Semgrep, SonarQube. Free tier 100 tests/mo.
Monitor prod?
snyk monitor continuously tracks. New CVEs discovered → email/Slack alert. Enterno uptime for endpoint health complements it.
Why sign images?
Supply chain attacks (SolarWinds, xz) showed: untrusted images = RCE. Signing proves "this image was built by X CI". SLSA level 3 requires it.
Keyless vs key-based?
Keyless: no key management, OIDC-based, fits most. Key-based: offline signing, for air-gapped, requires key storage (HSM / KMS).
What is an SBOM?
Software Bill of Materials. syft / Trivy generate list of packages in image. Combined with cosign attest — creates attested SBOM.
Admission in K8s?
sigstore-policy-controller (preferred 2025+) or Kyverno with cosign verify. Block unsigned images or wrong signer.
When is SBOM needed?
US federal contractors since 2023 (EO 14028). EU Cyber Resilience Act (CRA) from 2027 — all software on EU market. Enterprise customers — expected in RFPs.
SPDX or CycloneDX?
SPDX: Linux Foundation, wide enterprise acceptance. CycloneDX: OWASP, security-focused, richer vulnerability info. Both are ISO standards 2024+.
SBOM scanning?
Grype (Anchore) reads SPDX/CycloneDX + CVE DB. Dependency-Track (OWASP) — continuous monitoring, alerts on new CVEs for old releases.
Monitor endpoint for SBOM?
Upload to Dependency-Track / Snyk / GitHub Advisory. For endpoint uptime — Enterno HTTP checker.
Dependabot or Renovate?
Dependabot: GitHub-native, simpler. Renovate: more flexible, works on GitLab/Bitbucket, configurable schedules. Solo projects — Dependabot. Teams with complex policies — Renovate.
Is Socket.dev free?
Free tier: 5 repos. $15/dev/mo paid. Analyses package behavior (network calls, file ops, eval usage) — detects novel supply-chain attacks.
xz 2024 incident?
xz-utils CVE-2024-3094 — backdoor via social engineering after a 2-year maintainer takeover. Would have compromised OpenSSH on major Linux distros. Caught by luck.
npm vs pnpm vs bun?
pnpm: content-addressable, fast, deterministic. bun: Rust backend, 10x faster. For audit — pnpm/bun show the actual installed graph more precisely than npm.
OTel or vendor-specific SDK (Datadog APM)?
OTel: vendor-neutral, migrate backends easily. Datadog APM: deeper integration but vendor lock. For new projects — OTel, for Datadog shops — native.
Traces vs Metrics vs Logs?
Traces: request flow across services. Metrics: aggregated numbers (CPU, requests/sec). Logs: discrete events. OTel unifies all three.
Cost?
Self-host Grafana Tempo (free) + S3 storage ~$10/mo for a small app. Datadog $15/host/mo. Honeycomb $70+/mo pro tier.
Monitor endpoint?
Enterno HTTP checker for backend health. Scheduled monitoring for uptime SLA.
Jaeger vs Tempo vs Honeycomb?
Jaeger: open source, battle-tested, local storage OK. Tempo: Grafana-native, S3 backend, cheap at scale. Honeycomb: SaaS, best query UX ($70+/mo).
Trace instead of logs?
Traces show flow + timing. Logs show discrete events. Complement: trace ID in log line ties logs to a specific trace.
Performance overhead?
OTel auto-instrument: 1-3% CPU, negligible latency. Sample 1-10% for prod.
How to find latency issue fast?
Enterno Ping for endpoint-level. For full trace — Jaeger/Tempo UI filter by duration.
SLO vs SLA?
SLO: internal target. SLA: legal contract with penalty. SLO always stricter than SLA (99.9% SLO → 99% SLA). Breach SLO → postmortem. Breach SLA → refund.
Realistic numbers?
AWS S3: 99.9%. Gmail: 99.97%. Stripe API: 99.99%. For startup: 99% enough for MVP; 99.9% for B2B; 99.95%+ for critical infra.
Error budget ratio?
99.9% = 0.1% = 43m/mo. 99.99% = 4m/mo. Each 9 multiplies cost ~10x. Be realistic.
Enterno monitoring?
Enterno Uptime Monitoring tracks availability + latency + SSL. Alerts + SLA reports. Integrates with PagerDuty, Slack, Telegram.
PagerDuty vs Opsgenie?
PagerDuty: market leader, polished UX, $21+/user. Opsgenie (Atlassian): cheaper, tight Jira integration. For small teams — PagerDuty free tier 5 users.
Alertmanager HA?
Clustered mode: 3+ instances gossip state. Without HA — if Alertmanager is down → missed alerts. Run 3 replicas.
Grafana alerting as replacement?
Grafana 9+ has built-in alerting (Unified alerts). For Grafana Cloud users — simpler. Prometheus + AM still standard for self-host.
Enterno integration?
Enterno uptime monitoring sends to PagerDuty, Slack, Telegram. For OpenTelemetry-based alerts — Grafana Alerting better.
Loki vs Elasticsearch?
Loki: indexes labels only (not log content), cheap ($0.50/GB), Grafana-native. Elasticsearch: full-text index, expensive ($5/GB), powerful search. For most — Loki is enough.
Logs vs traces?
Logs: discrete events ("Error in checkout"). Traces: request flow + timing. Modern: logs include trace_id → cross-reference.
Retention?
Hot (instant search): 7-30 days. Warm (S3): 90 days. Cold (Glacier): 1+ year for compliance.
Enterno logging?
Enterno uses PSR-3 compatible + Papertrail backend. For end-users — monitor endpoint covers availability.
Field vs Lab data?
Field (CrUX, RUM): real users, slow devices, varied networks. Lab (Lighthouse): synthetic ideal conditions. Google SEO = field data.
Why did INP replace FID?
FID = first interaction (usually fast). INP = worst interaction per session → better UX signal. March 2024 migration.
RUM provider?
Enterno RUM (free tier + pro), Vercel Speed Insights ($10/mo), Google CrUX (free but aggregated), SpeedCurve ($20+).
Check without install?
Enterno PageSpeed for lab scores. Google PageSpeed Insights — shows CrUX field data.
How many documents are needed?
100 small docs already work. 10k+ — rerank needed for quality. 100k+ — shard vector DB, hybrid search.
Cost?
Embeddings: $0.02/1M tokens. LLM call: $0.15-15/1M. For 1k queries/day ~$0.50-5.
Best LLM for RAG?
Claude Opus 4.7 — best for long context. GPT-5 — balanced. Gemini 2.5 — 2M context. Llama 3 70B self-host — free.
How to monitor RAG quality?
Ragas (Python) measures context_precision, context_recall, answer_relevancy. Set thresholds in CI.
RAG or FT?
RAG: dynamic knowledge, easy update. FT: style, tone, format consistency. Often combined — FT for tone + RAG for facts.
Cost?
OpenAI gpt-4o-mini FT: $3/1M training tokens. Together Llama 3 70B LoRA: ~$5-20 per run. Self-host: $0 if you have a GPU.
How to measure improvement?
Held-out test set (20%). Metrics depend on task: exact match, BLEU, LLM-as-judge (GPT-4 grades outputs).
LoRA vs full FT?
LoRA: 0.1-1% params updated, fast, cheap. Full FT: all params, best quality but 10-100x cost. For 95% of use cases LoRA is enough.
Is pgvector enough?
Up to 1M vectors — yes. Embedded in Postgres = single DB, transactional. Above 10M — dedicated vector DB.
Qdrant vs Weaviate?
Qdrant: vector-focused, fast Rust. Weaviate: hybrid search built-in, modular. For pure vector — Qdrant. For hybrid — Weaviate.
Backup / HA?
Qdrant: snapshot API, multi-region replication (Enterprise). pgvector: standard Postgres backup (pg_dump, WAL).
How to monitor uptime?
Enterno Ping for port 6333/5432. Monitors for /health endpoint + alerts.
What if key leaked?
Immediately: (1) Revoke key in dashboard, (2) Check usage for last 24h, (3) Rotate all related keys, (4) Review logs for suspicious calls, (5) Contact support if cost > $1k.
Is $10k leak cost real?
Yes. Automated bots scan GitHub + Shodan and instantly find new keys. 1 H100 GPU-hour = $2-5. 1000 parallel calls × 24h × $5 = $120k. Known cases.
Does proxy add latency?
Yes, +50-100ms. Mitigate: deploy proxy in the same region as the OpenAI endpoint. Streaming response keeps UX smooth.
How does Enterno secure keys?
All external API keys (OpenAI, Anthropic, Telegram) are in backend .env with 600 permissions. Proxy endpoints with rate limiting + user auth. See Enterno Security Scanner.
SSE vs WebSocket?
SSE: one-way server→client, HTTP-based, proxy-friendly. WebSocket: duplex, overkill for LLM (no client→server streaming needed).
First token latency?
Typically 300-800ms. Factors: server region, model size, prompt caching. OpenAI with cache — 150ms.
How to minimise delay?
TTFT (time to first token): cache prompt prefix, short prompts, smaller model on low-latency path. Prompt cache cuts 10x.
Monitor latency?
TTFT + tokens/sec in analytics. Enterno HTTP checker for the general endpoint. LangSmith / LangFuse for LLM-specific traces.
Cache hit rate target?
30-50% is good for a general chatbot. 70%+ — for frequent queries (FAQ, docs Q&A).
How does OpenAI automatic cache work?
Prompts > 1024 tokens are cached automatically for 5-60 minutes. Cost cut 50%. No explicit API.
Cache for streaming?
Yes. Cache the full response after completion. On the second hit you can stream from Redis with artificial delay for UX.
Invalidation strategy?
Time-based (TTL) — simple. Tag-based (invalidate all with tag "docs:v2") — complex. For most LLM uses TTL is enough.
How often should I eval?
On every prompt / model change — full suite. Daily cron for smaller smoke test. Weekly — human review of sample.
LangSmith vs LangFuse?
LangSmith: LangChain-maintained, tight integration. LangFuse: open-source, self-host possible. Braintrust: evaluation-first.
Automatic vs human eval?
Automatic — scale + consistency, but misses nuance. Human — expensive ($1-5 per example) but ground truth. Combine them.
What does Enterno use?
For internal RAG — Ragas weekly. For prompt changes — Promptfoo in CI. For production quality — LLM-as-judge sampling 1% traffic.
MCP vs OpenAI function calling?
MCP: standard, works with multiple clients (Claude, Zed, others). OpenAI functions: specific to OpenAI API. MCP — more universal.
MCP servers market in 2026?
Official collection: filesystem, git, GitHub, Slack, Postgres, Google Drive. Community — dozens more (Figma, Linear, Sentry).
Security?
Claude Desktop prompts user before each tool call. For automated agents — need manual review pipe, sandbox, whitelist tools.
Deploy MCP remotely?
SSE transport over HTTPS. Auth via OAuth. Example — Sentry MCP server (opens at https://mcp.sentry.dev).
Cold start — how to solve?
Keep-warm strategy: ping every 5 min keeps container alive. Cost ~$0.10/hour idle. Or use a provider with faster cold start (Modal 2s).
Modal vs RunPod?
Modal: Python-native UX, pricier. RunPod: cheaper, requires Docker image. For prototyping — Modal. For production scale — RunPod.
Do I need vLLM?
For production serving — yes. 2-5x throughput over raw transformers. PagedAttention + continuous batching.
Is Replicate pricing OK?
Good for low volume + pre-built models. Dedicated deployment (Modal, RunPod) is cheaper for >1M tokens/day.
Cost for 10k articles?
Indexing ~$0.50 (one-time). Queries: $0.001 per search. 1000 searches/day → $1/mo.
Why is semantic better than keyword?
Understands synonyms ("how to fix" ≈ "troubleshoot"), concepts ("SSL errors" finds "TLS cert issues"). For short queries keyword is better.
Algolia vs self-hosted?
Algolia: $40/mo minimum, polished UX but platform lock-in. Self-hosted (Qdrant): $5/mo VPS, your data, more work.
Enterno example?
Is 100% fix possible?
No. Prompt injection — fundamental LLM limitation. Defence in depth + monitoring + human review for critical ops.
Rebuff vs Lakera?
Rebuff: open-source Python, simpler. Lakera Guard: commercial API, broader detection. Combine them.
How to test defences?
Promptfoo red-team tests + known injection payloads (https://github.com/FonduAI/awesome-prompt-injection). Hire a red-team for production.
Enterno defence?
Backend proxy for all LLM calls, structured output where possible, per-user rate limit, log suspicious prompts for review. See Enterno Security Scanner.
Is free tier enough?
For solo project — yes. Team 5+ — sometimes need Teams $4/user/mo or self-hosted runners.
Why self-hosted runners?
For private network access, unlimited minutes, GPU/ARM runners. Downside — maintenance + security (compromised runner = RCE in workflow).
Secrets vs env vars?
Secrets — encrypted, not visible in logs. Env vars — plain, visible. For tokens/passwords — always secrets.
GitHub Actions vs Jenkins/GitLab CI?
GitHub Actions: free for GH repos, huge actions marketplace, YAML. Jenkins: self-host, flexible but maintenance. GitLab CI: tight GitLab integration. For GitHub — Actions default.
ArgoCD for small cluster — overkill?
For 1 app — overkill. For 3+ apps/services in Kubernetes — ArgoCD removes manual kubectl + provides audit trail + rollback.
Private repos — access?
HTTPS: username + personal access token in secret. SSH: deploy key. In UI → Settings → Repositories.
Secrets management?
NOT plain in Git. Sealed Secrets (bitnami) encrypted in Git, decrypted in cluster. Or External Secrets Operator → Vault/AWS SM/SSM.
Multi-env (dev/staging/prod)?
Kustomize overlays + separate Applications per env. Or ApplicationSet for DRY.
Vault or AWS Secrets Manager?
AWS SM: managed, tight AWS integration, $0.40/secret/month. Vault: multi-cloud, dynamic creds, advanced features (transit encryption), but self-host complexity.
License — open-source?
Vault moved to BSL (Business Source License) in 2023, like Terraform. Open-source fork — OpenBao (Linux Foundation).
How to rotate secrets?
Dynamic secrets: auto-rotate on every request. Static: TTL + VersionedKV + manual rotation via API.
App integration?
Vault Agent (sidecar renders secrets to file), Vault SDK (Python/Go/Java), Kubernetes Secret Injector.
Is SameSite=Lax enough in 2026?
For top-level GET — yes. For POST/PUT/DELETE — Lax blocks cross-site, core CSRF mitigation. But defence-in-depth: token on state-changing forms is mandatory.
API with cookies auth — do I need CSRF?
Yes, if cookies. JWT in header (Bearer) — CSRF ok (attacker cannot set custom header). Cookies — vulnerable without CSRF token.
SPA + JSON API — how?
Double-Submit Cookie: CSRF token in cookie + in request header. Attacker cannot read cookie (SameOrigin), does not know value for header.
How to verify CSRF protection?
Create test page on another domain with
fetch('/your-site/action', {method: 'POST', credentials: 'include'}). Should be blocked.
How to see real-time queries?
SELECT * FROM pg_stat_activity WHERE state = 'active'; — live queries. Cancel with PID: SELECT pg_cancel_backend(pid);
When to VACUUM ANALYZE?
Autovacuum does it automatically. Manual needed after bulk insert/update — refresh stats for query planner.
Connection pooling — PgBouncer or application-level?
Application pool (node-pg-pool) — per-app. PgBouncer — cluster-wide, shared. Production — PgBouncer (1000 app connections → 25 Postgres).
Slow on 10 GB DB — indexes or scale?
Indexes first (often 100× improvement). Scale (replicas, shards) — after exhausting query optimization.
Managed or self-hosted K8s?
Managed (EKS/GKE/AKS) — saves 40+ hours/month maintenance. Self-hosted only if compliance or data residency disallows cloud.
When is K8s needed?
Microservices (5+ services), multi-region, auto-scaling need. For monolith on 1 VPS — overkill.
Alternatives?
Docker Swarm (simple but declining). Nomad (HashiCorp, simpler than K8s). Managed PaaS: Vercel, Fly.io, Railway — handle everything for web apps.
How to test before migration?
Local: kind, minikube, k3d (single-node). Staging: small managed cluster. Run parallel 2 weeks → compare metrics → cut over.
When is Redis Cluster needed?
Data >5 GB or >100k ops/sec. Less — single master + replica + Sentinel is enough.
Cluster vs Sentinel?
Sentinel — HA (1 master + replicas, automatic failover). Cluster — scaling (sharded across masters). Different jobs.
Managed alternatives?
AWS ElastiCache (Cluster mode), Redis Cloud (Redis Labs), Yandex Managed Redis. Usually $50-500/mo vs $0 self-host but 20+ hours/month maintenance.
Migrate from single Redis?
Write dual (old + new), read from single → migrate reads batch → cut write. Or use Redis-shake for bulk copy.
Docker Compose vs Kubernetes?
Compose: single host, dev, small prod. K8s: multi-host, auto-scaling, HA. Migration threshold: >3 services + >1 host + need auto-scaling = K8s.
Networking?
Services in same compose file automatically in shared network. Access via service name (hostname). External: expose ports via
ports:.
Can I use Docker Compose in prod?
For small apps (side projects, internal tools) — yes. For serious business — keep dev-only, migrate to K8s for prod.
Alternative — Podman Compose?
Podman — daemonless Docker-compatible. Podman Compose — works with docker-compose.yml. For rootless Linux — preferable.
GitHub Push Protection — what is it?
Bloom filter + regex detection on commits at push. Catches AWS, Stripe, Google, OpenAI keys and other common patterns. Enable in repo settings.
How to know a key leaked?
Scan history: trufflehog. Monitor provider alerts (AWS CloudTrail, Stripe webhook). Enable Secret Scanning in GitHub (free for public repos).
Vault, AWS SM, or .env?
.env for local dev + staging. Vault/SM for production — enable audit, rotation, fine-grained access. For early-stage — AWS SM cheap and safe.
Client-side keys (e.g. Google Maps)?
Restrict by referer/origin. Google Maps key bound to *.example.com — attacker domain useless. Not 100% protection but raises bar.
How to enable debug logging only for one IP?
events { debug_connection 1.2.3.4; } in nginx.conf — debug only for this client.
Real IP through proxy?
Configure
set_real_ip_from 10.0.0.0/8; + real_ip_header X-Forwarded-For; — nginx will show client IP instead of proxy.
How to check backend health from nginx?
nginx_upstream_check_module (patch for OSS nginx). Or plain passive health checks via max_fails=3 fail_timeout=30s.
Best tool for debug traffic?
tcpdump on server → capture traffic, analyze in Wireshark. Or DevTools Network tab for client-side.
Is Cloudflare really free?
Yes, unlimited bandwidth, 100k req/s, DDoS protection, SSL. Paid adds: more rules, advanced WAF, analytics depth, prioritization.
Is origin still accessible directly?
Yes if IP is known. Hide via Cloudflare Tunnel (cloudflared) — no public IP needed. Or firewall whitelist CF IPs only.
Works in Russia?
Cloudflare is reachable, but there may be routing issues with Tier-2 ISPs. For primary RU audience — Yandex Cloud CDN may be faster.
How to purge cache?
Dashboard → Caching → Purge Cache → all files or specific URLs. API tool:
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/purge_cache" -H "Authorization: Bearer TOKEN" -d '{"purge_everything":true}'
Why wildcard if I can issue a cert per subdomain?
Wildcard is convenient for dynamic subdomains (auto-created). For a fixed set — individual certs are simpler (better revocation granularity).
From: How to Get a Let's Encrypt Wildcard Certificate — 2026
Multi-level wildcard (*.*.example.com)?
No — Let's Encrypt supports only single-level (*.example.com). Deeper levels need a separate cert.
From: How to Get a Let's Encrypt Wildcard Certificate — 2026
Is a wildcard safe?
If the private key is safe — yes. On compromise, the attacker reaches every subdomain at once. 90-day rotation (automatic) reduces risk.
From: How to Get a Let's Encrypt Wildcard Certificate — 2026
Wildcard + SAN for apex?
Yes:
-d "*.example.com" -d example.com creates a cert with SAN = [*.example.com, example.com]. Common practice. From: How to Get a Let's Encrypt Wildcard Certificate — 2026
ed25519 vs RSA?
ed25519 is faster, more modern, shorter (32 bytes vs 2048+ bit). RSA only for legacy clients (pre-2014).
Is port change real defence?
Security through obscurity. Blocks mass bot scanners (90% scan only :22). Does not stop targeted attack on your server.
Should I disable root entirely?
Better
PermitRootLogin prohibit-password (key-only) + sudo user. Full no — requires console access for emergencies.
How to verify security?
Enterno Security Scanner +
ssh-audit open-source tool. Plus audit auth.log for failed attempts.
Is Let's Encrypt good for production?
Yes, 100%. Google, Facebook, Cloudflare use it. Only constraint: 90 days validity (auto-renew handles that).
How to install a commercial CA cert?
Same as manual: fullchain.pem = cert + intermediate, separate privkey.pem. In nginx — ssl_certificate + ssl_certificate_key.
Certbot edits my config — safe?
Yes. Certbot keeps a backup. You can revert:
cp nginx.conf.backup nginx.conf.
How to auto-renew?
systemctl enable --now certbot.timer. Runs twice daily. Renew hook:
--deploy-hook "systemctl reload nginx".
nginx vs HAProxy vs Traefik?
nginx — proven stable, Level 7 LB. HAProxy — faster Level 4. Traefik — auto-discovery for Docker/K8s. nginx fits 90% of cases.
How to zero-downtime restart backends?
Blue-green: upstream with 2 backends, stop/start one at a time. nginx auto-routes to live.
Reverse proxy + SSL termination?
Yes — standard pattern. SSL on nginx (443), backend HTTP (3000). Backend is TLS-unaware.
Performance: does reverse proxy add latency?
Tiny. nginx adds ~0.1-0.5ms. Winning features (caching, compression) save 100-500ms.
Prometheus or InfluxDB?
Prometheus — pull model, simple setup, TSDB. InfluxDB — push model, SQL-like queries, better long-term. Prometheus wins in Kubernetes/microservices.
Retention — how long?
Default 15 days. Long-term — remote storage (Thanos, Cortex, Grafana Mimir) or Prometheus federation.
Where to configure alerts?
Alertmanager (separate service). Routes alerts to email, Slack, PagerDuty, Telegram.
vs Datadog/New Relic?
Prometheus+Grafana — self-hosted, free. Datadog — SaaS, $15+/host/mo, better UX. Pick by budget vs control.
pg_dump vs pg_basebackup?
pg_dump — logical, per-database, portable (restore on another PG version). pg_basebackup — physical, whole cluster, fast, but restore only on same PG version.
Incremental backups?
PG has no built-in incremental. Use pg_basebackup + WAL archiving (effectively incremental via WAL). Or pgBackRest.
Retention?
For compliance 30-90 days is typical. For DR 7-14 days is enough. S3 lifecycle rules auto-cleanup.
Backup verification?
pg_restore --list shows content. Real test: periodic full restore to staging + smoke tests.
Cron sends email by default — isn't that enough?
Often SMTP isn't configured on a VPS → email never lands. Heartbeat actively alerts when cron didn't start at all (host down, cron daemon stopped).
Healthchecks.io vs Enterno?
Healthchecks — open-source + SaaS free tier. Enterno — integrated with uptime/SSL/DNS monitoring in one dashboard, + RU servers.
Kubernetes CronJob — how?
Same principle:
curl PING_URL in postStart/postStop container lifecycle hook. Or a sidecar container.
Private network cron — how to ping?
Outbound HTTP is usually allowed. If not — self-hosted Healthchecks on internal network.
systemd vs pm2 / supervisord?
systemd — built-in Linux, zero deps. pm2 — specialized for Node.js (cluster, zero-downtime reload). For simple apps — systemd.
Which restart policy?
on-failure (restart on non-zero exit) — standard. always — restart even on normal exit (useful for daemons). no — manual only.
How to graceful shutdown?
TimeoutStopSec=30s — systemd waits 30 s before SIGKILL. App must handle SIGTERM and exit cleanly.
Logs get huge — rotation?
journald auto-rotates. Settings:
/etc/systemd/journald.conf → SystemMaxUse=1G, MaxRetentionSec=30d.
logrotate vs journald?
journald — built into systemd, binary format,
journalctl. logrotate — text files with compression. For apps that write to files — logrotate.
How often does it run?
cron.daily — once a day. For more frequent — hourly via /etc/logrotate.d/ and a cron entry.
Where do rotated logs go?
Same directory with .1, .2, .gz suffixes. Example: access.log → access.log.1 → access.log.2.gz.
Rotation not working — how to debug?
logrotate -d (dry-run) shows what would happen. Status: cat /var/lib/logrotate/status — last rotation time.
Cloudflare geo-blocking vs nginx?
Cloudflare: simple dashboard toggle, blocks before origin. nginx: more flexible, no CDN dependency. For critical security — both.
MaxMind vs IP2Location?
MaxMind GeoLite2 — free, good accuracy, standard. IP2Location — commercial, more details (proxy/VPN detection).
How to unblock admin from a blocked country?
Whitelist their IP BEFORE the country check. Or a separate admin.example.com without geo-block.
Which countries get blocked most?
Sanctions compliance: CU, IR, KP, SY. Security: countries with high bot activity. Business: where you have no support.
How often does Let's Encrypt renew?
Certbot auto-renew fires when <30 days to expiry. LE cert validity is 90 days → ~6 renews/year.
From: How to Rotate an SSL Certificate with Zero Downtime 2026
Do I need restart or just reload?
Reload (SIGHUP) is enough — worker processes re-init gracefully. Restart = downtime.
From: How to Rotate an SSL Certificate with Zero Downtime 2026
How to auto-reload on renew?
Certbot deploy hook:
certbot renew --deploy-hook "systemctl reload nginx" or at /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh. From: How to Rotate an SSL Certificate with Zero Downtime 2026
What if the cert expired?
Urgent renew + reload. If
certbot renew fails due to rate limits: certbot certonly --force-renewal. From: How to Rotate an SSL Certificate with Zero Downtime 2026
Is OCSP Stapling required?
Not technically, but Qualys SSL Labs docks grade to A-. Mozilla recommends. Browsers with Must-Staple cert require it.
How often does nginx refetch OCSP?
nginx caches the response for several hours (not directly tunable, depends on OCSP response cache control).
Does Let's Encrypt support OCSP?
Yes, fully. Their responder ocsp.int-x3.letsencrypt.org runs 24/7.
How do I verify stapling works?
Enterno SSL → TLS section → "OCSP Stapling: Active" +
openssl s_client -status.
How much better is Brotli than gzip?
For text (HTML/CSS/JS): 15-25% smaller at the same CPU. For binaries (already compressed) — minimal.
Does Brotli work over HTTPS?
Yes; clients don't send Accept-Encoding: br over plain HTTP. Modern sites are all HTTPS.
Client compatibility?
Chrome 50+, Firefox 44+, Safari 11+ (2017). IE no support. By 2026 coverage is 95%+.
How do I verify it works?
Enterno Speed checker shows response headers. Or DevTools → Network → Response Headers → Content-Encoding.
What is a simple request?
Simple request: GET/HEAD/POST + only standard headers (Accept, Content-Type in form/text). No preflight OPTIONS; goes through directly. Non-simple = preflight required.
Why doesn't wildcard * work with credentials?
Security spec: credentials (cookies) + wildcard = theoretically any site could steal sessions. Browsers block the combo.
How to debug CORS?
DevTools → Network → red request → Headers. Console shows "CORS policy: ..." with the cause. Enterno CORS checker simulates different Origin headers.
Check CORS online?
Enterno CORS checker — enter URL + Origin → see returned headers.
Nonce vs hash — which?
Nonce — for dynamic HTML (per request). Hash — for static inline script (unchanged). In practice nonce + strict-dynamic covers 95% of cases.
From: How to Configure CSP with Nonce — Remove unsafe-inline
What is strict-dynamic?
CSP3 directive: any script loaded via nonce/hash-script automatically inherits trust. Simplifies GTM/Analytics integration.
From: How to Configure CSP with Nonce — Remove unsafe-inline
Does CSP work in IE?
IE 11 supports CSP 1 (basic). Nonce arrived in CSP 2 — no IE. Acceptable in 2026.
From: How to Configure CSP with Nonce — Remove unsafe-inline
How do I check my CSP?
Enterno CSP Analyzer → enter URL → grade + directive breakdown.
From: How to Configure CSP with Nonce — Remove unsafe-inline
How to decrypt a Wireshark capture?
Run browser with
SSLKEYLOGFILE=/tmp/sslkeys.log. In Wireshark → Edit → Preferences → TLS → (Pre)-Master-Secret log → /tmp/sslkeys.log.
openssl shows old cipher — normal?
Yes, server offers in preference order. Negotiated cipher is in the "Cipher: XXX" line.
How to check OCSP stapling?
openssl s_client -status -connect example.com:443 &1 | grep "OCSP Response". Should be "OCSP Response Status: successful".
How to see TLS version in browser?
DevTools → Security tab → Connection. Or
chrome://net-internals/#ssl.
What is usually the LCP element?
Stats: hero image (55%), H1+intro paragraph (30%), hero video (10%), other (5%). Identify via DevTools.
Why is mobile LCP 2× worse than desktop?
Slow mobile networks (LTE-4G), weaker CPU (JS parse), smaller batch sizes. Fix: mobile-first + responsive images + lazy non-critical.
INP vs LCP — which matters more?
Both are Core Web Vitals. LCP — render, INP — responsiveness. Google factors both into ranking.
How to test LCP?
Enterno Speed shows field data from CrUX (real users) + lab data. Plus our CWV benchmark.
Cloudflare or Yandex Cloud CDN?
Cloudflare: global coverage, free, but not every Russian ISP routes optimally. Yandex: tier-1 RU coverage + compliance, paid from 0.5₽/GB.
How much does CDN speed up the site?
International client TTFB: 300-800ms → 50-150ms. LCP: 10-40% improvement depending on content.
How to purge CDN cache?
Cloudflare: Dashboard → Caching → Purge Cache (all or by URL). AWS: Invalidation in CloudFront console. Yandex: Prefetch/Purge API.
Does a CDN help SEO?
Yes. Google uses TTFB + Core Web Vitals. Fast CDN → better CWV → +10-20% visibility.
Does Fail2Ban block IPv6?
Yes, if your iptables/nftables v6 support is enabled.
fail2ban-client status shows mixed v4/v6 bans.
Will it block legitimate users?
Theoretically yes if maxretry is low. Mitigation: sensible maxretry (3-5), bantime not too long (1-24 h), ignoreip for known IPs.
Fail2Ban replacement?
CrowdSec — modern alternative with community threat feed. Fail2Ban still simpler for single-server setups.
How to monitor banned IPs?
fail2ban-client status [jail] or parse /var/log/fail2ban.log. For Enterno Security Scanner shows security posture.
OAuth 2.0 vs OpenID Connect?
OAuth 2.0 — authorization only. OpenID Connect — identity layer atop OAuth, returns an
id_token (JWT) with user claims.
Is Implicit flow still used?
No, deprecated since 2019. Always Authorization Code + PKCE for SPA/mobile.
Where to store the refresh token?
Server-side (session/database). Never in localStorage/JS-accessible cookies. Only httpOnly cookie or server storage.
How to test an OAuth flow?
postmaster.google.com → OAuth 2.0 Playground. Or Enterno JWT decoder to inspect the access_token.
When does the browser do preflight?
Non-simple request. Simple: GET/HEAD/POST + only standard headers. Any custom header, PUT/DELETE/PATCH, Content-Type not in whitelist → preflight.
Preflight is slower — how to speed up?
Access-Control-Max-Age: 86400 caches preflight for 24h. Browser won't repeat OPTIONS per request.
Django DRF + JWT — does preflight need Authorization?
Yes. JWT in Authorization header → custom header → preflight required. DRF-cors settings must include "authorization".
How to test?
Enterno CORS checker → URL + Origin → see preflight response + headers.
What is the difference between ~all and -all?
~all (softfail) marks mail as suspicious but may still deliver. -all (hardfail) rejects it. Start with ~all, switch to -all after 1-2 clean weeks.
Do I need SPF if I have DKIM?
Yes — they are different mechanisms. SPF verifies the sender IP, DKIM signs content. DMARC requires at least one to align. Configure both.
Can I use multiple includes?
Yes, as long as you do not exceed 10 total DNS lookups (including nested).
How do I see my current SPF?
Via Enterno DNS Checker — enter domain, pick TXT, view all TXT including SPF. Or:
dig TXT example.com.
Do I need DKIM if I have SPF?
Yes. DMARC requires SPF OR DKIM to align. When the domain sends via a forwarder SPF often breaks while DKIM survives. Configure both.
What is a selector?
A label that lets you run multiple DKIM keys in parallel (e.g. one for marketing, one for transactional). DNS record name is
selector._domainkey.domain.
How do I inspect someone else's DKIM?
Read the
DKIM-Signature: d=sender.com; s=selector header. Or use Enterno DKIM Checker.
Can I have multiple DKIM selectors?
Yes. Each service (Mailgun, SendGrid, your SMTP) can use its own selector. That is normal.
Is HTTP/2 always faster than HTTP/1.1?
No. On sites with a single large JS bundle the difference is tiny. On sites with many resources (CSS + many images + fonts) HTTP/2 yields a 10-30% gain from multiplexing.
Do I need to change code?
No. HTTP/2 is a transport change, the API is identical. Just drop legacy optimisations (domain sharding, inline critical CSS blocks) — they hurt HTTP/2.
Is HTTP/3 ready?
Yes, with nginx 1.25 (March 2023) stable. Or via Cloudflare automatically. Biggest gains on mobile networks. See our HTTP/3 adoption research.
How do I verify HTTP/2 actually works?
Difference between active and passive mixed content?
Active — scripts, iframes, stylesheets, XHR — can execute code with the HTTPS page's privileges. Chrome blocks entirely. Passive — images, audio, video — only displayed. Warning but not blocked.
Can I disable the block?
Per-site in Chrome: Settings → Privacy → Site settings → Insecure content → Allowed for specific site. Dangerous in production — use only for dev.
Does upgrade-insecure-requests work everywhere?
Chrome 43+, Firefox 42+, Safari 10.1+. IE does not support it, but modern browsers cover 98% of traffic.
How do I prevent mixed content in new articles?
CMS plugin for auto-replace on save (WordPress: Really Simple SSL), Git pre-commit hook for content, CSP-report monitoring in production.
What is the "ad" flag in dig?
Authenticated Data — the resolver's flag. If set, the resolver validated the signature and it is correct.
Do I need DNSSEC if I have HTTPS?
Yes. HTTPS protects transit, DNSSEC protects name resolution. Without DNSSEC an attacker can forge the IP → you land on their HTTPS site with their cert → no protection.
Why does DNSSEC validate on some resolvers but not others?
Not every resolver validates. Unbound, BIND, PowerDNS — yes. dnsmasq (home routers) — often no. Test via 1.1.1.1.
DNSSEC adoption in Runet
Only 4.1% of .ru domains. See the Enterno research.
Do I need a CSR for Let's Encrypt?
No. Let's Encrypt uses the ACME protocol — certbot generates the key and CSR automatically. Just run
certbot --nginx -d example.com.
What is SAN?
Subject Alternative Names — an X.509 extension that lets one cert cover multiple domains. Modern browsers ignore CN in favor of SAN. Always include the domain in SAN.
DV vs OV vs EV?
DV (Domain Validation) — only ownership check (Let's Encrypt). OV (Organization Validation) — + legal entity verification. EV (Extended Validation) — + in-depth review, green address bar (deprecated in browsers 2019+).
Can I reuse a CSR?
Yes, you can reuse the same CSR (same key) on renewal. Rotating the key is the safer practice.
www or non-www — which is better for SEO?
Doesn't matter — pick ONE canonical and use it consistently. Google and Yandex have long treated both equally.
Do I need a cert on www if the redirect is instant?
Yes. The client first establishes TLS with www.example.com — the cert must be valid. Only then does the server return 301.
Difference between 301 and 308?
301 — permanent, allows method change POST→GET. 308 — same but preserves method. For www→non-www use 301 — universally supported.
How do I test for redirect loops?
Enterno Redirects Checker shows the chain and warns on loops. Or
curl -I -L (follows redirects) — more than 10 hops = problem.
Difference between max-age and s-maxage?
max-age — TTL for private caches (browser). s-maxage — TTL for shared caches (CDN, proxy). If both are set — each cache uses its own.
What is immutable?
A Cache-Control directive: "this resource will never change". The browser skips revalidation (If-None-Match) even on reload. Important for hash-based assets.
Do I need ETag if I have Cache-Control?
Yes. Cache-Control says "cache is valid for N seconds". ETag is used at expiry for 304 Not Modified (conditional requests). They complement each other.
How do I inspect my site's cache strategy?
Enterno HTTP Checker → enter URL → Cache section shows Cache-Control, ETag, Age, max-age.
What are rua and ruf?
rua — aggregate reports (daily stats from Gmail/Yandex). ruf — forensic reports (individual failed messages, optional). rua is enough for 99% of cases.
Does a small site need DMARC?
Yes. Even a parked domain (no mail) should have DMARC, otherwise an attacker can spoof your name in phishing.
How do I read an aggregate report?
It is XML. Services like dmarcian.com, dmarcanalyzer.com, postmaster.google.com parse and visualise it — free tiers are usually enough.
How long before switching to reject?
Minimum 2 weeks of p=none monitoring. Optimal: 4 weeks p=none → 2 weeks p=quarantine pct=25 → 2 weeks pct=100 → p=reject. About 2 months total.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Signup required?
No for quick check. For continuous monitoring — free account.
Is signup required?
For a quick check (1-2 requests/min) — no. For continuous monitoring — free account. No credit card.
Is this free?
Yes. Enterno.io Scout is a forever-free plan with 5 monitors. All basic tools without signup.
Is signup required?
For a quick check (1-2 requests/min) — no. For continuous monitoring — free account. No credit card.
Is this free?
Yes. Enterno.io Scout is a forever-free plan with 5 monitors. All basic tools without signup.
Is signup required?
For a quick check (1-2 requests/min) — no. For continuous monitoring — free account. No credit card.
Is this free?
Yes. Enterno.io Scout is a forever-free plan with 5 monitors. All basic tools without signup.
Is signup required?
For a quick check (1-2 requests/min) — no. For continuous monitoring — free account. No credit card.
Is this free?
Yes. Enterno.io Scout is a forever-free plan with 5 monitors. All basic tools without signup.
Is signup required?
For a quick check (1-2 requests/min) — no. For continuous monitoring — free account. No credit card.
Is this free?
Yes. Enterno.io Scout is a forever-free plan with 5 monitors. All basic tools without signup.
SSL errors (255)
Quick way to check the chain?
curl -v https://host 2>&1 | grep -i "issuer\|depth\|ssl". Or enterno.io/ssl — shows intermediate + leaf.
From: Trust anchor for certification path not found (Android)
LE on Android < 7?
ISRG Root X1 cross-signed via DST Root CA X3. Expired 30 Sep 2021, LE resumed cross-sign — works until 2025+.
From: Trust anchor for certification path not found (Android)
App-level vs system-level?
network_security_config — per-app (API 24+). Device-wide — needs rooted device + push CA to /system/etc/security/cacerts/.
From: Trust anchor for certification path not found (Android)
Reboot required?
Yes — Schannel changes only apply after restart. No reboot, no change.
From: Schannel 0x80072f7d — Security channel error (Windows)
Does it affect .NET apps?
.NET 4.5+ uses Schannel — yes. Set ServicePointManager.SecurityProtocol in code or enable at the OS level.
From: Schannel 0x80072f7d — Security channel error (Windows)
Windows XP?
SHA-2 + TLS 1.2 via SP3 + KB3140245, but end-of-life. Strongly recommend upgrading.
From: Schannel 0x80072f7d — Security channel error (Windows)
How to avoid editing the system cacerts?
Copy into an app-specific jks + -Djavax.net.ssl.trustStore. JDK updates won't reset it.
From: sun.security.validator.ValidatorException: PKIX path building failed
Self-signed dev/test?
For dev: a TrustManager that accepts everything. Never ship that in prod code.
From: sun.security.validator.ValidatorException: PKIX path building failed
Maven / Gradle?
-Djavax.net.ssl.trustStore in MAVEN_OPTS / GRADLE_OPTS, or in the build files.
From: sun.security.validator.ValidatorException: PKIX path building failed
Why OCSP stapling at all?
Without stapling the client contacts OCSP itself → privacy leak + latency. Stapling = server pre-fetches and embeds it in the handshake.
Can I disable OCSP?
Firefox — yes (security.OCSP.enabled=0 in about:config), but bad practice. Fix the server instead.
Firefox-only?
Chrome dropped hard OCSP enforcement long ago (CRLSets). Firefox is stricter. Safari — OCSP via Apple Sectigo.
Alpine Docker — safe?
Yes if you add ca-certificates. Scratch — you need to copy the bundle from a builder image.
CI / CD?
Images like alpine:latest usually ship ca-certificates. gcr.io/distroless/base too. Check your Dockerfile.
Self-signed?
Either --cacert pointing at the self-signed CA, or import into the system bundle via update-ca-certificates.
macOS fresh install — why?
The Python.org installer ships certifi, but the system trust store is separate. Running Install Certificates.command links the bundle.
From: Python ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED
Behind corporate VPN?
Export REQUESTS_CA_BUNDLE to the corporate root CA. IT usually provides the file.
From: Python ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED
Is verify=False OK?
Debug only in dev. In prod = MITM vulnerability. Use httpbin.org with self-signed + a local CA in trust.
From: Python ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED
Is QUIC mandatory in 2026?
No, HTTP/2 remains a universal fallback. QUIC adoption ~25% of Chrome traffic on HTTP/3-enabled sites.
Detect client-side?
chrome://net-internals/#quic shows active QUIC sessions. chrome://flags/#enable-quic toggle.
MTU fix?
nginx:
listen 443 quic; quic_gso on;. Some CDNs (Cloudflare) handle it automatically.
Monitor QUIC endpoint?
Enterno SSL checker detects Alt-Svc. For full QUIC testing — h2load, quiche-client.
Is QUIC slower than HTTP/2 on bad networks?
Paradox: QUIC designed for fast handshake (0-RTT), but on packet loss UDP retransmission is manual (vs TCP kernel). At 5% loss QUIC ~= TCP. >10% — TCP wins.
Server-side tuning?
nginx 1.25+ with QUIC:
quic_gso on; quic_retry on; for better performance.
How to measure adoption?
Cloudflare Analytics shows HTTP/3 share. Typical 2026: 15-30% desktop, 5-15% mobile.
Monitor uptime?
Enterno HTTP checker tests standard HTTP. For QUIC — specialized testing (h3i, curl --http3).
TLS 1.2 in QUIC possible?
No. QUIC v1 (RFC 9000) mandates TLS 1.3. If no TLS 1.3 on server — QUIC impossible.
Are draft QUIC versions deprecated?
Yes, draft-29, draft-33 deprecated in 2022. Chrome v105+ supports only final QUIC v1. Server must upgrade.
Does curl --http3 need a special build?
curl 7.66+ with ngtcp2 and quiche backends. Fedora/Arch — included. macOS brew:
brew install curl --HEAD.
Wireshark QUIC?
Wireshark 3.5+ decodes QUIC if TLS keys exported (SSLKEYLOGFILE env). Essential for debugging.
HPACK vs QPACK?
HPACK — HTTP/2 (TCP). QPACK — HTTP/3 (QUIC/UDP). QPACK handles out-of-order delivery, allows concurrent headers.
Debug HPACK?
Wireshark + SSLKEYLOGFILE. Or
nghttp2 CLI tools to analyze frames.
CDN side?
Cloudflare support ticket with request id + date. Akamai — similar support path. Check status page.
HTTP/2 vs HTTP/3?
HTTP/2: TCP, HPACK, head-of-line blocking. HTTP/3: QUIC/UDP, QPACK, stream multiplexing without HoL.
Is SNI mandatory in 2026?
Yes. All modern browsers send SNI. Server without SNI support = legacy, fails with multiple HTTPS vhosts.
Default vhost fallback?
nginx:
server_name _; matches undefined hosts. But cert must still match SNI (otherwise UNRECOGNIZED_NAME).
Encrypted SNI (ECH)?
ECH (RFC 9460) encrypts SNI in TLS 1.3. Cloudflare supports 2023+, Chrome partial. Does not cause this error — server-side config is target.
Monitor cert match?
Enterno SSL checker validates cert-vs-hostname. Scheduled monitors alert on mismatch.
PEM vs DER?
PEM: text-based base64 (-----BEGIN CERTIFICATE-----). DER: binary ASN.1. nginx reads PEM, Java stacks — DER.
fullchain.pem format?
Sequential PEM-encoded certs (leaf, intermediate, optional root). Files separated by -----END-BEGIN-----.
Custom extensions?
EV certs have qcStatements (eIDAS), Microsoft CA — specific OIDs. Some libraries (old OpenSSL) cannot parse these.
Monitor cert validity?
Enterno SSL daily monitor + email/Telegram alert 14d before expiry.
ECH adoption 2026?
Cloudflare ECH enabled on millions of sites (default if HTTPS RR present). Chrome 115+ supports. Firefox 118+. Safari 17+.
Why ECH?
Traditional TLS leaks SNI (domain) to middleboxes. ECH hides SNI — privacy for https://adult-site or https://politicsafe.
Blocked by governments?
Some countries (Russia, China) block or filter ECH traffic. If domain blocked — ECH helps only partially.
How to test ECH?
browsers.cloudflare.com/ech — online test.
curl --ech in future.
DoH vs Do53?
DoH (DNS-over-HTTPS): queries over HTTP/2 to resolver. Do53: classic UDP 53. DoH encrypted, private; but middleboxes may interfere.
DNSSEC debug?
dig +dnssec domain. If AD flag set = validated. Otherwise — chain broken somewhere.
Chrome Secure DNS list?
Settings → Security → advanced. Providers: automatic, Cloudflare, Google, Quad9, NextDNS, CleanBrowsing.
Monitor DNS?
Enterno DNS checks records + DNSSEC validation chain. Scheduled monitors alert on DNS changes.
How to reproduce?
curl -v to the site → shows partial response + error. Compare with browser dev tools Network tab.
Content-Length mismatch?
PHP outputs content, but echo between header() calls flushes buffer — headers already sent. Use output buffering: ob_start() + ob_end_flush().
Chunked encoding bugs?
Legacy app servers (IIS, Node cluster bugs) can send invalid chunks. Workaround: force Transfer-Encoding off with explicit Content-Length.
Monitor HTTP integrity?
Enterno HTTP checker detects 502/partial responses. Scheduled monitor alerts on first fail.
Streaming vs buffered?
Streaming: chunked encoding, content flushed as generated. Buffered: full response sent in one chunk with Content-Length.
LLM-specific?
OpenAI/Anthropic streaming sends many tiny chunks. Each chunk = HTTP chunk. Connection idle timeouts on proxy kill long streams.
SSE and chunked?
SSE uses chunked encoding. Connection lasts minutes — proxy timeouts critical. Nginx:
proxy_buffering off; for streaming endpoints.
Reproduce?
curl -N https://stream-endpoint — verify if it gets full response. If prematurely cut — backend issue.
Allow self-signed in dev?
Info.plist → NSAppTransportSecurity → NSExceptionDomains → your-dev-domain → NSExceptionAllowsInsecureHTTPLoads=YES. Debug builds only.
From: NSURLErrorServerCertificateUntrusted (-1202) — iOS/macOS
Certificate pinning best practice?
SHA-256 cert hash or SPKI pin. Rotate with the cert, validate on every build.
From: NSURLErrorServerCertificateUntrusted (-1202) — iOS/macOS
iOS ignores self-signed?
Yes, Foundation by default. Needs a custom trust eval via URLSessionDelegate.
From: NSURLErrorServerCertificateUntrusted (-1202) — iOS/macOS
ATS requirements 2026?
TLS 1.2+, ECDHE forward secrecy, AES-128-GCM+, SHA-256 signature. Cert with SAN (mandatory).
From: NSURLErrorServerCertificateUntrusted (-1202) — iOS/macOS
What is Logjam?
2015 attack: precomputed 1024-bit DH group enables MITM at ~$100k (state actor). All major browsers reject < 1024 bit.
Is 4096-bit better than 2048?
More CPU cost for marginal gain (NIST SP 800-131A: 2048 secure through 2030+). 2048 is the recommended baseline.
ECDHE replaces DHE?
Yes, ECDHE P-256 is faster + secure. Modern TLS configs use ECDHE only and drop DHE entirely.
Reissue cert?
No, Logjam fix is server TLS config, the cert itself is unchanged.
Key Usage vs EKU?
Key Usage — primary: what the cert can do cryptographically (sign, encrypt). EKU — constraining: for which applications it is allowed (server auth, client auth, email, code signing).
Minimum set for HTTPS?
RSA: KU=digitalSignature,keyEncipherment + EKU=serverAuth. ECDSA: KU=digitalSignature + EKU=serverAuth.
Adjust private CA?
Yes. In OpenSSL config:
keyUsage=digitalSignature,keyEncipherment + extendedKeyUsage=serverAuth.
Is Firefox stricter than Chrome?
Firefox historically stricter on KU validation. Chrome also checks but sometimes warns less loudly.
ISRG Root X1 in 2026?
Active. 2021 → 2035. Cross-signed the old DST Root (expired 2024), but X1 self-trust in 99% of modern stacks.
nginx fullchain vs cert+chain?
Fullchain includes intermediate. nginx does not fetch intermediate automatically; it ships only the leaf cert → Firefox fails validation.
NSS trust store vs OS?
Firefox uses NSS (separate from OS), ~420 roots. Chrome uses OS trust (Windows/macOS) or the Chrome Root Store.
Private CA setup?
OpenSSL ca.cnf + valid extensions. Import .crt via about:preferences#privacy → View Certificates → Import.
Captive portal — how to tell?
From hotel/cafe Wi-Fi — yes. Try mobile hotspot. Error gone → captive portal. Usually a 302 redirect over HTTP.
nginx "listen 443" without ssl?
Fatal config error. nginx serves plain HTTP on 443, client sends TLS, server answers plain HTTP → garbage bytes.
MITM detection?
Cert pinning / HPKP (deprecated) / DANE. Or compare cert fingerprint:
openssl s_client | openssl x509 -fingerprint.
TLS record types?
ChangeCipherSpec(20), Alert(21), Handshake(22), ApplicationData(23), Heartbeat(24). Anything else is malformed.
What is Must-Staple?
A cert extension telling the client: "I expect a stapled OCSP response in the handshake". Missing → cert invalid, even if OCSP responder times out.
Does my CA set Must-Staple?
Let's Encrypt — no by default. DigiCert — optional. Became rare 2024+ because CA-level OCSP turned reliable.
Always enable stapling?
Yes, good practice. Reduces RTT, improves privacy (client does not contact CA directly).
How to verify?
Enterno SSL shows OCSP stapling status in report.
OCSP vs CRL?
OCSP — real-time status check, CRL — list of revoked. OCSP faster (one cert), CRL — all revoked at once. Modern — OCSP stapling.
Short-lived certs killing OCSP?
Let's Encrypt 90d, then 6d (2026+). Cert shorter than CRL refresh — OCSP not needed. Industry trend.
Does Chrome disable OCSP?
By default yes, since 2012 (too slow, privacy). Stapling works, raw OCSP calls do not.
Why this error now?
Usually a single-client issue: stale local cache. Clear Chrome SSL state: chrome://net-internals/#hsts → Delete domain.
Why generic?
Chrome cannot always narrowly classify. If cert has several issues simultaneously — generic.
Log for analysis?
chrome://net-export/ → Capture → Export JSON. Opaque for non-experts but reports the issue precisely.
Quick diagnosis?
SSLLabs or Enterno SSL Checker. Give specific reason + suggest fix.
Self-signed = ERR_CERT_INVALID?
Usually ERR_CERT_AUTHORITY_INVALID. Generic _INVALID is rarer.
Is renegotiation deprecated?
Secure renegotiation (RFC 5746) ok. Insecure renegotiation — CVE-2009-3555. TLS 1.3 removed renegotiation entirely and replaced it with post-handshake auth.
HTTP/2 + client auth?
HTTP/2 does not support renegotiation → separate subdomain for client auth is the modern approach.
Firefox workaround?
Disable TLS 1.3: security.tls.version.max=3 in about:config. NOT recommended.
OpenSSL config?
ssl_protocols TLSv1.2 TLSv1.3; + apply client auth on TLS 1.3 only.
What does critical mean?
RFC 5280: if the extension is critical, the client must process it. Otherwise reject the cert (for safety).
Is Chrome strict?
Chrome is more lenient with unknown extensions (if non-critical). Critical — reject too.
Which extensions are usually critical?
BasicConstraints, KeyUsage, NameConstraints. Custom Policy extensions are often non-critical.
Debug cert?
https://crt.sh for public cert, or the dumpasn1 utility for binary parsing.
What is SCT?
Signed Certificate Timestamp — cryptographic proof that the cert was logged in a public CT log (Google Argon, Cloudflare Nimbus, etc). Embedded in the cert extension, presented during TLS handshake, or stapled via OCSP.
Does Let's Encrypt include SCT?
Yes, automatically since 2018. The ISRG Root X1 cert has an SCT in the embedded CT extension.
How to verify SCT?
Enterno SSL Checker shows CT compliance in its report. Or
openssl x509 -in cert.pem -text | grep -A5 "SCT List".
Compliance impact?
CT compliance required by Chrome, Safari, Edge (Firefox not yet). Browser share ~85% — without SCT you lose most users.
Difference from ERR_FAILED?
ERR_FAILED — generic without detail. ERR_HTTP_RESPONSE_CODE_FAILURE — HTTP-status problem with a traceable code.
Only on preload?
Usually yes. Preloads fire early while the resource may not be ready.
How to purge CDN?
Cloudflare: Purge by URL or full purge. AWS: create invalidation. Yandex Cloud: prefetch API.
How to check HTTP status of my resources?
Enterno HTTP Checker — batch URL check + status code + headers.
I don't need CAA — what now?
Remove all CAA records. Any CA may issue. CAA is optional — no constraints by default.
Who checks CAA?
The CA before issuance (mandatory for public CAs since 2017). Browsers do not check CAA.
Is iodef CAA mandatory?
No. iodef is an email for notifications on mis-issuance attempts. Useful but optional.
How to check CAA?
Enterno DNS → CAA type. Or
dig CAA example.com.
Do Chrome and Firefox block the same?
Yes, since 2020: TLS 1.0 + 1.1 disabled. Safari, Edge followed. TLS 1.2 is the minimum.
From: SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS Version Mismatch
How to find out which TLS my server runs?
Enterno SSL shows supported versions. Or
openssl s_client -connect host:443 -tls1_3. From: SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS Version Mismatch
Worked yesterday, broke today — what?
Usually a browser auto-update. Chrome 84+ (July 2020) enabled TLS 1.0/1.1 block by default.
From: SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS Version Mismatch
Is TLS 1.2 safe in 2026?
Yes. TLS 1.3 is better, but 1.2 is secure with proper ciphers. Both are accepted standards.
From: SSL_ERROR_PROTOCOL_VERSION_ALERT — TLS Version Mismatch
Is it actually MITM?
Possibly. If the error only appears on a specific network — check its proxy/firewall.
Safe way to test?
From a mobile hotspot or a VPN exit in another country. If it works there — problem is on the local network.
Is SHA-1 still available?
For cert signatures — no (Chrome blocks since 2017). For handshake HMAC — legacy accepted, not preferred.
Permanent fix?
Modern TLS config (1.2+1.3, GCM ciphers). Most browsers succeed.
Why strict HTTP/2 cipher requirements?
RFC 7540 prohibits vulnerable ciphers at the protocol level. Even if TLS accepted the cipher, HTTP/2 rejects it for defence-in-depth.
From: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — HTTP/2 over Weak TLS
Does HTTP/3 have the same requirements?
Similar, through QUIC. TLS 1.3 only for QUIC.
From: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — HTTP/2 over Weak TLS
Backwards compatibility?
HTTP/1.1 fallback works for old clients. But HTTP/2 — strict cipher requirements.
From: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — HTTP/2 over Weak TLS
Mozilla SSL Config Generator?
Use for correct config: ssl-config.mozilla.org. Pick Modern or Intermediate.
From: ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY — HTTP/2 over Weak TLS
OCSP vs CRL?
OCSP — query status of ONE cert in real-time. CRL — download the full list. OCSP is faster, CRL is simpler for offline validation.
Is OCSP Stapling mandatory?
For Must-Staple certs — yes. Otherwise — strongly recommended; often speeds handshake by 100-300 ms.
Does the client cache OCSP?
Yes, usually up to 7 days. A single timeout rarely repeats.
Server-side fixes?
ssl_stapling on + valid resolver. nginx fetches + caches OCSP itself.
Which TLDs currently "collide"?
.corp, .home, .mail, .office — NOT in public use but reserved by ICANN. Safer: .internal (proposed reserved), .home.arpa, .localhost.
Is this a security risk?
Yes: attacker can register a .corp domain, resolve internal names to malicious IPs, MITM.
Does Chrome specifically block?
Chrome warns, does not block. But may treat as suspicious for certain workflows.
Reserved TLDs 2026?
.internal (IETF draft), .test, .localhost, .invalid, .example — safe. Anything else — ideally check the public registry.
How long to wait for a new Let's Encrypt cert?
Immediately. Certbot auto-handles. Revocation does not affect rate limit (same 5 requests/week/domain).
Is a revoked cert cached on clients?
Yes if OCSP soft-fail. Rigorous validation (Chrome Must-Staple, Firefox) catches it. Mobile apps — up to 7-day cache.
How do I know the revocation reason?
Let's Encrypt — in email. Commercial CA — in account dashboard.
Check if it's active?
Enterno SSL checker → cert status (Active / Revoked / Expired).
How is it different from ERR_EMPTY_RESPONSE?
ERR_EMPTY_RESPONSE — server accepted connection but sent nothing. ERR_CONNECTION_RESET — the connection was torn down by an RST packet.
How do I know if it's ISP blocking?
Try via VPN. If VPN works — ISP. If it fails everywhere — server side.
Browsers show ERR_CONNECTION_RESET or ERR_CONNECTION_ABORTED — which?
ABORTED = client cancelled (redirect/close). RESET = RST packet from the other side (server/proxy/DPI).
How do I check reachability?
Enterno Ping + Port Checker — tests TCP 443 from multiple regions + monitoring.
What is the redirect limit?
Chrome: 20. Firefox: 20. Then block. Curl default: 50.
How do I inspect my chain?
Enterno Redirects Checker shows the chain + codes + timing. Or
curl -IL -w "redirects: %{num_redirects}\n" https://example.com.
Cloudflare Flexible vs Full?
Flexible: Edge↔User = HTTPS, Origin↔Edge = HTTP. Flexible + HTTPS redirect in PHP = loop. Full: both HTTPS — no loop.
Loop after HSTS preload?
If yes, the domain is HTTPS-only forever. HTTP redirect won't help. Fix only on the HTTPS side with the right target.
Which browsers blocked TLS 1.0/1.1?
Chrome 84 (July 2020), Firefox 78 (July 2020), Edge 84, Safari 14 (September 2020). By 2026 all modern browsers.
From: ERR_SSL_OBSOLETE_VERSION — Block of Outdated TLS 1.0/1.1
What if clients use old Android (API<21)?
Android < 5.0 cannot do TLS 1.2. Two options: keep a parallel subdomain with TLS 1.0 (DANGEROUS) or drop those clients. In 2026 it's <0.5% of traffic.
From: ERR_SSL_OBSOLETE_VERSION — Block of Outdated TLS 1.0/1.1
IoT device cannot reach server — disable TLS 1.2?
No. Put the device on a separate VLAN without internet and talk to it via TLS 1.0 internally, but your public site — TLS 1.2+1.3 only.
From: ERR_SSL_OBSOLETE_VERSION — Block of Outdated TLS 1.0/1.1
How do I check supported TLS?
Enterno SSL or in shell:
openssl s_client -connect example.com:443 -tls1_2. From: ERR_SSL_OBSOLETE_VERSION — Block of Outdated TLS 1.0/1.1
Why is Firefox stricter than Chrome?
Mozilla's NSS takes a more conservative stance. AES-CBC without SHA-256 — Firefox rejects since 2022, Chrome still accepts.
From: SSL_ERROR_NO_CYPHER_OVERLAP — Firefox & No Shared Ciphers
Will legacy Windows clients work?
Windows XP + Firefox — no, SHA-1 signatures blocked. Windows 7 + Firefox 78+ — OK for AES-GCM.
From: SSL_ERROR_NO_CYPHER_OVERLAP — Firefox & No Shared Ciphers
How do I test cipher matching?
openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES128-GCM-SHA256. Error = not supported. From: SSL_ERROR_NO_CYPHER_OVERLAP — Firefox & No Shared Ciphers
Switching from 3DES to AES, will I lose users?
Only IE 6/7 on XP. In 2026 statistically zero.
From: SSL_ERROR_NO_CYPHER_OVERLAP — Firefox & No Shared Ciphers
Why do cookies trigger it?
Cookies accumulate per-domain. WordPress + WooCommerce + Analytics easily hits 6-10 KB. HTTP/2 default is 8 KB.
Is HTTP/2 push a cause?
Server Push deprecated in Chrome 106+. If you have it enabled, disable — major source of HTTP/2 bugs.
ERR_HTTP2_PROTOCOL_ERROR on one page only?
Specific header or response. Open DevTools → Network → request that page → Headers tab.
How do I check HTTP/2?
Enterno SSL/TLS shows ALPN = h2. Or
curl -I --http2 https://example.com.
Why is Firefox this strict?
Mozilla pins certain root CAs and detects chain tampering. MITM on google.com is a real phishing vector.
Does Chrome show the same?
Chrome shows ERR_CERT_SYMANTEC_LEGACY or NET::ERR_CERT_AUTHORITY_INVALID marked "Pinning". Softer message.
Is a corporate proxy safe?
Depends. IT decrypts your traffic. You must trust your company's security policies and local law.
How do I know if the cert is real?
Enterno SSL checker from a clean network (not your office) — shows real CA.
What is Cross-Origin Isolation?
A mode where the page is safe from Spectre-class attacks. Required for SharedArrayBuffer, performance.measureUserAgentSpecificMemory, and high-precision timers.
When do I see this error?
DevTools → Console → "Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE". Network tab — resource highlighted red.
Are Spectre mitigations about security?
Yes. Without COOP/COEP the page cannot safely use SharedArrayBuffer — hence Chrome's restrictions.
How to test this easily?
Enterno CORS checker inspects Access-Control-* headers. + DevTools → Network → Response Headers.
How is it different from ERR_CONNECTION_REFUSED?
REFUSED = server sent RST (no listener). UNREACHABLE = IP does not respond at all (network issue).
Is the error only on my side?
Check via Enterno Ping from multiple regions. Only your network — your problem.
How long to recover?
Depends on cause. DC outage — hours. DNS propagation — 5-60 min. Hardware — more complex.
Error on mobile but not desktop?
Mobile carriers have different DNS/routing. Try 8.8.8.8 on phone.
What is the CRIME attack?
CRIME (CVE-2012-4929) — attacker measures compressed response size containing secrets (cookies, CSRF tokens). TLS compression leaked secrets via side-channel.
From: ERR_SSL_DECOMPRESSION_FAILURE_ALERT — CRIME Mitigation
Is TLS compression the same as gzip content-encoding?
No. TLS compression is transport-layer. gzip is application-layer. gzip is safe.
From: ERR_SSL_DECOMPRESSION_FAILURE_ALERT — CRIME Mitigation
In which TLS version is compression?
TLS 1.0-1.2 — optional. TLS 1.3 — removed entirely. Never in TLS 1.3.
From: ERR_SSL_DECOMPRESSION_FAILURE_ALERT — CRIME Mitigation
How to check compression is off?
Enterno SSL — negotiated TLS 1.3 guarantees no compression.
From: ERR_SSL_DECOMPRESSION_FAILURE_ALERT — CRIME Mitigation
What is TLS renegotiation?
A process during an active TLS session where parties renegotiate keys/cipher/auth without tearing down the connection. TLS 1.3 replaced it with post-handshake auth.
From: ERR_SSL_RENEGOTIATION_NOT_SUPPORTED — TLS Renegotiation
Why was renegotiation removed?
Vulnerable to attack (CVE-2009-3555 renegotiation MITM). TLS 1.3 uses KeyUpdate and post-handshake auth — safer replacement.
From: ERR_SSL_RENEGOTIATION_NOT_SUPPORTED — TLS Renegotiation
How to set up mTLS in 2026?
For TLS 1.3: server sends CertificateRequest in handshake, client answers. No renegotiation. Nginx supports.
From: ERR_SSL_RENEGOTIATION_NOT_SUPPORTED — TLS Renegotiation
Legacy Java client — what to do?
Upgrade to Java 17+ (TLS 1.3 support). Or keep TLS 1.2 for this endpoint + set up mTLS correctly.
From: ERR_SSL_RENEGOTIATION_NOT_SUPPORTED — TLS Renegotiation
How do I check what TLS the server supports?
Use Enterno.io SSL Checker or on the shell:
openssl s_client -connect example.com:443 -tls1_2. If it errors — TLS 1.2 is not supported.
Can I bypass the error via Chrome flags?
No safe way. Enabling TLS 1.0/1.1 in Chrome is not supported since 2020. Fix the server.
What if the server is managed by the hosting provider?
Contact hosting support — ask them to enable TLS 1.2+1.3 and disable SSLv3/TLS 1.0/1.1. Serious hosts do it in 1–2 hours.
Why does SNI matter here?
SNI (Server Name Indication) tells the server which domain was requested so it returns the right certificate. Without SNI the server sends the default cert, often with the wrong name → mismatch.
Why does Chrome work but Firefox does not?
Chrome and Firefox ship different trusted-CA lists. Chrome since 2023 ships its own chrome-root-store. If your CA is only in the Chrome store — Firefox shows SEC_ERROR_UNKNOWN_ISSUER.
How do I bypass the error temporarily?
Click "Advanced → Accept the Risk and Continue". Works only for ad-hoc visits. Not recommended for production sites.
What is the Mozilla CA Certificate Program?
The public list of CAs Firefox trusts. ~150 CAs. Getting in takes 1–2 years and requires a WebTrust audit.
Is Let's Encrypt in Firefox?
Yes. Cross-signed via ISRG Root X1, which is in the Mozilla store. Works in every modern Firefox.
Why did Apple/Google/Mozilla cap the validity?
Shorter certs force more frequent reissuance → lower key-compromise risk and faster retirement of vulnerable certs.
From: ERR_CERT_VALIDITY_TOO_LONG — Certificate Valid > 398 Days
Why exactly 398 days?
That is 13 months + renewal buffer. Apple introduced the cap in 2020: max 398 days. Google and Mozilla followed.
From: ERR_CERT_VALIDITY_TOO_LONG — Certificate Valid > 398 Days
Can I bypass it with Chrome flags?
No. This is a built-in safetynet policy, not toggleable.
From: ERR_CERT_VALIDITY_TOO_LONG — Certificate Valid > 398 Days
Let's Encrypt's 90 days is annoying, alternatives?
ZeroSSL, Buypass — free alternatives with 90-day certs. Commercial (DigiCert, Sectigo) — 1 year. All ≤ 398 days.
From: ERR_CERT_VALIDITY_TOO_LONG — Certificate Valid > 398 Days
What is SNI and why is it needed?
Server Name Indication — a TLS extension that lets one IP serve multiple HTTPS sites. The client tells the server which domain it is connecting to before the handshake.
From: ERR_SSL_UNRECOGNIZED_NAME_ALERT — SNI Mismatch in Chrome
Does it work without SNI?
Only on a server with a single certificate for a single domain (or a wildcard). On shared hosting without SNI — impossible.
From: ERR_SSL_UNRECOGNIZED_NAME_ALERT — SNI Mismatch in Chrome
Is unrecognized_name a fatal or warning alert?
Per RFC 6066 it is a warning. Old clients may ignore it; Chrome treats it as fatal and blocks.
From: ERR_SSL_UNRECOGNIZED_NAME_ALERT — SNI Mismatch in Chrome
How do I test SNI?
On the shell:
openssl s_client -connect IP:443 -servername example.com. Without -servername (SNI) you will see alert 112. From: ERR_SSL_UNRECOGNIZED_NAME_ALERT — SNI Mismatch in Chrome
How is it different from ERR_CONNECTION_REFUSED?
Refused — TCP connect failed (no listener). Empty — connection established but reply is empty. The cause is deeper: the worker died after accept().
From: ERR_EMPTY_RESPONSE — Server Did Not Reply. Causes & Fix
Only happens on POST requests — why?
Large POST bodies exceed nginx
client_max_body_size or PHP post_max_size. PHP-FPM rejects, nginx drops the connection → empty response. From: ERR_EMPTY_RESPONSE — Server Did Not Reply. Causes & Fix
How can I catch the exact moment of failure?
Enable nginx
access_log with $upstream_response_time and $upstream_status. An empty upstream_status with a timestamp is the moment. From: ERR_EMPTY_RESPONSE — Server Did Not Reply. Causes & Fix
Does restarting help?
Temporarily, yes. The problem returns. Find the root cause in the logs.
From: ERR_EMPTY_RESPONSE — Server Did Not Reply. Causes & Fix
What is a MAC in TLS?
Message Authentication Code — a cryptographic hash embedded in every TLS record. It verifies data integrity in transit. Bad MAC = data was corrupted.
Is this an attack?
Usually not. Mostly hardware/software bugs. But constant bad MACs can hint at a MITM attack (very rare).
Why does AV break things?
TLS inspection decrypts traffic, injects its own cert, re-encrypts. Bugs → MAC does not match.
Only in mobile browser — why?
Mobile networks often have lower MTU (1400–1460). Desktop over WiFi — 1500. The delta → fragmentation at the TLS layer.
What is extKeyUsage?
Extended Key Usage — an X.509 extension listing what the cert is for: serverAuth, clientAuth, codeSigning, emailProtection. Browsers require serverAuth for HTTPS.
From: ERR_SSL_KEY_USAGE_INCOMPATIBLE — Cert Not for Server Auth
Why did it work before?
Old browsers did not enforce extKeyUsage strictly. Chrome 82+ requires serverAuth explicitly. A cert that worked 5 years ago is now blocked.
From: ERR_SSL_KEY_USAGE_INCOMPATIBLE — Cert Not for Server Auth
Can I add extKeyUsage to an existing cert?
No — the cert is signed by the CA. Changing its structure invalidates the signature. Only a reissue fixes it.
From: ERR_SSL_KEY_USAGE_INCOMPATIBLE — Cert Not for Server Auth
Is Let's Encrypt always fine?
Yes. All ACME certs are issued with
serverAuth,clientAuth in extKeyUsage. Universal format. From: ERR_SSL_KEY_USAGE_INCOMPATIBLE — Cert Not for Server Auth
What is HPKP and why is it deprecated?
HTTP Public Key Pinning bound a domain to specific public keys. Chrome 72+ removed support (2018) due to the risk of locking yourself out on misconfiguration.
From: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN — HPKP/Pinning
What is static pinning in Chrome?
Chrome ships built-in pins for ~50 large sites (Google, Facebook, Twitter). Not toggleable via UI. Protects against MITM on those domains.
From: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN — HPKP/Pinning
How do I fully reset Chrome state for a domain?
chrome://net-internals/#hsts → Delete domain. Also clear cookies/cache for the domain. Restart Chrome.
From: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN — HPKP/Pinning
Is Expect-CT a replacement for HPKP?
No. Expect-CT required certs in CT logs (Certificate Transparency), not pinning. Also deprecated since 2022 — CT is enforced automatically now.
From: NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN — HPKP/Pinning
What is mTLS?
Mutual TLS — two-way authentication. The server verifies the client certificate before returning a response. Used in banking, enterprise APIs, gov services.
Why did Chrome not prompt to pick a cert?
If there is a single matching cert — Chrome uses it automatically. If multiple or none — a dialog appears. Tunable in chrome://policy.
Works in Firefox, fails in Chrome — why?
Firefox has its own cert store (NSS), independent of the OS. Chrome uses the system store. Different stores → different access.
How do I import a p12 into Chrome?
chrome://settings/certificates → Your certificates → Import. Enter the p12 password. The cert appears in the list and becomes available for mTLS.
Why did Google punish Symantec?
Symantec issued thousands of mis-issued certs in 2015–2017 (including for google.com without permission). Chrome announced the distrust in 2017 and enforced it in Chrome 70 (October 2018).
DigiCert acquired Symantec — does a reissue work?
Yes. DigiCert acquired Symantec's website security business in August 2017. New certs from the DigiCert CA are valid in Chrome.
Can I bypass the error?
No Chrome flags to bypass. The only path is a cert reissue.
Does Firefox/Safari still trust the old cert?
Mozilla and Apple applied similar distrust. In 2026 it basically does not work anywhere.
Is it safe to ignore ERR_CERT_DATE_INVALID?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore ERR_SSL_PROTOCOL_ERROR?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore ERR_CERT_COMMON_NAME_INVALID?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore SSL_ERROR_BAD_CERT_DOMAIN?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore Mixed Content?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore HSTS Error?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
From: HSTS Error — How to Bypass Strict-Transport-Security [2026]
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
From: HSTS Error — How to Bypass Strict-Transport-Security [2026]
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
From: HSTS Error — How to Bypass Strict-Transport-Security [2026]
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
From: HSTS Error — How to Bypass Strict-Transport-Security [2026]
Is it safe to ignore SSL Handshake Failed?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore ERR_CERT_WEAK_SIGNATURE_ALGORITHM?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to ignore SSL_ERROR_RX_RECORD_TOO_LONG?
No. This error indicates a real SSL certificate problem. Ignoring it (via chrome://flags or "thisisunsafe") makes the connection vulnerable to man-in-the-middle attacks. Fix it on the server side.
How can I catch this error early?
Use the Enterno.io SSL/TLS checker, or set up monitoring with 14-day expiry alerts. Receive an email/Telegram notification before your users see the error.
Does clearing cookies / cache help?
Sometimes, for transient cached SSL errors. Steps: chrome://net-internals/#sockets → Flush sockets, chrome://net-internals/#hsts → Delete domain security policies (carefully, for debugging only). But if the issue is server-side, cache clearing will not help.
Is Let's Encrypt free — and is the certificate trusted?
Yes, Let's Encrypt certificates are in every modern trust store (Chrome, Firefox, Safari, Edge). 90-day validity with automatic renewal via certbot. No reason to use a paid CA for a standard website.
Is it safe to bypass NET::ERR_CERT_AUTHORITY_INVALID?
No. Chrome shows this error because it cannot verify site authenticity. Bypassing (chrome://flags or "thisisunsafe") makes your connection vulnerable to man-in-the-middle attacks. Only safe for your own dev servers.
From: NET::ERR_CERT_AUTHORITY_INVALID — How to Fix [2026 Guide]
Why does the error show only in Chrome but Firefox works?
Chrome and Firefox use different trust stores. Chrome uses its own root CA list (chrome-root-store), Firefox uses Mozilla's CA list. If your CA is in Mozilla but not Chrome, the error appears only in Chrome.
From: NET::ERR_CERT_AUTHORITY_INVALID — How to Fix [2026 Guide]
Can I fix this client-side?
If only one site shows the error — fix server-side. If all HTTPS sites error out — check system clock, update Chrome, check corporate proxy (may be inspecting certificates).
From: NET::ERR_CERT_AUTHORITY_INVALID — How to Fix [2026 Guide]
How can I check SSL chain online?
Use the Enterno.io SSL/TLS checker — enter domain, get full certificate chain, expiry, issuer and warnings. Free, no signup.
From: NET::ERR_CERT_AUTHORITY_INVALID — How to Fix [2026 Guide]
Is Let's Encrypt free — will it be trusted?
Yes. Let's Encrypt is included in all major trust stores (Chrome, Firefox, Safari, Edge). Certificates valid for 90 days with automatic renewal via certbot.
From: NET::ERR_CERT_AUTHORITY_INVALID — How to Fix [2026 Guide]
Ports (194)
MQTT vs HTTP for IoT?
MQTT: persistent connection, pub/sub, tiny header (~2 bytes). HTTP: simpler, RESTful, each request = handshake. Low-traffic, battery-powered IoT — MQTT.
MQTT 5 vs 3.1.1?
5.0 adds enhanced auth, user properties, session expiry. Adoption: AWS IoT Core 2024, Mosquitto 2, HiveMQ 4+.
Do I need a client cert?
Production — yes, mutual TLS. Plain username/password breaks once device fleet hits 10k+.
Why 8554 specifically?
Often — a user-space alternative to privileged 554. Standalone servers without root use 8554 / 8888 / 10554.
RTSP security?
Digest auth + IP whitelist. Real security — TLS tunnel (stunnel / nginx-rtmp-module) or WebRTC + SRTP.
Replace RTSP?
Browser — WebRTC or HLS. IP cameras and professional video — RTSP for another 5+ years.
Why care?
If you run industrial automation (factory, energy, water) this is a key ICS port. A leak has physical consequences (stopping a pipeline).
From: Port 502 — Modbus TCP
Safe to expose to the internet?
Never in plain-text. Either VPN or Modbus Secure (802) with TLS.
From: Port 502 — Modbus TCP
Alternative?
OPC UA (4840) — modern, secure, structured data. New projects pick it.
From: Port 502 — Modbus TCP
DNP3 vs Modbus?
DNP3 — event-driven, with prioritization and time-sync. Utility-grade. Modbus — simple poll-only.
From: Port 20000 — DNP3
Is Secure Authentication required?
US NERC CIP — yes. Elsewhere depends on regulator. Always-on TLS is 2026 best practice.
From: Port 20000 — DNP3
Open-source stack?
opendnp3 (C++), pydnp3 (Python bindings), dnp3-rs (Rust, Stepfunc).
From: Port 20000 — DNP3
BACnet vs Modbus in a building?
BACnet for HVAC + lighting + access control. Modbus for generic PLC. Often BACnet on top + Modbus on the field level.
From: Port 47808 — BACnet/IP
Exposed 47808?
Never on the public internet. Even internal — segment the VLAN, block via ACL.
From: Port 47808 — BACnet/IP
Is BACnet/SC ready?
ANSI/ASHRAE 135-2020 addendum; vendor support — Carrier, Siemens in progress. Consider it for new projects.
From: Port 47808 — BACnet/IP
Do I need to open it on a router in 2026?
Only if someone at home plays Mario Kart Wii via Wiimmfi or similar. Switch / Nintendo Online uses different ports.
Security?
Plaintext. Don't send credentials over it. For online games consider Cloudflare Tunnel / ZeroTier.
Which games used it?
Mario Kart DS/Wii, Animal Crossing Wild World, Pokémon D/P/Pt — all on the Nintendo WFC shutdown list.
Is port 2049 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 2049 in your Security Group or firewall.
How to check if port 2049 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 2049.
Is port 2049 safe to expose?
Depends on the service. NFS (Network File System) should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 5222 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 5222 in your Security Group or firewall.
How to check if port 5222 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 5222.
Is port 5222 safe to expose?
Depends on the service. XMPP Jabber (clients) should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 25565 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 25565 in your Security Group or firewall.
How to check if port 25565 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 25565.
Is port 25565 safe to expose?
Depends on the service. Minecraft Java Edition server should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 27015 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 27015 in your Security Group or firewall.
How to check if port 27015 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 27015.
Is port 27015 safe to expose?
Depends on the service. Steam Game Servers should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 19132 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 19132 in your Security Group or firewall.
How to check if port 19132 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 19132.
Is port 19132 safe to expose?
Depends on the service. Minecraft Bedrock Edition server should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 1935 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 1935 in your Security Group or firewall.
How to check if port 1935 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 1935.
Is port 1935 safe to expose?
Depends on the service. RTMP (Flash/OBS streaming) should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 7777 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 7777 in your Security Group or firewall.
From: Port 7777 (TCP/UDP) — Unreal Tournament / Terraria / Ark: Survival
How to check if port 7777 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 7777. From: Port 7777 (TCP/UDP) — Unreal Tournament / Terraria / Ark: Survival
Is port 7777 safe to expose?
Depends on the service. Unreal Tournament / Terraria / Ark: Survival should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
From: Port 7777 (TCP/UDP) — Unreal Tournament / Terraria / Ark: Survival
Is port 10000 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 10000 in your Security Group or firewall.
How to check if port 10000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 10000.
Is port 10000 safe to expose?
Depends on the service. Webmin / VPN admin should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 161 open by default?
No, modern cloud providers close all incoming ports by default. Explicitly allow 161 in your Security Group or firewall.
How to check if port 161 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 161.
Is port 161 safe to expose?
Depends on the service. SNMP (Network Monitoring) should be hardened (auth + TLS + rate limit) before public exposure. See our 2026 exposure research.
Is port 5900 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 5900 in a Security Group or firewall.
How to check if port 5900 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 5900.
Is port 5900 safe to expose?
Depends on the service. VNC Remote Desktop should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 11211 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 11211 in a Security Group or firewall.
How to check if port 11211 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 11211.
Is port 11211 safe to expose?
Depends on the service. Memcached should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 4222 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 4222 in a Security Group or firewall.
How to check if port 4222 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 4222.
Is port 4222 safe to expose?
Depends on the service. NATS Messaging should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 2375 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 2375 in a Security Group or firewall.
How to check if port 2375 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 2375.
Is port 2375 safe to expose?
Depends on the service. Docker daemon (unsecured) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 6000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 6000 in a Security Group or firewall.
How to check if port 6000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 6000.
Is port 6000 safe to expose?
Depends on the service. X Window System should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 27018 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 27018 in a Security Group or firewall.
How to check if port 27018 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 27018.
Is port 27018 safe to expose?
Depends on the service. MongoDB sharded cluster should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 50000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 50000 in a Security Group or firewall.
How to check if port 50000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 50000.
Is port 50000 safe to expose?
Depends on the service. SAP NetWeaver AS Java should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 1080 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 1080 in a Security Group or firewall.
How to check if port 1080 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 1080.
Is port 1080 safe to expose?
Depends on the service. SOCKS proxy (v4/v5) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 3128 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 3128 in a Security Group or firewall.
How to check if port 3128 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 3128.
Is port 3128 safe to expose?
Depends on the service. Squid HTTP proxy should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 2181 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 2181 in a Security Group or firewall.
How to check if port 2181 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 2181.
Is port 2181 safe to expose?
Depends on the service. Apache Zookeeper should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 7000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 7000 in a Security Group or firewall.
How to check if port 7000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 7000.
Is port 7000 safe to expose?
Depends on the service. Cassandra inter-node should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 9100 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 9100 in a Security Group or firewall.
How to check if port 9100 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 9100.
Is port 9100 safe to expose?
Depends on the service. Prometheus node_exporter should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 10250 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 10250 in a Security Group or firewall.
How to check if port 10250 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 10250.
Is port 10250 safe to expose?
Depends on the service. Kubernetes kubelet API should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 5000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 5000 in a Security Group or firewall.
How to check if port 5000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 5000.
Is port 5000 safe to expose?
Depends on the service. Docker Registry / Flask dev should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 6380 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 6380 in a Security Group or firewall.
How to check if port 6380 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 6380.
Is port 6380 safe to expose?
Depends on the service. Redis over TLS should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 4369 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 4369 in a Security Group or firewall.
How to check if port 4369 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 4369.
Is port 4369 safe to expose?
Depends on the service. Erlang Port Mapper Daemon should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 8000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 8000 in a Security Group or firewall.
How to check if port 8000 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 8000.
Is port 8000 safe to expose?
Depends on the service. Django runserver / MinIO should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 9090 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 9090 in a Security Group or firewall.
How to check if port 9090 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 9090.
Is port 9090 safe to expose?
Depends on the service. Prometheus UI + API should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 8081 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 8081 in a Security Group or firewall.
How to check if port 8081 is reachable?
Use Enterno Ping + Port Checker. Or in shell:
nc -vz example.com 8081.
Is port 8081 safe to expose?
Depends on the service. Package repos (Nexus/Artifactory) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 1883 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 1883 in a Security Group or firewall.
How to check if my port 1883 is reachable?
Is port 1883 safe to expose?
Depends on the service. MQTT IoT broker (plain) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 9092 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 9092 in a Security Group or firewall.
How to check if my port 9092 is reachable?
Is port 9092 safe to expose?
Depends on the service. Apache Kafka broker should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 5672 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 5672 in a Security Group or firewall.
How to check if my port 5672 is reachable?
Is port 5672 safe to expose?
Depends on the service. RabbitMQ AMQP protocol should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 15672 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 15672 in a Security Group or firewall.
How to check if my port 15672 is reachable?
Is port 15672 safe to expose?
Depends on the service. RabbitMQ Management UI should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 5601 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 5601 in a Security Group or firewall.
How to check if my port 5601 is reachable?
Is port 5601 safe to expose?
Depends on the service. Kibana UI (Elastic Stack) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 9000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 9000 in a Security Group or firewall.
How to check if my port 9000 is reachable?
Is port 9000 safe to expose?
Depends on the service. Portainer Docker UI / SonarQube should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 9300 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 9300 in a Security Group or firewall.
How to check if my port 9300 is reachable?
Is port 9300 safe to expose?
Depends on the service. Elasticsearch inter-node should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 8086 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 8086 in a Security Group or firewall.
How to check if my port 8086 is reachable?
Is port 8086 safe to expose?
Depends on the service. InfluxDB time-series database should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 3000 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 3000 in a Security Group or firewall.
How to check if my port 3000 is reachable?
Is port 3000 safe to expose?
Depends on the service. Grafana UI / Node.js dev should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 3478 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 3478 in a Security Group or firewall.
How to check if my port 3478 is reachable?
Is port 3478 safe to expose?
Depends on the service. STUN/TURN server (WebRTC) should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 5984 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 5984 in a Security Group or firewall.
How to check if my port 5984 is reachable?
Is port 5984 safe to expose?
Depends on the service. Apache CouchDB should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 1521 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 1521 in a Security Group or firewall.
How to check if my port 1521 is reachable?
Is port 1521 safe to expose?
Depends on the service. Oracle Database listener should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 2379 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 2379 in a Security Group or firewall.
How to check if my port 2379 is reachable?
Is port 2379 safe to expose?
Depends on the service. etcd distributed KV store should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Is port 6443 open by default?
No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 6443 in a Security Group or firewall.
How to check if my port 6443 is reachable?
Is port 6443 safe to expose?
Depends on the service. Kubernetes API server should never be exposed publicly without authentication + TLS. See our 2026 exposure research.
Why close port 123?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 139?
Every open port is a potential entry point. If the service isn't used — close it.
From: Port 139 (NetBIOS-SSN) — What It Is and Security [2026]
Why close port 389?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 445?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 554?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 636?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 1194?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 1433?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 1723?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 5060?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 9200?
Every open port is a potential entry point. If the service isn't used — close it.
From: Port 9200 (Elasticsearch) — What It Is and Security [2026]
Why close port 27017?
Every open port is a potential entry point. If the service isn't used — close it.
Why close port 21?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 21 without Enterno.io?
From a local machine:
nc -zv hostname 21 or telnet hostname 21. The online checker is simpler — from different IPs, one click.
Why close port 22?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 22 (SSH / SFTP) — What It Is and How to Check [2026]
How to check port 22 without Enterno.io?
From a local machine:
nc -zv hostname 22 or telnet hostname 22. The online checker is simpler — from different IPs, one click. From: Port 22 (SSH / SFTP) — What It Is and How to Check [2026]
Why close port 23?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 23 without Enterno.io?
From a local machine:
nc -zv hostname 23 or telnet hostname 23. The online checker is simpler — from different IPs, one click.
Why close port 25?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 25 without Enterno.io?
From a local machine:
nc -zv hostname 25 or telnet hostname 25. The online checker is simpler — from different IPs, one click.
Why close port 53?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 53 without Enterno.io?
From a local machine:
nc -zv hostname 53 or telnet hostname 53. The online checker is simpler — from different IPs, one click.
Why close port 80?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 80 without Enterno.io?
From a local machine:
nc -zv hostname 80 or telnet hostname 80. The online checker is simpler — from different IPs, one click.
Why close port 110?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 110 without Enterno.io?
From a local machine:
nc -zv hostname 110 or telnet hostname 110. The online checker is simpler — from different IPs, one click.
Why close port 143?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 143 without Enterno.io?
From a local machine:
nc -zv hostname 143 or telnet hostname 143. The online checker is simpler — from different IPs, one click.
Why close port 443?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 443 without Enterno.io?
From a local machine:
nc -zv hostname 443 or telnet hostname 443. The online checker is simpler — from different IPs, one click.
Why close port 465?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 465 without Enterno.io?
From a local machine:
nc -zv hostname 465 or telnet hostname 465. The online checker is simpler — from different IPs, one click.
Why close port 587?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 587 (SMTP submission) — What It Is and How to Check [20
How to check port 587 without Enterno.io?
From a local machine:
nc -zv hostname 587 or telnet hostname 587. The online checker is simpler — from different IPs, one click. From: Port 587 (SMTP submission) — What It Is and How to Check [20
Why close port 993?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 993 without Enterno.io?
From a local machine:
nc -zv hostname 993 or telnet hostname 993. The online checker is simpler — from different IPs, one click.
Why close port 995?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 995 without Enterno.io?
From a local machine:
nc -zv hostname 995 or telnet hostname 995. The online checker is simpler — from different IPs, one click.
Why close port 3306?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 3306 (MySQL) — What It Is and How to Check [2026]
How to check port 3306 without Enterno.io?
From a local machine:
nc -zv hostname 3306 or telnet hostname 3306. The online checker is simpler — from different IPs, one click. From: Port 3306 (MySQL) — What It Is and How to Check [2026]
Why close port 3389?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
How to check port 3389 without Enterno.io?
From a local machine:
nc -zv hostname 3389 or telnet hostname 3389. The online checker is simpler — from different IPs, one click.
Why close port 5432?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 5432 (PostgreSQL) — What It Is and How to Check [2026]
How to check port 5432 without Enterno.io?
From a local machine:
nc -zv hostname 5432 or telnet hostname 5432. The online checker is simpler — from different IPs, one click. From: Port 5432 (PostgreSQL) — What It Is and How to Check [2026]
Why close port 6379?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 6379 (Redis) — What It Is and How to Check [2026]
How to check port 6379 without Enterno.io?
From a local machine:
nc -zv hostname 6379 or telnet hostname 6379. The online checker is simpler — from different IPs, one click. From: Port 6379 (Redis) — What It Is and How to Check [2026]
Why close port 8080?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 8080 (HTTP alternate) — What It Is and How to Check [20
How to check port 8080 without Enterno.io?
From a local machine:
nc -zv hostname 8080 or telnet hostname 8080. The online checker is simpler — from different IPs, one click. From: Port 8080 (HTTP alternate) — What It Is and How to Check [20
Why close port 8443?
Every open port is an attacker's entry point. If the service is not used (or uses a different port), close it to minimise attack surface.
From: Port 8443 (HTTPS alternate) — What It Is and How to Check [2
How to check port 8443 without Enterno.io?
From a local machine:
nc -zv hostname 8443 or telnet hostname 8443. The online checker is simpler — from different IPs, one click. From: Port 8443 (HTTPS alternate) — What It Is and How to Check [2
Alternatives (285)
GitKraken free in 2026?
Yes for public/personal repos. Private repos = $49/yr pro subscription.
Fork vs GitKraken?
Fork: native (not Electron), faster, one-time purchase. GitKraken: more features, subscription.
lazygit for beginners?
No, terminal interface, keyboard-only. Beginners — GitHub Desktop or SourceTree.
Tower vs Fork?
Tower: fuller features, subscription, daily updates. Fork: free-ish, faster, smaller fleet.
macOS-only?
Windows version shipped in 2018, feature parity. Linux — none (2026).
Worth $70/yr?
If you work full-time with Git and value the rebase flow — yes. Casual use — Fork is enough.
When to stay on Mailchimp?
If you've used it for a year+ and built audiences/automations. Migration is painful.
SaaS startup — what to pick?
Loops or Customer.io — product-led, event-based automation. Mailchimp — small e-commerce / brand.
Self-hosted?
Listmonk (Go, open-source) — run the server yourself + SMTP (SES / Postmark). Saves $$$, needs DevOps.
Best for startups?
Resend (dev UX) or Postmark (inbox placement). SES — if you're already on AWS.
Is SendGrid still relevant?
For large enterprise with contractor relationships — yes. New projects — consider alternatives.
Combined marketing + transactional?
Brevo, Mailgun, Mailjet — support both. SendGrid used to run marketing campaigns but that's a separate product now.
Is HubSpot Free actually useful?
Yes for <5 users and <1000 contacts. Upsells start with sequences, custom reports, phone.
Pipedrive vs HubSpot?
Pipedrive — pipeline-first, 2× simpler, fewer marketing features. HubSpot — all-in-one, heavier.
Runet?
AmoCRM (Russian), Bitrix24 Free. HubSpot is localized but support sits in EU timezone.
When is Salesforce overkill?
If you have fewer than 20 sales reps and no custom business logic. Start with HubSpot/Pipedrive, migrate at $10M ARR.
Migration cost?
HubSpot → Salesforce = $50-150k (data migration + config + training). Reverse is harder (ecosystem lock).
Dynamics 365 in a Microsoft shop?
Yes if Azure AD/Teams/Office 365 are deeply used. Single SSO, integrated Power BI.
Grafana OSS vs Cloud?
OSS: self-host, free, maintenance overhead. Cloud: $29+ starter, includes Loki + Tempo + Mimir. Cloud free tier: 50 users, 10k metrics.
LGTM stack?
Loki (logs) + Grafana (viz) + Tempo (traces) + Mimir (metrics). Together — complete CNCF observability. All open-source.
Grafana vs Kibana?
Grafana: multi-source (Prometheus, InfluxDB, Postgres). Kibana: Elasticsearch-first. Kibana better for full-text logs + security analytics.
Uptime monitoring?
Enterno Uptime Monitoring — 30sec intervals, multi-region, SMS alerts. Grafana + Prometheus blackbox_exporter — powerful but complex setup.
Why high-cardinality?
Prometheus labels bomb: 100 hosts × 50 endpoints × 10 status codes × 5 methods = 250k metrics. Honeycomb indexes events directly, no pre-aggregation — query any dimension.
BubbleUp?
Unique Honeycomb feature: given slow traces, automatically highlights attributes that correlate with slowness. Finds root cause without query hacking.
Free tier limits?
20M events/mo, 60 days retention, 5 users. Enough for small apps. $70/mo — 100M events, 30 days.
Monitor endpoint uptime?
Enterno HTTP for endpoint health. Honeycomb — for details inside vast traces.
Loki vs Elasticsearch?
Elastic: index every word (expensive). Loki: index labels only (cheap). Loki search within label filter "grep-like" — slower but 10-100x cheaper.
ClickHouse logs?
ClickHouse used for petabyte-scale logs (Uber, eBay). Columnar compression + SQL queries. Needs custom ingestion pipeline (vs turnkey Loki).
Retention cost?
Loki on S3 + Glacier: $0.02-0.50/GB. Elasticsearch hot tier: $5-15/GB. 100x difference at scale.
Monitor Loki endpoint?
Enterno HTTP for /ready endpoint health. Scheduled alerts on downtime.
Snowflake vs BigQuery?
Snowflake: multi-cloud (AWS/Azure/GCP), per-credit compute. BigQuery: GCP-only, pay-per-query (good for ad-hoc). For mixed-cloud — Snowflake.
ClickHouse 10x faster real?
For aggregations + real-time — yes (columnar + vectorisation). For complex joins — Snowflake wins. Use case matters.
DuckDB embedded?
DuckDB: SQLite-like for analytics. Runs in-process (Python, Node). Free, <1 TB, replaces Pandas for local SQL.
Monitor warehouse uptime?
Enterno HTTP for JDBC endpoint. Cloud dashboards for internal monitoring, Enterno for external.
Yandex legacy concern?
ClickHouse Inc. — separate from Yandex (Dutch, US employees). Yandex Cloud and ClickHouse Inc. — independent. Open-source, 1500+ contributors.
ClickHouse vs DuckDB?
ClickHouse: server, multi-node, PB scale. DuckDB: embedded (process), <1 TB, no server. Dev-friendly Pandas alternative.
Cloud pricing?
ClickHouse Cloud starter $40/mo (1 GB RAM). Production $100-1000+/mo. 5-10x cheaper than Snowflake on comparable workloads.
Monitor endpoint?
Enterno HTTP for :8123 endpoint. Scheduled alerts on downtime.
Airflow overhead?
Requires: metadata DB (Postgres), scheduler, webserver, 1+ workers. Minimum ~2 GB RAM. Astronomer / MWAA managed $150-500+/mo.
Prefect Cloud vs OSS?
OSS (Prefect 2.0): self-host, free. Cloud: $0 free tier (5k runs/mo), $50+ Pro. Modern API, dynamic flows without static DAGs.
Dagster different?
Asset-based (materialisation output matters, not task). Type-safe (Pydantic). Observability UI better than Airflow. Learning curve steep.
Monitor pipeline endpoint?
Enterno Heartbeat — dead-man-switch for cron jobs. HTTP check for pipeline API health.
Why is Fivetran expensive?
MAR pricing: every row synced = billed. 1M rows/mo = $500, 100M = $10k+. For stable low-volume sources cheap alternatives win.
Airbyte vs Fivetran?
Airbyte: open source, 400+ community connectors (varying quality). Self-host free. Airbyte Cloud: $25/mo starter. Fivetran: more polished, reliable, expensive.
Russia payment?
Fivetran, Stitch — US card required. Airbyte self-host works everywhere. Yandex DataLens — RU alternative with local connectors.
Monitor endpoint?
Enterno scheduled monitors for data pipeline health endpoints. Notifications in Slack/Telegram.
Segment vs RudderStack?
Segment: polished SaaS, massive ecosystem, paid. RudderStack: open source + managed, "Segment API-compatible" — drop-in replace. Self-host — free.
Snowplow difference?
Snowplow: batch-first, raw events to data warehouse. More control, less out-of-box analytics. For data science teams, not marketing.
PostHog — more than CDP?
PostHog started as product analytics (Mixpanel alternative). Added CDP routing in 2023. Good for early-stage startups — one tool covers analytics + CDP + session recording.
Monitor CDP endpoint?
Enterno HTTP for tracking endpoint health (api.segment.io, hub.rudderstack.com). Alerts on downtime.
Looker Studio vs Looker?
Looker Studio (ex-Google Data Studio) — free, simple viz. Looker — enterprise BI ($5k+) with LookML. Completely different products.
Is Metabase OSS enough?
For startup 1-50 sources — yes. Limited advanced features (no semantic layer, basic permissions). Metabase Pro ($85/user/mo) adds more.
Lightdash vs Looker?
Lightdash: open source, dbt-native semantic layer (metrics defined in dbt YAML). Cheaper, but smaller ecosystem.
Monitor BI endpoint?
Enterno HTTP for :4000/api/health. Downtime alerts in Slack/Telegram.
When is Vercel expensive?
Free tier: 100 GB bandwidth, 100k function invocations. Pro $20 base, but overages $40+/100 GB. Cloudflare Pages = unlimited bandwidth $0 tier.
Netlify vs Vercel?
Netlify: older, more generic, Netlify Functions less polished for Next.js. For non-Next frameworks — Netlify solid.
Self-host Next.js?
node server.js in Docker + nginx reverse proxy works. You lose edge functions, ISR, automatic caching. Tradeoff $$ vs control.
Monitor endpoint?
Enterno HTTP for deployed app. 30-sec uptime monitoring with alerts.
ChatGPT or Claude?
ChatGPT: broader ecosystem, plugins, image gen. Claude: best coding + long context + writing. Developers often prefer Claude.
API Russia access?
OpenAI API: blocked for RU IPs. Claude: same. Workaround — proxy via a US/EU provider or use local Llama.
Cost for 1M tokens?
GPT-5: $5 input / $15 output. Claude Opus 4.7: $15 / $75. Gemini 2.5 Pro: $2 / $10. Llama 3 70B (Together): $0.88 / $0.88.
How to monitor AI API uptime?
Enterno HTTP checker for api.openai.com. Regular downtime incidents in 2024-2025.
Copilot vs Cursor?
Copilot: VS Code extension, cheaper. Cursor: standalone IDE (fork of VS Code) with superior agent workflow (composer, multi-file edit). For AI-first development — Cursor.
From: GitHub Copilot Alternatives 2026 — AI Coding Assistants
Is Codeium really free?
Yes, individual tier has unlimited autocomplete + chat. $0. Model: own + Llama fine-tune. Pro plan $12 for teams + premium models.
From: GitHub Copilot Alternatives 2026 — AI Coding Assistants
Privacy — no training on my code?
Copilot Business+ promise no training. Codeium — claims zero code stored. Cursor — stores if enabled. Self-host (Continue + ollama) = 100% private.
From: GitHub Copilot Alternatives 2026 — AI Coding Assistants
Monitor IDE endpoint uptime?
Enterno HTTP for GitHub Copilot API endpoints. Periodic outages.
From: GitHub Copilot Alternatives 2026 — AI Coding Assistants
Is there a Midjourney API?
No, only Discord UI + web. Unofficial APIs (via Discord bot) exist but are ToS violations. For API use — Flux / DALL-E / SD.
Flux Pro vs Midjourney?
Flux Pro: photorealism (skin, hair, lighting) leader. Midjourney: better artistic interpretation. For photo-style — Flux. For fine art — Midjourney.
Self-host cost?
Stable Diffusion XL on RTX 3090 ($500 used) — free inference. Cloud ~$0.01 per image (Replicate). 10k images/mo → $100 cloud vs $0 self-host.
How to check image gen service uptime?
Enterno HTTP for API endpoint. Monitors for continuous check.
Perplexity vs ChatGPT Search?
Perplexity: citations visible inline, better UX. ChatGPT Search: integrated into chat, free for Plus users.
API cost (Perplexity Sonar)?
Sonar Small $0.20 / 1M, Large $1 / 1M, Huge $5 / 1M. + search cost. Cheaper than GPT-4 + tool calling.
Exa vs SerpAPI?
Exa: semantic search via embeddings (for AI agents). SerpAPI: regular Google/Bing results. For grounding AI — Exa. For scraping — SerpAPI.
How to monitor search API?
Enterno HTTP checker for api.perplexity.ai. Periodic 502s reported in 2024+.
Is Pinecone expensive?
Yes, $70/mo minimum for production + serverless charges. Qdrant Cloud $25 starter or self-host $5/mo VPS — 10x cheaper.
Migration from Pinecone?
Export vectors via describe_index_stats + fetch API. Import to Qdrant via batch upsert. ~1 hour for 1M vectors.
Is pgvector enough?
For <1M vectors + simple use cases — yes. Single DB = simplicity + transactional consistency. >10M → dedicated vector DB.
Monitor endpoint?
Enterno HTTP for api.pinecone.io. Monitor + alerts on downtime.
Why is LangChain criticised?
Over-abstraction (dozens of classes for a simple chain), fast-changing API (breaking changes every few months), heavy dependencies. For quick prototype — fine, for production often rewritten with a simpler tool.
LlamaIndex vs LangChain?
LlamaIndex: RAG-focused, cleaner for data ingestion/querying. LangChain: more general-purpose (agents, tools, memory).
What does Vercel AI SDK give?
Simplest JS framework for LLM. useChat, useCompletion React hooks. Streaming out of the box. For Next.js apps — best choice.
Monitor LLM quality in production?
LangSmith ($39/user), LangFuse (open source), Braintrust. + Enterno for endpoint uptime.
Cursor vs Copilot?
Cursor: standalone IDE with full agent (modifies multiple files, scans codebase, runs terminal). Copilot: VS Code extension with completion + limited chat. For AI-first coding — Cursor wins.
Is Windsurf free?
Free tier available (unlimited Cascade?). Pro $10/mo with premium models. Built by Codeium team.
What is Aider?
CLI agent with git integration. pip install aider-chat. You type in terminal, it edits files + commits.
How to monitor Cursor API?
Enterno HTTP for api.cursor.com. Regular outages in 2024.
Notion AI vs ChatGPT?
Notion AI: context of your pages, in-place editing, summary workflow. ChatGPT: standalone, more powerful model. For in-document ops — Notion. For general tasks — ChatGPT.
Obsidian + AI — workflow?
Plugins: Text Generator, Copilot, Smart Connections (semantic search). Usually with OpenAI API (bring-your-own-key). Cost = only API usage.
Runet-friendly?
Notion: works but payment is harder. Obsidian: fully works (local app). Logseq: open source = zero issues.
Monitor Notion API uptime?
Enterno HTTP for api.notion.com. Public incident history 2024.
OpenAI-compatible APIs?
Many alternatives (Together, Fireworks, Groq, Anyscale, OpenRouter) emulate the OpenAI API format. Drop-in replace via base URL.
Groq — really 500 tokens/sec?
Yes, on LPU chips (custom ASIC). Llama 3 70B ~280 t/s, 8B — 750 t/s. Cost competitive ($0.59/1M). Primary use — low-latency apps.
Russia API access?
OpenRouter proxy, Anthropic API — blocked. Yandex GPT (RU native) — $0.20/1M. Local Llama via Ollama — $0 cost.
How to monitor API uptime?
Enterno HTTP for api.openai.com, api.anthropic.com, api.groq.com. Multi-region monitoring.
HF Inference API cost?
Free tier with rate limits. Inference Endpoints (dedicated) — $0.03-10/hour depending on hardware.
Replicate vs HF?
Replicate: one line — run any model. HF: browse + experiment + inference. For production API — Replicate cleaner. For research — HF.
What are Spaces (Gradio)?
HF Spaces — free ML demos via Gradio/Streamlit. 16 GB RAM limit, free tier. Alternatives: Modal, Replicate, Vercel+Next.js.
Monitor HF endpoint uptime?
Enterno HTTP for api-inference.huggingface.co. Some endpoints show rate-limit errors at high load.
JetBrains in Russia 2026?
Since 2022 JetBrains does not sell new licenses in Russia. Already purchased perpetual licenses still work. DBeaver is the main open-source substitute.
From: DataGrip Alternatives 2026 — SQL IDE without subscription
DBeaver vs DataGrip?
DBeaver CE (free) covers 80% of daily use. DBeaver PRO ($99/year) adds Cassandra, Redis, MongoDB, etc. DataGrip wins on refactoring + IntelliJ integration.
From: DataGrip Alternatives 2026 — SQL IDE without subscription
TablePlus on Windows?
Yes, TablePlus runs on Windows + macOS + Linux. $89 lifetime (or platform-specific).
From: DataGrip Alternatives 2026 — SQL IDE without subscription
How to monitor Postgres uptime?
Enterno Ping checker probes port 5432. Monitors for periodic checks + alerts.
From: DataGrip Alternatives 2026 — SQL IDE without subscription
TablePlus vs DBeaver?
TablePlus: native, fast, clean UI, $89. DBeaver: Java, slower, free, more DBs, more advanced features.
Trial limit?
2 open connections simultaneously, max 2 tabs per connection. Fine for evaluation. Lifetime license removes the limit.
Is Sequel Ace maintained?
Yes, open source (Sequel Pro fork). MySQL/MariaDB only. macOS native. Fully maintained in 2024+.
Check Postgres reachability?
Enterno Ping + Port Checker probes port 5432 online.
pgAdmin is slow — fix?
pgAdmin 4 is heavy by default. Speed-ups: disable query history auto-save, reduce Browser tree refresh interval. Or use DBeaver for daily + pgAdmin for backup/restore.
Web mode vs Desktop mode?
Desktop — PyInstaller bundle, local on laptop. Server mode — Docker / Python WSGI behind nginx. Server mode for teams with shared connections.
pgAdmin 4 vs 3?
pgAdmin 3 (Wx/C++) was faster but deprecated. pgAdmin 4 replaced it in 2016. No path back to v3.
Monitor Postgres uptime?
Enterno Ping Checker probes port 5432. Auto monitoring + alerts.
DBeaver CE vs PRO?
CE: Postgres, MySQL, SQLite, Oracle, Redshift, Snowflake. PRO: +Cassandra, Redis, MongoDB, Couchbase, Firebase. $99/year.
DBeaver slow?
Eclipse RCP is not fastest. On SSD + 16GB+ it is OK. For a single DB — TablePlus native is faster.
Plugin ecosystem?
DBeaver supports Eclipse marketplace plugins (linters, formatters). Also custom themes, connection templates.
Monitor MySQL port?
Enterno Ping for port 3306. Scheduled monitors with notification.
Why did MinIO relicense?
AGPLv3 forces SaaS providers to open-source their modifications. MinIO tries to protect itself from hyperscalers that profit without contributing.
SeaweedFS vs MinIO?
SeaweedFS — full S3 API + native filer API. Apache 2.0 forever. Faster on small objects. MinIO — polished UI + better enterprise features.
Migrate from MinIO?
rclone sync s3://minio-bucket s3://seaweed-bucket — one common tool.
Monitor S3 endpoint?
Enterno HTTP checker for /minio/health/live. Or Monitors.
B2 vs R2 price?
B2 $6/TB storage + $10/TB egress. R2 $15/TB storage + FREE egress (up to Cloudflare Cache Reserve). R2 wins on frequent download.
Wasabi no-egress limits?
Wasabi allows free egress up to 1x storage. Beyond that = account suspension. Good for cold storage.
Russia payment 2026?
Backblaze accepts international VISA/MC. Some RU cards blocked. Payeer crypto as workaround.
Monitor endpoint?
90-day min billing?
Wasabi charges a minimum of 90 days even if you delete earlier. Not for temporary hosting.
Russia payment?
Issues with RU VISA/MC. Use a foreign card or crypto paymaster.
S3 vs Wasabi?
Wasabi has cheaper storage but min duration + regional limits. S3 is universal but more expensive.
Monitor S3 bucket?
Enterno HTTP check for the public endpoint. SSL for cert validation.
Storj latency?
Requests served in parallel from multiple nodes — faster than single-node. GET latency comparable to B2/Wasabi (200-500ms).
Reliability?
Data split across 80 nodes, reconstructed from 29. Loss of up to 51 nodes — ok. Technically more reliable than a single provider.
Crypto payments?
Storj accepts USD (card). STORJ token is used internally to pay storage operators. End users do not touch crypto.
Monitor Storj endpoint?
Enterno HTTP check for gateway.storjshare.io. Downtime alerts.
Lens free tier limits?
Sign-up + Personal tier ok for 1-2 clusters. Corporate needs Pro. Many teams migrated to OpenLens / Headlamp.
OpenLens vs Lens?
OpenLens — fork, no telemetry + no sign-up + some Lens-specific features removed. Community-maintained.
Headlamp production-ready?
Yes, Headlamp is a CNCF sandbox project. Web UI + desktop app. 11k+ stars. Modern UI.
Monitor K8s service endpoint?
k9s vs kubectl?
k9s is a wrapper over kubectl — more convenient for interactive exploration. For scripting, still kubectl.
Customize shortcuts?
~/.k9s/config.yml + plugins.yml. Skins, aliases, custom hotkeys. 1000+ community plugins.
Resource usage?
k9s minimal: <100MB RAM. Idle CPU 0%. Runs locally, subscribes to API watch.
Monitor K8s endpoint?
Enterno HTTP checker for ingress URL. Scheduled monitor + alerts.
Is Postman Free tier enough?
Solo developer — yes. Team of 5+ — the 3-collaborator cap blocks, paid is mandatory.
How to migrate from Postman?
Export collections to .json from Postman → Insomnia/Bruno support import. Move under an hour for <50 collections.
Open source Postman alternatives?
Hoppscotch (hoppscotch.io, web + self-host), Bruno (usebruno.com, desktop), Yaak (yaakapp.com). All MIT/Apache.
How to test API in Enterno?
Enterno HTTP checker + Monitor for continuous. Or API v4 for scripted checks.
Insomnia vs Insomnium?
Insomnium — community fork after the cloud-required updates. Identical features, without forced login or cloud dependency.
Postman or Insomnia?
Insomnia better for GraphQL + lightweight UI. Postman — team collaboration + CI/CD integration (Newman).
API monitoring use?
Insomnia — manual only. For continuous — Enterno Monitor with keyword-match on response.
Scripting support?
Insomnia has pre/post request JS scripts. Enterno API v4 — webhooks + custom validators.
Hoppscotch vs Postman Web?
Postman Web requires login + limited features. Hoppscotch — full-featured without login (via local storage).
Is self-host hard?
docker run -p 3000:3000 hoppscotch/hoppscotch — 30 seconds. For prod add PostgreSQL + volume for persistence.
Is Hoppscotch data private?
If self-hosted — 100%. Cloud free-tier — stored in Hoppscotch cloud (there is a local-only mode).
How to connect with Enterno?
Hoppscotch — testing. Enterno — monitoring. Flow: test API in Hoppscotch → create Enterno monitor with the same URL + expected response.
Sentry vs file-based error logging?
File logs — history without alerting, manual triage. Sentry groups duplicates, alerts, shows stack trace + context. Must-have in prod.
Is GlitchTip really compatible?
Yes. Sentry SDK sends events to the GlitchTip endpoint without code changes. Open-source fork, lightweight.
Sentry + Enterno combo?
Recommended: Sentry for app errors + Enterno for uptime/SSL/security headers. Different layers of the stack.
When to upgrade Sentry free → paid?
When >5k errors/mo (one prod error per minute = 43k/mo). Or when you need >1 user.
Is session replay legal under GDPR?
Only with consent + PII masking (credit cards, passwords, email fields). LogRocket has inputPrivacyMode but setup needs care.
Does LogRocket slow the site?
~100 KB SDK + ~5-10% runtime CPU. Noticeable on CWV: LCP +200-500ms with recording enabled. Enterno RUM is ~10 KB.
Sentry Session Replay vs LogRocket?
Sentry SR added 2023, basic. LogRocket goes deeper (Redux, network, console), more mature. Sentry is cheaper.
How to debug UX without replay?
Enterno RUM shows real Core Web Vitals breakdown + error rate per page. No video but cheap.
Hotjar vs Microsoft Clarity?
Clarity is fully free, unlimited sessions. Hotjar has a more polished UI + surveys + better filtering. Solo — Clarity wins.
How to use for CRO?
Heatmaps show where users click/scroll. Recordings — how exactly they interact. Combine with A/B testing (Google Optimize deprecated, VWO/Optimizely).
GDPR compliance?
Hotjar has consent integration. Automatic PII masking on password fields. Explicit consent required before tracking.
For CWV monitoring?
Hotjar added CWV tracking in 2023 (Pro only). Enterno RUM gives CWV + uptime + error rate — more comprehensive.
Plausible vs Google Analytics?
Plausible: privacy, simple, no cookies, dashboard in 5 sec. GA4: deep, cookies, hours of learning, free but Google monetizes data.
Is self-host hard?
Docker compose: 2 containers (Plausible + PostgreSQL + ClickHouse). ~30 min setup, ~2 GB RAM.
SaaS tier limits?
10k page views/mo = $9. Large sites → ~$99/mo 10M pv. Expensive for high-traffic.
Why no real-time?
They consider real-time useless for most decisions. Dashboard refreshes every 5-10 min (batch).
Umami vs Plausible?
Umami — MIT license (permissive), Vercel-friendly. Plausible — AGPL (copyleft). Features similar.
How to deploy Umami on Vercel?
1-click from umami.is → Vercel account → PostgreSQL (Vercel Postgres or external Neon/Supabase). 5-minute setup.
Data protection self-hosted?
Full control. DB in your Postgres, script from your domain. Compliance easier.
Performance analytics?
Umami — traffic events only. For CWV — Enterno RUM. Combine for full picture.
Datadog dollar cost?
Starts $15/host/mo infra. Realistic 10 servers + logs + traces = $300-800/mo. Rises with load.
Open-source alt for Datadog?
SigNoz (signoz.io), OpenObservability. But enterprise depth Datadog does not match.
How to migrate?
Datadog → Grafana Cloud: exporters work both. Datadog → Enterno: only for basic uptime + RUM, deep APM doesn't port.
Pay-as-you-go risk?
Log volume can explode (DEBUG in prod) → thousands-of-dollars bill. Billing alerts mandatory.
Is New Relic free tier really free?
Yes, 100GB ingest and 1 user free forever. But on growth (2+ users or > 100GB logs) — $49+/mo.
How to control log spending?
Log filters in the agent, dropping low-value logs, sampling. Or a separate log aggregator (Loki, CloudWatch).
New Relic vs Datadog?
New Relic cheaper at low volume, more aggressive pricing at scale. Datadog — deeper integrations + better UI. Both enterprise-grade.
Self-host alternative?
Elastic APM (open-source ELK stack). But operational burden is high.
What is Certificate Transparency?
A public append-only log of every SSL certificate issued by public CAs. Chrome since 2018 requires each cert to be in a CT log for trust.
Can I find hidden subdomains?
Yes, CT logs surface every certificate including for *.internal.example.com. A well-known recon vector for security testing.
Does crt.sh have an API?
Technically yes (output=json) but undocumented and unknown rate limits. Enterno.io — public API with a declared limit.
How is it different from DNS?
DNS shows only active A/CNAME. CT logs cover every cert ever issued, even retired. Deeper.
How accurate is IP geolocation?
City-level: 70-90%. Country-level: 99%+. Accuracy depends on MaxMind / IP2Location database update frequency (both upstream for most APIs).
Where does the data come from?
MaxMind GeoIP2 + ARIN/RIPE WHOIS + carrier data. Enterno uses ip-api.com downstream + own enrichment.
Can I use it as geolocation-billing basis?
Not recommended — IP accuracy is not 100%. For compliance (EU VAT) use credit card country.
How do I check my own IP?
Enterno IP checker shows ASN, country, city, org. Free, no signup.
Main difference?
WhoisXML = enterprise tier with 20-year archive. Enterno.io = quick daily WHOIS with no monthly fee.
Does Enterno have historical WHOIS?
No. We show current state from authoritative WHOIS servers. For 2010 snapshots you need WhoisXML archive.
Is Domaintools another option?
Yes. Enterprise provider. More expensive ($99+/mo) but better UI for investigators.
How do I check WHOIS myself?
Enterno WHOIS — enter domain, get registrar, expiration, nameservers. No signup.
How to install testssl.sh?
git clone https://github.com/drwetter/testssl.sh && cd testssl.sh && ./testssl.sh example.com
Is coverage comparable?
Enterno.io covers common vulnerabilities + cipher + cert chain. testssl.sh goes deeper (POODLE, BEAST, CRIME detection plus historical CVE checks). For PCI-DSS audits we recommend testssl.sh.
Can I use testssl.sh in CI/CD?
Yes.
./testssl.sh --jsonfile report.json --severity HIGH example.com. Then parse JSON into PR comments.
Do I need CLI if I have Enterno?
For 95% of tasks — no. For audit-grade (PCI DSS, security consulting) — testssl.sh complements.
Is using Shodan legal?
Shodan itself scans and indexes. Searching the index is legal everywhere. Scanning others' IPs yourself can be illegal in your jurisdiction.
How long does Shodan see my exposure?
Re-scans every 1-4 weeks. If you closed a port, it can linger in the index for ≤30 days.
How do I hide my server from Shodan?
Firewall: whitelist only required IPs. ACL on router + iptables on the server. Full invisibility is impossible but 99% of attack surface is hideable.
Most dangerous exposure in 2026?
Our research: Elasticsearch 9200 no-auth, Redis 6379, MongoDB 27017.
What is Passive DNS?
An archive of every DNS query that passed through recursive resolvers (ISP level). Shows when a domain resolved to which IP over time. Private IPs included.
From: SecurityTrails Alternatives 2026 — DNS & Asset Discovery
Is Passive DNS available for free?
Limited sources: VirusTotal API (Private) ~1000 queries/day, Mnemonic PassiveDNS free tier 5000/day. Coverage below SecurityTrails.
From: SecurityTrails Alternatives 2026 — DNS & Asset Discovery
How do I find hidden subdomains?
Enterno Subdomain Enumeration — CT logs + DNS brute force. Or SecurityTrails paid goes deeper.
From: SecurityTrails Alternatives 2026 — DNS & Asset Discovery
Does it replace Shodan?
No, different jobs. Shodan = open ports/services. SecurityTrails = DNS + domain intelligence.
From: SecurityTrails Alternatives 2026 — DNS & Asset Discovery
Is check-host.net used by Enterno.io?
Yes, for eu-de and us-east regions in uptime monitoring — check-host free API under the hood. For ru-msk — own nodes.
From: Check-Host.net Alternatives 2026 — Multi-Region Checks
Is check-host coverage higher?
Yes, 40+ nodes. Enterno has 3 regions (msk + de + us). For propagation — check-host deeper, for monitoring — Enterno.
From: Check-Host.net Alternatives 2026 — Multi-Region Checks
Can I monitor via check-host?
No, they don't offer continuous monitoring. Open-source fork "checkh" does cron-based but fragile.
From: Check-Host.net Alternatives 2026 — Multi-Region Checks
How to compare ping across regions?
Enterno Ping Pro shows ru-msk + eu-de + us-east. Free — single region.
From: Check-Host.net Alternatives 2026 — Multi-Region Checks
Is Oh Dear only for Laravel?
No, works with any site. But the API and integrations are tuned for Laravel (health checks via spatie/laravel-health).
Telegram alerts?
Oh Dear: email + Slack + PagerDuty + webhook. Enterno: email + Telegram + Slack + webhook. Telegram often critical for RU teams.
Broken-link scanner depth?
Both deep, crawling 10k+ pages. Difference: Oh Dear supports JS rendering by default, Enterno — Pro tier.
Price comparison?
Oh Dear: €10 for 10 sites. Enterno ₽490 (~€5) for 50 monitors. For small teams Enterno is substantially cheaper.
How does Updown.io billing work?
$0.001 per check. 5-min checks → 8640/mo → ~$9 per monitor. 10 monitors → ~$90/mo. Can exceed Enterno.
Is there a free tier?
Yes, $0.50 credit on signup. Lasts ~50 checks. Then you need a credit card.
Does it work from Russia?
Yes, but payment in $ only and a European card. Russian cards may fail due to sanctions.
Telegram alerts?
No, email + Slack only. For Telegram use Enterno.io or UptimeRobot.
Downdetector for my own site?
No. Downdetector waits for user complaints. A small site will never get its own Downdetector page. For own-site monitoring — you need active probes (Enterno.io).
How do I know if Cloudflare is down?
Downdetector cloudflare page + Cloudflare status page cloudflarestatus.com. For auto-detection in your app — Enterno heartbeat on the upstream.
Does Enterno have multi-service status?
Pro dashboard has a "dependencies" block — track external APIs via their status pages.
How to build an own status page?
Enterno status page — public URL, your monitors, incidents, response times.
Does SSL Labs grade match Enterno.io?
Yes, both use the Baseline Requirements + Mozilla SSL Configuration algorithm. Grade A on Enterno = Grade A on SSL Labs in 98% of cases.
Is there a free-tier SSL Labs API?
No. The API is only in Qualys Cloud Platform (paid, from $1000/year). Scraping ssllabs.com/ssltest violates ToS.
Hardenize — who is the leader?
Hardenize + Enterno.io go deeper on HSTS preload, CAA, MTA-STS. SSL Labs goes deeper on cipher suites. Depends on the task.
How do I test internal/staging servers?
SSL Labs requires public DNS. Enterno.io works with any resolvable domain + IP. For internal — use
openssl s_client -connect.
Can Enterno.io fully replace MXToolbox?
For most tasks — yes (DNS, SPF, DKIM, DMARC, uptime). Exception: blacklist monitoring across 100+ RBLs — Enterno covers only the top 20. For deep antispam auditing MXToolbox is stronger.
Does MXToolbox have a free API?
No. API is Pro-only ($99/mo). Enterno.io exposes the API on Pro (₽490/mo) + a free tier at 10 req/min.
What is DNS propagation?
The process of pushing DNS changes through resolver caches worldwide. Usually 24-48 hours (per TTL). Our benchmark showed a 4.5 h median.
How do I monitor blacklists with Enterno?
Dashboard → Monitors → New → choose type "Blacklist". Checks every 30 min across top-20 RBLs (Spamhaus, SORBS, Barracuda, etc.).
Lab Data vs Field Data?
Lab — simulated measurement in a controlled env (Lighthouse). Field — real Chrome user data (CrUX). Field data is authoritative for Google ranking.
GTmetrix or PageSpeed Insights?
PSI is free and shows field data. GTmetrix gives a nicer waterfall. Enterno.io = PSI field data + waterfall + history combined.
Can I test staging?
GTmetrix requires a publicly accessible URL. Enterno.io (Pro) supports Basic Auth or tokenised URLs.
Core Web Vitals — did INP replace FID?
Yes, since March 2024. See our CWV research.
What metric is unique to WebPageTest?
Start Render, Speed Index (from video), First Visual Change. Early metrics close to "the first thing the user sees".
Can I self-host WebPageTest?
Yes, open-source (GitHub catchpoint/webpagetest). Needs Windows agents for browsers — complex deploy.
WebPageTest or PageSpeed Insights?
PSI runs Lighthouse + CrUX (real user data). WebPageTest — waterfall + video. Different depth, complementary.
Does Enterno.io cover typical WPT cases?
Yes: LCP, TTFB, FCP, Speed Index, basic waterfall, 3G/4G throttling, multiple locations. Not a substitute for deep WPT debugging.
Does Enterno match SecurityHeaders.com grade?
Yes, the algorithm is identical (Helme methodology). A+ on SecurityHeaders = A+ on Enterno Security Scanner.
From: SecurityHeaders.com Alternatives 2026 — Enterno, Mozilla
Is Scott Helme still maintaining it?
Yes, in 2026 the tool is active. But scope stays narrow — response headers only. New features are rare.
From: SecurityHeaders.com Alternatives 2026 — Enterno, Mozilla
Mozilla Observatory vs SecurityHeaders.com?
Mozilla Observatory goes deeper (+ CAA, Subresource Integrity, Redirection) but is slower and more complex. Enterno combines both.
From: SecurityHeaders.com Alternatives 2026 — Enterno, Mozilla
How do I monitor security headers continuously?
Enterno.io Monitor → New → type "Security" → interval 1 hour. Alert on regression (missing header, weakened CSP).
From: SecurityHeaders.com Alternatives 2026 — Enterno, Mozilla
Mozilla Observatory v2 — what changed?
In 2024 Mozilla rewrote it in Python 3, dropping the API and scan history. It is now a web UI for one-off checks only. That narrowed applicability.
From: Mozilla Observatory Alternatives 2026 — Enterno, Hardenize
Can I self-host Mozilla Observatory?
Yes. GitHub: mozilla/http-observatory. Needs Python + PostgreSQL. 2-4 hours to set up.
From: Mozilla Observatory Alternatives 2026 — Enterno, Hardenize
Do Enterno and Observatory complement each other?
Yes. Observatory = deeper static analysis of individual headers. Enterno = continuous monitoring + broader scope (cookies, TLS, CORS).
From: Mozilla Observatory Alternatives 2026 — Enterno, Hardenize
Is the Observatory grade equivalent to Enterno?
The algorithm differs (Observatory strict-scoring, Enterno weighted). Grade A on Observatory ≈ A- on Enterno. Both flag critical issues consistently.
From: Mozilla Observatory Alternatives 2026 — Enterno, Hardenize
How long does DNS propagation take?
Depends on record TTL. Our benchmark shows median 4.5 hours for A-record updates with TTL=3600. For TTL=86400 — up to 24 hours.
Why do results differ between checkers?
Different vantage points have different caches. DNSChecker sees mostly-US/EU, Enterno sees RU/EU/US. A 1-5% delta is normal.
Can I preview DNS before changes go live?
No. Propagation starts after the change. For planning — compute TTL and timing via migration tools.
DNSChecker shows "not propagated" — what now?
Wait 2x TTL. If still failing — verify nameservers via Enterno DNS (type NS) + DNSSEC validation.
Why did Host-Tracker lose RU nodes?
Since 2022 Ukrainian providers restricted routing into Russia. Host-Tracker is a Ukrainian provider and cannot keep RU nodes without contentious workarounds.
How do I migrate monitors from Host-Tracker?
Export monitors via Pro API → convert JSON → import to Enterno.io via /api/v4/monitors. Sample script available from support.
Does Enterno.io cover the same check types?
Yes: HTTP, HTTPS, ping, TCP, SSL expiry, DNS, keyword match, blacklist. Plus: RUM, heartbeat, cron monitoring (missing in Host-Tracker).
Any alternatives for Western projects?
UptimeRobot (50 free), Pingdom, Better Stack, Datadog Synthetics. See our UptimeRobot review.
Why Enterno.io over Uptrends?
Forever-free plan, Russian data residency, Telegram alerts. For SMB — 3-10× cheaper.
Why Enterno.io over AppSignal?
Forever-free plan, Russian data residency, Telegram alerts. For SMB — 3-10× cheaper.
Why Enterno.io over New Relic Synthetics?
Forever-free plan, Russian data residency, Telegram alerts. For SMB — 3-10× cheaper.
From: New Relic Synthetics Alternative 2026 — $0.01-$0.04 per chec
Why Enterno.io over Statuspage (Atlassian)?
Forever-free plan, Russian data residency, Telegram alerts. For SMB — 3-10× cheaper.
From: Statuspage (Atlassian) Alternative 2026 — $29-$1499/mo vs Fr
Why Enterno.io over Sematext?
Forever-free plan, Russian data residency, Telegram alerts. For SMB — 3-10× cheaper.
Why Enterno.io over StatusCake?
Forever-free plan, Russian data residency (ФЗ-152), Telegram alerts, Robokassa/CryptoCloud billing. For small/mid teams — 3-10× cheaper.
No credit card required?
Right. Free Scout plan — no card, no trial, forever. 5 monitors.
Why Enterno.io over Freshping?
Forever-free plan, Russian data residency (ФЗ-152), Telegram alerts, Robokassa/CryptoCloud billing. For small/mid teams — 3-10× cheaper.
No credit card required?
Right. Free Scout plan — no card, no trial, forever. 5 monitors.
Why Enterno.io over BetterUptime?
Forever-free plan, Russian data residency (ФЗ-152), Telegram alerts, Robokassa/CryptoCloud billing. For small/mid teams — 3-10× cheaper.
No credit card required?
Right. Free Scout plan — no card, no trial, forever. 5 monitors.
Why Enterno.io over HetrixTools?
Forever-free plan, Russian data residency (ФЗ-152), Telegram alerts, Robokassa/CryptoCloud billing. For small/mid teams — 3-10× cheaper.
No credit card required?
Right. Free Scout plan — no card, no trial, forever. 5 monitors.
Why Enterno.io over NodePing?
Forever-free plan, Russian data residency (ФЗ-152), Telegram alerts, Robokassa/CryptoCloud billing. For small/mid teams — 3-10× cheaper.
No credit card required?
Right. Free Scout plan — no card, no trial, forever. 5 monitors.
Why is Enterno.io better than Pingdom?
Forever-free plan (5 monitors, 1-min on Pro), Russian data residency, Telegram alerts, Robokassa/CryptoCloud billing. Pingdom wins in enterprise observability, but for small/mid teams Enterno.io offers the same capabilities at 3-10× lower cost.
Can I try without a credit card?
Yes. The Scout free plan requires no card, no trial — it's free forever. 5 monitors, 100 API calls/day, email alerts.
How fast is migration?
Export monitors from any platform as CSV, import via API v2 in one batch. Typical 50-monitor migration takes 10-15 minutes.
Will I lose historical uptime data?
History begins when the monitor is added to Enterno.io. For continuity, Pro plan retains 30 days of detailed 1-min data + 365 days of aggregated metrics.
Why is Enterno.io better than UptimeRobot?
Forever-free plan (5 monitors, 1-min on Pro), Russian data residency, Telegram alerts, Robokassa/CryptoCloud billing. UptimeRobot wins in enterprise observability, but for small/mid teams Enterno.io offers the same capabilities at 3-10× lower cost.
Can I try without a credit card?
Yes. The Scout free plan requires no card, no trial — it's free forever. 5 monitors, 100 API calls/day, email alerts.
How fast is migration?
Export monitors from any platform as CSV, import via API v2 in one batch. Typical 50-monitor migration takes 10-15 minutes.
Will I lose historical uptime data?
History begins when the monitor is added to Enterno.io. For continuity, Pro plan retains 30 days of detailed 1-min data + 365 days of aggregated metrics.
Why is Enterno.io better than Better Stack?
Forever-free plan (5 monitors, 1-min on Pro), Russian data residency, Telegram alerts, Robokassa/CryptoCloud billing. Better Stack wins in enterprise observability, but for small/mid teams Enterno.io offers the same capabilities at 3-10× lower cost.
Can I try without a credit card?
Yes. The Scout free plan requires no card, no trial — it's free forever. 5 monitors, 100 API calls/day, email alerts.
How fast is migration?
Export monitors from any platform as CSV, import via API v2 in one batch. Typical 50-monitor migration takes 10-15 minutes.
Will I lose historical uptime data?
History begins when the monitor is added to Enterno.io. For continuity, Pro plan retains 30 days of detailed 1-min data + 365 days of aggregated metrics.
Why is Enterno.io better than Datadog Synthetics?
Forever-free plan (5 monitors, 1-min on Pro), Russian data residency, Telegram alerts, Robokassa/CryptoCloud billing. Datadog Synthetics wins in enterprise observability, but for small/mid teams Enterno.io offers the same capabilities at 3-10× lower cost.
From: Datadog Synthetics Alternative 2026 — $5-$12 per test/mo vs
Can I try without a credit card?
Yes. The Scout free plan requires no card, no trial — it's free forever. 5 monitors, 100 API calls/day, email alerts.
From: Datadog Synthetics Alternative 2026 — $5-$12 per test/mo vs
How fast is migration?
Export monitors from any platform as CSV, import via API v2 in one batch. Typical 50-monitor migration takes 10-15 minutes.
From: Datadog Synthetics Alternative 2026 — $5-$12 per test/mo vs
Will I lose historical uptime data?
History begins when the monitor is added to Enterno.io. For continuity, Pro plan retains 30 days of detailed 1-min data + 365 days of aggregated metrics.
From: Datadog Synthetics Alternative 2026 — $5-$12 per test/mo vs
Why is Enterno.io better than Site24x7?
Forever-free plan (5 monitors, 1-min on Pro), Russian data residency, Telegram alerts, Robokassa/CryptoCloud billing. Site24x7 wins in enterprise observability, but for small/mid teams Enterno.io offers the same capabilities at 3-10× lower cost.
Can I try without a credit card?
Yes. The Scout free plan requires no card, no trial — it's free forever. 5 monitors, 100 API calls/day, email alerts.
How fast is migration?
Export monitors from any platform as CSV, import via API v2 in one batch. Typical 50-monitor migration takes 10-15 minutes.
Will I lose historical uptime data?
History begins when the monitor is added to Enterno.io. For continuity, Pro plan retains 30 days of detailed 1-min data + 365 days of aggregated metrics.
Research (169)
What blocks 100 % adoption?
Legacy Android (< 7.0), corporate Chrome with hardware acceleration disabled, low-tier GPUs without Vulkan/Metal/D3D12.
Performance vs WebGL?
Compute-heavy tasks (ML inference, physics): WebGPU is 3-10× faster. Pure 2D graphics: roughly equal.
Is it a standard?
W3C Recommendation finalized August 2023. Future extensions (subgroups, ray tracing) in development.
When will HTTP/3 become default everywhere?
2027-2028 based on trends. AWS CloudFront — the key blocker, 35 % CDN market.
Overhead?
QUIC userspace cipher = higher CPU. Cloudflare reports +5-10 % CPU vs TLS-over-TCP.
How to test?
enterno.io/protocol-test — checks HTTP/1.1, HTTP/2, HTTP/3 support on any URL.
Is bot traffic bad?
No. Googlebot, monitoring, RSS feeds — legitimate. The problem is the 32 % malicious share.
How do you tell them apart?
User-Agent + reverse DNS + behavioral fingerprinting (JA3/JA4). UA alone isn't enough (spoofable).
Should I block AI scrapers?
Depends: publishers — block (protect monetization). SaaS docs — allow (AI sends traffic back via links).
Do passkeys fully replace passwords?
Not in 2026. Best practice — passkey as primary + password fallback for recovery.
What if I lose my device?
Sync providers (iCloud/Google/MS) restore passkeys when you sign in on a new device. Device-bound keys (YubiKey) need a backup key.
Enterprise support?
Okta, Auth0, Entra ID — all ship WebAuthn/passkeys 2024-2025. For IdP-intensive companies — a no-brainer.
Is npm audit enough?
Minimum. Snyk / Socket.dev / GitGuardian add behavioral analysis + zero-day detection.
How to defend against typosquatting?
package.json reviews in PR, npm install --ignore-scripts (block post-install hooks), allowlists in a registry proxy.
Is SBOM mandatory?
US federal contracts — yes (EO 14028). Enterprise SaaS — often requested. 2026 best practice.
Tailwind vs Bootstrap — should I migrate?
For new projects — Tailwind (small bundle + flexibility). For a legacy Bootstrap codebase — do not migrate without a strong reason (rewrite all CSS).
CSS-in-JS too expensive?
Runtime cost on RSC + serverless — a problem. Zero-runtime alternatives (Pigment CSS, Panda) solve it.
Container Queries support?
All modern browsers (Chrome 106+, Safari 16+, Firefox 110+). 2026 — safe for production.
Enterno stack?
Enterno uses vanilla CSS with CSS variables + modular files. We publicly unpack in articles.
Why is OpenAI losing share?
Anthropic Claude leads in coding, Gemini is cheaper, Llama is open. GPT-5 is still the best, but the premium gap narrowed.
Why multi-provider setup?
Provider outage (OpenAI down 4 times in 2024), fallback to Anthropic. Also A/B tests for quality on specific tasks.
Runet providers?
Yandex GPT — $0.20/1M, native in Runet. GigaChat (Sber), T-Bank GPT. Quality below GPT-5 yet, but RU-language is sharper.
How to monitor provider uptime?
Enterno HTTP on api.openai.com, api.anthropic.com. Alerts on downtime.
Postgres vs MySQL — which in 2026?
Postgres — default for new project (better features, JSON, partial indexes, better defaults). MySQL — if legacy team expertise or simple CRUD.
Is MongoDB still relevant?
For multi-tenant apps with fluid schemas (chat, IoT, analytics). For relational data — Postgres with JSONB is superior.
Serverless Postgres (Neon) — production-ready?
Yes. Neon, Supabase, Vercel Postgres used in production. Main risks — cold start + pricing surprise on spikes.
How to detect a site's DB?
Impossible 100% externally. Indirectly: error messages, response time patterns, admin panel paths. Enterno — API response timing + type of 500 errors.
Is data current?
Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
Should I migrate dockerd → containerd?
Managed K8s (GKE, EKS, Yandex) already all on containerd. Self-hosted 1.24+ too. If on 1.22/1.23 — yes, migrate.
containerd vs CRI-O for self-hosted?
containerd — universal, easier to get CNCF support. CRI-O — best if you are on Red Hat OpenShift.
Podman vs Docker Desktop?
Podman — daemonless, rootless by default. Free. Docker Desktop — polished UI, paid for enterprises. Podman better for CI/CD containers.
Monitor K8s runtime?
Enterno HTTP for ingress endpoints. Security scan for exposed kubelet.
What is the difference between HSTS header and the preload list?
The HSTS header asks the browser on first visit to "always use HTTPS for N seconds". That is TOFU (trust on first use) — the first HTTP visit is still vulnerable. The preload list ships with the browser, so no HTTP redirect is ever needed.
How do I get into the preload list?
1) HSTS header with max-age ≥ 31536000 (1 year), includeSubDomains and the preload directive. 2) All subdomains serve HTTPS. 3) Submit at hstspreload.org. Chrome review ~1-2 weeks.
What if I need to remove HSTS preload?
Not quickly reversible. Removal via hstspreload.org waits for the next Chrome release cycle (~6 weeks). Until then the site must stay on HTTPS — HTTP redirects do not help.
How do I check HSTS for a specific site?
Enterno Security Scanner checks all security headers including HSTS. Or:
curl -I https://example.com | grep -i strict.
Next.js > React — why?
Next.js = React + routing + SSR + data fetching + deployment patterns out of box. Solo developer productive in 1 day vs 1 month on vanilla React + Webpack + Router setup.
Astro vs Next.js — difference?
Astro: static-first, zero JS by default, "islands" architecture for interactivity. Next.js: interactive-first, React-wide. For content sites — Astro. For apps — Next.js.
Is Svelte production-ready?
Yes, Spotify, New York Times, Rakuten use it. But the ecosystem (libraries, tooling) is smaller than React's. For solo/small team — Svelte excellent.
How to detect a site's framework?
Enterno Tech Detect — detects 100+ frameworks. Or Wappalyzer browser extension. Or manual DevTools inspection.
How to check my own site?
Chrome DevTools → Lighthouse → Accessibility report. Or Enterno Security Scanner includes basic a11y checks (Pro: full axe-core).
WCAG 2.2 vs 2.1 — difference?
WCAG 2.2 added 9 new success criteria (Oct 2023): focus appearance, dragging movements, target size, consistent help. Backwards-compatible with 2.1.
Are fines actually applied?
For gov sector — yes, often a prosecutor notifies the Ministry. Private business — rarely, but risk exists via Rospotrebnadzor (consumer protection).
Quick wins for low-effort compliance?
1) alt on images. 2) Semantic HTML (nav/main/article instead of div). 3) aria-label on icon buttons. 4) Color contrast check via WebAIM. These 4 close ~60% of automated violations.
Is data current?
Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
What does Federal Law 152-FZ require from a site?
Informed consent before collecting personal data (tracking cookies). Explicit opt-in (not pre-checked). Withdrawal option. Link to privacy policy.
Does Yandex.Metrika strictly require consent?
Yes if you collect personal data through it (including IP for geo-targeting). Consent in the banner before activation script.
How big is the fine?
Up to ₽500k per legal entity (Art. 13.11). Repeat — up to ₽6M. Roskomnadzor issues ~100 fines/year for cookie violations.
How to check my site?
Enterno Cookie Analyzer — scans all set cookies, checks flags (HttpOnly, Secure, SameSite), classifies by purpose.
Why is p99 so important?
p50 — average user. p99 — worst 1% of requests. For SLAs (99% uptime + 99% fast) you need both. Typical p99 = 10-20× p50.
Cloudflare Workers vs Lambda — what's different?
Workers — V8 isolates (1-5ms cold start). Lambda — container (100ms-2s cold start). Workers win real-time, Lambda wins large compute.
How to measure response time without monitoring?
curl -o /dev/null -s -w "%{time_total}\n" https://api.example.com gives one sample. For statistics → Enterno Monitor every-minute checks.
What speeds up API responses?
1) Edge computing / CDN. 2) Async I/O (Node, Go, Rust). 3) Database indexes. 4) HTTP/2 or 3. 5) Payload compression.
Yandex GPT quality?
In RU language — comparable to GPT-4 (2024). On complex tasks (math, coding) — below frontier. Great for Runet text gen (tone, style).
How to workaround OpenAI?
VPN + foreign card (BCS bank, Georgian, Kazakhstan). Or proxy services (OpenRouter, ProxyAPI.ru) accept RU card. Legal grey area.
GigaChat cost?
$0.60/1M for Lite, $1/1M Pro. Included in Sber Cloud. GigaChain (their LangChain fork) for RAG.
Does Enterno use RU AI?
Mainly: Claude Opus 4.7 (Anthropic, via VPN). Backup: Llama 3 70B via Together.ai. Not using RU providers due to quality.
How to protect?
Defence in depth: input validation + hardened system prompt + structured output + guardrails + output filter + tool sandbox + rate limit. NO single measure is enough.
Guardrails recommendation?
Lakera Guard (commercial, best coverage). Rebuff (open Python). NVIDIA NeMo (comprehensive, complex). Combine for critical use cases.
RAG poisoning — how to defend?
Source whitelist, content sanitisation before embedding, embedding-space anomaly detection. 100% fix does not exist.
Monitor prompt injection attempts?
Log all suspicious inputs + LLM output anomalies. Alert on patterns ("ignore previous", etc). Enterno Security Scanner basic checks.
Why does ChaCha20 matter for mobile?
AES speeds up via AES-NI instructions on x86. Old ARM processors (iPhone < 6, Android < 2017) lack them — ChaCha20 runs purely in software and wins by 2-3x.
What cipher list on nginx?
Modern:
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256; for TLS 1.3 + ECDHE-ECDSA-AES128-GCM-SHA256:... for TLS 1.2.
AES-128 or AES-256?
AES-128 is enough for 99% of cases and faster. AES-256 only for compliance (PCI DSS, FIPS 140-2 L2+) or protecting 100-year secrets.
How do I check my site's cipher?
Enterno SSL/TLS shows the negotiated cipher + supported list. Or:
openssl s_client -connect example.com:443 -tls1_3.
What if my server is in the "no auth" list?
1) Immediately bind service to 127.0.0.1 (or VPC internal IP), 2) firewall drop port, 3) add auth, 4) audit access log for predators. In exactly that order.
Why does Beget hit "22% risky"?
Shared hosting: one IP serves 100+ clients. If one client has a misconfigured Redis — the whole IP registers as "risky" in our metrics.
How do I quickly check my ports?
Enterno Ping + Port Checker — enter your domain, see which ports are reachable from the internet. Or:
nmap -sT yourdomain.com.
Which ports are safe to open at all?
Only what your app needs: 443 (web), 22 (SSH, mandatory key-auth, no password), optionally 80 (redirect). DB/cache/queue — always bind 127.0.0.1 or private network.
Alpine vs Distroless?
Alpine (5MB base) — has shell + package manager. Distroless (0MB tools) — only runtime. Distroless is safer, debugging harder (no shell).
How to do multi-stage build?
FROM node:20 AS build → npm build. FROM node:20-alpine → COPY --from=build /app/dist. Final image 50 MB instead of 1 GB.
Alpine security?
musl libc reliability lower than glibc for some Python libs. Regular security updates via apk. CVEs patched within 1-7 days.
How to check image size?
docker images | grep myapp + dive myapp:latest for layer analysis. Dive shows wasted space.
Is data current?
Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
Why is Runet DNSSEC adoption below global average?
Three factors: (1) registrars (REG.RU, Timeweb) charge 500-2000₽/year for DNSSEC instead of offering it free; (2) FSB requires GOST R 34.10-2012, and most DNSKEY clients do not validate it — incompatible; (3) mass Bitrix hosting has no UI for DS updates.
.cz has 52% DNSSEC — how?
The Czech registry CZ.NIC has been offering DNSSEC free and automatic since 2010. It is enabled by default at domain registration.
How do I check DNSSEC for my domain?
Enterno DNS Checker shows DNSKEY/DS/RRSIG and validation status. Or at the terminal:
dig +dnssec +trace example.ru.
What breaks on a bad key rollover?
The domain becomes unresolvable for validating resolvers (1.1.1.1, 9.9.9.9) — clients get SERVFAIL. That is 25-40% of traffic for large sites. Fixed by committing the new DS to the TLD via your registrar.
Is the data current?
Data collected in Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
What TTL should I set for a new site?
3600s (1 h) — standard for 90% of cases. Balances migration speed and DNS load.
What to do 2-3 days before migrating the server?
Lower A-record TTL to 300s. Wait for the old TTL (for resolvers to refresh). Migrate. Restore TTL to 3600s.
Does Cloudflare DNS always use TTL=1?
No. Default TTL is 300s; "Auto" gives TTL=1 only with proxy:on — Cloudflare overrides for edge performance.
How do I check my site's TTL?
Enterno DNS → enter domain → per-record TTL. Or:
dig example.com → TTL shown in seconds.
How critical is a 3-hop chain?
UX — +100-300ms load time. SEO — Google accepts up to 5 hops without major losses. 6+ hops = red flag, especially for crawl budget.
How to fix in nginx without a double redirect?
In http:// server block do:
return 301 https://example.com$request_uri; (not via www). Separate server block for www: return 301 https://example.com$request_uri;. Everyone lands on the final URL in 1 hop.
301 or 308 for www→non-www?
301 — traditional, universal support. 308 — RFC 7538, better for non-GET methods. For www→non-www (almost always GET) — both work, 301 is safer.
How do I check my redirect chain?
Enterno Redirects checker — enter the URL, see the full chain + codes + timing. Or:
curl -ILk https://example.com.
www or non-www — better for SEO?
No difference since 2014. Google treats them equally. What matters is consistency + 301 redirect of one to the other.
What to pick for a new site?
2026 default: non-www (shorter, modern). Exception: if you have many subdomains and cookies across the tree — use www (cookies on .example.com work for every subdomain except www.).
What's wrong with both versions live?
Duplicate content, split backlinks, PageRank loss. Google picks canonical itself but you lose control.
How to verify my canonicalisation?
Enterno Redirects Checker — enter the domain, see chain + canonical target.
When does self-host pay off?
>10M tokens/day at constant load. 1 H100 $3/h × 24 × 30 = $2,160/mo = ~2.4B tokens throughput.
gpt-4o-mini vs GPT-5?
Mini: $0.15/$0.60. 25x cheaper than GPT-5. Quality: 70-85% on most tasks. For chatbot / classification / simple extraction — use mini.
Cache effectiveness?
Anthropic cache 90% cheaper on hit. OpenAI automatic 50% cheaper. 35% cache hit = 30%+ cost reduction.
How to monitor AI spend?
Per-provider dashboard + app-level tagging via X-Project header. Anomalies → alert (daily spend > threshold).
Multi-CDN — overkill for small sites?
Yes. If < 100k visitors/mo — one CDN is enough. Multi-CDN setup complexity isn't justified.
Is Yandex Cloud CDN reachable outside Russia?
Yes, but edge nodes are only in Russia. International users get latency through Russia backbone (not optimal).
CDN vs origin — which is faster?
CDN is always faster on cache hit. First request (cache miss) ≈ origin. Second+ — always faster on CDN.
How to measure my CDN latency?
Enterno HTTP checker measures TTFB from RU+EU+US in one click. Or ping for network layer.
Why aren't origin servers moving to HTTP/3?
Three reasons: (1) nginx HTTP/3 stable only since 1.25 (March 2023); (2) kernel UDP performance on Linux trails TCP in non-CDN scenarios; (3) operational complexity of QUIC (retries, NAT rebinding).
Is HTTP/3 always faster?
On fast wired connections it is a close call (HTTP/2 TCP + BBR is comparable). The gain shows up on mobile/Wi-Fi with packet loss — typically 100-200ms TTFB.
Do I need to change application code?
No. HTTP/3 is a transport-level change; the API is identical to HTTP/2. Only proxy/edge server configuration changes.
How do I check if a site uses HTTP/3?
Enterno SSL/TLS Checker shows supported protocols including HTTP/3. Or at the terminal:
curl -I --http3 https://example.com.
How to distinguish GoogleBot from a spoof?
Reverse DNS lookup on the IP + check it resolves back to google-crawler.google.com. Only after verification treat as legit.
From: Bot Traffic Share in Top-10k 2026 — Distribution Report
Should I block AI crawlers?
Depends. If you want citations in Perplexity/ChatGPT — allow them. If content is paid/proprietary — block via robots.txt or CF rule.
From: Bot Traffic Share in Top-10k 2026 — Distribution Report
47% bots — is that normal in 2026?
Yes, global average 40-50%. Trend upward due to AI scraping and AI-content monetisation.
From: Bot Traffic Share in Top-10k 2026 — Distribution Report
How to see my own bot traffic?
Access logs + robots.txt audit. Plus Enterno Pro dashboard shows bot % by User-Agent.
From: Bot Traffic Share in Top-10k 2026 — Distribution Report
Is CAA required?
No, not required but recommended. Without CAA any CA can issue a cert for your domain (given successful domain validation).
How do I add a CAA record?
In DNS zone:
example.com. IN CAA 0 issue "letsencrypt.org". Wildcard: 0 issuewild "letsencrypt.org".
What if CAA blocks a legitimate CA?
Clear cache on CA accounts + add CAA for the new CA. Propagation is usually 1-24 hours.
How to check my CAA?
Why is the median so high?
Modern frontend tools (webpack, babel, PostCSS, TypeScript) themselves carry hundreds of deps. Plus React + routing + state + forms + i18n.
What does npm audit do?
Checks lockfile versions against GitHub Advisory Database. Reports vulnerable packages + recommended upgrades.
Do pnpm/bun solve it?
pnpm — content-addressable storage → shared across projects (save disk). Bun — Rust-based, faster. Both preserve npm semver.
How to reduce?
depcheck for unused. Replace small deps with native APIs (fetch, Date). Consider Deno (std library > npm).
Is the data current?
Data collected in Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
Is Apple Intelligence available in Russia?
Feature blocked region-based, including EU (DMA), China, RU. Workaround: change region in Apple ID. But loses App Store access to restricted apps.
Is Llama 3.2 1B local useful?
Yes, for simple tasks: summary, classification, rewriting. Runs on a consumer CPU. Quality comparable to GPT-3.5 for simple queries.
What are NPU / ANE?
NPU (Neural Processing Unit) — dedicated chip for on-device AI. Apple ANE (Neural Engine): 35 TOPS. Google Tensor TPU. Intel Core Ultra NPU: 40 TOPS. Runs AI without loading GPU/CPU.
Will cloud be replaced?
No, frontier models (GPT-5, Claude Opus) are still cloud-only. On-device for privacy + cost + latency. Hybrid — best.
nginx or Apache — which one?
nginx — for high-concurrency (reverse proxy, static files). Apache — for CMS with .htaccess (WordPress, Drupal) and legacy PHP apps. For a new 2026 project — nginx default.
From: Web Server Market Share 2026 — nginx vs Apache vs Caddy
Is Caddy a serious competitor?
Yes, for small-mid projects. Automatic Let's Encrypt, simple config. Downsides: smaller community, fewer docs, slower for extreme scale.
From: Web Server Market Share 2026 — nginx vs Apache vs Caddy
Is IIS still relevant?
Only for Windows-specific workflows (Exchange, SharePoint, legacy .NET). On Linux no reason to use IIS.
From: Web Server Market Share 2026 — nginx vs Apache vs Caddy
How to tell my server?
Enterno HTTP checker shows Server header + Via + X-Powered-By. Or
curl -I https://example.com. From: Web Server Market Share 2026 — nginx vs Apache vs Caddy
Where does the platform data come from?
From response HTTP headers and HTML signatures: Bitrix emits X-Powered-By-Site, WordPress exposes /wp-content/ in asset URLs, Next.js exposes /_next/ and __NEXT_DATA__. Auto-detect confidence 89%; remainder is manually verified.
Why does 1С-Bitrix lag on CWV?
A typical Bitrix site ships 20+ scripts via core.js, jQuery, heavy widgets (amCharts/Kendo), composite cache without an edge CDN. On cheap shared hosting TTFB is often ≥600ms — already fails LCP.
Next.js at 67% pass — why not 90%?
The SPA pattern wins on INP and CLS but often loses LCP on hero images (crop, lazy-load). Next.js 15 with the app router improved SSR — migration is slow though.
How do I check my own CWV?
Enterno PageSpeed Checker — shows field data + lab data, mobile/desktop separately. Free.
Passkey = password-less?
Yes, Passkey fully replaces password. Authentication runs on local biometrics (Face ID, fingerprint) → private key → challenge response to server.
What if I lose the phone with Passkey?
Cloud sync (iCloud / Google Password Manager) restores on a new device. Backup = separate Passkey on another device / hardware key.
Does an Apple ID from Russia work?
Since 2022 Apple restricts new RU registrations. Existing ones work. Buying via App Store in another region — workaround.
Implementation complexity?
Browser API is simple. Server side needs a FIDO2 library (simplewebauthn.js, py_webauthn). 1-2 weeks to production.
pgvector or a dedicated DB?
pgvector: < 1M vectors, simplicity. Qdrant: > 1M, speed. Weaviate: native hybrid. For 90% of use cases — pgvector.
Best embedding model?
OpenAI text-embedding-3-small ($0.02/1M) — cheapest + good. text-embedding-3-large — best quality. Open: bge-m3 multilingual free.
How to measure RAG quality?
Ragas: answer_relevancy, context_precision, faithfulness. LlamaIndex evals. Manual eval of 50+ examples.
Pure long context vs RAG?
LC: simpler code, higher cost + latency. RAG: cheaper, scales. Hybrid: RAG for retrieval + LC for reasoning.
Why is IPv6 adoption in Russia much lower than global?
Three reasons: (1) only 30% of ISPs give IPv6 to residential clients; (2) mass hosters charge for IPv6; (3) Bitrix on ISPmanager without a cloud CDN requires manual setup, most admins skip it.
Should a small site enable it?
If the host supports it — yes, it's a 10-minute change. If it's a paid add-on — consider it. Gain is small without IPv6-only users.
Does Cloudflare provide IPv6 automatically?
Yes, every Cloudflare site gets IPv6 on the edge for free. That explains the 12% of the market hitting IPv6:100%.
How do I check IPv6 for my site?
Enterno IP checker shows IPv4 + IPv6 + connection type. Or:
curl -6 -I https://example.com.
GitHub Copilot legal issues?
Pending GitHub Copilot lawsuit (Doe v. GitHub, ongoing). Copilot Business promises training only on opt-in. Personal tier training concern remains.
Has code quality dropped?
No. GitHub study: -18% bugs per commit. But: hallucinated API calls, dependency confusion — new class of errors. Review still needed.
Banks do not use it?
8% of companies ban, including major banks (compliance, IP). Some allow only self-hosted (Tabnine Enterprise, Continue + local Llama).
Does Enterno use it?
Yes — Cursor for all development (composer mode, Claude Opus 4.7 backend). Claude Code for terminal tasks. Manual code review on every AI-generated PR.
Strapi or Sanity — which?
Strapi — open-source + self-host, SQL backend. Sanity — SaaS, NoSQL, premium editor UX, real-time collaboration. For budget + self-host — Strapi. For editors-first — Sanity.
Headless CMS for a small blog — overkill?
Yes. Simple blog → Ghost, Astro + MDX, or WordPress. Headless needed when one content base serves multiple channels (web + mobile + TV).
Performance impact?
Headless = extra API call for content. But with caching (Redis/Next.js cache) — almost no overhead. Core Web Vitals usually better than WordPress direct.
How to detect a site's CMS?
Enterno Tech Detect identifies 30+ CMS. Or network tab → API endpoints.
Is data current?
Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
What are Gmail/Yahoo 2024 requirements?
Since Feb 2024: senders of 5000+ emails/day to Gmail/Yahoo must have SPF + DKIM + DMARC (minimum p=none), one-click unsubscribe header, spam rate < 0.3%. Otherwise — throttling or reject.
Is DMARC p=none enough?
For Gmail 2024 — yes. But attackers can still spoof your domain (p=none is monitor-only). Goal: progress to p=quarantine → p=reject.
How to check my setup?
Enterno DKIM/DMARC checker scans SPF+DKIM+DMARC with one URL. Or mail-tester.com for a full email score.
Mailgun/Sendgrid vs self-SMTP?
For <10k emails/mo — self-SMTP works (with proper triad setup over 2-4 weeks). For scale or reliability — provider saves time and pain.
Do I need to explicitly enable TLS 1.3?
nginx 1.13+ with OpenSSL 1.1.1+ — TLS 1.3 default. You only need
ssl_protocols TLSv1.2 TLSv1.3; (drop 1.0/1.1).
Is 0-RTT safe?
Replay attacks possible on idempotent requests. Enable only if you accept POST replay (GET is fine). Cloudflare enables it by default for GET.
When is TLS 1.2 deprecated?
Industry moves slowly. PCI DSS 4.0 requires 1.3 minimum since 2025. Browser deprecation not before 2027.
How to verify my TLS 1.3?
Enterno SSL Checker shows supported protocols.
openssl s_client -tls1_3 — manual test.
Is data current?
Q1 2026. Updated quarterly.
Can I cite this?
Yes, with attribution to Enterno.io.
Is WP dying?
No, but growth is flat/declining. New projects move to JAMstack (Astro, Next.js) or no-code (Webflow). The existing WP ecosystem is huge.
When to pick Headless WP?
If you need a content team with WP UX + React/Vue/Svelte frontend. NOT for a simple blog — too complex.
Gutenberg alternatives?
Classic Editor plugin (official, active). ClassicPress (fork without Gutenberg). Advanced Custom Fields Pro + blocks.
WP security baseline?
Enterno Security Scanner checks headers + cookies. Wordfence for plugin-level scanning.
Other (29)
How often does Enterno.io check my site?
On the free plan, every 5 minutes. On Pro, every 1 minute.
From: Uptime Monitoring Online — Free Website Monitor | Enterno.io
How do I set up downtime alerts?
After adding a monitor, specify your Email or Telegram bot in notification settings. Alerts arrive within 1-2 minutes of an incident being detected.
From: Uptime Monitoring Online — Free Website Monitor | Enterno.io
Is uptime monitoring really free?
Yes. The free plan includes up to 3 monitors with 5-minute intervals. For more monitors and 1-minute checks, upgrade to Pro.
From: Uptime Monitoring Online — Free Website Monitor | Enterno.io
What is a good uptime percentage?
99.9% uptime means less than 8.7 hours of downtime per year. Enterprise-grade services target 99.99%, which allows under 1 hour annually.
From: Uptime Monitoring Online — Free Website Monitor | Enterno.io
How do I run a free SEO audit?
Enter any URL into the form on this page. Enterno.io will check it against 50+ parameters and deliver a full report with recommendations in 30 seconds.
From: SEO Audit Tool Online — Free Website Analysis | Enterno.io
What is an SEO audit?
An SEO audit is a comprehensive review of the technical and on-page factors that affect a website's visibility in search engines like Google and Bing.
From: SEO Audit Tool Online — Free Website Analysis | Enterno.io
How often should I audit my website?
We recommend auditing when launching a site, after major changes, and once every 1-3 months as routine maintenance.
From: SEO Audit Tool Online — Free Website Analysis | Enterno.io
Does it audit the whole site or one page?
The tool analyzes the URL you provide. For a full site audit, check key pages: homepage, main category pages, and your highest-traffic content.
From: SEO Audit Tool Online — Free Website Analysis | Enterno.io
How do I check a robots.txt file?
Enter the site URL into the form above. Enterno.io will automatically fetch the robots.txt from /robots.txt and analyze its contents.
From: Robots.txt Checker Online — Free Analysis Tool | Enterno.io
Where is the robots.txt file located?
Always at the root of the domain: e.g. https://example.com/robots.txt. It must be accessible without redirects or authentication.
From: Robots.txt Checker Online — Free Analysis Tool | Enterno.io
What does Disallow: / mean?
This directive blocks all crawlers from indexing the entire site. It's a critical error if it ends up in production — a common mistake when copying settings from a development environment.
From: Robots.txt Checker Online — Free Analysis Tool | Enterno.io
Does every website need a robots.txt?
Yes. Without one, search engines use default crawl behavior. At minimum, include your Sitemap path — it significantly improves correct indexing.
From: Robots.txt Checker Online — Free Analysis Tool | Enterno.io
What is traceroute?
Traceroute is a network diagnostic utility that tracks the path packets take from source to destination, showing each intermediate router and the latency at each hop.
From: Traceroute Online — Free Network Route Tracer | Enterno.io
What is the difference between traceroute and ping?
Ping only checks host reachability and overall latency. Traceroute shows the full path and lets you pinpoint exactly which hop is causing the problem.
From: Traceroute Online — Free Network Route Tracer | Enterno.io
What do asterisks mean in traceroute?
Three asterisks (* * *) mean a node did not respond within the timeout. Many routers block ICMP by default — this is not always a sign of a problem.
From: Traceroute Online — Free Network Route Tracer | Enterno.io
Why use online traceroute instead of a local one?
The online version runs from our server, showing the route from an external vantage point. This helps determine if a site is reachable from the internet, not just from your own network.
From: Traceroute Online — Free Network Route Tracer | Enterno.io
How do I check if my domain is blacklisted?
Enter your domain or IP into the form above. Enterno.io will check it against all major DNSBL and spam lists and display your status in each one.
From: Spam & Blacklist Check Online — Free Domain Lookup | Enterno.io
Why are my emails going to spam?
Common causes: domain on blacklists, missing SPF/DKIM/DMARC records, high complaint rates, or sending to invalid addresses. Start with a blacklist check.
From: Spam & Blacklist Check Online — Free Domain Lookup | Enterno.io
How do I remove my domain from a blacklist?
Each DNSBL has its own delisting procedure. Typically you fill out a form on the DNSBL's site, explain the issue, and describe corrective actions. Review takes 1-7 days.
From: Spam & Blacklist Check Online — Free Domain Lookup | Enterno.io
Is the check free?
Yes, checking your domain and IP against spam databases is completely free and requires no registration.
From: Spam & Blacklist Check Online — Free Domain Lookup | Enterno.io
How many monitors are free?
The free plan includes up to 3 monitors with 60-minute check intervals.
What is the minimum check interval?
30 seconds on the Business plan. 1 minute on Pro, 5 minutes on Starter.
Is there an API?
Yes, a full REST API with documentation. Up to 50,000 requests/day on the Business plan.
How to check an SSL certificate?
Enter a domain in the SSL check form — results appear in 1-2 seconds.
Is the SSL check free?
Yes, completely free and no registration required.
How long does DNS propagation take?
Usually from a few minutes to 48 hours, depending on the TTL and DNS provider.
From: DNS Lookup Online — Check DNS Records Free | Enterno.io
Is DNS lookup free?
Yes, completely free with no registration.
From: DNS Lookup Online — Check DNS Records Free | Enterno.io
How to improve LCP?
Optimize images (WebP, lazy loading), use a CDN, minimize CSS/JS, enable server caching.
From: Website Speed Test — Core Web Vitals Check | Enterno.io
Is the speed test free?
Yes, completely free.
From: Website Speed Test — Core Web Vitals Check | Enterno.io