http

Middleware intercepts HTTP requests before they reach controllers, perfect for authentication, logging, or request modification. I create middleware classes with a handle() method that receives the request and a $next closure. Middleware can inspect/m

When I want ‘real time’ updates without the operational overhead of WebSockets, I reach for Server-Sent Events (SSE). It’s just streaming HTTP, so it behaves well behind proxies and is easy to reason about. I set the right headers (Content-Type: text/

A clean shutdown is part of reliability, not an afterthought. The pattern I like is: (1) start servers and workers, (2) listen for SIGINT/SIGTERM, (3) call Shutdown with a deadline, and (4) wait for background goroutines to finish. http.Server.Shutdow

The default http.Server will happily keep connections open longer than you intended, which is how you end up with “mysterious” goroutine growth during partial outages. I set ReadHeaderTimeout to protect against slowloris-style attacks, keep IdleTimeou

CORS configs have a habit of getting more permissive over time until you’re basically allowing any origin. I keep an explicit allowlist and handle credentials carefully. If you allow cookies, you can’t use * as the origin. I also keep preflight respon

Axum is a modern web framework built on tokio and hyper. It uses extractors (like Json<T>, Path<T>, State<S>) to parse requests into Rust types, and the compiler ensures your handlers match their routes. Middleware is just functions,

Even in Go, panics happen: a nil pointer in an edge case, a bad slice index, or a library bug. I don't want a single request to take down the whole process, so I wrap handlers with a recovery middleware that captures panics, logs them with request con

Even well-tested services panic occasionally: a nil pointer from an unexpected edge case, a slice bounds bug, or a library doing something surprising. If you don’t recover, one request can crash the entire process and turn a small bug into an outage.

Even in API-heavy systems, I occasionally render HTML emails or a lightweight admin page. I always use html/template (not text/template) so content is escaped by default, which prevents accidental XSS when variables contain user input. I also keep tem

Reqwest is the most popular async HTTP client for Rust. It's built on tokio and hyper, with a high-level API for making requests. Connection pooling, redirects, timeouts, and TLS are handled automatically. I use the builder pattern to configure client

Tower is a library of modular middleware (called "layers") for async services. Axum is built on Tower, so you can use any Tower middleware: TimeoutLayer, CompressionLayer, TraceLayer, etc. Layers wrap services, adding behavior like logging, metrics, o

I like to start observability with two metrics: request duration and response codes. The wrapper below intercepts WriteHeader to capture status codes and then records both a histogram observation and a counter increment. The biggest gotcha is label ca