Practical notes on AWS architecture, serverless builds, Java on Lambda, AI workflows, and running a Swiss software practice. No hot takes, just things that worked (or did not).
Passwords are the weakest link in login. Passkeys replace them with a cryptographic key pair whose signatures are bound to the site's origin, so a lookalike site gets nothing it can reuse. What passkeys are, why they are phishing-resistant, how you use them, and how they work under the hood with WebAuthn.
A second search world has grown up next to Google, and many websites are invisible to it. What AI findability means, the two-minute test for your own site, and what really makes a page AI-readable.
Across the DACH region about half of all visitors reject the consent banner, Safari and Firefox block tracking by default, and AI crawlers never appear at all. Where the gap comes from, and what server-side measurement adds without replacing GA.
Three pieces of evidence on why WordPress sites are a concrete security risk for Swiss SMEs. With sources from the Federal Office for Cybersecurity (BACS), Patchstack and Wordfence.
Peak load, maintenance windows and outages often hit a website at the wrong moment. That is rarely the provider's fault; it is the hosting model. What classic hosting structurally costs, and what serverless does differently, with current Swiss prices.
Even when you avoid the self-built login and go with Cognito plus Lambda@Edge, there is a layer of traps that no AWS reference blog mentions. Four traps in a fixed order, because you only reach each one after handling the previous one correctly. The most expensive hour of the setup had nothing to do with cryptography. It went into figuring out which of two CDK stacks has to deploy first. Resolution in three steps.
2700 measurements on AWS Lambda in eu-central-2, arm64. Four runtimes side by side: Quarkus JVM, Quarkus Native, Node 24, JVM with SnapStart. Init Duration is memory-independent for three of four. JVM at 512 MB takes 5.8 seconds to first response, native and Node sit under 600 ms. And SnapStart without priming actually makes things worse. The data, the methodology, and what to take away.
My first attempt at sending a verification email from AWS Cognito was a full SMTP server of my own. Locally it ran. In AWS, not a single mail got through. Three traps later, the system was running in production: outbound port 25 blocked, SES API-only in eu-central-2 (Zurich), and KMS envelope encryption colliding with JVM cold starts and Cognito's retry logic. Architecture, runtime trade-offs, and an idempotency line of defense.
In 2024 I built a full marketplace app: iOS, Android, AWS backend, payments, three-language marketing. Zero users. The lesson from Rentaside on product-market fit, the marketplace cold start, and what three decades of code don't teach you.
Bastion hosts cost $43.80 a year just for the public IP, plus patching and key rotation. EC2 Instance Connect Endpoint is free but drops after one hour. Fargate ephemeral gives you serverless-on-demand tunnels with no session cap. Three options, one decision.
"I'll just quickly build the login." That's the sentence that starts every other SaaS disaster. Password hashing, MFA, passkeys, token rotation, audit logs, FADP compliance. Why Cognito, Lambda@Edge, and API Gateway solve it cleanly in three layers, and why you should never build this yourself.
Standard Lambda has a home region, often a continent away from the user. Lambda@Edge runs in CloudFront's regional edge caches, close to the viewer instead of in one home region. The four trigger points, real use cases (edge auth, security headers, geolocation routing), the hard limits, and what's running in production at SCMC.