Practical AWS and serverless engineering notes from a Swiss software practice.https://www.k-i-soft.ch/en-CHhttps://www.k-i-soft.ch/en/blog/passkeys-warum-besser-als-passwoerter/https://www.k-i-soft.ch/en/blog/passkeys-warum-besser-als-passwoerter/Passwords are the weakest link in login. Passkeys replace them with a cryptographic key pair that cannot be phished. What passkeys are, why they are phishing-proof, how you use them, and how they work under the hood with WebAuthn.Tue, 02 Jun 2026 00:00:00 GMTSecurityPasskeysWebAuthnhttps://www.k-i-soft.ch/en/blog/ki-auffindbar-was-heisst-das/https://www.k-i-soft.ch/en/blog/ki-auffindbar-was-heisst-das/A second search world has grown up next to Google, and many websites are invisible to it. What AI findability means, the two-minute test for your own site, and what really makes a page AI-readable.Fri, 29 May 2026 00:00:00 GMTGEOAI visibilityAEOChatGPTServerlesshttps://www.k-i-soft.ch/en/blog/google-analytics-zeigt-nur-die-haelfte/https://www.k-i-soft.ch/en/blog/google-analytics-zeigt-nur-die-haelfte/Across the DACH region about half of all visitors reject the consent banner, Safari and Firefox block tracking by default, and AI crawlers never appear at all. Where the gap comes from, and what server-side measurement adds without replacing GA.Thu, 28 May 2026 00:00:00 GMTAnalyticsAI crawlersCloudFrontServer logsFADPPrivacyhttps://www.k-i-soft.ch/en/blog/wordpress-was-die-schweizer-behoerden-warnen/https://www.k-i-soft.ch/en/blog/wordpress-was-die-schweizer-behoerden-warnen/Three pieces of evidence on why WordPress sites are a concrete security risk for Swiss SMEs. With sources from the Federal Office for Cybersecurity (BACS), Patchstack and Wordfence.Tue, 26 May 2026 00:00:00 GMTWordPressSecuritySwitzerlandServerlessFADPhttps://www.k-i-soft.ch/en/blog/wenn-die-webseite-langsam-wird/https://www.k-i-soft.ch/en/blog/wenn-die-webseite-langsam-wird/Peak load, maintenance windows and outages often hit a website at the wrong moment. That is rarely the provider's fault, it is the hosting model. What classic hosting structurally costs, and what serverless does differently, with current Swiss prices.Sun, 24 May 2026 00:00:00 GMTHostingServerlessAWSCloudFrontScalingSMEhttps://www.k-i-soft.ch/en/blog/cognito-custom-domain-cdk-henne-ei/https://www.k-i-soft.ch/en/blog/cognito-custom-domain-cdk-henne-ei/Even when you avoid the self-built login and go with Cognito plus Lambda@Edge, there is a layer of traps that no AWS reference blog mentions. Four traps in a fixed order, because each one is entered because the previous one was handled correctly. The most expensive hour of the setup had nothing to do with cryptography. It went into figuring out which of two CDK stacks has to deploy first. Resolution in three steps.Thu, 14 May 2026 00:00:00 GMTAWS · Cloud SecurityCognitoCDKhttps://www.k-i-soft.ch/en/blog/lambda-cold-start-benchmark/https://www.k-i-soft.ch/en/blog/lambda-cold-start-benchmark/2700 measurements on AWS Lambda in eu-central-2, arm64. Four runtimes side by side: Quarkus JVM, Quarkus Native, Node 24, JVM with SnapStart. Init Duration is memory-independent for three of four. JVM at 512 MB takes 5.8 seconds to first response, native and Node sit under 600 ms. And SnapStart without priming actually makes things worse. The data, the methodology, and what to take away.Thu, 30 Apr 2026 00:00:00 GMTAWS · PerformanceQuarkus · SnapStarthttps://www.k-i-soft.ch/en/blog/cognito-custom-email-sender-drei-fallen/https://www.k-i-soft.ch/en/blog/cognito-custom-email-sender-drei-fallen/My first attempt at sending a verification email from AWS Cognito was a full SMTP server of my own. Locally it ran. In AWS, not a single mail got through. Three traps later, the system was running in production: outbound port 25 blocked, SES API-only in eu-central-2 (Zurich), and KMS envelope encryption colliding with JVM cold starts and Cognito's retry logic. Architecture, runtime trade-offs, and an idempotency line of defense.Wed, 29 Apr 2026 00:00:00 GMTAWS · Cognito · SESCustom Email Senderhttps://www.k-i-soft.ch/en/blog/rentaside-product-market-fit/https://www.k-i-soft.ch/en/blog/rentaside-product-market-fit/In 2024 I built a full marketplace app: iOS, Android, AWS backend, payments, three-language marketing. Zero users. The lesson from Rentaside on product-market fit, the marketplace cold start, and what three decades of code don't teach you.Fri, 24 Apr 2026 00:00:00 GMT30 Jahre Code · Issue #1Founder lessonshttps://www.k-i-soft.ch/en/blog/private-rds-access-serverless/https://www.k-i-soft.ch/en/blog/private-rds-access-serverless/Bastion hosts cost $43.80 a year just for the public IP, plus patching and key rotation. EC2 Instance Connect Endpoint is free but drops after one hour. Fargate ephemeral gives you serverless-on-demand tunnels with no session cap. Three options, one decision.Thu, 23 Apr 2026 00:00:00 GMTAWS · Cost & SecurityServerlesshttps://www.k-i-soft.ch/en/blog/never-build-your-own-login/https://www.k-i-soft.ch/en/blog/never-build-your-own-login/"I'll just quickly build the login." That's the sentence that starts every other SaaS disaster. Password hashing, MFA, passkeys, token rotation, audit logs, FADP compliance. Why Cognito, Lambda@Edge, and API Gateway solve it cleanly in three layers, and why you should never build this yourself.Wed, 22 Apr 2026 00:00:00 GMTAWS · Cloud SecurityCognitohttps://www.k-i-soft.ch/en/blog/lambda-edge-explained/https://www.k-i-soft.ch/en/blog/lambda-edge-explained/Standard Lambda has a home region, often a continent away from the user. Lambda@Edge runs at 400+ CloudFront edge locations. The four trigger points, real use cases (edge auth, security headers, geolocation routing), the hard limits, and what's running in production at SCMC.Tue, 21 Apr 2026 00:00:00 GMTAWS · ServerlessLambda@Edge