Anyone for Webmention?

A DDOS attack may not be easy on your static site per se especially since you have a strict CSP as you pointed out. But it may slow down the server where your site resides through a multitude of HTTP requests. If I understood it right you have an automated process to trigger a build of your site whenever a new Webmention is received. Now imagine a scenario where Netlify receives thousands of build requests for your site and others at the exact same time. They probably already have precautions to mitigate such an attack, but I for one don’t feel comfortable with the Webmention i.e. the old Pingback vulnerability.

No. But with Hugo’s getJSON you can render everything from a Mastodon status on your site. Also if you give your application read & write access you can have direct interactions such as favoring a status from your site (if the visitor is an already authenticated Mastodon user). Their API exposes everything since it’s not a silo.

I saw Bridgy and I tested this feature on your site out of curiosity.

In this post I pressed the Twitter heart, went to Twitter and liked your status, but the count hasn’t updated on your site and it’s been like 20 hours already. Just thought to let you know.

Thanks! So far I like what I’ve seen a lot and also I really like the fact that there is a dedicated Mastodon instance for art.

Many thanks for sharing your configuration. Very useful source of inspiration.


@kaushalmodi You have my thanks also for having made your Content Security Policy configuration available. It is especially great since you document the various options.

Also if you have the time maybe you should write a forum Tips & Tricks or even better include a page in the Hugo Docs about implementing Content Security Policy for a Hugo site with Netlify.

And I don’t think it would be out of place in the Hugo Docs at all. We need this kind of info available for Hugo sites because security is a very important topic. And I think @bep and others would agree on this.


Totally agree!

Love that documented netlify.toml - man after my own heart! And you’ve pointed the way for me to simplify my own CSP which (only implemented for reporting so far) is threatening to be bigger than some content!!

And don’t get me started on the size of metadata I’m serving now just to satisfy all the incompatible microformats that different search engines and social media sites require.

I love the thought that Netlify have put into their service as well. All the right things either thought about in advance or allowed for because of the flexible design.

Once I’ve finally got to the bottom of all of the weird and wonderful headers and meta tags you are supposed to use these days, I’ll be documenting it in the hugo section of my blog at https://it.knightnet.org.uk/kb/hugo

When did web development get so complicated!! It wasn’t like that when I started nearly 2 decades ago :slight_smile:

When IE reigned supreme?

Personally I have no nostalgia for the old days from a web design perspective. I have too many hair pulling memories from back then.

And I much prefer how things are now. It may be more complex but at least these days browsers tend to respect specs not ignore them.

Haha - I don’t disagree particularly. Things were simple, but ugly.

But the more serious point is that my Hugo generated content is vastly larger than just the content due to the myriad of headers and meta tags that I have to send in order to meet all the “standards” now in use. It’s a mess.

Sorry, probably a bit off-topic.


Webmention, like many federated protocols, is indeed vulnerable to some forms of DDOS attacks, although no such practical attack was spotted so far. Only annoying but harmless spam has been spread throughout the indieweb.

I would say the risk is more for the webmention endpoint than for your static website. The endpoints have to parse remote web pages to understand the semantics behind. In this regard, ActivityPub is more appropriate because parsing JSON is waaaaay faster and less error-prone than parsing raw HTML. ⁽¹⁾

But in any case nothing is wrong with the protocol in itself, we just need crypto auth (and encryption) plus moderation built on top. Some people within the indieweb movement are already working on this. We just need more pioneers to get on board and challenge the status quo :wink:

Well you could write your own ActivityPub endpoint (it’s really not hard), but if you need a prepackaged solution then there’s fed.brid.gy, a bridgy ActivityPub endpoint that will turn ActivityPub + AS 2.0 → Webmention + Microformats 2.0 :slight_smile:

Wow, that sounds nice. How does that work? How can you guess the Mastodon API address (i.e. the instance) when you generate your site, if it changes with every user? Do you have to use some JavaScript voodoo to let users enter their instance address, and from there update the form action?

On a slightly different topic, I had started writing some content plugin system for my build script. I’m currently thinking on refining it and working on proper webmention.io integration. Are other people interested in such pre-packaged solutions? Is it worth spending my time working on? :slight_smile:

⁽¹⁾ How a webmention endpoint works: it receives a request saying “page A linked to page B”. From there, it will try to load pages A and B, ensure it’s responsible for page B’s webmentions and that the endpoint that sent the request is indeed page A’s webmention endpoint. This requires parsing both HTML pages to find rel links. Then, if those links are correctly set up (i.e. we’re not receiving a webmention for a website we don’t manage, or from a fishy website), we can parse page A’s body to interpret the interaction that took place on that page. So that’s a lot of parsing and guessing for every interaction, which makes it more vulnerable to DOS/DDOS.
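An added example, not code from the thread or from any project it mentions, of the receiver-side checks the footnote describes, written in Python with page fetching and DNS resolution injected as functions so it runs offline. It adds the limits a defender wants on such an endpoint: a body size cap and a refusal to fetch sources that resolve to private addresses; MANAGED_HOSTS and the sample URLs are assumed values.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

MANAGED_HOSTS = {"example.org"}  # hosts we accept Webmentions for (assumed value)
MAX_BODY_BYTES = 512 * 1024      # refuse to parse oversized source pages

class LinkCollector(HTMLParser):
    """Gathers the href values of <a> tags in the fetched source page."""
    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value.strip())

def is_public_http_url(url, resolve):
    """Only http(s) URLs whose host resolves to public addresses pass, so the
    receiver cannot be pointed at loopback or internal services."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except ValueError:
        return False
    return bool(addrs) and all(a.is_global for a in addrs)

def verify_webmention(source, target, fetch, resolve):
    """Return "ok" if the mention is acceptable, else a short rejection reason.
    fetch(url) -> (status, body_bytes); resolve(host) -> [ip, ...]; both are
    injected so the check can run offline (wire a real HTTP client for use)."""
    if source == target:
        return "source equals target"
    t = urlparse(target)
    if t.scheme not in ("http", "https") or t.hostname not in MANAGED_HOSTS:
        return "target not managed here"  # not a page B we are responsible for
    if not is_public_http_url(source, resolve):
        return "source not a public http(s) URL"
    status, body = fetch(source)
    if status != 200 or len(body) > MAX_BODY_BYTES:
        return "source not fetchable or too large"
    links = LinkCollector()
    links.feed(body.decode("utf-8", errors="replace"))
    if target not in links.hrefs:  # page A must actually link to page B
        return "source does not link to target"
    return "ok"
```

The rejection reasons are returned rather than raised so the endpoint can log them and answer with a plain 400 without parsing anything further.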

I am only interested in my published statuses; it’s easy to get these by entering the status id in the frontmatter of a Hugo content file. I haven’t had the time to test the POST request yet. It might not work out, but if it does I’ll let you know.

BTW you can read the Mastodon API docs over here if you want: https://github.com/tootsuite/documentation/blob/master/Using-the-API/API.md

Well, I’m interested in the build workflow and how to integrate other dynamic sources. Mentions and comments are two things that might be updated at build time but things like twitter feeds and RSS feeds are a couple of other things I’m interested in.

This really falls under the banner of data-driven sites. We currently have a simple form of this with Hugo’s data folder which is great. But there are a number of use-cases where more open, dynamic data might be used to drive new or updated content.

Having a standard process for this using well recognised and supported tools would, in my opinion, be a real boon to Hugo. However, I recognise that this probably isn’t a core Hugo feature.

Anyway this is just me musing about the art of the possible - I’m still learning the basics.

Sorry if I’m a little late, but I saw this topic some time ago and now it has a lot of useful content. I was looking for a Hugo site with webmentions to have as an example, as I want to implement them on my site.

But first I want to ask you about your twitter interaction buttons since I was looking to have something similar (show a tweet conversation thread) to replace comments, but your solution is way better and cleaner. I went to look at your site code but I’m still not very clear on your posting process: do you have to tweet and then copy the tweet ID and paste it on the post front-matter to make it work, or is it a more automatic process?

Maybe as a webmention it gets the id or I’m totally confused?


Sorry to say, but that’s what it is.

There is no automatic process involved. If you look at the git blame for a post, you will find the secret – I post, I tweet, I add the tweet ID, and I re-publish :slight_smile:.


That’s out of my scope… don’t know PHP, and for now sticking with Netlify that allows serving only static pages, no scripts like PHP, etc.

Sounds ideal for one of Netlify’s AWS serverless functions.


I was just about to say that, honest!

I have zero knowledge about AWS lambda functions. Also I have a probably wrong idea that AWS lambda functions are proprietary to Amazon hosting services, which I have no interest in.

If someone ends up implementing Webmentions using those, please blog about the whole flow, and also including a bit of AWS lambda 101 if possible.

That is the beauty of Netlify, zero knowledge about AWS required :wink:
handy intro tutorial here:


Thanks. Oh, so that uses JavaScript, which also I don’t know (I am not a web developer) :stuck_out_tongue:.

Though, I’ll play with it and see if I can make some use of Python lambda functions as substitute.


Currently, you can deploy functions built with JavaScript and Go.
Functions overview | Netlify Docs
:disappointed:


Oh well, thanks for pointing that out. I hadn’t yet started looking into this. I’ll file this self action item to delve into Lambda functions/JS for some other day :slight_smile:.

Till then, I’ll just watch and learn what others are doing with Netlify + Lambda functions + Webmentions.


Sadly, my eyes glazed over when I started reading about webmentions. Might just be me but they seem way too complex compared to the potential benefit - at the moment.

I did have a similar integration with my WordPress comments via a plugin that integrated pingbacks to comments. I’m afraid I don’t have the time to learn the complexities. Hopefully some clever people will simplify things to a more useful point.

As for AWS Lambda functions - I think that the title is the most complex part about them! Just think about them as a quick way to run a small, focused function. Responses to a form for example.

Although they are called “serverless”, this is more marketing doublespeak. They just provide a quick and easy way to publish some accessible function. But most people (AFAIK) are using JavaScript for things like this.

As I saw the usefulness of learning a single language for both front and back-end programming quite a few years ago now, I switched from PHP to JS (using Node.JS at the back end) and I’ve never regretted it.

I haven’t been a “developer” for many years now and most of my programming is for personal use or for utility use in my wider roles as an Information Management and Cyber Security specialist.