The latest articles on DEV Community by ABDUL RAHMAN (@devlobb). https://dev.to/devlobb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F784464%2F5a99ce6d-6368-48ec-94cc-3d40937c55d0.jpeg https://dev.to/devlobb en ABDUL RAHMAN Sun, 28 Dec 2025 19:38:56 +0000 https://dev.to/devlobb/how-i-built-a-stable-247-youtube-livestream-on-a-vps-using-ffmpeg-no-saas-required-1bid https://dev.to/devlobb/how-i-built-a-stable-247-youtube-livestream-on-a-vps-using-ffmpeg-no-saas-required-1bid <p>Most live-streaming tools make 24/7 YouTube streaming sound easy — until you read the pricing page.</p> <p>Recently, I wanted to run a continuous 24/7 livestream to YouTube. The challenge?<br> Most SaaS streaming platforms either:</p> <p>• charge monthly fees<br> • limit long-running streams<br> • or only allow full features on paid plans</p> <p>Since I already operate my own VPS, I decided to engineer a fully self-hosted solution using FFmpeg — stable enough to run indefinitely.</p> <p><strong>Challenge</strong></p> <p>The stream worked at first, but YouTube repeatedly showed:</p> <p>• “Not receiving enough video”<br> • “No data”<br> • Buffering warnings</p> <p>Which meant the stream wasn’t stable, and viewers experienced freezes.</p> <p>It looked like a network problem — but it wasn’t.</p> <p><strong>Root Cause</strong></p> <p>On the VPS, FFmpeg was using ~98–100% CPU constantly.</p> <p>At 100% CPU:</p> <ul> <li>encoding slows</li> <li>timestamps drift</li> <li>bitrate becomes unstable</li> <li>sometimes YouTube receives 0 kbps</li> </ul> <p>So the problem was simple:</p> <p>The stream was CPU-bound, not bandwidth-bound.</p> <p><strong>Technical Fix</strong></p> <p>The goal was to keep CPU safely below ~60%.</p> <p>I tuned FFmpeg as follows:</p> <p>Use a faster preset<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-preset superfast </code></pre> </div> <p>Apply predictable bitrate control<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-b:v 2000k -maxrate 2000k -bufsize 4000k </code></pre> </div> <p>Keyframe interval for 30fps<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-g 60 -keyint_min 60 </code></pre> </div> <p>Scale when needed<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-vf scale=1280:-2 </code></pre> </div> <p>Final Working Command (Simplified)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ffmpeg -re -stream_loop -1 -i video.mp4 \ -vf scale=1280:-2 \ -c:v libx264 -preset superfast -profile:v high \ -b:v 2000k -maxrate 2000k -bufsize 4000k \ -g 60 -keyint_min 60 -r 30 -pix_fmt yuv420p \ -c:a aac -b:a 128k -ar 44100 \ -f flv rtmp://a.rtmp.youtube.com/live2/STREAM_KEY </code></pre> </div> <p>CPU dropped to ~50–60%, and the stream stabilized to Excellent Health.</p> <p><strong>Key Takeaways</strong></p> <p>• CPU load directly affects live-streaming stability<br> • Stable bitrate &gt; chasing maximum resolution<br> • VPS-based streaming requires margin and monitoring<br> • FFmpeg tuning matters in production</p> <p><strong>Why I Built This</strong></p> <p>I wanted a reliable 24/7 stream without SaaS cost limitations, and since I already maintain servers, building it myself made sense — and it turned into a great engineering exercise across streaming, DevOps, and system reliability.</p> opensource devops performance tutorial ABDUL RAHMAN Wed, 23 Feb 2022 13:30:16 +0000 https://dev.to/devlobb/content-security-policy-with-php-5d07 https://dev.to/devlobb/content-security-policy-with-php-5d07 <p>Use X-Frame-Options and Content-Security-Policy with PHP</p> <p>Most of today's browsers can help protect your site from malicious attacks if you tell them so. A method that is almost universally supported is to set the X-Frame options. If this option is set, the browser does not allow other sites to display your own site in an iframe. This protects against clickjacking attacks and should be used on all sensitive pages such as the login page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Adds X-Frame-Options to HTTP header so that page can only be shown in an iframe of the same site. header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+ </code></pre> </div> <p>Users who work with a current browser automatically benefit when a website sends a Content Security Policy (CSP) in the header. With a CSP, you can define where JavaScript code is accepted from, which pages are allowed to display your page in an iframe, and many other things. If a browser supports CSP, this can be effective protection against cross-site scripting. <a href="https://developers.google.com/web/fundamentals/security/csp" rel="noopener noreferrer">more…</a></p> <p>The implementation in PHP is very simple, but problems can arise with inline JavaScript. You get the greatest protection if you avoid all JavaScript in the HTML files and instead store them in separate *.js files. In case this is not possible (existing source code), there is an option to allow inline-script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Adds the Content-Security-Policy to the HTTP header. // JavaScript will be restricted to the same domain as the page itself. header("Content-Security-Policy: default-src 'self'; script-src 'self';"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+ header("X-Content-Security-Policy: default-src 'self'; script-src 'self';"); // IE 10+ </code></pre> </div> php javascript security programming