DEV Community: Kristiyan The latest articles on DEV Community by Kristiyan (@kristiyan_4476d7d92148b4c). https://dev.to/kristiyan_4476d7d92148b4c https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3843545%2F3660b814-b6ab-4848-82ba-a02fbce1a505.png DEV Community: Kristiyan https://dev.to/kristiyan_4476d7d92148b4c en I Built 3 Free Developer Tools with Go and Astro — Here's the Architecture Kristiyan Thu, 09 Apr 2026 17:49:09 +0000 https://dev.to/kristiyan_4476d7d92148b4c/i-built-3-free-developer-tools-with-go-and-astro-heres-the-architecture-1n98 https://dev.to/kristiyan_4476d7d92148b4c/i-built-3-free-developer-tools-with-go-and-astro-heres-the-architecture-1n98 <p>I'm a developer who got tired of bloated online tools that require signup just to merge two PDFs. So I built three free alternatives and deployed them on a single ARM64 VPS.</p> <h2> The Tools </h2> <h3> 1. ImgCrush — Image Optimizer </h3> <p><strong><a href="https://imgcrush.dev" rel="noopener noreferrer">imgcrush.dev</a></strong></p> <p>Compress, resize, and convert images (JPEG, PNG, WebP). Drop files in, get optimized files out. No signup, no file count limits.</p> <h3> 2. PDFCrush — PDF Toolkit </h3> <p><strong><a href="https://pdfcrush.dev" rel="noopener noreferrer">pdfcrush.dev</a></strong></p> <p>Merge, compress, split PDFs and edit metadata. Server-side processing means it works with large files that crash browser-based tools.</p> <h3> 3. EU VAT Dev — VAT Calculator </h3> <p><strong><a href="https://euvat.dev" rel="noopener noreferrer">euvat.dev</a></strong></p> <p>Calculate EU VAT across all 27 member states, validate VAT numbers against the official VIES database. Built for developers and businesses selling digital products in the EU.</p> <h2> Architecture </h2> <p>All three follow the same pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Astro Frontend] → [Go API] → [SQLite] ↓ [File Processing] (libvips / pdfcpu) </code></pre> </div> <h3> Why Go? </h3> <p>File processing is CPU-bound work. Go's standard library handles HTTP, file I/O, and concurrency out of the box. The compiled binary is ~15MB and starts in milliseconds. No runtime, no dependency hell.</p> <p>Key libraries:</p> <ul> <li> <strong>chi</strong> for HTTP routing</li> <li> <strong>pdfcpu</strong> for PDF operations (pure Go, no CGO)</li> <li> <strong>modernc.org/sqlite</strong> for database (pure Go SQLite, works on ARM64)</li> <li> <strong>bimg/libvips</strong> for image processing</li> </ul> <h3> Why Astro? </h3> <p>The landing pages are 100% static HTML — zero JavaScript shipped to the browser. This matters for SEO (Core Web Vitals) and for users on slow connections. The actual tool UI uses React "islands" — interactive components that hydrate only where needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--- // This is a static Astro page import Layout from '../layouts/Layout.astro'; --- &lt;Layout title="PDF Toolkit"&gt; &lt;!-- Static marketing content, zero JS --&gt; &lt;h1&gt;Merge, Compress &amp; Split PDFs&lt;/h1&gt; &lt;!-- Only this component ships React JS --&gt; &lt;PDFUploader client:load /&gt; &lt;/Layout&gt; </code></pre> </div> <h3> Deployment: Single VPS, Multiple Products </h3> <p>Everything runs on one Hetzner cax21 (ARM64, 4 vCPU, 8GB RAM, ~€7/mo):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">Caddy</span> (<span class="n">reverse</span> <span class="n">proxy</span> + <span class="n">auto</span> <span class="n">HTTPS</span>) ├── <span class="n">pdfcrush</span>.<span class="n">dev</span> → :<span class="m">8081</span> (<span class="n">pdf</span>-<span class="n">toolkit</span> <span class="n">container</span>) ├── <span class="n">imgcrush</span>.<span class="n">dev</span> → :<span class="m">8082</span> (<span class="n">image</span>-<span class="n">optimizer</span> <span class="n">container</span>) ├── <span class="n">euvat</span>.<span class="n">dev</span> → :<span class="m">8083</span> (<span class="n">eu</span>-<span class="n">vat</span>-<span class="n">calculator</span> <span class="n">container</span>) └── <span class="n">analytics</span> → :<span class="m">8000</span> (<span class="n">Plausible</span> <span class="n">CE</span>) </code></pre> </div> <p>Each product is a multi-stage Docker build:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Build Go binary</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.26-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">go-builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> go.mod go.sum ./</span> <span class="k">RUN </span>go mod download <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-o</span> server ./cmd/server <span class="c"># Stage 2: Build Astro frontend</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">frontend-builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> frontend/ .</span> <span class="k">RUN </span>npm ci <span class="o">&amp;&amp;</span> npm run build <span class="c"># Stage 3: Minimal runtime</span> <span class="k">FROM</span><span class="s"> alpine:3.19</span> <span class="k">COPY</span><span class="s"> --from=go-builder /app/server /server</span> <span class="k">COPY</span><span class="s"> --from=frontend-builder /app/dist /static</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["/server"]</span> </code></pre> </div> <p>Final image size: ~25MB per product.</p> <h3> Rate Limiting &amp; Pro Tiers </h3> <p>Each product has IP-based rate limiting with a cookie-based "Pro" bypass:</p> <ol> <li>User pays via Stripe</li> <li>Webhook saves their email as an active subscription</li> <li>User enters email → gets an HMAC-signed HTTP-only cookie</li> <li>Rate limiter checks cookie before checking IP</li> </ol> <p>No passwords, no sessions, no user accounts. Just email → cookie → unlimited access.</p> <h2> Numbers (Honest) </h2> <p>After a few weeks live:</p> <ul> <li>~38 total visitors across all 3 products</li> <li>Zero revenue</li> <li>Near-zero SEO rankings (too new)</li> </ul> <p>Traffic is the bottleneck, not product quality. ImgCrush shows 26s average session duration — people who find it actually use it. The problem is nobody can find it yet.</p> <h2> What's Next </h2> <ol> <li> <strong>SEO content</strong> — Blog articles targeting long-tail keywords ("best free PNG compressor 2026", "how to compress PDF without losing quality")</li> <li> <strong>Directory submissions</strong> — AlternativeTo, SaaSHub, BetaList</li> <li> <strong>Community sharing</strong> — this post is part of that effort</li> </ol> <p>If you're building similar tools, I'd recommend the Go + Astro stack. It's lightweight, fast, and the deployment story is simple.</p> <p><em>Try them out: <a href="https://imgcrush.dev" rel="noopener noreferrer">imgcrush.dev</a> | <a href="https://pdfcrush.dev" rel="noopener noreferrer">pdfcrush.dev</a> | <a href="https://euvat.dev" rel="noopener noreferrer">euvat.dev</a></em></p> go astro webdev sideprojects I Built a Free PDF Toolkit in Go + Astro — Here's What I Learned Kristiyan Wed, 25 Mar 2026 17:14:29 +0000 https://dev.to/kristiyan_4476d7d92148b4c/i-built-a-free-pdf-toolkit-in-go-astro-heres-what-i-learned-22d8 https://dev.to/kristiyan_4476d7d92148b4c/i-built-a-free-pdf-toolkit-in-go-astro-heres-what-i-learned-22d8 <p>Every few months I find myself needing to merge two PDFs or pull a few pages out of a big document. I open a search, find a tool, and immediately get hit with "sign up to continue" or "buy premium to process files over 5MB." For a 30-second task.</p> <p>So I built <a href="https://pdfcrush.dev" rel="noopener noreferrer">PDFCrush</a> — a free online PDF toolkit that does merge, split, and compress without accounts or upsells. Here is what the process looked like and what I learned along the way.</p> <h2> The Stack </h2> <ul> <li> <strong>Backend</strong>: Go with the <a href="https://github.com/go-chi/chi" rel="noopener noreferrer">chi</a> router</li> <li> <strong>Frontend</strong>: <a href="https://astro.build/" rel="noopener noreferrer">Astro</a> with Tailwind CSS</li> <li> <strong>Database</strong>: SQLite via <a href="https://pkg.go.dev/modernc.org/sqlite" rel="noopener noreferrer">modernc.org/sqlite</a> </li> <li> <strong>PDF processing</strong>: <a href="https://github.com/pdfcpu/pdfcpu" rel="noopener noreferrer">pdfcpu</a> (pure Go)</li> <li> <strong>Hosting</strong>: Hetzner ARM64 VPS, Caddy reverse proxy, Cloudflare</li> </ul> <p>No frameworks on the backend. No ORM. No Redis. The entire thing is a single Go binary serving both the API and the static frontend.</p> <h2> Why Go? </h2> <p>I wanted a single binary I could <code>scp</code> to a cheap ARM64 VPS and run. No runtime, no dependency hell, no <code>node_modules</code> on the server. Go gives me that plus genuinely good concurrency for handling file uploads.</p> <p>The server setup is minimal — chi for routing, <code>slog</code> for structured JSON logging, and standard library for everything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span> <span class="o">:=</span> <span class="n">chi</span><span class="o">.</span><span class="n">NewRouter</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">chimw</span><span class="o">.</span><span class="n">RequestID</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">chimw</span><span class="o">.</span><span class="n">RealIP</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">chimw</span><span class="o">.</span><span class="n">Logger</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">chimw</span><span class="o">.</span><span class="n">Recoverer</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">SecurityHeaders</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">CORS</span><span class="p">(</span><span class="s">"*"</span><span class="p">))</span> <span class="n">r</span><span class="o">.</span><span class="n">Route</span><span class="p">(</span><span class="s">"/api/v1"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">r</span> <span class="n">chi</span><span class="o">.</span><span class="n">Router</span><span class="p">)</span> <span class="p">{</span> <span class="n">r</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"/health"</span><span class="p">,</span> <span class="n">handlers</span><span class="o">.</span><span class="n">HealthCheck</span><span class="p">(</span><span class="n">store</span><span class="p">))</span> <span class="c">// PDF operations — rate limited for free users.</span> <span class="n">r</span><span class="o">.</span><span class="n">With</span><span class="p">(</span><span class="n">rateLimiter</span><span class="o">.</span><span class="n">Limit</span><span class="p">)</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/pdf/merge"</span><span class="p">,</span> <span class="n">pdfHandlers</span><span class="o">.</span><span class="n">Merge</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">With</span><span class="p">(</span><span class="n">rateLimiter</span><span class="o">.</span><span class="n">Limit</span><span class="p">)</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/pdf/split"</span><span class="p">,</span> <span class="n">pdfHandlers</span><span class="o">.</span><span class="n">Split</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">With</span><span class="p">(</span><span class="n">rateLimiter</span><span class="o">.</span><span class="n">Limit</span><span class="p">)</span><span class="o">.</span><span class="n">Post</span><span class="p">(</span><span class="s">"/pdf/compress"</span><span class="p">,</span> <span class="n">pdfHandlers</span><span class="o">.</span><span class="n">Compress</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Chi's middleware chaining with <code>.With()</code> is one of those things that looks obvious but makes route-level concerns (rate limiting, auth) really clean.</p> <h2> Pure Go PDF Processing (No CGO) </h2> <p>This was the decision that shaped the whole project. Most PDF libraries in Go lean on C bindings (poppler, MuPDF, etc.), which means CGO, which means cross-compilation headaches and no static binaries on ARM64 without pain.</p> <p>Instead I used <a href="https://github.com/pdfcpu/pdfcpu" rel="noopener noreferrer">pdfcpu</a>, which is pure Go. The processing layer is thin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="o">*</span><span class="n">Processor</span><span class="p">)</span> <span class="n">Merge</span><span class="p">(</span><span class="n">files</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> <span class="o">&lt;</span> <span class="m">2</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"pdf: merge requires at least 2 files, got %d"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">files</span><span class="p">))</span> <span class="p">}</span> <span class="n">outFile</span> <span class="o">:=</span> <span class="n">filepath</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">p</span><span class="o">.</span><span class="n">uploadDir</span><span class="p">,</span> <span class="n">uuid</span><span class="o">.</span><span class="n">New</span><span class="p">()</span><span class="o">.</span><span class="n">String</span><span class="p">()</span><span class="o">+</span><span class="s">".pdf"</span><span class="p">)</span> <span class="n">conf</span> <span class="o">:=</span> <span class="n">model</span><span class="o">.</span><span class="n">NewDefaultConfiguration</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">api</span><span class="o">.</span><span class="n">MergeCreateFile</span><span class="p">(</span><span class="n">files</span><span class="p">,</span> <span class="n">outFile</span><span class="p">,</span> <span class="no">false</span><span class="p">,</span> <span class="n">conf</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"pdf: merge failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">slog</span><span class="o">.</span><span class="n">Info</span><span class="p">(</span><span class="s">"pdf merge completed"</span><span class="p">,</span> <span class="s">"input_count"</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">files</span><span class="p">),</span> <span class="s">"output"</span><span class="p">,</span> <span class="n">outFile</span><span class="p">)</span> <span class="k">return</span> <span class="n">outFile</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Split and compress follow the same pattern — validate inputs, call pdfcpu, return a path. The <code>Processor</code> struct owns the upload directory and max file size, and every handler cleans up temp files with <code>defer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">defer</span> <span class="n">h</span><span class="o">.</span><span class="n">processor</span><span class="o">.</span><span class="n">Cleanup</span><span class="p">(</span><span class="n">savedPaths</span><span class="o">...</span><span class="p">)</span> </code></pre> </div> <p>The trade-off: pdfcpu does not do image resampling for compression, so "compress" is really "optimize the PDF structure" (remove duplicate objects, linearize streams). For most office-generated PDFs this still cuts 20-40% off the size. For image-heavy PDFs, less so. Honest about it, and it still beats "please sign up first."</p> <h2> SQLite for Everything </h2> <p>I use <a href="https://pkg.go.dev/modernc.org/sqlite" rel="noopener noreferrer">modernc.org/sqlite</a> — a pure Go translation of SQLite's C source. No CGO needed. It works on ARM64, M-series Macs, and Linux AMD64 without any build flags.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sql</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"sqlite"</span><span class="p">,</span> <span class="n">dbPath</span><span class="p">)</span> <span class="n">pragmas</span> <span class="o">:=</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"PRAGMA journal_mode=WAL"</span><span class="p">,</span> <span class="s">"PRAGMA foreign_keys=ON"</span><span class="p">,</span> <span class="s">"PRAGMA busy_timeout=5000"</span><span class="p">,</span> <span class="s">"PRAGMA synchronous=NORMAL"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>SQLite handles rate-limit counters, operation logs, subscriptions, and email signups. For a tool that processes maybe a few hundred requests a day, it is absurd overkill to reach for Postgres. WAL mode gives me concurrent reads while writes are happening, and the entire database is a single file I can back up with <code>cp</code>.</p> <h2> Rate Limiting Without Redis </h2> <p>The rate limiter is SQLite-backed. It counts operations per IP within a sliding window:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">RateLimiter</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">store</span> <span class="o">*</span><span class="n">storage</span><span class="o">.</span><span class="n">Store</span> <span class="n">maxOps</span> <span class="kt">int</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="n">proSecret</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">rl</span> <span class="o">*</span><span class="n">RateLimiter</span><span class="p">)</span> <span class="n">Limit</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">ip</span> <span class="o">:=</span> <span class="n">extractIP</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="c">// Pro users bypass rate limiting.</span> <span class="n">proEmail</span> <span class="o">:=</span> <span class="n">proauth</span><span class="o">.</span><span class="n">ReadProEmail</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">rl</span><span class="o">.</span><span class="n">proSecret</span><span class="p">)</span> <span class="k">if</span> <span class="n">proEmail</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">isPro</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">rl</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">IsProUser</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">proEmail</span><span class="p">)</span> <span class="k">if</span> <span class="n">isPro</span> <span class="p">{</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="n">since</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="o">-</span><span class="n">rl</span><span class="o">.</span><span class="n">window</span><span class="p">)</span> <span class="n">count</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">rl</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">GetOperationCount</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">ip</span><span class="p">,</span> <span class="n">since</span><span class="p">)</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">rl</span><span class="o">.</span><span class="n">maxOps</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Retry-After"</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d"</span><span class="p">,</span> <span class="kt">int</span><span class="p">(</span><span class="n">rl</span><span class="o">.</span><span class="n">window</span><span class="o">.</span><span class="n">Seconds</span><span class="p">())))</span> <span class="n">writeJSONError</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusTooManyRequests</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"rate limit exceeded: %d operations per %s"</span><span class="p">,</span> <span class="n">rl</span><span class="o">.</span><span class="n">maxOps</span><span class="p">,</span> <span class="n">rl</span><span class="o">.</span><span class="n">window</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="n">rl</span><span class="o">.</span><span class="n">store</span><span class="o">.</span><span class="n">RecordOperation</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">ip</span><span class="p">)</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Free users get 5 operations per 24 hours. Pro users (identified by an HMAC-signed HTTP-only cookie) bypass the limit entirely. No Redis, no in-memory maps that reset on deploy — the counts survive restarts because they live in SQLite.</p> <h2> Security Without Overthinking It </h2> <p>A middleware function sets the standard hardening headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">SecurityHeaders</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"X-Content-Type-Options"</span><span class="p">,</span> <span class="s">"nosniff"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"X-Frame-Options"</span><span class="p">,</span> <span class="s">"DENY"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"X-XSS-Protection"</span><span class="p">,</span> <span class="s">"1; mode=block"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Referrer-Policy"</span><span class="p">,</span> <span class="s">"strict-origin-when-cross-origin"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Security-Policy"</span><span class="p">,</span> <span class="s">"default-src 'self'; script-src 'self' 'unsafe-inline'; ..."</span><span class="p">)</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Uploaded files get validated with magic bytes (<code>%PDF-</code> header check) and saved with UUID filenames to prevent path traversal. Files are deleted immediately after the response is sent. There is also a background cleanup job that sweeps stale uploads every hour, just in case.</p> <h2> Why Astro for the Frontend </h2> <p>Astro ships zero JavaScript by default. For a tool where the landing page is static marketing content and the actual app is one interactive page, that is perfect. The landing page loads fast (just HTML + CSS), and the interactive PDF uploader is a React island hydrated only on the app page.</p> <p>The entire frontend builds to static files that the Go server serves directly — no separate Node process in production.</p> <h2> What I Would Do Differently </h2> <p><strong>Start with better compression.</strong> pdfcpu's optimize is solid for structural cleanup but does not resample images. If I were starting over, I would evaluate whether Ghostscript via a subprocess (ugly but effective) is worth it for the compress feature specifically.</p> <p><strong>Skip the dual payment provider setup.</strong> I wired up both Stripe and LemonSqueezy. In practice, Stripe handles everything. The abstraction cost was not worth the optionality.</p> <p><strong>Add WebSocket progress for large files.</strong> Right now, large merges just hang with a spinner until the response comes back. A progress stream would make the UX feel faster even if the processing time is the same.</p> <h2> The Numbers </h2> <p>The whole thing runs on a single Hetzner CAX21 (ARM64, 4 vCPUs, 8GB RAM) that costs about 7 EUR/month — and that VPS also hosts two other products. Memory usage hovers around 30MB for the Go process. Deploys are <code>rsync</code> + <code>docker build</code> on the VPS, done in under a minute.</p> <h2> Try It </h2> <p>If you need to merge, split, or compress PDFs, give it a try at <a href="https://pdfcrush.dev" rel="noopener noreferrer">pdfcrush.dev</a> — it is free, no signup required, and your files are deleted immediately after processing.</p> <p>The source is part of a larger monorepo where I am experimenting with AI agents that build and manage products autonomously, but that is a story for another post.</p> go webdev opensource showdev