DEV Community: Olha Stefanishyna The latest articles on DEV Community by Olha Stefanishyna (@olha-stefanishyna). https://dev.to/olha-stefanishyna https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3023504%2Fd59caf8c-5948-4cd2-8e42-11baab79e1e6.jpeg DEV Community: Olha Stefanishyna https://dev.to/olha-stefanishyna en Positive Security Models: From Block-Lists to Allow-Lists Olha Stefanishyna Wed, 09 Jul 2025 07:07:28 +0000 https://dev.to/olha-stefanishyna/positive-security-models-from-block-lists-to-allow-lists-48c6 https://dev.to/olha-stefanishyna/positive-security-models-from-block-lists-to-allow-lists-48c6 <p>Hey DEV community! 👋</p> <p>Ever wondered why your WAF lets some attacks slip through? Are you trying to block known bad stuff while allowing everything else?</p> <p>What if I told you there's a better way? 🛡️</p> <p>Positive security at infrastructure and application layers is that better way.<br> This approach protects against entire classes of attacks, including ones that don't exist yet.</p> <p>Ready to flip your security paradigm?</p> <p>👉 <a href="https://ostefani.dev/tech-notes/security-models" rel="noopener noreferrer">Read the complete article: "Building Fortress-First: The Power of Positive Security Models"</a></p> <p>Happy securing! 🔒</p> webdev security backend Mastering Offscreen Rendering in WebGL Olha Stefanishyna Wed, 18 Jun 2025 11:17:05 +0000 https://dev.to/olha-stefanishyna/mastering-offscreen-rendering-in-webgl-19e5 https://dev.to/olha-stefanishyna/mastering-offscreen-rendering-in-webgl-19e5 <p>Hey DEV community! 👋</p> <p>Want to create cool post-processing effects in your WebGL projects, like bloom or motion blur? Or maybe you need to render a complex 3D scene to a texture for later use? Working with complex effects relies in understanding <strong>Framebuffers</strong>.</p> <p>I've been diving deep into WebGL lately and wanted to share my journey of rendering scenes to a texture. This process is often called offscreen rendering.</p> <p>In my latest article, I break down the entire process. We'll explore:</p> <ul> <li> <strong>What Framebuffers are</strong> and why they are so essential in modern graphics.</li> <li>The process of <strong>setting up your Framebuffer</strong>.</li> <li>A practical example of how to render your scene to a texture and then use that texture on another object.</li> </ul> <p>This technique opens up a whole new world of possibilities for advanced rendering and special effects.</p> <p>Ready to take your WebGL skills to the next level?</p> <p>👉 <strong><a href="https://ostefani.dev/tech-notes/rendering-to-texture-with-framebuffers" rel="noopener noreferrer">Read the full, detailed guide on my blog: "Rendering to Texture with Framebuffers in WebGL"</a></strong></p> <p>I've included code snippets and explanations to make it as clear as possible. Let me know what you think, and I'd love to see what you create with it!</p> <p>Happy coding! ✨</p> <p><strong>Like my content? Follow me on <a href="https://x.com/o_stefanishyna" rel="noopener noreferrer">X</a></strong></p> webgl2 webdev javascript graphics Timing Attacks: Why Your Code Might Be Leaking Secrets Olha Stefanishyna Tue, 10 Jun 2025 04:17:07 +0000 https://dev.to/olha-stefanishyna/timing-attacks-why-your-code-might-be-leaking-secrets-5f9n https://dev.to/olha-stefanishyna/timing-attacks-why-your-code-might-be-leaking-secrets-5f9n <p>Have you ever heard about <strong>side-channel attacks</strong>? They are a category of security attacks where attackers instead of breaking cryptography directly, analyze unintended information that "leaks" from the physical implementation of a system during normal operation.</p> <p>Side-channel attacks are dangerous - even perfectly implemented cryptography can be vulnerable because of information leakage from the physical implementation of cryptographic systems. They may be invisible to standard security audits as it requires interdisciplinary knowledge to understand and prevent.</p> <p>There are several types of the attack: timing attacks, cache timing attacks, power analysis attacks and others.</p> <p>Timing attacks are one of the most common and accessible side-channel attacks because:</p> <ul> <li> They can be performed remotely over networks</li> <li> Don't require physical access to hardware</li> <li> Can be executed with standard software tools</li> <li> Often affect web applications and APIs directly</li> </ul> <h2> Understanding timing attacks </h2> <p>Instead of attacking the mathematical solution of your encryption algorithms, these attacks target how your code actually runs, allowing attackers to extract passwords, private keys, and other sensitive data simply by measuring response times. Timing attacks present unique challenges because they can bypass traditional security measures entirely.</p> <p>In 2003, researchers David Brumley and Dan Boneh demonstrated extracting complete 1024-bit RSA private keys from SSL servers over a network using only timing analysis—requiring about one million queries over two hours. Their attack worked despite network jitter and proved that timing attacks are real danger for real systems.</p> <p>The core principle is deceptively simple: execution time often correlates with specific properties of the secret like values and length.</p> <p>For example, consider this condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">'</span><span class="s1">HELLO</span><span class="dl">'</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>It is technically vulnerable because JavaScript engines (V8, SpiderMonkey) implement string comparison with an early exit for performance.</p> <p>Testing "AAAA" against string "HELLO" fails on the first character (fastest), while "HAAA" fails on the second character (slightly slower), and "HEAA" fails on the third (even slower). An attacker can determine the correct string character-by-character, reducing the search space from exponential to linear complexity.</p> <p><strong>This is important</strong> - it is not a practical example because:</p> <ul> <li> Timing differences are tiny - nanoseconds, not milliseconds</li> <li> Network jitter drowns out these tiny differences</li> <li> Nobody compares passwords directly (I hope so)</li> </ul> <p>Let's consider more practical examples.</p> <p>Real timing attacks exploit operations that take milliseconds, not nanoseconds. When a database lookup or cryptographic operation creates measurable delays, attackers can extract secrets even over noisy networks.</p> <h2> Authentication systems under attack </h2> <p>Authentication systems represent the highest-value target for timing attacks in web applications. When your authentication takes different amounts of time based on whether a username exists, or when your password comparison exits early on the first wrong character, you're broadcasting sensitive information through timing patterns.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">authenticate</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">database</span><span class="p">.</span><span class="nf">getUser</span><span class="p">(</span><span class="nx">username</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Fast return - major timing leak</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">hashedPassword</span><span class="p">);</span> <span class="c1">// Slow operation</span> <span class="p">}</span> </code></pre> </div> <p>When an invalid username is provided, the function returns immediately. For valid usernames, the expensive <code>bcrypt.compare()</code> operation executes, creating a timing difference that's easily detectable across network connections.</p> <p>Attackers can build complete lists of valid usernames before launching targeted password attacks.</p> <h2> API rate limiting and timing analysis </h2> <p>Rate limiting systems, designed to prevent abuse, often become timing attack vectors themselves. <strong>Timing-based rate limit detection</strong> allows attackers to map rate limiting thresholds and develop evasion strategies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Rate limiting creates timing patterns</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// Limit requests per window</span> <span class="na">handler</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Too many requests</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Immediate response</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> <span class="c1">// Normal request: 200-500ms response</span> <span class="c1">// Rate limited request: &lt;10ms response (timing leak)</span> </code></pre> </div> <p>Rate-limited requests typically return immediately with error codes, while normal requests undergo full processing. This timing difference enables attackers to detect rate limiting activation and adjust their attack patterns accordingly.</p> <p>What to do with the attack on the rate limiting systems? You may see suggestions like hiding rate limits.<br> Because visible rate limiting allows attackers to:</p> <ul> <li> Map exact thresholds (e.g., "I can make exactly 99 requests before hitting the limit")</li> <li> Optimize attack patterns to stay just under limits</li> <li> Rotate through different IPs/sessions more efficiently</li> <li> Time their attacks to reset windows perfectly</li> </ul> <p>The idea is that uncertainty forces attackers to be more cautious. However, this is generally considered "security through obscurity" and not very effective - attackers can still discover the limits through probing.</p> <p>I would suggest to consider rate limits as public information. They just should be sensible, but they may not be secrets.</p> <p><em>You may learn more about rate-limiting at (Backend Rate Limiting)[<a href="https://dev.to/olha-stefanishyna/rate-limiting-architectural-layers-in-web-applications-3g76">https://dev.to/olha-stefanishyna/rate-limiting-architectural-layers-in-web-applications-3g76</a>]</em></p> <h2> Modern defensive strategies and countermeasures </h2> <p>Defending against timing attacks requires a multi-layered approach combining <strong>constant-time programming</strong>, <strong>architectural defenses</strong>, and <strong>monitoring systems</strong>. The fundamental principle is ensuring that execution time remains independent of secret data.</p> <h3> Constant-time comparison functions </h3> <p>Constant-time comparison functions are the cornerstone of timing attack defense. Modern platforms provide built-in timing-safe comparison functions.</p> <p><strong>Dummy‐hash trick for passwords</strong>:<br> Make your login endpoint always invoke the slow password check, whether the username exists or not, so an attacker can’t time‐probe “does this user exist?”<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Precompute a dummy hash once at startup:</span> <span class="kd">const</span> <span class="nx">DUMMY_HASH</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">$2b$12$K9QhMWzVN5YbRz5sXl0ueODhk0PtAyp7cVt2hx6Vj7XOx0JPTWm6W</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// In your login handler, always do bcrypt.compare:</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">login</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">findUser</span><span class="p">(</span><span class="nx">username</span><span class="p">);</span> <span class="c1">// If user is missing, compare against the dummy hash</span> <span class="kd">const</span> <span class="nx">hashToCompare</span> <span class="o">=</span> <span class="nx">user</span> <span class="p">?</span> <span class="nx">user</span><span class="p">.</span><span class="nx">hash</span> <span class="p">:</span> <span class="nx">DUMMY_HASH</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">passwordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">hashToCompare</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">||</span> <span class="o">!</span><span class="nx">passwordValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid credentials</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nf">generateToken</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Bcrypt’s <code>.compare()</code> is already designed to run in constant time per hash, but if you ever compare raw secrets (HMACs, tokens, API keys, etc.), you should never use <code>===</code>. Instead do something like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">timingSafeEqual</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">safeCompare</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">bufA</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">a</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bufB</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">b</span><span class="p">);</span> <span class="c1">// If lengths differ, compare bufA to itself (constant time)</span> <span class="c1">// to prevent leaking the length of the secret</span> <span class="k">if </span><span class="p">(</span><span class="nx">bufA</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="nx">bufB</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">{</span> <span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nx">bufA</span><span class="p">,</span> <span class="nx">bufA</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// true constant-time compare</span> <span class="k">return</span> <span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nx">bufA</span><span class="p">,</span> <span class="nx">bufB</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Architectural defenses </h3> <p>Architectural defenses are system design patterns that eliminate timing attack vectors by restructuring how your application processes sensitive operations. Instead of fixing timing leaks in code, you redesign the system so timing information becomes meaningless to attackers.</p> <p>Key Architectural Patterns:</p> <ul> <li> Request/Response Decoupling</li> <li> Response Caching Strategy</li> <li> Uniform Processing Pipelines</li> <li> Service Segregation</li> </ul> <p>Let's look closer at Request/Response Decoupling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/api/auth/forgot-password/route.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">addToQueue</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/lib/queue</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Queue the task instead of processing inline</span> <span class="nf">addToQueue</span><span class="p">(</span><span class="dl">'</span><span class="s1">password-reset</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="na">requestId</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">(),</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">});</span> <span class="c1">// Return response immediately</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">If an account exists, you'll receive reset instructions</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="cm">/** Background worker processes queue (runs separately) **/</span> <span class="c1">// lib/workers/password-reset.js</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">processPasswordReset</span><span class="p">({</span> <span class="nx">email</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">findUserByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendPasswordResetEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// No timing information leaks to the original requester</span> <span class="p">}</span> </code></pre> </div> <h3> Monitoring systems </h3> <p>Monitoring systems are detection and analysis tools that identify timing attack attempts by analyzing request patterns, response times, and behavioral anomalies. Unlike rate limiting systems that prevent requests, monitoring systems are designed for detection. They observe and alert on suspicious patterns without blocking the traffic, allowing you to analyze potential attacks.</p> <h2> Start protecting your code today </h2> <p>Defending against timing attacks starts with three simple changes to your codebase:</p> <ul> <li> Switch all secret comparisons to timing-safe functions</li> <li> Implement dummy processing for authentication failures</li> <li> Use libraries with built-in timing attack protection</li> </ul> <p>Timing attacks are subtle but real. They won't show up in your unit tests or security scans. The best defense is understanding how they work and building protection into your code from the start by incorporating timing attack considerations into architectural decisions, development processes, and monitoring systems.</p> <h2> Conclusion </h2> <p>While the fundamental attack principles remain unchanged since Paul Kocher's pioneering work in 1996, timing attacks now affect a much broader range of applications - from browser JavaScript to backend services.</p> <p>Success in defending against timing attacks requires combining multiple defensive layers: constant-time implementations at the code level, architectural protections like rate limiting and response normalization, comprehensive monitoring for attack detection, and regular security assessments to identify emerging vulnerabilities. By implementing these defenses systematically, development teams can build applications that resist even sophisticated timing attacks while maintaining the performance and functionality that users expect.</p> webdev security javascript nextjs WebGL 2 Basics: Drawing a Full-Screen Quad Olha Stefanishyna Fri, 06 Jun 2025 12:47:12 +0000 https://dev.to/olha-stefanishyna/webgl-2-basics-drawing-a-full-screen-quad-3fcd https://dev.to/olha-stefanishyna/webgl-2-basics-drawing-a-full-screen-quad-3fcd <p>As mentioned in the <a href="https://dev.to/olha-stefanishyna/getting-started-with-webgl-2-conceptual-foundation-33p6">previous article</a>, WebGL 2 uses a programmable pipeline.<br> This article covers shaders and GLSL language fundamentals - the essential building blocks before tackling fluid simulation.</p> <p>Before creating complex effects, you need to understand how WebGL fundamentally renders anything to the screen. Unlike declarative approaches like HTML/CSS, WebGL requires to explicitly define the geometry and the appearance using custom programs. These programs, called shaders, are written in GLSL and executed directly on the GPU.</p> <h2> Introduction to GLSL ES 3.0 </h2> <p><strong>GLSL ES 3.0</strong> (OpenGL Shading Language for Embedded Systems version 3.0) is a high-level shading language with a C-like syntax, specifically designed for graphics processing units (GPUs) in embedded systems and web browsers.<br> The GLSL ES 3.00 specification requires every shader to begin with <code>#version 300 es</code> to specify GLSL version for Embedded Systems. Without this directive, the shader won't compile. It also requires precision qualifiers in fragment shaders (e.g., <code>precision mediump float;</code>)</p> <h3> GLSL ES 3.0 Type System </h3> <p>Type System is the building blocks of GLSL ES 3.0 code. Understanding the type system will help declare variables correctly and use built-in functions without confusion.</p> <h4> Scalar Types </h4> <ul> <li> <code>float</code> (32-bit IEEE 754)</li> <li> <code>int</code> (32-bit signed)</li> <li> <code>uint</code> (32-bit unsigned)</li> <li> <code>bool</code> </li> </ul> <p>These are the simplest types: single numeric or boolean values.</p> <h4> Vector Types </h4> <ul> <li> Floating-point: <code>vec2</code>, <code>vec3</code>, <code>vec4</code> </li> <li> Integer: <code>ivec2</code>, <code>ivec3</code>, <code>ivec4</code> </li> <li> Unsigned: <code>uvec2</code>, <code>uvec3</code>, <code>uvec4</code> </li> <li> Boolean: <code>bvec2</code>, <code>bvec3</code>, <code>bvec4</code> </li> </ul> <p>GPUs process vector operations efficiently in parallel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="kt">vec4</span> <span class="n">color</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">,</span> <span class="mi">0</span><span class="p">.</span><span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="kt">float</span> <span class="n">r</span> <span class="o">=</span> <span class="n">color</span><span class="p">.</span><span class="n">r</span><span class="p">;</span> <span class="c1">// Same as color.x or color[0]</span> <span class="kt">vec3</span> <span class="n">bgr</span> <span class="o">=</span> <span class="n">color</span><span class="p">.</span><span class="n">bgr</span><span class="p">;</span> <span class="c1">// Swizzle: vec3(0.2, 0.5, 1.0)</span> </code></pre> </div> <h4> Matrix and Sampler Types </h4> <ul> <li> Matrices: <code>mat2</code>, <code>mat3</code>, <code>mat4</code> (plus non-square variants)</li> <li> Texture samplers: <code>sampler2D</code>, <code>sampler3D</code>, <code>samplerCube</code> </li> <li> Integer samplers: <code>isampler2D</code>, <code>usampler2D</code> </li> </ul> <p>A sampler type (e.g. <code>sampler2D</code>) tells the compiler you want to sample a 2D texture inside your shader. You’ll see these used in fragment shaders when you write expressions like <code>texture(uTexture, vUV)</code>.</p> <h3> Variable Qualifiers </h3> <p>In GLSL, you also need to tell the compiler how data moves into and out of each shader stage. That’s where qualifiers like <code>in</code>, <code>out</code>, and <code>uniform</code> come in.</p> <ul> <li> <code>in</code>: Input data (per-vertex in vertex shader, interpolated in fragment shader)</li> <li> <code>out</code>: Output data (interpolated outputs in vertex shader, framebuffer outputs in fragment shader)</li> <li> <code>uniform</code>: Constant values for entire draw call</li> </ul> <h4> Uniform Blocks </h4> <p>WebGL 2 supports grouping uniforms into blocks for efficient updates.<br> The GLSL code declares the uniform block structure in the shader:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="k">layout</span><span class="p">(</span><span class="n">std140</span><span class="p">)</span> <span class="k">uniform</span> <span class="n">TransformBlock</span> <span class="p">{</span> <span class="kt">mat4</span> <span class="n">model</span><span class="p">;</span> <span class="kt">mat4</span> <span class="n">view</span><span class="p">;</span> <span class="kt">mat4</span> <span class="n">projection</span><span class="p">;</span> <span class="p">}</span> <span class="n">transform</span><span class="p">;</span> </code></pre> </div> <p>The JavaScript code creates a buffer and uploads data to match that structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Create and bind uniform buffer</span> <span class="kd">const</span> <span class="nx">ubo</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createBuffer</span><span class="p">();</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindBuffer</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">UNIFORM_BUFFER</span><span class="p">,</span> <span class="nx">ubo</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bufferData</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">UNIFORM_BUFFER</span><span class="p">,</span> <span class="nx">transformData</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">DYNAMIC_DRAW</span><span class="p">);</span> <span class="c1">// Associate with shader program</span> <span class="kd">const</span> <span class="nx">blockIndex</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">getUniformBlockIndex</span><span class="p">(</span><span class="nx">program</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TransformBlock</span><span class="dl">'</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">uniformBlockBinding</span><span class="p">(</span><span class="nx">program</span><span class="p">,</span> <span class="nx">blockIndex</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindBufferBase</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">UNIFORM_BUFFER</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">ubo</span><span class="p">);</span> </code></pre> </div> <p>The <code>std140</code> layout is a standardized memory layout rule. It ensures all GPUs organize uniform buffer data the same way. Without this standard, your code might work on one graphics card but fail on another due to different memory arrangements.</p> <h3> WebGL 2 Vertex Specification Enhancements </h3> <p>WebGL 2 (GLSL ES 3.0) added several conveniences that cut down on boilerplate JavaScript and reduce errors when setting up vertex data.</p> <h4> Vertex Array Objects (VAOs) </h4> <p>Instead of binding and configuring each attribute (position, normal, UV, etc.) every time you draw, you can store that entire setup in a VAO.</p> <p>VAOs encapsulate vertex attribute configuration, storing buffer bindings, attribute pointers, and enable states. This eliminates repetitive setup calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">vao</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createVertexArray</span><span class="p">();</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="nx">vao</span><span class="p">);</span> <span class="c1">// Configure all attributes once</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="c1">// Later: single call to use</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="nx">vao</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">drawArrays</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">TRIANGLES</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">vertexCount</span><span class="p">);</span> </code></pre> </div> <h4> Explicit Attribute Locations </h4> <p>Instead of querying attribute indices at runtime with <code>gl.getAttribLocation</code>, you can hard-code the location right in your shader.</p> <p>GLSL ES 3.0 supports explicit attribute location assignment, eliminating the need for <code>getAttribLocation</code> queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="k">layout</span><span class="p">(</span><span class="n">location</span> <span class="o">=</span> <span class="mi">0</span><span class="p">)</span> <span class="k">in</span> <span class="kt">vec2</span> <span class="n">aPosition</span><span class="p">;</span> <span class="k">layout</span><span class="p">(</span><span class="n">location</span> <span class="o">=</span> <span class="mi">1</span><span class="p">)</span> <span class="k">in</span> <span class="kt">vec3</span> <span class="n">aColor</span><span class="p">;</span> </code></pre> </div> <p>JavaScript can then reference attributes numerically: <code>gl.enableVertexAttribArray(0)</code>.</p> <h3> Shaders </h3> <p>A shader is a program written in GLSL for processing graphics data. There are two main types of shaders that work together to render graphics: the vertex shader and the fragment shader.</p> <p>GLSL provides predefined built-in variables that handle communication between shader stages and the GPU.</p> <p><strong>Vertex Shader Built-ins:</strong></p> <ul> <li> <code>gl_Position</code> Must be written to the vertex shader. It’s the clip-space (x, y, z, w) output.</li> <li> <code>gl_VertexID</code> Automatically provides the index of the current vertex (useful for procedural geometry).</li> <li> <code>gl_InstanceID</code> When doing instanced draws, this tells you which instance you’re on.</li> </ul> <p><strong>Fragment Shader Built-ins:</strong></p> <ul> <li> <code>gl_FragCoord</code> The window-space coordinates <code>(x, y, z, w)</code> of the current fragment center, where <code>z</code> is depth and <code>w</code> is <code>1/w</code> from clip space. <code>gl_FragCoord.y</code> uses bottom-left origin (OpenGL convention), so manual flipping may be needed for top-left origin coordinates.</li> <li> <code>gl_FrontFacing</code> A boolean telling you whether the primitive was front-facing or back-facing.</li> <li> <code>gl_FragDepth</code> Allows the fragment shader to write a custom value to the depth buffer</li> </ul> <h4> Vertex Shader </h4> <p>The vertex shader executes once per vertex with mandatory output <code>gl_Position</code> in clip-space coordinates. It receives per-vertex data through <code>in</code> variables and passes interpolated data to the fragment shader via <code>out</code> variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="cp">#version 300 es </span> <span class="k">in</span> <span class="kt">vec3</span> <span class="n">aPosition</span><span class="p">;</span> <span class="c1">// Per-vertex position from buffer</span> <span class="k">in</span> <span class="kt">vec3</span> <span class="n">aColor</span><span class="p">;</span> <span class="c1">// Per-vertex color from buffer</span> <span class="k">out</span> <span class="kt">vec3</span> <span class="n">vColor</span><span class="p">;</span> <span class="c1">// Interpolated color for fragments</span> <span class="k">uniform</span> <span class="kt">mat4</span> <span class="n">uModelViewMatrix</span><span class="p">;</span> <span class="c1">// Constant for all vertices</span> <span class="k">uniform</span> <span class="kt">mat4</span> <span class="n">uProjectionMatrix</span><span class="p">;</span> <span class="c1">// Constant for all vertices</span> <span class="kt">void</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Transform to clip space with w=1.0 for positions</span> <span class="nb">gl_Position</span> <span class="o">=</span> <span class="n">uProjectionMatrix</span> <span class="o">*</span> <span class="n">uModelViewMatrix</span> <span class="o">*</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">aPosition</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="n">vColor</span> <span class="o">=</span> <span class="n">aColor</span><span class="p">;</span> <span class="c1">// Pass color to fragment shader</span> <span class="p">}</span> </code></pre> </div> <p>After vertex shader execution, the GPU clips primitives outside the clip volume and then the GPU's fixed-function hardware automatically performs perspective division (dividing by the w component) to convert clip-space to Normalized Device Coordinates (NDC).</p> <p>Compute in vertex shader when possible — few vertices in the vertex shader vs millions of pixels in the fragment shader.</p> <h4> Fragment Shader </h4> <p>After NDC producing, the GPU’s fixed-function maps NDC to window (pixel) coordinates. The rasterizer then converts triangles (defined by vertices) into fragments. Each fragment corresponds to a pixel location that the triangle covers. It contains: screen position (x, y), depth value (z), other interpolated values from vertex shader outputs.</p> <p>The fragment shader runs once per fragment, receiving interpolated values from the vertex shader. The GPU automatically interpolates all vertex shader outputs across each triangle's surface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="cp">#version 300 es </span><span class="k">precision</span> <span class="kt">mediump</span> <span class="kt">float</span><span class="p">;</span> <span class="k">in</span> <span class="kt">vec3</span> <span class="n">vColor</span><span class="p">;</span> <span class="c1">// Interpolated from vertex shader</span> <span class="k">out</span> <span class="kt">vec4</span> <span class="n">fragColor</span><span class="p">;</span> <span class="c1">// RGBA output to framebuffer</span> <span class="kt">void</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">fragColor</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">vColor</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Alpha = 1.0 for opaque</span> <span class="p">}</span> </code></pre> </div> <p>Output colors typically use a vec4 data type, representing <code>red</code>, <code>green</code>, <code>blue</code>, and <code>Alpha</code> (RGBA) components, with values often ranging from 0.0 to 1.0.</p> <p>GPUs can trade accuracy for speed — using <code>mediump</code> instead of <code>highp</code> can improve performance on mobile devices while maintaining acceptable visual quality.</p> <p>GPUs execute fragments in groups of threads (sometimes called warps or wavefronts). If a branch splits those threads — some go one way, some go another — the GPU ends up running both sides of the branch. That extra work makes branching less efficient:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="c1">// Efficient: branchless operations</span> <span class="kt">float</span> <span class="n">t</span> <span class="o">=</span> <span class="n">step</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> <span class="c1">// Returns 0.0 or 1.0</span> <span class="kt">vec3</span> <span class="n">result</span> <span class="o">=</span> <span class="n">mix</span><span class="p">(</span><span class="n">colorA</span><span class="p">,</span> <span class="n">colorB</span><span class="p">,</span> <span class="n">t</span><span class="p">);</span> <span class="c1">// Inefficient: dynamic branching</span> <span class="kt">vec3</span> <span class="n">result</span> <span class="o">=</span> <span class="p">(</span><span class="n">value</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">)</span> <span class="o">?</span> <span class="n">colorB</span> <span class="o">:</span> <span class="n">colorA</span><span class="p">;</span> </code></pre> </div> <h3> Full-Screen Quad Geometry </h3> <p>Many advanced GPU effects — from motion blur to fluid dynamics — are often implemented using two triangles that define a quad. These two triangles form a rectangle, invoking the fragment shader — once for every pixel. If it's full-screen, we call this a 'full-screen quad'. This technique allows you to run a fragment shader on every pixel of the screen or the quad's area.</p> <p>A full-screen quad typically uses two triangles to cover the viewport because GPUs are highly optimized for processing triangles. This method ensures the entire rectangular area is consistently covered:</p> <h2> Full-Screen Quad Implementation <a id="full-screen-quad-implementation"></a> </h2> <p>This implementation renders a full-screen quad. We'll create a visual test pattern by outputting UV coordinates as colors - this technique helps verify that our geometry covers the viewport correctly and that our coordinate mapping works as expected. This same setup will later serve as the foundation for post-processing effects.</p> <h3> Shaders </h3> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="c1">// Vertex Shader</span> <span class="cp">#version 300 es </span><span class="k">layout</span><span class="p">(</span><span class="n">location</span> <span class="o">=</span> <span class="mi">0</span><span class="p">)</span> <span class="k">in</span> <span class="kt">vec2</span> <span class="n">aPosition</span><span class="p">;</span> <span class="k">out</span> <span class="kt">vec2</span> <span class="n">vUV</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="nb">gl_Position</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">aPosition</span><span class="p">,</span> <span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Account for WebGL's bottom-left origin:</span> <span class="n">vUV</span> <span class="o">=</span> <span class="n">aPosition</span> <span class="o">*</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span> <span class="o">+</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">;</span> <span class="c1">// Flip Y for top-left texture origin</span> <span class="n">vUV</span><span class="p">.</span><span class="n">y</span> <span class="o">=</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span> <span class="o">-</span> <span class="n">vUV</span><span class="p">.</span><span class="n">y</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Fragment Shader</span> <span class="cp">#version 300 es </span><span class="k">precision</span> <span class="kt">mediump</span> <span class="kt">float</span><span class="p">;</span> <span class="k">in</span> <span class="kt">vec2</span> <span class="n">vUV</span><span class="p">;</span> <span class="k">out</span> <span class="kt">vec4</span> <span class="n">fragColor</span><span class="p">;</span> <span class="kt">void</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">fragColor</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">vUV</span><span class="p">,</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// RG gradient visualization</span> <span class="p">}</span> </code></pre> </div> <h3> JavaScript Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Context acquisition</span> <span class="kd">const</span> <span class="nx">gl</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nf">getContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">webgl2</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">gl</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebGL 2 not supported</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Shader compilation</span> <span class="kd">function</span> <span class="nf">compileShader</span><span class="p">(</span><span class="nx">gl</span><span class="p">,</span> <span class="nx">source</span><span class="p">,</span> <span class="nx">type</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">shader</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createShader</span><span class="p">(</span><span class="nx">type</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">shaderSource</span><span class="p">(</span><span class="nx">shader</span><span class="p">,</span> <span class="nx">source</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">compileShader</span><span class="p">(</span><span class="nx">shader</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">gl</span><span class="p">.</span><span class="nf">getShaderParameter</span><span class="p">(</span><span class="nx">shader</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">COMPILE_STATUS</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">info</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">getShaderInfoLog</span><span class="p">(</span><span class="nx">shader</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">deleteShader</span><span class="p">(</span><span class="nx">shader</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Compile failed: </span><span class="p">${</span><span class="nx">info</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">shader</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Program creation</span> <span class="kd">function</span> <span class="nf">createProgram</span><span class="p">(</span><span class="nx">gl</span><span class="p">,</span> <span class="nx">vertSrc</span><span class="p">,</span> <span class="nx">fragSrc</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">program</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createProgram</span><span class="p">();</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">attachShader</span><span class="p">(</span><span class="nx">program</span><span class="p">,</span> <span class="nf">compileShader</span><span class="p">(</span><span class="nx">gl</span><span class="p">,</span> <span class="nx">vertSrc</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">VERTEX_SHADER</span><span class="p">));</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">attachShader</span><span class="p">(</span><span class="nx">program</span><span class="p">,</span> <span class="nf">compileShader</span><span class="p">(</span><span class="nx">gl</span><span class="p">,</span> <span class="nx">fragSrc</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">FRAGMENT_SHADER</span><span class="p">));</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">linkProgram</span><span class="p">(</span><span class="nx">program</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">gl</span><span class="p">.</span><span class="nf">getProgramParameter</span><span class="p">(</span><span class="nx">program</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">LINK_STATUS</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Link failed: </span><span class="p">${</span><span class="nx">gl</span><span class="p">.</span><span class="nf">getProgramInfoLog</span><span class="p">(</span><span class="nx">program</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">program</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Full-screen quad VAO</span> <span class="kd">function</span> <span class="nf">createFullScreenQuad</span><span class="p">(</span><span class="nx">gl</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">vao</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createVertexArray</span><span class="p">();</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="nx">vao</span><span class="p">);</span> <span class="c1">// Two triangles: [-1,-1] to [1,1]</span> <span class="kd">const</span> <span class="nx">vertices</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Float32Array</span><span class="p">([</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Triangle 1</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// Triangle 2</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">createBuffer</span><span class="p">();</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindBuffer</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">ARRAY_BUFFER</span><span class="p">,</span> <span class="nx">buffer</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bufferData</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">ARRAY_BUFFER</span><span class="p">,</span> <span class="nx">vertices</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">STATIC_DRAW</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">enableVertexAttribArray</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">vertexAttribPointer</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">FLOAT</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="k">return</span> <span class="nx">vao</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This implementation renders a full-screen quad with a UV coordinate gradient, serving as the foundation for post-processing effects and GPU-based computations.</p> <p><strong>Example</strong>: <a href="https://github.com/ostefani/web-gl-series/tree/main/article-2" rel="noopener noreferrer">repo</a></p> <h2> Debugging Techniques </h2> <p>Debugging shaders presents unique challenges because they execute on the GPU, separate from the JavaScript environment. You can't simply use <code>console.log()</code> inside a GLSL shader to inspect values. So, you have to rely on specific techniques to understand program flow and data, helping to identify and fix issues.</p> <h3> Shader Compilation Checks </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">gl</span><span class="p">.</span><span class="nf">getShaderParameter</span><span class="p">(</span><span class="nx">shader</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nx">COMPILE_STATUS</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Shader error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">getShaderInfoLog</span><span class="p">(</span><span class="nx">shader</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <h3> Visual Debugging </h3> <p>Output intermediate values as colors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight glsl"><code><span class="n">fragColor</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">vUV</span><span class="p">,</span> <span class="mi">0</span><span class="p">.</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// UV coordinates</span> <span class="n">fragColor</span> <span class="o">=</span> <span class="kt">vec4</span><span class="p">(</span><span class="n">normalize</span><span class="p">(</span><span class="n">vNormal</span><span class="p">)</span> <span class="o">*</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span> <span class="o">+</span> <span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">,</span> <span class="mi">1</span><span class="p">.</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Normals</span> </code></pre> </div> <h2> Summary </h2> <p>Full-screen quads provide the foundation for GPU image processing and simulations. Two triangles covering the viewport create a one-to-one fragment-to-pixel mapping, enabling parallel computation across the framebuffer. This technique underlies post-processing effects, fluid simulations, and GPU-accelerated algorithms.</p> <p><em>This is part of my series on implementing interactive 3D visualizations with WebGL 2</em>.</p> webdev javascript webgl beginners Getting Started with WebGL 2: Conceptual foundation Olha Stefanishyna Wed, 04 Jun 2025 16:32:14 +0000 https://dev.to/olha-stefanishyna/getting-started-with-webgl-2-conceptual-foundation-33p6 https://dev.to/olha-stefanishyna/getting-started-with-webgl-2-conceptual-foundation-33p6 <p>Learning WebGL 2 can be challenging, but understanding its core concepts makes the journey easier. This introduction covers the essential concepts you need before writing your first WebGL program.</p> <h2> What is WebGL 2? </h2> <p>WebGL 2 (Web Graphics Library) is a JavaScript API that allows rendering interactive 2D and 3D graphics in compatible web browsers without requiring plugins. It's based on OpenGL ES (Embedded Systems), specifically designed for mobile devices and web applications.</p> <p>This is fundamentally different from traditional DOM manipulation. While DOM operations primarily work with elements in a tree structure, WebGL 2 provides low-level access to your graphics card through the canvas element, allowing for hardware-accelerated graphics rendering.</p> <p>Here's a simple example of initializing a WebGL 2 context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Get the canvas element</span> <span class="kd">const</span> <span class="nx">canvas</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">myCanvas</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Initialize WebGL 2 context</span> <span class="kd">const</span> <span class="nx">gl</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nf">getContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">webgl2</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">gl</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebGL 2 not supported or enabled on this browser</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Fallback or error message</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebGL 2 initialized successfully</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Continue with your WebGL 2 code</span> <span class="p">}</span> </code></pre> </div> <p>To better understand the difference in complexity between these APIs, let's compare what it takes to draw a simple red square in Canvas 2D and WebGL 2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// CANVAS 2D API - Drawing a red square (3 lines of code)</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nf">getContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">2d</span><span class="dl">'</span><span class="p">);</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">fillStyle</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">red</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Set the color to red</span> <span class="nx">ctx</span><span class="p">.</span><span class="nf">fillRect</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">100</span><span class="p">);</span> <span class="c1">// Draw a 100x100 square at position (10,10)</span> <span class="c1">// WEBGL 2 - Drawing a red square (simplified, but still ~30 lines minimum)</span> <span class="kd">const</span> <span class="nx">gl</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nf">getContext</span><span class="p">(</span><span class="dl">'</span><span class="s1">webgl2</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 1. Define vertex shader (runs once per vertex)</span> <span class="kd">const</span> <span class="nx">vertexShaderSource</span> <span class="o">=</span> <span class="s2">`#version 300 es in vec4 a_position; void main() { gl_Position = a_position; }`</span><span class="p">;</span> <span class="c1">// 2. Define fragment shader (runs once per pixel)</span> <span class="kd">const</span> <span class="nx">fragmentShaderSource</span> <span class="o">=</span> <span class="s2">`#version 300 es precision highp float; out vec4 outColor; void main() { outColor = vec4(1.0, 0.0, 0.0, 1.0); // Red color }`</span><span class="p">;</span> <span class="c1">// 3. Create and compile shaders</span> <span class="c1">// ... (multiple lines of setup code omitted)</span> <span class="c1">// 4. Create program and link shaders</span> <span class="c1">// ... (more setup code omitted)</span> <span class="c1">// 5. Define geometry for a square</span> <span class="c1">// ... (more setup code omitted)</span> <span class="c1">// 6. Finally draw</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">clearColor</span><span class="p">(</span><span class="mf">0.0</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">);</span> <span class="c1">// Clear to black</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">clear</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">COLOR_BUFFER_BIT</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">useProgram</span><span class="p">(</span><span class="nx">program</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">bindVertexArray</span><span class="p">(</span><span class="nx">vao</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">drawArrays</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">TRIANGLE_STRIP</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span> <span class="c1">// Draw the square</span> </code></pre> </div> <p>This comparison illustrates the fundamental trade-off: Canvas 2D is designed for simplicity and requires minimal code for basic operations, while WebGL 2 demands more setup but gives you direct control over the GPU's rendering pipeline. This extra complexity enables the advanced 3D graphics and performance that WebGL 2 is designed for.</p> <p>By leveraging GPU acceleration, WebGL 2 can render complex 3D scenes at 60fps or higher, enabling applications like:</p> <ul> <li> Interactive 3D data visualizations</li> <li> Browser-based games with sophisticated graphics</li> <li> Architectural and product visualization tools</li> <li> Physics simulations and particle systems</li> <li> Image processing and filters with real-time performance</li> </ul> <p>The cost? A steeper learning curve compared to other web technologies, but the payoff is tremendous visual power that was previously only available in native applications.</p> <h2> WebGL 2 as a State Machine </h2> <p>One of the first concepts needed to grasp is understanding that WebGL 2 functions as a state machine. This means its operations depend on previously set states rather than exclusively on parameters passed to functions - a fundamental characteristic that makes WebGL 2 different from typical JavaScript patterns.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvsdojf7m2qqk4icenubb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvsdojf7m2qqk4icenubb.png" alt="WebGL 2 State Machine Diagram" width="800" height="588"></a></p> <p>In most JavaScript code, a function's behavior is determined primarily by the parameters you pass in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Regular JavaScript: behavior determined by parameters</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">calculateSomething</span><span class="p">(</span><span class="nx">paramA</span><span class="p">,</span> <span class="nx">paramB</span><span class="p">);</span> </code></pre> </div> <p>WebGL 2, however, works differently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Set a state</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">useProgram</span><span class="p">(</span><span class="nx">shaderProgram</span><span class="p">);</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">uniform1f</span><span class="p">(</span><span class="nx">uniformLocation</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">);</span> <span class="c1">// This function's behavior depends on the states set above</span> <span class="nx">gl</span><span class="p">.</span><span class="nf">drawArrays</span><span class="p">(</span><span class="nx">gl</span><span class="p">.</span><span class="nx">TRIANGLES</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">);</span> </code></pre> </div> <p>In this example, <code>drawArrays()</code> will use whatever shader program and uniform values were previously set. Understanding this state-based architecture is crucial for effective WebGL 2 programming.</p> <h2> The Programmable Pipeline </h2> <p>A fundamental aspect of WebGL 2 is its enhanced programmable pipeline, implemented through shader programs.</p> <p>There are two mandatory shader programs that you need to write:</p> <ul> <li> <strong>Vertex Shader</strong>: position vertices</li> <li> <strong>Fragment Shader</strong>: color pixels</li> </ul> <p>The programmable pipeline represents a fundamental shift from fixed-function graphics rendering to a flexible, developer-controlled system where you can write custom programs that execute directly on the GPU.</p> <p>Before programmable shaders, graphics hardware used a "fixed-function pipeline" with built-in, unchangeable algorithms for:</p> <ul> <li> Vertex transformation (multiply by matrices)</li> <li> Lighting (typically Phong or Blinn-Phong model)</li> <li> Texture mapping (basic sampling only)</li> <li> Fog calculations</li> <li> Color blending</li> </ul> <p>The modern programmable pipeline mirrors the physical hardware architecture of GPUs and enables efficient parallel execution of custom rendering code, giving developers unprecedented control over visual output. We'll explore how to write these shader programs in detail in the next article.</p> <h2> WebGL 2 Coordinate System </h2> <p>Another important concept is the WebGL 2 coordinate system, which differs fundamentally from what web developers are used to in CSS.</p> <p>In WebGL 2:</p> <ul> <li> The origin (0,0) is located at the center of the canvas, not the top-left corner</li> <li> The Y-axis points upward (positive is up), not downward</li> <li> All coordinates are normalized between -1.0 and 1.0 regardless of canvas size</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1f5arcy1w8yd6ik2z0u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa1f5arcy1w8yd6ik2z0u.png" alt="WebGL Coordinate System showing the normalized device coordinates with the origin (0,0) at center" width="800" height="586"></a></p> <p>Understanding this coordinate system from the beginning helps prevent common positioning and orientation errors in your WebGL 2 projects.</p> <h2> What's Next </h2> <p>This post covered the WebGL 2 fundamentals. In upcoming articles, I'll deep dive into: shader techniques, performance optimization strategies, building a practical fluid simulation.</p> <p>If you're working on graphics-heavy applications or need to squeeze more performance out of browser-based visualizations, WebGL 2's capabilities are worth the steeper learning curve.</p> <p><strong>Next article</strong>: <a href="https://dev.to/olha-stefanishyna/webgl-2-basics-drawing-a-full-screen-quad-3fcd">WebGL 2 Basics: Drawing a Full-Screen Quad</a> - Learn GLSL ES 3.0 and implement your first WebGL 2 program.</p> webdev webgl javascript beginners Rate Limiting: Architectural Layers in Web Applications Olha Stefanishyna Fri, 23 May 2025 14:14:31 +0000 https://dev.to/olha-stefanishyna/rate-limiting-architectural-layers-in-web-applications-3g76 https://dev.to/olha-stefanishyna/rate-limiting-architectural-layers-in-web-applications-3g76 <h2> Introduction<a id="intro"></a> </h2> <p>Rate limiting is a critical defensive strategy for web applications, allowing you to control the flow of incoming and outgoing requests. By restricting how many requests a client can make in a given time window, you can maintain system stability, prevent abuse, and ensure fair resource allocation across your user base.</p> <p>This configuration demonstrates infrastructure-level rate limiting by setting request identifiers, allocating memory, defining burst-tolerant limits, and applying rules to specific URLs.</p> <h3> The Critical Role of Backend Rate Limiting </h3> <p>Effective backend rate limiting is foundational for:</p> <ul> <li> <strong>System Stability</strong>: Prevents resource exhaustion during traffic spikes</li> <li> <strong>Security Enhancement</strong>: Mitigates brute force attacks, credential stuffing, and DDoS attempts</li> <li> <strong>Fair Resource Usage</strong>: Ensures equitable access for all users</li> <li> <strong>Performance Optimization</strong>: Improves overall latency for legitimate users by smoothing request bursts</li> </ul> <p>Backend rate limiting can be implemented across three distinct architectural layers, each operating at different points in the request lifecycle. These layers differ in their proximity to the client, available context, and performance characteristics. Understanding where each layer fits in your application architecture is crucial for designing an effective rate limiting strategy that balances early traffic filtering with granular business logic control.</p> <h2> Infrastructure Layer Rate Limiting <a id="infrastructure-layer"></a> </h2> <p>The infrastructure layer represents your first line of defense. At this level, rate limiting is typically implemented in load balancers and reverse proxies.</p> <h3> Key Advantages </h3> <ul> <li> Early Rejection: Blocks excessive traffic before it consumes application server resources.</li> <li> Global Scope: Can enforce limits across all underlying services.</li> <li> Performance: Typically implemented in highly optimized native code.</li> </ul> <p><strong>Example with Nginx</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">limit_req_zone</span> <span class="nv">$binary_remote_addr</span> <span class="s">zone=mylimit:10m</span> <span class="s">rate=10r/s</span><span class="p">;</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">limit_req</span> <span class="s">zone=mylimit</span> <span class="s">burst=20</span> <span class="s">nodelay</span><span class="p">;</span> <span class="kn">proxy_pass</span> <span class="s">http://my_upstream</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This configuration illustrates how infrastructure-level rate limiting works by defining request identifiers, allocating tracking memory, setting rate limits with burst tolerance, and applying these rules to specific URL patterns.</p> <h3> Limitations and Considerations </h3> <p>While infrastructure-level rate limiting is powerful, it has limitations:</p> <ul> <li> Typically relies on IP-based identification, which can penalize multiple users behind a NAT or corporate proxy.</li> <li> CDN Interaction: If behind a CDN, ensure Nginx sees the actual client IP via headers like X-Forwarded-For.</li> </ul> <p>For more granular control, consider using different identifiers by setting custom keys like API tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Use API key from header instead of IP</span> <span class="k">limit_req_zone</span> <span class="nv">$http_x_api_key</span> <span class="s">zone=api_limits:10m</span> <span class="s">rate=5r/s</span><span class="p">;</span> </code></pre> </div> <h2> Application Gateway Layer Rate Limiting <a id="gateway-layer"></a> </h2> <p>This layer exists closer to the application, often within the application framework itself. In Next.js applications, this is often implemented using Middleware, which intercepts requests before they reach your route handlers.</p> <p><strong>Example: Next.js Middleware with in-memory rate limiter (for illustration only)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// middleware.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">requestStore</span> <span class="o">=</span> <span class="cm">/** In-memory request tracking **/</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/protected-route</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="cm">/** Extract client IP **/</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isRateLimited</span> <span class="o">=</span> <span class="cm">/** Check if user exceeded rate limit **/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">isRateLimited</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">NextResponse</span><span class="p">(</span><span class="dl">'</span><span class="s1">Too many requests.</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="cm">/** Standard rate limit headers **/</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="cm">/** Update request tracking **/</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/:path*</span><span class="dl">'</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <h4> Key Advantages of Middleware Rate Limiting </h4> <ul> <li> <strong>Edge Execution</strong>: Next.js Middleware can run at the edge, providing low latency decisions</li> <li> <strong>Dynamic Rules</strong>: Easier to implement rules based on application state or user roles.</li> <li> <strong>Contextual Awareness</strong>: Access to request headers, cookies, JWTs for finer-grained identifier choice.</li> </ul> <h4> Considerations </h4> <p>The in-memory approach shown here is purely illustrative. In any production environment, you should use a persistent, distributed store like Redis, or a specialized rate limiting service. In-memory solutions are unreliable because they lose state during restarts, deployments, or crashes, and can accumulate memory leaks over time.</p> <h2> Application Service Layer Rate Limiting <a id="service-layer"></a> </h2> <p>This involves implementing rate limits directly within the application's business logic, typically at the controller, service, or individual function level.<br> In Next.js rate limiting at the service layer is implemented directly in your API route handlers or server-side logic. This offers fine-grained control with the ability to integrate business rules.</p> <p><strong>Example - Next.js API Route with a simple in-memory store (Illustrative):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// pages/api/service-data.js</span> <span class="kd">const</span> <span class="nx">requestTracker</span> <span class="o">=</span> <span class="cm">/** Initialize request tracking **/</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">MAX_REQUESTS</span> <span class="o">=</span> <span class="cm">/** Configure rate limit **/</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">WINDOW_MS</span> <span class="o">=</span> <span class="cm">/** Define time window **/</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">identifier</span> <span class="o">=</span> <span class="cm">/** Extract appropriate identifier (API key, user ID, or IP) **/</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">recentRequests</span> <span class="o">=</span> <span class="cm">/** Get user's requests within current time window **/</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">recentRequests</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;=</span> <span class="nx">MAX_REQUESTS</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests. Please try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="cm">/** Calculate retry time **/</span> <span class="p">});</span> <span class="p">}</span> <span class="cm">/** Update request tracking with current request **/</span> <span class="cm">/** Clean up old entries to prevent memory leaks **/</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="cm">/** Return requested data **/</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h4> Considerations </h4> <p>Service layer rate limiting may affect performance, so this approach should be reserved for scenarios where middleware solutions aren't sufficient.</p> <h2> Standard Headers for Rate Limiting </h2> <p>Consistent client communication is key. Always include these HTTP headers in responses from rate-limited endpoints:</p> <ul> <li> <code>X-RateLimit-Limit</code>: Maximum requests allowed in the current window</li> <li> <code>X-RateLimit-Remaining</code>: Number of requests left in the current window</li> <li> <code>X-RateLimit-Reset</code>: Unix timestamp or seconds until the limit resets</li> <li> <code>Retry-After</code>: Seconds to wait before making another request (when rate limited)</li> </ul> <p>Note that the IETF has a draft specification for standardized rate limiting headers, introducing RateLimit and RateLimit-Policy to consolidate rate limiting information. However, many APIs still use legacy headers with the X- prefix, such as X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.</p> <h2> Best Practices for Backend Rate Limiting<a id="#best-practices"></a> </h2> <ul> <li> Layered Approach: Combine infrastructure, gateway, and application-level limits for comprehensive protection.</li> <li> Choose Appropriate Identifiers: Use IP for broad, unauthenticated traffic; API keys or user IDs for authenticated traffic.</li> <li> Failure Handling: Decide whether to fail open (allow requests) or fail closed (block requests) when rate limiting services are unavailable.</li> <li> Adaptive Limits: Consider implementing dynamic limits that adjust based on system health, user tiers, or traffic patterns.</li> </ul> <p>Backend rate limiting is a multi-layered defense mechanism that protects your application while ensuring fair resource allocation. By implementing rate limiting at the infrastructure, gateway, and service layers, you create a robust system that can handle varying traffic patterns while preventing abuse.</p> <p>Remember that well-implemented rate limiting should be invisible to normal users while protecting your system from abuse. When done right, it's an essential component of a resilient, scalable backend architecture.</p> javascript nextjs softwareengineering ratelimiting