DEV Community: Aryamaan jain

Building My Home Server from an Old Laptop

Aryamaan jain — Sat, 11 Oct 2025 11:22:53 +0000

Building Home Server

A few months ago, I noticed my old laptop lying in the corner, untouched and gathering dust. It wasn’t powerful enough for my daily work anymore, but I didn’t feel like throwing it away either. That’s when the idea struck me: why not turn it into a home server?

I wiped everything off, installed a fresh copy of Ubuntu Server, and slowly started experimenting. At first, it was just about getting the basics running, but one thing led to another. Soon, I had a NAS for file storage, AdGuard to block ads across my network, a media server for streaming, a VPN for secure browsing, and even a place to run some of my own apps.

This blog covers how I set things up, the tools I used, and some lessons I picked up along the way. If you’ve got an old machine lying around, this might give you a reason to bring it back to life.

Base Ubuntu Server Setup

I won’t go too deep into the installation here (that probably deserves its own blog — let me know if you’d like one). If you’re new, you can follow this reference video — it’s a solid guide for installing Ubuntu Server. Just watch until the installation part if that’s all you need, or continue further if you want a deeper dive. Here’s a quick outline of the steps you’ll likely follow:

Created a flash drive with the Ubuntu Server image.
Logged into BIOS and changed boot order.
Booted from USB and installed Ubuntu with mostly default values.
Chose DHCP for network initially (later switched to static IP).
Selected the laptop’s drive for installation.

SSH Setup

First things first — let’s make this laptop feel like a real server by setting up SSH. This way, I can connect remotely without ever needing to touch it physically.

Install SSH Server

sudo apt update && sudo apt install openssh-server -y

Check status: systemctl status sshd
By default, it should start automatically.

Change Default SSH Port

Open the SSH config: sudo vi /etc/ssh/sshd_config
Find the line with #Port 22, uncomment it, and change it to something non-default, e.g.: Port 2222

This helps avoid random automated attacks.

Disable Password Authentication

Still in sshd_config, set: PasswordAuthentication_,_ This ensures only key-based logins work — much safer.

Sometimes you also need to update /etc/ssh/sshd_config.d/50-cloud-init.conf.

Add Your Public Key

On your client machine , generate a key if you don’t already have one: ssh-keygen -t ed25519 -C “your_email@example.com”
Then copy it to the server: ssh-copy-id -i ~/.ssh/id_ed25519.pub @server-ip -p 2222 (Note: The steps below include ways to find your server’s IP address.)
This adds your key to ~/.ssh/authorized_keys on the server.

In the End Restart SSH Server sudo systemctl reload sshd, Now you can try connecting like this: ssh @server-ip -p 2222

After setting up SSH keys, you might still not be able to connect from your client. That’s usually because of the firewall or changing IP addresses. To make things smooth, we’ll:

Assign a static IP to the server.
Open the correct ports in the firewall.
Configure the client for easy SSH access.

Step 1: Find Your Current IP

Before setting a static IP, you need to know your network interface and current IP. Here are a few ways:

Using ip command: ip addr showip addr show. Look for inet under your ethernet interface (e.g., enp4s0).
Using ifconfig (may need sudo apt install net-tools):
Using hostname -I:

Using ifconfig

This shows all IPs assigned to the machine.

Step 2: Set a Static IP and Connect to wifi

Connect to your router and pick an available IP. Usually, numbers at the higher end of the subnet (like .7, .100, etc.) are free. Then edit your netplan config (/etc/netplan/01-netcfg.yaml or similar):

network:
  version: 2
  renderer: networkd
  ethernets:
    enp4s0:
      addresses:
        - 192.168.1.7/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
  wifis:
    wlan0:
      addresses:
        - 192.168.1.50/24 # your static Wi-Fi IP
      gateway4: 192.168.1.1 # usually same as router
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
      access-points:
        "Your_SSID":
          password: "YourPassword"

Apply the new configuration: sudo netplan apply

Now your server will always have the same IP, which makes connecting much easier.|

Step 3: Configure the Client

On your client machine, you can simplify SSH access by creating ~/.ssh/config:

Host MyServer
    HostName 192.168.1.7
    User your-username
    Port 2222 # or the port you set for SSH
    IdentityFile ~/.ssh/id_ed25519

After this, you can connect simply with: ssh MyServer

Step 4: Configure Firewall

Ubuntu uses UFW to manage access.

Enable/disable UFW:

sudo ufw enable
sudo ufw disable

Allow SSH (default port or custom port):

sudo ufw allow ssh # if using default port 22
sudo ufw allow 2222/tcp # replace 2222 with your custom SSH port

Check firewall status: sudo ufw status

With a static IP and firewall configured, your SSH connection should work reliably from your client.

Alright, enough of the setup — let’s get into the good stuff.

Network Storage (NAS with Samba)

So, what’s the point of a NAS? Think of it like your personal cloud — a drive you can connect to from multiple devices at the same time, without messing with wires or constantly plugging in drives.

Before setting up the NAS, I mounted a 50GB external drive on my server. I recommend doing the same so that your operating system runs on a separate drive, and the mounted drive can be fully dedicated for storage.

Step 1: Identify and Prepare the Drive

Check available storage: lsblk
Find the drive you want to use (e.g., /dev/sda).
If the drive has existing partitions, clear them:

sda
|
--sda1
--sda2

# Command to clear this
sudo wipefs -a <drive path>
# eg.
sudo wipefs -a /dev/sda

Note: Moving Forward Please use your own drive path instead of /dev/sda.

Step 2: Create a Partition

Start partitioning: sudo gdisk /dev/sda
Commands in gdisk:

n → create new partition
Accept defaults to use the entire drive
w → write changes
y → confirm

Verify the partition: sudo gdisk -l /dev/sda

Step 3: Format the Partition

Create an ext4 filesystem: sudo mkfs.ext4 /dev/sda1

If prompted about an existing filesystem, type y.

Step 4: Mount the Partition

Go to /mnt and create a folder:

cd /mnt
sudo mkdir data

Make the folder immutable (optional, prevents accidental deletion):

sudo chattr +i data

Find the UUID of your partition:

sudo blkid /dev/sda1

# eg.
/dev/sda1: UUID="b2e62f4f-d338-470e-9ae7-4fc0e014858c" TYPE="ext4"

# Copy
UUID="b2e62f4f-d338-470e-9ae7-4fc0e014858c"

Edit /etc/fstab to mount automatically on boot: sudo vi /etc/fstab

UUID="b2e62f4f-d338-470e-9ae7-4fc0e014858c" /mnt/data ext4 defaults 0 2

Mount the drive using sudo mount -a
Check it was mounted properly using df -h

Now the drive will mount automatically on each restart, and you can freely create files in /mnt/data.

Step 5: Set Up Network Storage with Samba

Install Samba and create a user:

sudo smbpasswd -a striker

Add a share configuration in /etc/samba/smb.conf:

[share]
path = /mnt/data
valid users = striker
read only = no

Restart the Samba service: sudo systemctl restart smbd.service
Allow in UFW: sudo ufw allow samba
Connect from another device (e.g., Mac) via Go > Network Server, mounted at /Volumes/.

Now you have a NAS you can access anytime on your local network. The steps to connect may vary slightly depending on the device.

AdGuard Home with Docker

Next, I wanted my server to act as a network-wide ad blocker using AdGuard Home.

Docker Compose for AdGuard

Create a directory for AdGuard (create on system storage not attached storage):

mkdir ~/adguard
cd ~/adguard

Create a docker compose file: vi docker-compose.yaml

version: '3'
services:
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "68:68/tcp"
      - "80:80/tcp"
      - "443:443/tcp"
      - "3000:3000/tcp"
    volumes:
      - ./adguard/work:/opt/adguardhome/work
      - ./adguard/conf:/opt/adguardhome/conf

Fixing the Port 53 Conflict

Ubuntu’s systemd-resolved already uses port 53. To free it for AdGuard:

Create a custom config in /etc/systemd/resolved.conf.d/adguardhome.conf

[Resolve] DNS=127.0.0.1 DNSStubListener=no

Backup existing config:

mv /etc/resolv.conf /etc/resolv.conf.backup

Create a symlink:

ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Restart systemd-resolved:

systemctl reload-or-restart systemd-resolved

Now AdGuard runs on port 53 without issues.

Steps

Run docker-compose up -d to start AdGuard
On another machine in same network, go to: http://:3000
You will see the Get Started screen. Select all the default options and create an admin user.
Log in to your admin account.
Update DNS settings:
Go to **Settings > DNS Settings
For Upstream DNS Server , clear the field and add 1.1.1.1** (Cloudflare)
For Fallback DNS Server , add 8.8.8.8 (Google)
Click Test Upstreams and then Apply
To use AdGuard, change your router or devices to use this DNS server. It’s best to update at the network level so you don’t have to configure each device individually. If configured only on a device, it will work only for that device. Your server must keep running for AdGuard to function.
You can explore more settings to customize AdGuard, but the above steps cover the bare minimum setup needed.

Jellyfin Media Server with Docker

To manage and stream my media, I installed Jellyfin — an open-source alternative to Plex.

Docker Compose for Jellyfin

Create a directory for Jellyfin (create on system storage not attached storage):

mkdir ~/jellyfin
cd ~/jellyfin

Create a docker compose file: vi docker-compose.yaml

services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    user: 1000:1000
    network_mode: 'host'
    volumes:
      - ./src/config:/config
      - ./src/cache:/cache
      - type: bind
        source: /mnt/data/jellyfin-media
        target: /media
    restart: unless-stopped
    extra_hosts:
      - 'host.docker.internal:host-gateway'

Steps

Run docker-compose up -d to start Jellyfin
Create the required directories for config, cache, and media:

mkdir -p /mnt/data/config
mkdir -p /mnt/data/cache
mkdir -p /mnt/data/media

Access Jellyfin from another machine in same network: http://<your-server-static-ip>:8096
Follow the setup guide:
Create a user for yourself.
For the media folder, leave it as is for now.
Select your preferred metadata language (default works fine).
In Configure Remote Access, check both checkboxes.
At this point, the server page will load but show “nothing here” initially.
Add your media:
Inside /mnt/data/media, create folders for your content (e.g., movies, tv).
Go to Menu > Dashboard > Library in Jellyfin.
Add your media libraries through this page.
Now your media will appear on the home page. You can:
Create different folder structures for movies and TV series.
Add multiple users.
I Suggest to Explore settings to customize further.

Note: Jellyfin automatically downloads metadata for your media.

Currently, everything is available only on your local network. If you want remote access or want to deploy your apps for access from anywhere, check out this blog: Host Local Projects Without Static IP Using Cloudflare Tunnel. This allows you to move your apps from local-only to remote access.

Setting up a home server on an old laptop has been surprisingly rewarding. From remote SSH access to a NAS for file storage, network-wide ad blocking with AdGuard, and a media server with Jellyfin, I now have a versatile system running multiple services smoothly.

If you’re curious about taking it further — like hosting your own AI models (think ChatGPT), setting up an automated torrent service with indexers, trackers, and downloaders, or deploying other custom applications — let me know. I can create dedicated blogs diving into each of these topics in detail.

—

Refs:

202510110450

How We Upgraded PostgreSQL on AWS RDS in Production

Aryamaan jain — Mon, 22 Sep 2025 21:14:13 +0000

Guide to Upgrading PostgreSQL on AWS RDS for Production Environments

At one of my previous organizations, we were still running a PostgreSQL 12.x version on AWS RDS. This database powered our Metabase instance , which was critical for analytics across the org. The catch? Since PostgreSQL 12 had already gone out of mainstream support, we had to rely on extended support — and pay extra for it.

Naturally, this sparked conversations about cost savings and long-term sustainability. The decision was clear: we needed to upgrade PostgreSQL to a supported version, for us it was PostgreSQL 17.

But like any database upgrade, it wasn’t just about clicking an “Upgrade” button. It meant understanding compatibility, preparing for edge cases, and making sure we didn’t bring down production dashboards that half the company relied on.

That’s when I started drafting a structured upgrade plan — something I wish I had when we first went through it.

The Upgrade Journey: Steps I Followed

Step 1: Change Log

First, I dug into PostgreSQL’s release notes. This was important to identify deprecated features or breaking changes that could cause Metabase queries to fail.

Step 2: Compatible Target Version

AWS doesn’t allow skipping major versions, so I had to check the valid upgrade paths from 12.x using the AWS CLI. Luckily, for us, it was a straightforward single-step upgrade.

aws rds describe-db-engine-versions \
  --engine postgres \
  --engine-version 12 \
  --query "DBEngineVersions[*].ValidUpgradeTarget[*].{EngineVersion:EngineVersion}" \
  --output text

📖 Reference: AWS RDS Upgrade Targets

Eg. Target Versions

Step 3: Instance class compatibility

Not every instance type supports all PostgreSQL versions, so I had to cross-check our RDS class against AWS’s documentation. In our case, we were on db.m6i.large, which turned out to support PostgreSQL 17 perfectly for our needs.

📖 Reference: AWS RDS Instance Class

Step 4: Parameter group

PostgreSQL upgrades can introduce new parameters or remove existing ones, which may impact your setup. To be safe, I created a new parameter group for the target version and reviewed it. Since we hadn’t customized much, the defaults worked fine.

Step 5: Database Content

Clean up potential blockers before upgrading:

Prepared transactions:

SELECT count(*) FROM pg_catalog.pg_prepared_xacts;

Replication slots:

SELECT * FROM pg_replication_slots;

reg* data types:

SELECT count(*) FROM pg_catalog.pg_class c, pg_catalog.pg_namespace n, pg_catalog.pg_attribute a
  WHERE c.oid = a.attrelid
     AND NOT a.attisdropped
     AND a.atttypid IN ('pg_catalog.regproc'::pg_catalog.regtype,
                         'pg_catalog.regprocedure'::pg_catalog.regtype,
                         'pg_catalog.regoper'::pg_catalog.regtype,
                         'pg_catalog.regoperator'::pg_catalog.regtype,
                         'pg_catalog.regconfig'::pg_catalog.regtype,
                         'pg_catalog.regdictionary'::pg_catalog.regtype)
     AND c.relnamespace = n.oid
     AND n.nspname NOT IN ('pg_catalog', 'information_schema');

Invalid databases:

SELECT datname FROM pg_database WHERE datconnlimit = -2;

Unknown data types:

SELECT DISTINCT data_type FROM information_schema.columns 
WHERE data_type ILIKE 'unknown';

📖 Reference: Official Postgres Upgrade Docs

Step 6: Extension Compatibility

Extensions (like uuid-ossp, pgcrypto, etc.) are not automatically upgraded during a major version upgrade. So I listed all installed extensions and verified their compatibility with the new version.

SELECT * 
FROM pg_extension pe
JOIN pg_available_extension_versions pev 
  ON pev.name = pe.extname;

Verify compatibility in AWS Postgres Extensions Release Note

Step 7: Pending maintenance

Checked RDS console for any pending maintenance tasks — these can conflict with upgrades, as running them during the upgrade can cause issues. You can view pending maintenance in the AWS RDS console under your DB instance’s “Maintenance & backups” section.

Step 8: Take snapshot

Took a manual snapshot before starting. It serves as a fallback in case the upgrade fails or anything goes wrong.

Step 9: Check Application Compatibility

Finally, I tested Metabase itself with the upgraded PostgreSQL version in staging. This step was crucial because Metabase Docker images often lock supported PostgreSQL versions. That’s when we ran into a new issue: our current Metabase version didn’t support PostgreSQL 17. This meant we had to upgrade Metabase as well. I created a forked Docker image with a few of our custom patches, then tested it against the new database to ensure everything worked smoothly.

Final Checklist

- [] Change log
- [] Compatible Target version
- [] Instance class compatibility
- [] Parameter group
- [] Database Content
- [] Extension compatibility
- [] Pending maintenance
- [] Take snapshot
- [] Application compatibility with new postgres version

Other Points to Consider

Blue-Green Deployment: We used a blue-green deployment approach to test the upgrade on a separate environment, which allowed for a smooth transition to production.
Performance Monitoring: Throughout the upgrade process, we monitored the RDS database diligently to ensure everything was working smoothly. We kept an eye on CPU, memory, disk usage, and query performance both before and after the upgrade to catch any regressions early.
Driver & Connection Compatibility: We made sure that all applications were using PostgreSQL drivers compatible with the new version to avoid connection issues.
Security Review: We reviewed roles, permissions, and SSL settings to ensure security wasn’t impacted.
Communicate Downtime: I announced the upgrade downtime for Metabase and scheduled it at night, when traffic was minimal, to reduce disruption for users.

For us, the upgrade was about more than just security or new features — it was about avoiding unnecessary costs while ensuring reliability. What started as a cost-saving initiative turned into a lesson on systematic upgrades and resilience planning.

If you’re in a similar boat with aging PostgreSQL versions on RDS, hopefully, this step-by-step narrative gives you a practical starting point.

—

Refs:

202509230243

Rails CSRF Internals Uncovered — And a Real-World Bug We Faced

Aryamaan jain — Sun, 21 Sep 2025 22:22:07 +0000

In a previous post, I explored the Fundamentals of CSRF — what it is, how it works, and the standard mechanisms used to prevent it. While these mechanisms often “just work” in most frameworks, things can get tricky when you’re building or debugging something custom.

At one of my Org, we encountered a puzzling issue: “Invalid CSRF token” errors appearing on two different pages, each caused by a different underlying reason. To debug it, I had to dive deep into how Rails handles CSRF tokens internally.

This post shares what I learned from that journey — including how Rails generates, masks, and verifies CSRF tokens, how we implemented similar logic in our codebase, and what ultimately caused the issue.

💎 How Rails Handles CSRF (Under the Hood)

Rails’ CSRF protection works out of the box, But once you peek under the hood, there’s some really clever stuff going on — especially around how tokens are generated, masked, and verified.

At its core, Rails generates a base token , stores it in the session, and then sends a masked version of that token in the forms or headers. When a request comes in, Rails unmasks the token from the request and simply compares it with the one stored in the session. If they match, the request is good to go. A little more breakdown for each step.

1. Generating the CSRF Token

When a new session starts, Rails creates a random string using SecureRandom and stores it in the session under :_csrf_token. This is the base token and stays the same for the entire session (unless something like a login/logout resets it).

File — request_forgery_protection.rb

session[:_csrf_token] ||= SecureRandom.base64(32)

This base token is what everything else is built on.

2. Masking the Token (The Cool Part)

Rails doesn’t just throw that raw token into your forms or headers. Instead, it masks the token every time it sends it to the client.

Here’s what that means:

It creates a random one-time pad (same length as the token).
It XORs the base token with the pad to “encrypt” it.
It then sticks the pad and the encrypted result together.
Finally, the combined result is Base64-encoded.

So even if the base token never changes, the token sent to the frontend looks different every time. This helps protect against attacks like BREACH.

3. Where the Token Shows Up

The masked token is:

Embedded in forms via a hidden input field (authenticity_token)
Sent in the X-CSRF-Token header for AJAX or fetch requests

This way, Rails knows to expect it during any state-changing request like POST, PUT, PATCH, or DELETE.

4. Verifying the Token

When a request comes in, Rails does the reverse dance:

It grabs the token from the header or form field.
Decodes it from Base64.
If it’s a masked token (i.e., twice the expected length), it splits out the pad and encrypted part and XORs them to get back the original token.
Compares this unmasked token to what’s stored in the session (:_csrf_token).

If anything’s off — wrong value, malformed format, etc. — Rails throws an InvalidAuthenticityToken error.

To keep things extra safe, Rails regenerates the CSRF token after login or sign-up. So even though your session is still active, the CSRF token is refreshed. This prevents old tokens from being reused in new sessions.

This behaviour is defined in the Devise initialiser: config/initializers/devise.rb:102

Now let’s get started with the issues I ran into.

To make debugging easier, I first built a few common utilities for decoding and comparing CSRF tokens.

Common Utils

To parse Session token

def decrypt_session(cookie_string, mode = 'json')
  serializer = case mode
  when 'json' then JSON
  when 'marshal' then ActiveSupport::MessageEncryptor::NullSerializer
  end
  cookie = CGI::unescape(cookie_string.strip)
  salt = Rails.configuration.action_dispatch.encrypted_cookie_salt
  signed_salt = Rails.configuration.action_dispatch.encrypted_signed_cookie_salt
  key_generator = ActiveSupport::KeyGenerator.new(
    Rails.application.secrets.secret_key_base,
    iterations: 1000
  )
  secret = key_generator.generate_key(salt)[0, 32]
  sign_secret = key_generator.generate_key(signed_salt)
  encryptor = ActiveSupport::MessageEncryptor.new(
    secret,
    sign_secret,
    serializer: serializer
  )
  result = encryptor.decrypt_and_verify(cookie)
  (mode == 'marshal') ? Marshal.load(result) : result
end

To parse CSRF token

def unmask_token(masked_token)
  token_length = masked_token.length / 2
  one_time_pad = masked_token[0...token_length]
  encrypted_token = masked_token[token_length..-1]
  xor_byte_strings(one_time_pad, encrypted_token)
end

def encode_token(token)
  Base64.strict_encode64(token)
end

def decode_token(token)
  Base64.strict_decode64(token)
end

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1, c2)| c1 ^ c2 }.pack('c*')
end

def due(token)
  d = decode_token(token)
  u = unmask_token(d)
  encode_token(u)
end

First Issue: Invalid CSRF Token on Landing Page

Issue

There was a recurring problem where users would sometimes face an Invalid CSRF token error on the new landing

What I Found

When the error happened, the two tokens didn’t match:

The session contained one _csrf_token
The CSRF API returned another

But in Rails, there are really only two valid scenarios:

No token exists yet → Rails generates one, saves it in the session, and returns it (after masking).
Token already exists → Rails reuses it, masking it again before sending.

So how could they be different?

It turned out to be a race condition :

Two requests landed almost at the same time.
Both checked the session, saw no CSRF token, and decided to generate one.
One request won the race and saved its token in the session.
But the other request had already generated its own token, so it returned a value that was immediately outdated.

This explains why the issue appeared when users hit the new landing page directly without any cookies (for example, in incognito mode).

The Fix

The problem was that we were eagerly calling the CSRF API as soon as the page loaded. That increased the chance of this race condition.

The solution was simple:

👉 Remove the initial CSRF API call and instead fetch the token only when it’s actually needed — at the time of the first POST request.

This way, only one request is responsible for generating and storing the token, eliminating the race.

Second Issue: Invalid CSRF Token on Product Page

Issue

We noticed users sometimes got “Invalid CSRF token” errors when opening the Product landing page from Slack links. The issue was inconsistent — only happening when the page was opened in Chrome’s Slack preview.

Here’s the request flow that caused the issue:

User clicks a Slack link to open the Product landing page.
The page makes an initial API call to load content.
A subsequent API call (e.g., user/v2 for OTP) fails with an invalid CSRF token error.

It seemed like the session was being dropped between requests , causing CSRF verification to fail. This issue was particularly tricky to debug.

Debugging Process

I approached this step by step, adding logs and tracing the request flow.

1. Inspecting CSRF Verification

Added logging inside Rails’ request_forgery_protection.rb where the CSRF token is compared with the session.
Finding: The session was empty at this point, even though the cookie itself was present.

This suggested the session was being created correctly initially, but something later in the middleware chain was removing it.

2. Checking Session Creation

Added loggers in ActionDispatch::Request::Session and CookieStore.
Found that the session was properly populated from the cookie, including the CSRF token.

So the drop wasn’t during session creation — it happened later in the middleware stack.

3. Tracing Middleware Calls

Added logging in SanitizeQueryStringMiddleware.
Observation: The session was available before the middleware but gone after.
Testing middleware order confirmed that session availability depended on execution order.
Rack-protection middleware, especially session_hijacking.rb, ran after SanitizeQueryStringMiddleware.

4. Identifying the Root Cause

In rack-protection/lib/rack/protection/session_hijacking.rb, I found a check comparing the session’s tracking hash with request environment values.
Specifically, the HTTP_ACCEPT_LANGUAGE header differed between requests:

Request HTTP_ACCEPT_LANGUAGEInitial Product APIen-USOTP API (user/v2)en-US,en;q=0.9,hi;q=0.8

This difference triggered rack-protection’s session-hijacking check , which dropped the session.
Dropping the session invalidated the CSRF token, causing the failure.

5. Hypothesis Testing

Replicated the flow using Postman:

First, call the Product page to get the CSRF token.
Then, call user/v2 with the same cookies and CSRF token.

Results:

Same Accept-Language header → CSRF passed
Different header → CSRF failed

This confirmed that the mismatch in headers caused the session drop and CSRF failure.

Fix

The fix was straightforward:

Remove HTTP_ACCEPT_LANGUAGE tracking in session-hijacking (already removed in newer rack-protection versions — Commit Link).
Upgrade or patch the rack-protection middleware.

Now, minor differences in request headers no longer drop the session, and the CSRF token remains valid across the flow — even in Slack preview.

CSRF protection usually works behind the scenes, and you rarely notice it — until it breaks. Going through Rails’ internals and debugging these real issues reminded me that even small things, like request timing or headers, can trip it up. Understanding how the tokens are generated, masked, and verified made it much easier to find the root cause and fix it properly.

—

Refs:

202509220350

Host Local Projects Without Static IP Using Cloudflare Tunnel

Aryamaan jain — Fri, 11 Apr 2025 13:42:44 +0000

Setting up a public-facing server from your internal network usually comes with a major headache — you need a static IP and a DNS provider. Even if you’ve got your domain name ready, your ISP may not assign you a static IP, or worse, may charge extra for it.

But what if I told you there’s a way to bypass that entirely?

🔐 Enter Cloudflare Tunnel (aka cloudflared)

Cloudflare Tunnel allows you to expose your local server securely to the internet without needing a static IP or poking holes in your firewall. The magic? It establishes a persistent outbound connection from your machine to Cloudflare’s edge network.

So, instead of users directly hitting your home IP, their requests go through Cloudflare, which then forwards traffic through this tunnel to your internal server — and sends responses back the same way.

All you need is a registered domain on Cloudflare. No static IP, no port forwarding, and no exposing your machine directly.

🛠️ Setting Up a Cloudflare Tunnel

Let’s walk through the setup with a simple example.

1. Go to Cloudflare Zero Trust Dashboard

Navigate to the Zero Trust section in your Cloudflare dashboard.

Zero Trust Section

2. Create Your Team Domain

Pick any name for your team domain. This is just for internal structuring.

Team Domain

3. Select the Free Plan

Yes, it’s completely free! Just proceed to payment, enter any method (no actual charges).

Free Plan

4. Navigate to “Networks > Tunnels”

On the sidebar, head to Networks → Tunnels , then click “Add a Tunnel.”

Add A Tunnel

6. Start the Tunnel (Pick Your Environment)

You’ll now get setup instructions based on your OS.

For macOS: brew install cloudflared and run as a service.
Docker: You can also run it inside Docker — straightforward and clean.

Once done, your tunnel status should show as Connected.

Connected Tunnel

🌐 Host Something Locally

Let’s test it out by running a simple server:

Option 1: NGINX via Docker

docker run -p 8080:80 nginx

Option 2: A Tiny Flask App

Save this as app.py and run with python app.py:

from flask import Flask
app = Flask( __name__ )
@app.route('/')
def home():
    return 'Hello, Flask!'
if __name__ == ' __main__':
    app.run(debug=True)

🌍 Expose It with a Public Hostname

Once the tunnel is active:

Add a new public hostname
Choose any subdomain (e.g., demo.yourdomain.com)
Type: HTTP
URL: localhost:8080 (for NGINX) or localhost:5000 (for Flask)

Setting for public Host Name

Save it, and boom — you now have a public link to your local server!

Local Server On Public Domain

🐛 Facing issue with HTTPS request

In my setup:

Next.js frontend ran on port 3000 and was exposed via a tunnel to a subdomain.
Python Flask backend ran on port 5000, also exposed via a tunnel.

Both were running with HTTP internally.

Cloudflare provides an HTTPS URL for every tunnel. So even though my servers were running on HTTP, the frontend was making HTTPS requests to the backend.

This caused CORS or SSL handshake failures. The requests were made over HTTPS but seemed to break mid-way, possibly due to internal HTTP fallback.

Solution

I started the Flask server with an adhoc self-signed SSL certificate :

flask run --cert=adhoc --host=0.0.0.0

While setting up the public hostname in the tunnel:

I used: https://:5000
Changed the TLS setting to “No TLS verify” , allowing Cloudflare to accept self-signed certs.

Since Flask was generating the certificate on the fly, this was essential to avoid SSL errors.

🧠 Final Thoughts

Cloudflare Tunnel is a game-changer for self-hosting. Whether you’re building demos, internal tools, or working on projects that need remote access, you can now skip the static IP drama.

Try it out, and give your side projects a proper home on the internet — without compromising on security or simplicity.

If you face any issues while setting this up, feel free to reach out. Always happy to help!

—

Refs:

Cloudflare Docs

202504111902

Behind the Scenes of CSRF: A Developer’s Deep Dive

Aryamaan jain — Wed, 09 Apr 2025 08:54:44 +0000

CSRF is one of those security issues that’s been around for a long time. There are well-known solutions and standard practices to prevent it — so much so that they’re often taken for granted. But sometimes, it’s worth taking a step back to understand the vulnerability more deeply and how each mitigation actually works under the hood.

A while back, I encountered a tricky CSRF-related issue that led me down a rabbit hole of understanding how Ruby on Rails internally handles CSRF protection. That experience inspired this post.

This blog is part one of that journey — focusing on what CSRF really is, the conditions that make it possible, and how different protective mechanisms work. In a future post, I’ll share how Rails tackles CSRF internally, what went wrong in my case, and how I ended up resolving it.

Let’s dive in.

💣 What Even Is CSRF?

At its core, Cross-Site Request Forgery (CSRF) is about abusing trust. If you’re logged into a website (say, your bank), and then unknowingly visit a malicious site, that site might trick your browser into sending a request to the bank on your behalf. The browser includes your cookies (like session tokens) automatically — so the bank thinks it’s you.

It’s like handing your house keys to a stranger because they asked in the right tone of voice.

Imagine this scenario:

You’re logged into your account.
A malicious page includes something like:

<img src="https://bank.com/transfer-money?amount=1000&to=attacker" />

Your browser sees it and thinks, “Sure! Let me attach your auth cookies and fire that off!”

Note : If your API uses stateless, token-based authentication in headers (like JWT), CSRF isn’t typically an issue. This mainly affects cookie-based auth.

🔑 Conditions That Make CSRF Possible

For a CSRF attack to succeed, a few conditions must align:

Important Action : The targeted action must be meaningful — like changing account details or transferring funds.
Cookie-Based Authentication : If the browser automatically attaches auth cookies or headers, the server is easily fooled.
Predictable Parameters : If request parameters are easy to guess or fixed, attackers can replicate them in malicious payloads.

🛠️ How a CSRF Attack Happens

Attackers typically set up a webpage that silently triggers a request to a vulnerable endpoint. For example:

<img src="https://website.com/risky-path">

Or with a form:

<form action="https://vulnerable.com/update-email" method="POST">
  <input type="hidden" name="email" value="attacker@example.com" />
</form>
<script>document.forms[0].submit()</script>

Suddenly, your innocent browsing turns into a silent attack.

🛡️ Preventing CSRF Attacks

The goal is to break the attack chain — by introducing randomness or validating the origin of requests. Common strategies include:

1. CSRF Tokens

The server generates a unique, random token for each user session. This token must be sent back by the client with every sensitive request — via header or hidden form field.

But using CSRF tokens incorrectly opens up vulnerabilities:

If the token is not tied to the session , attackers can use their own token.
If the token is stored in cookies and validated by simply matching values (called Double Submit ), an attacker can manipulate both the token and the cookie if the browser allows it.

Best Practices :

Tokens should be random and session-bound.
Tokens should not be sent in cookies.
For form-based actions, embed them as hidden fields.
For XHR requests, send them in custom headers.

Note: If sent via headers, only AJAX/XHR requests are supported — not native HTML forms.

2. SameSite Cookie Attribute

This is a browser-level defense that controls when cookies are sent during cross-site requests.

Strict : Cookies are only sent in first-party contexts. Completely blocks CSRF but may break SSO and other flows.
Lax (Default): Cookies are sent on top-level GET navigations (like clicking a link), but blocked in other cross-site cases.
None : Cookies are sent in all requests, but must include the Secure flag (HTTPS only).

Set-Cookie: sessionId=abc123; SameSite=None; Secure

Vulnerabilities in SameSite Protections:

Lax Bypass : If the server treats both GET and POST similarly, attackers can misuse Lax rules.
Strict Bypass via Redirection : Attacker-controlled redirections using URL parameters can indirectly trigger CSRF.
Lax Delays : For SSO flows, browsers delay applying Lax for 120 seconds — creating a window of vulnerability.

3. Referrer-Based Validation

Some servers rely on checking the Referrer header to ensure requests come from the right origin.

This method is less secure , and attackers can bypass it easily:

Use meta tags to strip the referrer:

Host malicious pages on subdomains like:

http://vulnerable.com.attacker.com

Referrer validation should never be your only line of defense.

🔚 Final Thoughts

CSRF is dangerous because it abuses trust — your browser’s trust in cookies, your server’s trust in headers, and the user’s trust in your website.

The good news? It’s preventable. With the right strategies, you can turn this silent threat into a non-issue.

—

Refs:

202504091409

Hamiltonian Cycle

Aryamaan jain — Wed, 03 May 2023 18:45:28 +0000

Great use of Hamiltonian cycle

Let’s take a step back and let’s see what’s a hamiltonian cycle. In the mathematical field, it’s a concept of graph theory.). A graph is like a map of nodes. Where each node connects with an edge, and this represents that there is a path between those specific nodes. A graph is used in many ways to represent all kinds of data.

The edges between nodes represent a direct connection between them. We can use a combination of these edges to show a path between two nodes that are not directly connected. A Hamiltonian path is a path in a graph where all nodes are only visited once. A hamiltonian cycle is a cycle of the hamiltonian path where the first node and last node are the same.

How to find a Hamiltonian cycle in an undirected graph?

To find a Hamiltonian cycle in a graph (whenever I use a word graph I am talking about an undirected graph) we can use backtracking. In this algorithm, we will keep a log of the path till now, and we will add nodes to it. If the node is not already present in the path we will keep adding nodes. Else we will backtrack to the previous working state and check new nodes with that. In the end, if we can’t find any path with the required conditions we will say there is no possible hamiltonian cycle in this graph.

Let see the algorithm in-depth
First, let’s create a function to check if a node N is ok to add to the path. We will check if N and the last node have an edge between them. After that, we will see if N is not already present in the path. If both conditions hold, we will return true that it is ok to add N in the path.

bool node_check(int node, vector<vector<int>> graph, vector<int> path, int pos){

    // node is not conneccted to the prev node of the path
    if(graph[path[pos - 1]][node] == 0)
        return false;

    // check the node is already visited in the path
    for(int i = 0; i < pos; i++)
        if(path[i] == node)
            return false;

    return true;
}

Now let’s create a recursive function to find hamiltonian cyclen in the graph. The base case for this function will be if we have added all nodes in the path. Further, we will check if the last node and first node of the path have an edge between them. If an edge is present between those two nodes we will return true, or else we will return false. Let’s have a look over the recursive step. We will try to add each node in the path and check if it is valid or not. If the node is valid we will add it to the path and look further for the hamiltonian cycle using recursive call. If the function returns false, it shows we can’t find any hamiltonian cycle with the specific node. Then we will remove the node from the path and further check with other nodes.

bool find_cycle(vector<vector<int>> graph, vector<int> &path, int pos, int n)  {  

    // check all node are added to path
    if(pos == n){  
        // And check the is a edge between first node and the last node of the path
        if(graph[path[pos - 1]][path[0]] == 1)  
            return true;  
        else
            return false;  
    }  

    // we will check all node 
    for(int v = 0; v < n; v++)  
    {  
        // check if node is valid to insert in cycle
        if(node_check(v, graph, path, pos))  {  

            // we will add node to the path 
            path[pos] = v;  

            // check further 
            if(find_cycle(graph, path, pos + 1, n) == true)  
                return true;  

            // if no valid cycle with this node we will remove it from cycle
            path[pos] = -1;  
        }  
    } 

    return false; 
}

At last, let’s take a graph as an input and find a hamiltonian cycle in it.

Include the necessary header file while running the code.

int main() {

    // to take input of a graph
    int n, q;
    cin>>n>>q;
    vector<vector<int>> graph(n, vector<int>(n));
    vector<int> path(n, -1);
    path[0]=0;

    for(int i = 0; i < q; i++){
        int a, b;
        cin>>a>>b;

        graph[a][b] = 1;
        graph[b][a] = 1;
    }

 // if there is a valid cycle
 if(find_cycle(graph, path, 1, n)){
     // print the path
     for(int i : path)cout<<i<<" ";
     cout<<path[0];
     cout<<endl;
 }
 else {
     cout<<"No valid cycle \n";
 }

 return 0;
}

Input

Output

Now let’s see what so great about the hamiltonian cycle. The property of touching a node only once, or we can say never crossing the path in a hamiltonian cycle provides high usability and can be used in real-life problems. Let’s look over one example, we can use these cycles to create a perfect path for the snake to follow in the snake game, so it will never collide with its tail or the border. This can work as the AI for the snake game.

Feel free to contact me🔥. LinkedIn Twitter Instagram

You can check my other projects and stay tuned for more.👀

Parallax Images

Aryamaan jain — Mon, 30 Nov 2020 12:17:05 +0000

We have all seen 3D movies, illusion images, and know-how good they look, and this gave me the idea to make some tool that makes images shift their perspective as the user moves his head. Imagine how cool it will look.

What will be the effect?

We are all familiar with the term Parallax which is simply the different amount of change in the apparent position of the object, which depends on how far we are from it.
So if we can gain the same effect in 2D images that the different layers of images shift differently, then we can have a sense of dept in those images and a cool effect that we want.

Let’s break down the process

So first, we need to break an image into different layers and, we need a depth map of the 2D image for that. A depth map is simply a black and white image where the whiteness of the images tells how close the object is to POV. After we got the basic layers, we need to inpaint the missing parts from each layer. So finally, we have broken a single image into different layers. Now we can show different layers on top of each other, which will look the same as the original image. Now we can use our camera for face detection and measure how the movement of the user’s head and then shift those layers to match the new POV.

Let’s see how to code this tool

So first, we need to import some files, So copy this code into your file.
I recommend using OpenCV of version 4.1.0.25 because there are few bugs in later versions when we use face_cascade. For other libraries, you can use any version but try to use the newer ones.

import os, sys
import numpy as np
import pygame as pg
import cv2

Now we need to load the image and the depth map and resize them to match the size. For now, we will provide a depth map to our code, but you can generate your own using a model MiDaS, which I have used in my main tool. You can have a look at my GitHub repo.

img = cv2.imread('moon.jpg', flags=cv2.CV_8UC4)
depth_map = cv2.imread('moon_depth_map.png')
depth_map = cv2.cvtColor(depth_map,cv2.COLOR_RGB2GRAY)
img = cv2.resize(img, depth_map.shape[:2])

Now, after we have loaded the depth map, we can create masks for different layers by thresholding the depth map at different Thresholds.
While making one layer we need two masks, one of this layer and the second of the previous layer to inpaint the missing parts. We will take the last layer outside the loop so we can extract all the remaining parts in this layer.


layers = []     
prev_thres = 255
div=30

for thres in range(255 - div, 0, -div):        
   ret, mask = cv2.threshold(depth_map, thres, 255,          cv2.THRESH_BINARY)

   ret, prev_mask = cv2.threshold(depth_map, prev_thres, 255, cv2.THRESH_BINARY)  

   prev_thres = thres        
   inpaint_img = cv2.inpaint(img, prev_mask, 10, cv2.INPAINT_NS)
   layer = cv2.bitwise_and(inpaint_img, inpaint_img, mask = mask) 
   layers.append(conv_cv_alpha(layer, mask))  

# adding last layer 

mask = np.zeros(depth_map.shape, np.uint8)    
mask[:,:] = 255   

ret, prev_mask = cv2.threshold(depth_map, prev_thres, 255, cv2.THRESH_BINARY)

inpaint_img = cv2.inpaint(img, prev_mask, 10, cv2.INPAINT_NS)    layer = cv2.bitwise_and(inpaint_img, inpaint_img, mask = mask)
layers.append(conv_cv_alpha(layer, mask))

layers = layers[::-1]

We have reversed the layers so we can arrange them in order of last to the first layer. While we are adding the layer to the list, we are using a function ‘conv_cv_alpha’ this will add the alpha value (make RGB to RGBA) and make parts of the layer transparent using the mask.

def conv_cv_alpha(cv_image, mask):    
    b, g, r = cv2.split(cv_image)    
    rgba = [r, g, b, mask]    
    cv_image = cv2.merge(rgba,4)    

    return cv_image

Now comes the part of face detection and showing the image. For face detection, we will use haarcascade. download them from their official Github repository.
To download them, right-click “Raw” => “Save link as”. Make sure they are in your working directory.
Now we will load haar cascade for face detection and make a function that will return the face-rect from the image.

face_cascade = cv2.CascadeClassifier( 'haarcascade_frontalface_default.xml')   

def get_face_rect(img):    
    gray_img = cv2.cvtColor(img, cv2.COLOR_BGR2GRAY)    
    face_rects = face_cascade.detectMultiScale(gray_img, 1.3, 5)
    if len(face_rects) == 0:         
        return ()
    return face_rects[0]

Now we have to show the image that will shift according to the user’s head. We will use OpenCV to read cam and then Pygame to render each frame on top of each other. To calculate the shift for each layer, we will calculate the shift of head from the center of the frame and then scale it down to get a small shift value. After that, we will multiply the index value of each layer to get the shift value for the respective layer, you can also multiply some constant value in that for better results.

We will create a Pygame window slightly smaller than the original image and load the camera. We have used scale, so you change its value to make the final result bigger.

scale = 1
off_set = 20
width, height = layers[0].get_width(), layers[0].get_height()        win = pg.display.set_mode((int((width - off_set)*scale), int((height - off_set)*scale)))    
pg.display.set_caption('Parallax_image')
scaled_layers = []    
for layer in layers: 
             scaled_layers.append(pg.transform.scale(layer, (int(width*scale), int(height*scale))))
cap = cv2.VideoCapture(0, cv2.CAP_DSHOW)

We will set some constants. you can play with these constants to get different results.

x_transform = True     # allow shift in x-axis
y_transform = False    # allow shift in y-axis
sens = 50              # the amount of scale down of shift value
show_cam = False       # show your face cam
shift_x = 0    
shift_y = 0    
run = True

Finally, the main loop to render all layers.

while run:
    for event in pg.event.get():
        if event.type==pg.QUIT:
            run = False
    ret, frame = cap.read()
    frame = cv2.cvtColor(frame, cv2.COLOR_BGR2RGB)
    initial_pos = (frame.shape[0]/2, frame.shape[1]/2)
    face_rect = get_face_rect(frame)
    if len(face_rect) != 0:
        x,y,w,h, = face_rect
        face_rect_frame = cv2.rectangle(frame, (x, y), (x + w, y + h), (255,255,0), 3)
        shift_x = (initial_pos[0] - (x + w/2))/(sens*scale)
        shift_y = (initial_pos[1] - (y + h/2))/(sens*scale)
    win.fill((255, 255, 255))

    for i, layer in enumerate(scaled_layers):
        new_x = -off_set/2
        new_y = -off_set/2
        if x_transform:
            new_x = 0 + shift_x*i
        if y_transform:
            new_y = 0 + shift_y*i
        win.blit(layer, (new_x, new_y)) 

   face_rect_frame = cv2.resize(face_rect_frame, (100, 100))
   if show_cam:
       win.blit(conv_cv_pygame(face_rect_frame), (0, 0))
   pg.display.update()
cap.release()
cv2.destroyAllWindows()
pg.quit()

There it is, the final result.

I have created a more advanced version of this tool where you can just choose the image and it will automatically create the parallax image, the depth map will be automatically generated.
You can check more on my GitHub repo.

Feel free to contact me🔥. LinkedIn Twitter Instagram
You can check my other projects and stay tuned for more.👀

ReVamp — Virtual Renovation

Aryamaan jain — Tue, 24 Nov 2020 12:01:16 +0000

The virtual world is getting bigger. Everything from rocket simulation to grocery shopping is virtual now, and now a new thing is getting added to this list. Moving your furniture can be a tough job, and trying a new look on a virtual platform can give a new dimension and make it a little easier to do.

There are a few layers when you wish to give your room a new look. Usually, you want to add new furniture or move the old one to a new location, but it gets tricky when you want a perfect setting for your furniture or wants to buy a new one that will perfectly fit in your room’s theme. But we can add a virtual element in this and make visualization easier.

What ReVamp brings to the table?

In ReVamp, you can make a virtual element of your furniture using your camera. You can click on the object, and it will create a virtual overlay that you can move using your camera. It also allows you to use external images so you can use pictures of furniture you wish to buy to make the virtual overlay.

Technical view of ReVamp

I was working on this project and finished a software version of ReVamp using Python.

Let’s see how ReVamp works.

I used OpenCV to get the camera feed of the device or the IP cam for better quality. Using this, I get a continuous stream of frames that I use to extract the object.

Extracting the object from a picture is tricky so, I tried different approaches to do that.

Flood fill with the color difference

I tried the flood fill algorithm with different color difference formula.
I used Euclidean distance and Red Mean. Euclidean distance was better for computer-generated images, and Red Mean was good for the pictures taken from the camera.

All over the result were not as good as the noise in the picture is left out.

Adding edge Detection

The next big step in the results was adding edge-detection. Now to extract an object, I run a flood fill algorithm with low Delta-e on edge and, then I draw the contour on the resulted CV-MAT. Finally, we get a mask of the object, and applying that on the original image gives us the required virtual overlay of the object.

There were a few flaws in this approach.

Adding convolution filters and contour smoothing

Adding convolution filters and contour smoothing removes the flaw in the previous approach. Before using the above approach, I preprocess the image with a different convolution filter. I tried many filters and, smooth + edge enhance works the best as it removes the noise and sharpens the edge. After this, I also added contour smoothing while creating the mask.

The results were fine on different images. Still, there were outliers images where results were not up to the mark. While I was trying different approaches, I saw an idea similar to mine getting popular. So I started looking at the technologies used in that. There I found BASNet, which provides very good results on object detection and segmentation.

Using BASNet

BASNet is a deep Convolutional neural network used for salient object detection and accurately predict the fine structures with clear boundaries.
Using BASNet gave the best results for creating the overlay.

Deep Convolutional Neural Networks have been adopted for salient object detection and achieved the state-of-the-art performance. Most of the previous works however focus on region accuracy but not on the boundary quality.

And finally, the tricky part of the ReVamp was ready. Now I have to implement this in ReVamp and create a usable tool.

Interface/UI

Now to create an interface, I used the Pygame library of python, I didn’t use other interfacing libraries like Tkinter as I want a little flexible UI with a different feature. So, I create my UI library for Pygame that provided me the flexibility I needed. Further, I used multi treading to make the flow of ReVamp seamless.

I used different techniques to provide the basic functionality of ReVamp like using external images to create the overlay, save/load overlay, basic camera function, and some basic functions on the overlay.

You can check more about ReVamp

GitHub