Tim Perry
Founder of https://httptoolkit.com (🦋 @httptoolkit.com), Node.js core collaborator, tech speaker, drummer, mountain biker and dad.
🇬🇧/🇨🇦 living in 🇪🇸
- Reposted by Tim Perry: 2026 is the year Bluesky and the Atmosphere really come alive here's what's next bsky.social/about/blog/0...
- My AI code generation has decided it can generate an inline private key pair by itself, and I think we might be in trouble...
- Reposted by Tim Perry: Happy Cloudflare is down once again to all who celebrate
- Being hit by my first DDOS attack right now, it's all quite exciting!!!
- For some reason, somebody using random IPs and random-ish emails for every request hit the HTTP Toolkit checkout API ~500k times this morning.
- Needless to say, HTTP Toolkit does not normally have 500k daily customers. Clearly recent marketing efforts are paying dividends!
- Honestly I'm just really excited to discover that people running a global DDOS setup have heard of me.
- Reposted by Tim Perry: Big milestone: HTTP Toolkit just crossed one million downloads! 🚀 Honestly I didn't think it'd ever get this far, I'm blown away. A huge thanks to all the users, contributors & supporters over the years ❤️. Onwards!
- Just in case Shai-Hulud is making you paranoid as well, did you know you can link SSH keys to a Yubikey?

      ssh-keygen -t ed25519-sk -O resident -C "you@example.com"

  Requires a tap to confirm any git push. Even if malware steals your ssh key files, they're useless without the physical key.
- Right now npm is locking down npm tokens, which will help a lot, but in a trusted publishing world "find SSH keys, git push a malicious tag to trigger a CI deploy" is surely not far down the list of future attack ideas.
- If you do this, add the below to .gitconfig, so you can still fetch via http, without confirmation:

      [url "https://github.com/"]
          insteadOf = "git@github.com:"
      [url "git@github.com:"]
          pushInsteadOf = "https://github.com/"
          # Required to override the insteadOf:
          pushInsteadOf = "git@github.com:"
- This still isn't perfect (you could steal GH sessions via browser cookies, and publish through the web interface instead) but it does remove one relatively easy avenue. w3c.github.io/webappsec-db... should help with the web session theft in future anyway hopefully!
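
The URL rewriting described in the thread above can be checked with git itself. This is an added example, not part of the original posts: it writes the quoted settings into a throwaway HOME and reports the fetch and push URLs git resolves for a remote (`example/repo` is a placeholder repository path).

```bash
#!/usr/bin/env bash
# Added example: show how git resolves fetch vs push URLs under the
# url.*.insteadOf / pushInsteadOf settings quoted in the thread.
# A temporary HOME is used so the real ~/.gitconfig is never touched.
# "example/repo" is a placeholder repository path.

resolve_urls() {
  # $1 = remote URL as it would be stored in the repository's config
  local remote_url="$1" sandbox
  sandbox="$(mktemp -d)" || return 1
  (
    export HOME="$sandbox" GIT_CONFIG_NOSYSTEM=1
    unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
    cat > "$HOME/.gitconfig" <<'EOF'
[url "https://github.com/"]
    insteadOf = "git@github.com:"
[url "git@github.com:"]
    pushInsteadOf = "https://github.com/"
    # Required to override the insteadOf:
    pushInsteadOf = "git@github.com:"
EOF
    git init -q "$HOME/repo" && cd "$HOME/repo" || exit 1
    git remote add origin "$remote_url"
    # get-url expands insteadOf / pushInsteadOf before printing
    printf 'fetch=%s push=%s\n' \
      "$(git remote get-url origin)" \
      "$(git remote get-url --push origin)"
  )
  local rc=$?
  rm -rf "$sandbox"
  return $rc
}

# Remotes added in either form end up fetching over HTTPS (no key tap)
# and pushing over SSH (hardware-backed key, tap required).
resolve_urls "git@github.com:example/repo.git"
resolve_urls "https://github.com/example/repo.git"
```

Running `git remote get-url origin` and `git remote get-url --push origin` in a real checkout gives the same view for the live configuration.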
- Reposted by Tim Perry: cloudflare's on-duty IT staff bangs on the doors which I have padlocked from the inside as I calmly break open lava lamp after lava lamp and drink the contents
- These AWS & Cloudflare mega-outages are honestly embarrassing as an industry. Eugh. What are we doing??? We have so many tools & processes for ensuring reliability, but somehow two vendors can each single-handedly wipe everything out anytime.
- The latest npm attacks & changes have pushed me to set up Trusted Publishing via GitHub Actions, and honestly it's actually fantastic. Didn't realise how much hassle & friction manual publishing was. npm version + push --tags is incredibly convenient (and safer + more verifiable for everyone!)
- I've basically been listening to this album on a loop for the last couple of weeks now, highly recommended. I definitely don't like all jazz, but sometimes it really can be spectacular: open.spotify.com/album/5whNm4...
- Barcelona is the first city in the world to commit to the UN's #opensource principles: ajuntament.barcelona.cat/digital/en/a... (specifically, these: unite.un.org/en/news/osi-..., including OSS by default, open participation & interoperability) Glad to be building HTTP Toolkit here! Great city.
- In related news, it's Open Tech Week here (canodrom.barcelona/ca/opentechw...) with a selection of events orbiting around Mozilla DevFest this coming weekend. Anybody I know going to DevFest? TBC but I'm likely to be there on Friday.
- Reposted by Tim Perry: i write to you with solemn news. i am in paris, writing my life’s only masterwork. i spend my days drinking good espresso and smoking inexpensive cigarettes, writing clear and hard about what hurts. as such, i cannot ‘Log On’ - and friend - i will not attend your ‘laser-focused mesh network webinar’
- Curious to see if after yesterday's AWS shitshow (a major outage, sure it happens, but also very poor communication & extremely slow recovery) anybody is considering alternatives? I'm honestly surprised by the level of dominance of AWS, there are plenty of other interesting options out there.
- Especially looking at stories like www.dexerto.com/entertainmen... I'd really love to see this lead to more IoT prioritising local control instead of AWS-for-everything (or at least, local fallbacks).
- Surprises me more things don't do this tbh. Doesn't seem that hard to do with mdns etc, you can still have a cloud as well for tricky networks, non-local control or advanced features, but local-connectivity-where-possible gives you a huge boost to reliability _and_ drops your server load.
- Reposted by Tim Perry: tired: it's always DNS inspired: ICANN feel it coming in the air tonight
- After the recent npm attacks, really feels like the wind is in the sails of passkeys. Unphishable auth suddenly seems like a core requirement! Currently going through providers to make sure I've got my yubikeys everywhere... Surprisingly limited options even in pure infra providers like @bunny.net.
- Excitingly I've just seen BitWarden employees hinting that they're adding unlock support in the extension etc with passkeys, which will polish the UX for all this very nicely.
- End goal: all the passwords live in BitWarden, all 2FA runs via a Yubikey that lives on my keyring, all unphishable. Login anywhere with a yubikey tap for BW, 2fa with another yubikey tap, done.
- And in terms of recovery, I just need to know the BitWarden password, and be able to get access to one of my yubikeys (there's a backup stashed away) or the backup-backup recovery codes, and I can always get back in.
- Node v25 is here! github.com/nodejs/node/...
- Reposted by Tim Perry: Another year of paying #opensource maintainers for their hard work 🦾 alongside the rest of the OpenSourcePledge.com businesses, and to celebrate: we're back up on the NASDAQ tower in Times Square!
- Very interesting to see engineering.fb.com/2025/10/07/o... but a bit sad. I'm yearning for a world where React simplifies down again and focuses on a core base, but it definitely feels like expansion & adding complexity is the name of the game right now. No change here.
- My kingdom for a world where hooks die and get replaced by something with less magic and more normal JS semantics 🙏 Classes had their issues, but at least they behaved the same way as all the rest of my codebase.