Posts on Upsonar Blog

SRI Hash Mismatches: The Silent Dependency Failure Your Monitor Says Is Up

Sat, 11 Apr 2026 00:00:00 +0000

Subresource Integrity is one of the few web-platform security features with zero downsides in theory and a real footgun in practice. The theory is simple: you pin a cryptographic hash of the file you expect, and if a CDN is ever compromised and starts serving something different, the browser refuses to run it. In practice, the browser also refuses to run the file when nothing malicious happened at all — someone just released a patch version, or the minifier output shifted, or a new encoding header changed the bytes. From the browser’s point of view, the two cases are indistinguishable.

Why Your Uptime Monitor Silently Ignored the Last CDN Outage

Sat, 11 Apr 2026 00:00:00 +0000

June 8, 2021, 9:58 UTC. Fastly pushes a configuration change. A latent bug in their Varnish-based edge detonates globally. For the next hour, Reddit, Amazon, The New York Times, The Guardian, CNN, Gov.uk, Twitch, Shopify, and Stack Overflow are all broken.

During that hour, every one of those sites’ uptime monitors reported them as up.

Not “up but degraded”. Not “warning”. Up. HTTP 200 OK.

This is not a bug in any specific uptime monitor. It is a fundamental category limit of how they work. Here is the technical gap.

Free Automated Status Pages That Detect CDN and Third-Party Outages

Mon, 16 Mar 2026 00:00:00 +0000

A status page is a public-facing dashboard that shows the real-time operational health of your services to customers and stakeholders. Upsonar status pages are now live — create a page, connect your monitors, and publish. Your page updates automatically when something goes down.

No manual toggling. No “we’ll update this shortly.” Your monitoring data drives the status page in real time.

Why most status pages fail during outages

Most status pages today are disconnected from actual monitoring. Someone has to manually change component status during an incident — if they remember. The result: your CDN goes down, your site breaks, but the status page still says “All Systems Operational.”

How to Monitor Third-Party Dependencies on Your Website

Thu, 12 Mar 2026 00:00:00 +0000

Your website loads dozens of external resources on every page view — CDN-hosted JavaScript, Google Fonts, analytics scripts, payment forms, chat widgets. When any of them fails, your page breaks. But most monitoring tools only check your server.

This guide shows you how to find every external dependency on your site and set up monitoring so you know when one fails — before your users report it.

Step 1: Find your dependencies

Before you can monitor dependencies, you need to know what they are. Most website owners don’t have a complete list of the external resources their pages load.

What Is Website Dependency Monitoring (And Why Your Uptime Monitor Isn't Enough)

Thu, 12 Mar 2026 00:00:00 +0000

Your website doesn’t run in isolation. It loads JavaScript from CDNs, fonts from Google, payment forms from Stripe, analytics from third-party vendors. When any of these fail, your users see a broken page — even though your server is perfectly fine.

Website dependency monitoring is the practice of tracking every external resource your site loads and alerting you when any of them fails. Unlike traditional uptime monitors that only check if your server responds, dependency monitoring checks what your users actually see.

Beyond Soft 404s: 5 Ways Your Website Can Return 200 OK But Still Be Broken

Sun, 08 Mar 2026 00:00:00 +0000

Your uptime monitor says 100% uptime. Google Search Console reports soft 404 errors. Your customers see an error page.

The status code says 200 OK. The page is broken. Your monitor doesn’t know the difference.

Key takeaway: A 200 OK status code only means your server responded — not that users see the right content. Keyword monitoring checks actual page content, catching soft 404s, error pages, and broken deployments that status code monitoring misses.

How We Measure HTTP Timing: DNS, TCP, TLS, TTFB Breakdown

Wed, 25 Feb 2026 00:00:00 +0000

When you check a website’s response time, “847ms” doesn’t tell you much. Is it slow DNS? Network latency? The server itself? You need a breakdown.

At upsonar.io we show exactly where the time goes. Here’s how we do it with Go’s net/http/httptrace package.

The problem

start := time.Now()
resp, _ := http.Get("https://example.com")
fmt.Println(time.Since(start)) // 847ms

847ms. But why? Could be anything.

The solution

httptrace hooks into every phase of an HTTP request. You attach callbacks, and they fire as each phase completes:

Why .dev, .app, .page (and 40+ Other TLDs) Don't Respond to WHOIS

Sun, 22 Feb 2026 00:00:00 +0000

I was building upsonar.io — it monitors uptime, SSL certificates, and domain expiration. When I got to domain expiry alerts, I hit a wall.

Checked .com, .org, .net — worked fine. Then I tried google.dev.

Connection refused.

The investigation

First thought: maybe Google blocks WHOIS queries for their domains? Let me check the WHOIS server for .dev:

$ whois -h whois.iana.org dev

Output (trimmed):

domain: DEV
organisation: Charleston Road Registry Inc.
...
whois:

status: ACTIVE
remarks: Registration information: https://www.registry.google

See that empty whois: field? There’s no WHOIS server for .dev at all.

Why Most SSL Certificate Monitors Are Blind (And How to Fix It)

Thu, 19 Feb 2026 00:00:00 +0000

Google “golang check ssl certificate” and every example looks like this:

conn, _ := tls.Dial("tcp", "example.com:443",
 &tls.Config{InsecureSkipVerify: true})
cert := conn.ConnectionState().PeerCertificates[0]
fmt.Println(cert.NotAfter) // 2026-03-16

53 days left. Great. Ship it.

But your monitor just became blind to 3 out of 4 certificate problems.

The InsecureSkipVerify trap

InsecureSkipVerify: true skips all certificate validation - expiry, trust chain, hostname match. The connection is still encrypted, but Go won’t check if the cert is actually valid.

Why do examples use it? Without it, Go refuses to connect if anything is wrong. You get an error instead of certificate details. For a quick script, that’s inconvenient.

When 200 OK Doesn't Mean Everything Is OK

Mon, 16 Feb 2026 00:00:00 +0000

Last year my site went down. Well, not really “down” — the server was fine. But users saw a broken page because Cloudflare had issues and my CSS wasn’t loading.

My uptime monitor? Green checkmarks everywhere. 100% uptime. Great job.

That’s when I realized: traditional monitoring is broken.

The lie of “200 OK”

Every uptime tool does the same thing:

GET https://your-site.com → 200 OK → "All good!"

But your site isn’t just your server. It’s:

What Happens When Your Domain Expires (And How to Prevent It)

Fri, 13 Feb 2026 00:00:00 +0000

Your domain is the foundation of your online presence. Every page, every email, every API endpoint depends on it. When it expires, everything stops — instantly.

Yet thousands of domains expire every day, often belonging to active businesses that simply forgot to renew. Here’s exactly what happens, day by day, and how to make sure it never happens to you.

The Domain Expiration Timeline

Day 0: Expiration Date

The moment your domain registration expires:

Domain Expiration Monitoring: The Complete Guide

Tue, 10 Feb 2026 00:00:00 +0000

Domain expiration monitoring is the practice of regularly checking when your domains expire and alerting you before they lapse. It sounds simple, but the consequences of getting it wrong are severe — complete website downtime, lost email, damaged SEO, and potentially losing your domain to squatters.

This guide covers everything you need to know about monitoring domain expiration effectively.

Why You Need Domain Expiration Monitoring

Most domain owners assume their registrar handles everything. In reality:

WHOIS vs RDAP: The Future of Domain Lookups

Sat, 07 Feb 2026 00:00:00 +0000

For over 40 years, WHOIS has been the go-to protocol for looking up domain registration data. But it’s showing its age. RDAP (Registration Data Access Protocol) is the modern replacement that ICANN has been rolling out since 2019.

If you manage domains, monitor domain expiration, or work with DNS infrastructure, here’s what you need to know about both protocols.

The Short Version

Feature	WHOIS	RDAP
Created	1982	2015 (RFC 7480-7484)
Response format	Free-form text	Structured JSON
Authentication	None	Optional (tiered access)
Standardization	Informal	IETF standards (RFC)
HTTPS support	No (port 43, plain text)	Yes (HTTPS by default)
Internationalization	Limited	Full Unicode support
Server discovery	Manual / hardcoded	IANA bootstrap registry
Status	Being phased out	Replacing WHOIS

For everyday domain checks, both give you the same essential information: registration dates, expiry date, registrar, name servers, and status codes.