POST https://kbin.spritesserver.nl/f/inbox

Query Metrics

1 Database Queries
1 Different statements
39.28 ms Query time
0 Invalid entities
0 Cache hits
0 Cache misses
0 Cache puts

Queries

# Time Info
1 39.28 ms
INSERT INTO messenger_messages (body, headers, queue_name, created_at, available_at) VALUES(?, ?, ?, ?, ?)
Parameters:
[
  "{"payload":"{\"@context\":[\"https:\/\/join-lemmy.org\/context.json\",\"https:\/\/www.w3.org\/ns\/activitystreams\"],\"actor\":\"https:\/\/programming.dev\/c\/programmer_humor\",\"to\":[\"https:\/\/www.w3.org\/ns\/activitystreams#Public\"],\"object\":{\"id\":\"https:\/\/lemmy.cafe\/activities\/update\/5ed80b35-3d7b-4a32-990c-df0fc8a59d61\",\"actor\":\"https:\/\/lemmy.cafe\/u\/adminofoz\",\"@context\":[\"https:\/\/join-lemmy.org\/context.json\",\"https:\/\/www.w3.org\/ns\/activitystreams\"],\"to\":[\"https:\/\/www.w3.org\/ns\/activitystreams#Public\"],\"object\":{\"type\":\"Note\",\"id\":\"https:\/\/lemmy.cafe\/comment\/14470760\",\"attributedTo\":\"https:\/\/lemmy.cafe\/u\/adminofoz\",\"to\":[\"https:\/\/www.w3.org\/ns\/activitystreams#Public\"],\"cc\":[\"https:\/\/programming.dev\/c\/programmer_humor\",\"https:\/\/lemmy.world\/u\/themaninblack\"],\"content\":\"<p>By no means am I the microservices guy. Im more of a self hosted person than anything and used to always be a monolith guy and would still prefer that in many situations. But now I would at least \u201cwrap\u201d the monolith with supplemental self hosted microservices.<\/p>\\n<p>But this is the logic as I understand it and the key thing. If a malicious actor compromises one utility they likely made a lot of noise doing it, a lot of that can be mitigated with a proactive WAF. There are a few free solutions here\\nCrowdsec WAF (ModSecurity, i think is another, working from memory could be wrong) has a decent signature detection and shared banned list.  If you couple it with proper alerting you should be able to see, watch and isolate attackers in near real time. So even if they get the gateway and you messed up alerting on WAF, you still have your fall back EDR alert for when gatewayUser starts issuing ping commands and performing asset discovery. So  should see it days before then (unless 0 day or nation state etc).<\/p>\\n<p>They will still do damage you are absolutely right. 
But let\u2019s assume a three tiered microservice approach where you have something like pocketdb for Auth, Umami for analytics and postgres for paid api data. Now an issue in pocketbase can absolutely ruin you. But you know what wont ruin you. Metadata storage of their profile picture in postgres. Sure one user gets access to your paid api data but they don\u2019t have your user data and no one else is impacted.<\/p>\\n<p>Additionally look at actual CVEs related to pocketbase and you will find a lot to do with OATH so its simple. Disable OATH for best security. Put a waf in front of your app using something like traefik with crowdsec catch bad actors when they try to abuse your non existent OATH endpoint and ban them instantly.<\/p>\\n<p>Is it perfect, no. Any determined actor will find a way into any system given enough time. But a layered approach like this is best in my opinion.  Of course it needs modified for every system this is just one example.<\/p>\\n\",\"inReplyTo\":\"https:\/\/lemmy.world\/comment\/20444139\",\"mediaType\":\"text\/html\",\"source\":{\"content\":\"By no means am I the microservices guy. Im more of a self hosted person than anything and used to always be a monolith guy and would still prefer that in many situations. But now I would at least \\\"wrap\\\" the monolith with supplemental self hosted microservices. \\n\\nBut this is the logic as I understand it and the key thing. If a malicious actor compromises one utility they likely made a lot of noise doing it, a lot of that can be mitigated with a proactive WAF. There are a few free solutions here\\n Crowdsec WAF (ModSecurity, i think is another, working from memory could be wrong) has a decent signature detection and shared banned list.  If you couple it with proper alerting you should be able to see, watch and isolate attackers in near real time. 
So even if they get the gateway and you messed up alerting on WAF, you still have your fall back EDR alert for when gatewayUser starts issuing ping commands and performing asset discovery. So  should see it days before then (unless 0 day or nation state etc).  \\n\\nThey will still do damage you are absolutely right. But let's assume a three tiered microservice approach where you have something like pocketdb for Auth, Umami for analytics and postgres for paid api data. Now an issue in pocketbase can absolutely ruin you. But you know what wont ruin you. Metadata storage of their profile picture in postgres. Sure one user gets access to your paid api data but they don't have your user data and no one else is impacted. \\n\\nAdditionally look at actual CVEs related to pocketbase and you will find a lot to do with OATH so its simple. Disable OATH for best security. Put a waf in front of your app using something like traefik with crowdsec catch bad actors when they try to abuse your non existent OATH endpoint and ban them instantly.\\n\\nIs it perfect, no. Any determined actor will find a way into any system given enough time. But a layered approach like this is best in my opinion.  Of course it needs modified for every system this is just one example. 
\",\"mediaType\":\"text\/markdown\"},\"published\":\"2025-11-12T01:00:02.131575Z\",\"updated\":\"2025-11-12T01:39:58.008023Z\",\"tag\":[{\"href\":\"https:\/\/lemmy.world\/u\/themaninblack\",\"name\":\"@themaninblack@lemmy.world\",\"type\":\"Mention\"}],\"distinguished\":false,\"language\":{\"identifier\":\"en\",\"name\":\"English\"},\"audience\":\"https:\/\/programming.dev\/c\/programmer_humor\",\"attachment\":[]},\"cc\":[\"https:\/\/programming.dev\/c\/programmer_humor\",\"https:\/\/lemmy.world\/u\/themaninblack\"],\"tag\":[{\"href\":\"https:\/\/lemmy.world\/u\/themaninblack\",\"name\":\"@themaninblack@lemmy.world\",\"type\":\"Mention\"}],\"type\":\"Update\",\"audience\":\"https:\/\/programming.dev\/c\/programmer_humor\"},\"cc\":[\"https:\/\/programming.dev\/c\/programmer_humor\/followers\"],\"type\":\"Announce\",\"id\":\"https:\/\/programming.dev\/activities\/announce\/update\/d78b7aa9-9a04-4f15-a1d4-8e43e409f8a8\"}","request":{"host":"kbin.spritesserver.nl","method":"POST","uri":"\/f\/inbox","client_ip":"162.55.240.75"},"headers":{"content-type":["application\/activity+json"],"host":["kbin.spritesserver.nl"],"date":["Wed, 12 Nov 2025 01:40:25 GMT"],"digest":["SHA-256=Dl7Th4Ejhu8oPEC+fZJZl++GTmgSB3OneqU1J9W7AbU="],"signature":["keyId=\"https:\/\/programming.dev\/c\/programmer_humor#main-key\",algorithm=\"hs2019\",headers=\"(request-target) content-type date digest host\",signature=\"lDhkMJzXYxab2MSSAVqHUGPUJJ\/r66CeGx7tofUkWOAGnzNjAuTggD+PKKDRMSI3Z9sXOmDrRt1FvnCR6LsTSUtguwNOoNP6Duh+lsCqwbBxVdZ8g9pVwsWPGBkfVT2lNHiv27DPZYeM9KXwjtlbu8dPwZi0suko8QIe5VTj0OPZNw43zpi\/1bpKAjw\/XRq0O8pDANKmeWmdPyFlMh1wImBE0IZBIiR9e0vkZnSKraL9N3X\/Xx45SGTD42jBRlmnha3kmxQXNF8kQw9BgXbiJd6KL2+KPjlFHi\/MSHelYBJEB2mbPr7i0eLoLo8MFjyqOLNo\/B02V4VtCXqxwoH2aA==\""],"accept":["*\/*"],"user-agent":["Lemmy\/0.19.13; +https:\/\/programming.dev"],"accept-encoding":["gzip"],"content-length":["5723"],"x-php-ob-level":["1"]}}"
  "{"type":"App\\Message\\ActivityPub\\Inbox\\ActivityMessage","X-Message-Stamp-Symfony\\Component\\Messenger\\Stamp\\BusNameStamp":"[{\"busName\":\"messenger.bus.default\"}]","Content-Type":"application\/json"}"
  "default"
  "2025-11-12 01:40:25"
  "2025-11-12 01:40:25"
]

Database Connections

Name Service
default doctrine.dbal.default_connection

Entity Managers

Name Service
default doctrine.orm.default_entity_manager

Second Level Cache

0 Hits
0 Misses
0 Puts

Entities Mapping

No loaded entities.