IndieWebCamp September 12-19, 2014

This is an automatically-generated summary of the IndieWebCamp wiki edits from September 12-19, 2014.

New Pages


Created by on September 16

  • Tue, September 16 Stubbed page with definition, webmention example, potential solutions, example code, myself as indieweb example
  • Tue, September 16 Added additional possible preventative measure, using expiring webmention endpoints
  • Tue, September 16 /* Webmention */
  • Tue, September 16 /* Webmention */ comment that cURL requests should still be possible
  • Tue, September 16 user:danlyke /* Webmention */ added suggestion to spread load out temporally
  • Tue, September 16
  • Wed, September 17 /* Indieweb Examples */
  • Thu, September 18 add subheads, for each how to method, cluster code/downside of IP checking with that suggestion
  • Thu, September 18 resources related to the WordPress pingback vulnerability
  • Thu, September 18 Copy edits, moved most commonly implemented fix to the top of the list

DDOS stands for Distributed Denial of Service, and refers to an attack involving a large quantity of computers making many simultaneous requests to a single site.



As webmention uses the exact same notification/fetch/verify flow as Pingback (but without the unnecessary XMLRPC) it is vulnerable to the known pingback DDOS attack.

Resources related to the WordPress pingback vulnerability:

Specifically, the attack involves an attacker creating a list of many (potentially hundreds of thousands of) websites which support webmention, and sending them all fake webmentions pointing towards the same source URL. All of the servers fetch the same URL simultaneously, and the victim’s servers are overloaded. The attack is unblockable because the requests come from many different IP addresses.

How to avoid

There are several possible measures which could be taken to prevent unwitting participation in this attack.

Expiring token in endpoint

Add an expiring, random or encrypted token to webmention endpoints, preventing the accumulation of lists of endpoints and forcing attackers to look up the webmention endpoint of each of the sites they want to use to DDOS a victim.
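One way to build such an endpoint, as an added example (not code from the wiki page or from any of the sites listed below): the token carries its own expiry time and an HMAC over the post identifier, so the server needs no token database. The names `SECRET_KEY`, `mint_endpoint`, `check_endpoint` and the `/webmention/<post>/<token>` path layout are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Hypothetical per-site secret. A real site loads a persistent key from config.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds; endpoints stay valid for five minutes


def _sign(post_id, expires):
    # Bind the signature to both the post and the expiry time.
    msg = post_id.encode() + b"\0" + struct.pack(">Q", expires)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def mint_endpoint(post_id, now=None):
    """Return the endpoint path to advertise when post_id is fetched."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    raw = struct.pack(">Q", expires) + _sign(post_id, expires)
    token = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"/webmention/{post_id}/{token}"


def check_endpoint(path, now=None):
    """True only for an unexpired token this site minted for that post."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "webmention":
        return False
    _, post_id, token = parts
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return False
    if len(raw) != 8 + 32:  # 8-byte expiry + SHA-256 MAC
        return False
    (expires,) = struct.unpack(">Q", raw[:8])
    # Constant-time comparison, then the expiry check.
    if not hmac.compare_digest(raw[8:], _sign(post_id, expires)):
        return False
    return (time.time() if now is None else now) < expires
```

A harvested list of endpoints goes stale after `TOKEN_TTL` seconds, so each reflector costs the attacker a fresh discovery request.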

Check client IP

Check the client IP of the incoming webmention POST request against the possible IPs of the source URL hostname — if they don’t match, ignore the webmention without ever fetching the source URL.

Example PHP webmention endpoint source code:

// Anti-webmention DDOS measures
// $source, $whitelistedIPs and $request come from the surrounding endpoint code.
// Note: gethostbynamel() returns IPv4 addresses only.
$sourceIps = gethostbynamel(parse_url($source, PHP_URL_HOST));
if ($sourceIps === false) {
  // The source host cannot be resolved. Accept only if whitelisted IPs match.
  $sourceIps = [];
}

$sourceIps = array_merge($sourceIps, $whitelistedIPs);

if (!in_array($request->getClientIp(), $sourceIps)) {
  // Error! Reject before the source URL is ever fetched.
  return new MentionException('x_request_not_from_source_ip', 'The webmention request didn’t come from an IP address which matched the source hostname.');
}
  • This method requires web mentions to be sent by the web server only which isn't necessarily practical all the time. Things like web mention endpoints separate from the web server don't seem possible with this method. This also breaks the use of curl from any IP. This seems overly restrictive. --Bret Comnes 10:38, 16 September 2014 (PDT)
    • As Barnaby notes, the endpoint could accept a hashcash with the request, this should in theory allow one to make requests from cURL 10:50, 16 September 2014 (PDT)


Require a hashcash “payment” parameter or header on incoming webmentions, accepting them if they’ve put enough processing power into the request to slow down a DDOS.
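A hashcash-style check, as an added example (not from the wiki page): the sender must find a counter whose SHA-256 hash over the source, target and issue time has a required number of leading zero bits, while the receiver verifies with a single hash. This is a simplified scheme rather than the actual Hashcash stamp format, and `REQUIRED_BITS`, `MAX_AGE`, `mint_stamp` and `verify_stamp` are assumed names and values.

```python
import hashlib
import itertools

REQUIRED_BITS = 16  # assumed difficulty; raise it to make each request cost more
MAX_AGE = 3600      # assumed: seconds a stamp stays acceptable


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(source, target, issued, counter):
    # The work is bound to this source/target pair and issue time.
    stamp = f"{issued}:{source}:{target}:{counter}".encode()
    return hashlib.sha256(stamp).digest()


def mint_stamp(source, target, issued, bits=REQUIRED_BITS):
    """Sender side: brute-force a counter until the hash is small enough."""
    for counter in itertools.count():
        if _leading_zero_bits(_digest(source, target, issued, counter)) >= bits:
            return f"{issued}:{counter}"


def verify_stamp(stamp, source, target, now, seen, bits=REQUIRED_BITS):
    """Receiver side: reject malformed, stale, replayed or too-cheap stamps."""
    try:
        issued, counter = (int(p) for p in stamp.split(":"))
    except ValueError:
        return False
    if not 0 <= now - issued <= MAX_AGE:
        return False
    key = (source, target, issued, counter)  # parsed values, not the raw string
    if key in seen:
        return False
    if _leading_zero_bits(_digest(source, target, issued, counter)) < bits:
        return False
    seen.add(key)  # remember accepted stamps until they age out
    return True
```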

HEAD request source first

(Amplification mitigation) do a HEAD request to the source URL and check for text/html content type. This doesn’t prevent excess requests but it might reduce server load if the attacker is trying to DDOS a large, expensive-to-serve file e.g. video.

Queue and delay GET source

(Immediate load mitigation) queue and randomly delay actually performing the GET request for the source URL.
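The HEAD pre-check and the delayed queue from the two sections above can be combined in one worker, shown here as an added example (not from the wiki page). `VerificationQueue`, `MAX_DELAY`, and the injected `head` and `get` callables are assumptions; in a real endpoint they would wrap an HTTP client with timeouts and a response size limit.

```python
import heapq
import random

MAX_DELAY = 600  # assumed: spread fetches over up to ten minutes


class VerificationQueue:
    """Holds accepted webmentions and verifies each after a random delay."""

    def __init__(self, head, get, rng=random.random):
        # head(url) -> dict of lower-cased response headers; get(url) -> body text
        self._head, self._get, self._rng = head, get, rng
        self._heap = []
        self._seq = 0  # tie-breaker so heap entries never compare URLs

    def enqueue(self, source, target, now):
        """Schedule verification at a random time within MAX_DELAY."""
        due = now + self._rng() * MAX_DELAY
        heapq.heappush(self._heap, (due, self._seq, source, target))
        self._seq += 1
        return due

    def run_due(self, now):
        """Process every job whose delay has elapsed; return their outcomes."""
        results = []
        while self._heap and self._heap[0][0] <= now:
            _, _, source, target = heapq.heappop(self._heap)
            ctype = self._head(source).get("content-type", "")
            if ctype.split(";")[0].strip().lower() != "text/html":
                # Not an HTML page: never issue the expensive GET.
                results.append((source, "skipped"))
                continue
            body = self._get(source)
            results.append((source, "verified" if target in body else "no-link"))
        return results
```

Because every participating site picks its own delay, fake webmentions sent to many sites at once no longer turn into simultaneous fetches of the victim URL.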

Indieweb Examples

  • Barnaby Walters implemented expiring webmention endpoint tokens as of 2014-09-16; previously had implemented client IP checking on but ran into problems
  • Aaron Parecki implemented expiring webmention endpoints on 2014-09-16. Each request to discover the webmention endpoint for a post results in a unique endpoint that is valid for 5 minutes.
  • …add yourself here!

See Also

Created by on September 13


Discovery of IndieWeb

I discovered IndieWeb through the podcast TWiG, episode 266, 2014-09 (Kevin Marks, Ben Werdmüller, and Erin Jo Richey were on the podcast episode).

The real meat starts at 23 mins 02 secs and ends at 01 h 07 mins 18 secs (the part from 50 mins 50 secs - 56 mins 43 secs can safely be ignored...).


Profile: see my Wikipedia user page.

Credentials: more than 5000 edits on the English Wikipedia.

Reading list



Created by on September 17

  • Wed, September 17 Created page with "'''<dfn>[ indie-stats]</dfn>''' is a Python open source [[project]] that will gather mf2 data for IndieWeb domains and generate stats. Generat..."
  • Wed, September 17 fix link
  • Wed, September 17 fix link
  • Wed, September 17 updated with latest design notes

indie-stats is a Python open source project that will gather mf2 data for IndieWeb domains and generate stats.

Generates a domains.json file for each domain with metadata for the site and its status. This is needed because quite a few of them return 404s or time out.



  • Crawl IndieWeb domains and store
    • mf2 data
    • html content
    • request and response headers
  • Maintain metadata for domains showing their current status
  • Domain list was seeded from IRC-people

Working On

Generate stats

For each domain crawled, the domain, timestamp and data will be passed to a master "cruncher" that will then loop through a list of stat-generating apps. The resulting JSON blob from each generating app will be added, along with namespace and timestamp, to the stat history for the domain.

Domain opt-in and opt-out

Add an endpoint to allow for both opt-in and out for a domain owner - needs to be backed by IndieAuth.

Stat retrieval

Add an endpoint to allow for a call to be made for a domain and a date range and the response will be the json blob of stats.


Created by on September 14


Created by on September 13

Created by on September 14


Paul Tibbetts is a web developer from Birmingham, UK.


WordPress with the following plugins:


Thoughts and Ideas

I do want to make my own thing but can't start on it just yet. Hoping I can help onboard non-IndieWebbers and then with the weaning process from WordPress to other projects for now.

I would love to set up an IndieWebCamp / meet-up in Birmingham, I'll try and get in touch soon to find out as much info as I can.

static site generator

Created by on September 19

Static site generators are programs that take a set of flat text files on disk and transform them into a set of static HTML files ready to be served by a standard web server, or some variation of this.


  • Long term maintenance advantages
  • Archival ready html output
  • Can be hosted on any webserver
  • No "moving parts"; nothing to break
  • Easy to get started
  • Source files can be edited on an operating system. Usually it's just text files!
  • Generators are typically fairly simple programs to write and modify
  • Lots of existing options; Few are better than most
  • ...


  • Most SSGs are written as CLI programs and are difficult for non-technical people to learn
  • Can be difficult to install due to the use of programming language package managers
  • Most SSGs don't scale well with large data sets
  • ...

Popular and Documented SSGs

  • Jekyll
  • Wintersmith
  • Docpad
  • Hakyll
  • Harp


Created by on September 15

  • Mon, September 15 Created page with "{{stub}} '''<dfn>registerProtocolHandler</dfn>''' is a method on the <code>window.navigator</code> object usable from JavaScript in the browser. With it one can register custom ..."

registerProtocolHandler is a method on the window.navigator object usable from JavaScript in the browser. With it one can register custom protocols, like the web+action protocol that's used by indie-config.

Supported in at least Firefox and Chrome.

See Also


Created by on September 19

  • Fri, September 19 Created page with "<span class="h-card"><a href= "http://{{{1}}}" class="u-url">{{#if: {{{3|}}} | {{sparkline|{{{3}}}}} | }}</a> <span class="p-name p-nickname">[[User:{{{1}}}|{{{2}}}]]</span></span>"



Created by on September 19

A manifesto is "a published verbal declaration of the intentions, motives, or views of the issuer, be it an individual, group, political party or government" according to Wikipedia[1].

There is no "indieweb manifesto" nor "indiewebcamp manifesto".

IndieWebCamp does have

but to call either of them a manifesto would be an exaggeration and inaccurate.

Separately from indieweb/indiewebcamp, there is the manifesto - which was developed independently from the indiewebcamp community (e.g. no discussion of it on IRC, nor on this wiki).

See Also


Created by on September 19

  • Fri, September 19 stub with dfn and reference to existing article with even more detail and depth.

The object-oriented-programming antipattern is the excessive / unnecessary use of object-oriented-programming (OOP) and OOP techniques when simple procedural functions would have sufficed, with less overhead, fewer files to navigate around, fewer indirections to follow while debugging, etc.

Articles and references

See Also


Created by on September 16

JWT (JSON Web Token) is a method of encoding and signing JSON data in a URL-safe string.

While JWT is actually designed to represent auth "claims," it can also serve as a general-purpose signing method ignoring all well-defined property names in the spec.


See Also


Changed Pages


15 edits by,,,


7 edits by,,


6 edits by,
  • Mon, September 15 add Why section, put "How to" immediately after IndieWeb examples
  • Mon, September 15 /* Why */ you
  • Mon, September 15 write up a How to PuSH 0.3 off the top of my head with roughly the info I used to get mine working, move notes about 0.4 into a how-to sections, likely needs more "how-to"-ness
  • Mon, September 15 /* Why */ promptness more than efficiency for point 1
  • Mon, September 15 /* Publish PuSH 0.4 */ updated hub list
  • Mon, September 15 /* IndieWeb Examples */ superfeedr -> google’s hub

IRC People

5 edits by user:danlyke,,

4 edits by

web hosting

4 edits by


4 edits by,


4 edits by,,
  • Fri, September 12 Added notes about potential conflict if using IndieWeb plugin in combination with both webmention plugin and semantic-linkbacks plugin
  • Fri, September 12 /* IndieAuth */ not confusion between rel-me links and IndieAuth plugin
  • Fri, September 12 Recommended using either indieweb plugin OR (webmention plugin and semantic-linkbacks plugins)
  • Sun, September 14 /* Other independents using it on their primary site */ add Paul Tibbetts -


3 edits by,,


3 edits by

2 edits by

2 edits by


2 edits by,


2 edits by


2 edits by,

Red Wind

2 edits by


2 edits by


1 edits by

App Engine

1 edits by


1 edits by


1 edits by

1 edits by
  • Tue, September 16 /* For now */ Finished migrating images & applying taxonomy. Disabled Webcomic plugin & switched themes.


1 edits by
  • Sat, September 13 /* Criticism */ First they came for the drag queens...

1 edits by


1 edits by


1 edits by
  • Sat, September 13 expand definition to include key indieweb essentials, more See Also

How to set up web sign-in on your own domain

1 edits by
  • Sat, September 13 change intro text to be more welcoming, contextually relevant


1 edits by


1 edits by


1 edits by


1 edits by


1 edits by
  • Fri, September 19 /* Authentication */ add brief explanation of using pgp with indieauth


1 edits by


1 edits by


1 edits by
  • Thu, September 18 /* Example Tumblrs with microformats */ uses a free IndieWeb-ified Tumblr theme


1 edits by


1 edits by


1 edits by

Posts about the IndieWeb

1 edits by


1 edits by

Getting Started

1 edits by


1 edits by


1 edits by