appsec.fyi

How It Works

The end-to-end pipeline behind appsec.fyi — from content discovery to your browser.

2,500+ Resources
22 Topics
2x daily Auto-builds
0 Frameworks

The Pipeline

Every resource on appsec.fyi flows through a fully automated pipeline. No CMS, no framework, no manual HTML editing. Just Python scripts, a SQLite database, and cron jobs.

[Pipeline diagram: Web / RSS / X → Bookmarks (22 topics) → SQLite DB + AI-generated summaries → Build (20 Python scripts) → Static Site, JSON APIs (5), RSS Feeds (23), Newsletter, Discord Bot, Search Engines. Edge labels: manual curation, categorized, 2x daily sync, 2x daily build.]

1. Discover
I find articles, tools, writeups, and talks across the web — from Twitter, RSS feeds, Hacker News, Reddit, and security mailing lists. When something is worth saving, I bookmark and categorize it under one of 22 topics. A browser extension lets me do this in one click without leaving the page.

2. Sync & Summarize
Twice a day, a cron job syncs new bookmarks into a local SQLite database. Each new resource gets a concise AI-generated summary — no more than 100 words, focused on what the resource covers and why it's useful. Duplicates are caught by URL deduplication.

3. Build
Twice a day, a build script generates the entire site from the database. Every page is static HTML — no JavaScript frameworks, no client-side rendering, no build tools. The build also generates RSS feeds, JSON API endpoints, a search index, the changelog, trending data, an interactive topic graph, and structured data for search engines. Everything is pre-compressed with gzip and served by nginx.

4. Distribute
The site is the primary output, but content also flows to a weekly email newsletter (via Buttondown), RSS feeds (main + per-topic), JSON API endpoints that power a Discord bot, and search engines via IndexNow pings after every build.
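
The URL deduplication mentioned in the Sync & Summarize step, as an added example that is not the site's own code: bookmark URLs are reduced to a canonical key and a SQLite UNIQUE constraint rejects repeats. The table schema, the function names, the tracking-key list and the trailing-slash rule are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
TRACKING = ("utm_", "fbclid", "gclid")  # assumption: query keys treated as tracking noise

def canonical_url(url: str) -> str:
    """Reduce a bookmark URL to a stable key so trivial variants collide."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    # Drop userinfo, default ports and the fragment; they do not change the resource.
    default = {"http": 80, "https": 443}[scheme]
    netloc = host if parts.port in (None, default) else f"{host}:{parts.port}"
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if not k.lower().startswith(TRACKING))
    return urlunsplit((scheme, netloc, parts.path.rstrip("/") or "/", urlencode(query), ""))

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    # The UNIQUE constraint enforces deduplication in the database, across sync runs.
    db.execute("""CREATE TABLE IF NOT EXISTS resources (
        id INTEGER PRIMARY KEY, url TEXT NOT NULL,
        canonical TEXT NOT NULL UNIQUE, topic TEXT NOT NULL)""")
    return db

def sync(db: sqlite3.Connection, bookmarks) -> tuple:
    """Insert new (url, topic) bookmarks; return (added, duplicates, rejected)."""
    added = duplicates = rejected = 0
    for url, topic in bookmarks:
        try:
            key = canonical_url(url)
        except ValueError:               # javascript:, file:, malformed entries
            rejected += 1
            continue
        cur = db.execute("INSERT OR IGNORE INTO resources (url, canonical, topic) "
                         "VALUES (?, ?, ?)", (url, key, topic))  # parameterized
        added += cur.rowcount
        duplicates += 1 - cur.rowcount
    db.commit()
    return added, duplicates, rejected

# Constructed sample bookmarks (not real site data).
SAMPLE = [
    ("https://Example.com/xss-guide/?utm_source=x#intro", "XSS"),
    ("https://example.com:443/xss-guide", "XSS"),
    ("https://example.com/post?id=2&fbclid=abc", "SSRF"),
    ("javascript:alert(1)", "XSS"),
]
```

Running `sync(open_db(), SAMPLE)` stores two rows: the second bookmark collapses into the first, and the `javascript:` entry is rejected before it reaches the database.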

What Gets Built

The build script runs 20 steps in sequence. Here's what it produces:

Automation Schedule

12:00a  Database Sync: Sync new bookmarks to database, generate AI summaries for new resources
2:30a  Full Site Build: Regenerate all 22 topic pages, feeds, APIs, changelog, trending, sitemap. Ping search engines.
(quiet hours — site serves static files)
9:00a  Weekly Newsletter (Mondays only): Trending topics, glossary term of the week, and all new resources — sent via Buttondown
(quiet hours)
12:00p  Database Sync: Second daily sync — catches anything bookmarked during the morning
2:30p  Full Site Build: Second daily build — afternoon resources go live
(quiet hours — Discord bot serves from cached JSON APIs)
4:00a  Broken Link Check (1st of month): Crawls every resource URL. Dead links are automatically hidden from the site.

Quality Control

Not everything that gets bookmarked makes it to the site. Several layers of quality control run automatically:

The Stack

Language: Python
Database: SQLite
Web Server: nginx
Bookmarks: Bookmark Manager
AI Summaries: LLM
Newsletter: Buttondown
Visualization: D3.js
Hosting: VPS + Let's Encrypt

The entire site is static HTML. No React, no Next.js, no Tailwind, no build tools. Pages load in under 200ms. The server runs on a single small VPS with HTTP/2, HTTP/3 (QUIC), and pre-compressed static files.

Why Build It This Way?

Most resource collections are either manually maintained wikis that go stale, or algorithmically generated link farms with no curation. appsec.fyi tries to be neither — human-curated content with automated infrastructure.

The pipeline is designed so that adding a new resource takes seconds (bookmark it), while everything else — summarization, page generation, distribution — happens automatically. The result is a site that stays fresh without requiring daily maintenance.

Built and maintained by Carl Sampson. Questions or ideas? Find me on X or LinkedIn.