BeBoRE
tRPC doesn't explicitly check Content-Type
OWASP recommends explicitly checking the Content-Type header to be the expected one, but when I pass Content-Type: 'application/xml' to tRPC with JSON, it just parses it like it's JSON, instead of throwing a 400 or something. Is there a reason why this is done this way, and how can I change this behavior?
9 replies
Why use unstable_httpBatchStreamLink in React server components?
When using create-t3-app I noticed that they were using unstable_httpBatchStreamLink in their TRPCProxyClient when using RSC. I find this strange, since you already have access to the actual appRouter, doing an HTTP request to your own server adds a lot of overhead. Why use TRPCProxyClient with unstable_httpBatchStreamLink and why not just use createCaller?
I understand why it's done when rendering 'use client' components on the server, because you don't want server code bundled into the client code. But I fail to understand why they opted to also use this method when rendering server components.
4 replies
Suspend subscriptions when app is in background
When using React Native, subscriptions stay open even when the app is in the background. While this could be good for some applications, in my use case there is no need to keep the app up to date when in the background.
Using the query client you can make React Query not refetch data using the focusManager's setFocused. Is there a way of telling all subscriptions to end when the app loses focus?
I am currently doing this by just setting the enabled option to false whenever the app loses focus. But I would like for this to apply app-wide; it feels a bit hacky to have to define this everywhere I'm subbing to something.
1 reply