When /etc/h*sts Breaks Your Substack Editor: An Adventure in Web Content Filtering
13 points by tiff
I understand people may have reasons not to choose the DIY blog route, but I wonder why writers still put up with a piece of software as horrible as Substack (from a UX perspective) when many alternatives exist that are more independent and more respectful of their users.
Monetization, network effects.
Same reason every video in the world is on YouTube. Everyone searches for videos on YouTube, and it likely has the best view/$ ratio.
Of course, it’s Google who wins money with YouTube; everyone else is a rounding error.
Substack is popular, and many people have the perception it’s the platform where they are most likely to make a buck.
But blogging is not the same as putting up videos. Hosting your own videos is hard, and searching for videos is hard.
There’s grassroots blogging, and there’s monetizable blogging. I feel those two are entirely different worlds.
If you are blogging for “fun”, then surely Substack makes 0 sense. I guess there are still many places where you can host your blog for free without pain. Although unfortunately, this seems to be receding in favor of microblogging and general social networks.
If you write for money, then Substack is alluring. Yes, with video content, hosting is harder due to bandwidth and storage costs. However, getting clicks is still a tough problem, and there’s also handling monetization. Substack has this on their front page:
Our network helps publishers grow and subscribers discover new perspectives.
More than 50% of all subscriptions and 30% of paid subscriptions on the platform come directly from the Substack network. This is happening because there are tens of millions of people active on Substack every week, they understand what it means to subscribe to a publisher, and they are open to discovering new perspectives to fall in love with.
I am suspicious of how effective that is, but I can understand people thinking being on popular platforms is helpful.
(Of course, if everyone is on Substack, then it’s the same as app stores; it’s hard anyway to get into what gets displayed.)
People I’ve met were very happy to be able to earn money from writing. I think that’s the reason.
As a user, I’m actually quite fond of it. It has great email integration, so I get updates from everyone I follow.
That said, I don’t feel like there are enough guardrails for it from enshittification.
This case highlights an interesting tension in web security: the balance between protection and usability.
Sorry but just nope. Any useful protection will not have to “strike a balance”.
Conversely, this is also the reason why this web application firewall is so dumb: What we are seeing here is a generic HTTP-level filter that knows nothing about the underlying architecture. It has to guess what the PUT request does and how URLs and paths are handled.
This kind of nonsense is what you get when security is an afterthought, slapped on after the software has already been built. The actual balances between security and usability are struck elsewhere: Before and during software development.
Sorry but just nope. Any useful protection will not have to “strike a balance”.
Websites could allow users to sign in to their accounts with just a username or account number. Do you claim that additionally requiring a password does not involve striking a balance between protection and usability, or do you claim that passwords provide no useful protection?
No. People have been using authentication on the internet for decades. It’s less of a hurdle than an expectation imho.
You would have a bigger usability issue if everyone can log in as everyone else.
Moxon is worth a read in any context, but specifically here:
https://www.techdirt.com/2025/04/11/a-newsletter-writer-reflects-on-leaving-substack/