Forem: Sarim Nadeem

From One to One Billion: A Guide to System Scalability

Sarim Nadeem — Wed, 22 Apr 2026 12:12:00 +0000

From One to One Billion: A Guide to System Scalability

In the world of modern computing, scalability isn't just a "nice-to-have" feature—it is the difference between a successful application and a system crash. Whether you are building a small app or a global service, understanding how to handle growth is essential.

1. What is Scalability?

At its core, scalability is the property of a system to handle a growing amount of work. It is a characteristic that applies to everything in the tech stack: computers, networks, algorithms, and even networking protocols.

The Two Ways to Scale

When a system needs more power, there are generally two directions to go:

Vertical Scaling (Scale Up): Adding more power (CPU, RAM) to an existing machine.
Horizontal Scaling (Scale Out): Adding more machines to your network to share the load.

2. Concurrency vs. Parallelism

These two terms are often used interchangeably, but they represent very different concepts in logic and execution.

Concurrency

Concurrency is the ability of a system to manage multiple tasks at once. It doesn't necessarily mean they are running at the same instant; instead, the system uses time-sharing (context switching) to juggle them. This improves responsiveness and throughput.

Parallelism

Parallelism is the simultaneous execution of tasks on multiple processing units (like a multi-core CPU).

Key Difference: Concurrency is about dealing with lots of things at once. Parallelism is about doing lots of things at once.

3. High-Performance Computing (HPC) & Scaling Laws

When we talk about extreme levels of performance, we use two specific notions of scaling to measure efficiency:

Strong Scaling: How the solution time varies with the number of processors for a fixed total problem size.
Weak Scaling: How the solution time varies with the number of processors for a fixed problem size per processor.

The Bottleneck Rule: Amdahl’s Law

Amdahl’s Law is the most critical concept to understand when scaling software. It explains a harsh reality: You cannot make a program infinitely fast just by adding more processors.

The speed of your program is always limited by the part that cannot be run in parallel (the "serial" part). If a portion of your code must happen in a specific order, that portion will eventually become your bottleneck.

1. The Formula

To calculate the theoretical speedup of a task, we use this formula:

$$S_{latency}(s) = \frac{1}{(1 - p) + \frac{p}{s}}$$

2. Breaking Down the Variables

$S_{latency}$: This is the Total Speedup you actually achieve.
$p$: The percentage of the program that can be parallelized (e.g., 0.95 for 95%).
$(1 - p)$: The Serial Part that must run one step at a time.
$s$: The Resource Speedup (usually how many CPU cores you are adding).

3. The "Plain English" Explanation

Imagine you are baking a cake.

Parallel Part ($p$): Cracking 10 eggs. If you have 10 people, you can do this almost instantly.
Serial Part ($1-p$): Baking the cake in the oven. No matter how many people you have in the kitchen, the cake still takes 30 minutes to bake.

The Takeaway: If the "baking time" (serial part) takes up 50% of your total process, your total speedup will never exceed 2x, even if you hire a thousand chefs to crack the eggs.

4. Why This Matters for Scalability

When you scale a system, you must identify the serial bottlenecks first. Adding more hardware (Horizontal Scaling) only helps the parts of your code that are "parallel-ready." If your database lock or your network handshake is serial, that is where your scaling will hit a wall.

4. Web Scale Computing

"Web Scale" is a term popularized by cloud giants like Google, Amazon, and Netflix. It refers to architectures that enable extreme levels of agility and scalability.

Web Scale Computing involves:

Interprocess Communication (IPC): The sharing of data between running processes to ensure the system stays synchronized.
Elasticity: The ability to automatically scale resources up and down based on real-time demand.
Indeterminacy: Managing the unpredictable effects that happen when thousands of cores and massive networks interact simultaneously.

5. Why Does This Matter?

Understanding these principles allows you to build systems that don't just work today, but continue to work as your user base grows. By mastering the balance between IPC, Parallelism, and Horizontal Scaling, you can achieve "Web Scale" levels of performance.

The Internet’s Bouncer: A Clear Guide to SOP and CORS

Sarim Nadeem — Tue, 14 Apr 2026 11:06:57 +0000

The Internet’s Bouncer: A Clear Guide to SOP and CORS

If you’ve ever seen a red error message in your browser console shouting about "Cross-Origin Request Blocked," you’ve met the web’s most important security duo: SOP and CORS.

Here is everything you need to know to understand how they work together to keep the web safe.

What is Same-Origin Policy (SOP)?

The Same-Origin Policy (SOP) is a fundamental security feature implemented by web browsers. It’s like the internet’s bouncer, preventing web pages from making requests to different origins unless they match.

Without SOP, malicious websites could easily access sensitive data on other tabs you’ve got open—imagine your bank account details hanging out for all to see!

What Defines an "Origin"?

If any of these three components differ between two URLs, they are considered to have different origins:

Protocol (e.g., http vs. https)
Domain (e.g., example.com vs. api.example.com)
Port (e.g., :80 vs. :443)

Example:

https://example.com:443/page1  ✅ Same origin as https://example.com:443/page2
http://example.com/page1       ❌ Different origin from https://example.com/page2 (different protocol)

How SOP Restricts Interactions

To protect your data, the browser restricts what scripts can do across origins:

Cookies: You can only access cookies for your own origin.
Storage: LocalStorage and SessionStorage are origin-specific. No peeking at someone else’s data!
DOM Access: A script from Origin A cannot access the DOM of a page from Origin B.
AJAX/Fetch Requests: Requests are blocked by default unless explicitly allowed.

What Is CORS (Cross-Origin Resource Sharing)?

CORS is a security feature that allows or restricts resources on a web server to be requested from a different domain. It’s like giving permission to certain websites to knock on your server’s door and grab some data.

Without CORS, web pages are locked in their own origin-sandbox, unable to communicate with external APIs, CDNs, or other resources.

Why Is CORS Important?

Enforces SOP: It makes the strictness of SOP flexible for legitimate communication.
Controlled Sharing: Servers can whitelist specific domains to keep data safe.
Prevents Attacks: It helps protect against attacks like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS).

The CORS Workflow

1. Simple Requests

These include GET, POST, and HEAD requests that don’t require special handling.

The browser sends the request with an Origin header.
If the server returns an Access-Control-Allow-Origin header that matches, all is good.

2. Preflight Requests

These are like asking the server, "Hey, is it cool if I send a DELETE request?" before making the actual request. This is done via an OPTIONS call.

CORS Headers You Should Know

Access-Control-Allow-Origin: Specifies which origins are allowed access.
Access-Control-Allow-Methods: Defines permitted HTTP methods (GET, POST, etc.).
Access-Control-Allow-Headers: Specifies which custom headers can be used.
Access-Control-Allow-Credentials: Allows cookies or authorization headers to be included.

The Wildcard Policy

A wildcard * is appropriate when an API response is intended to be accessible to any code on any site, such as Google Fonts.

Note: The value of * is special because it does not allow requests to supply credentials. This means it won't allow HTTP authentication, SSL certificates, or cookies to be sent in the cross-domain request.

Summary

SOP is the "Default Deny" policy that keeps your browser secure.
CORS is the "Explicit Allow" protocol that lets modern web apps talk to each other.

Happy coding!