ZeroDaily is a high-performance, serverless, and automated cybersecurity newsletter platform that aggregates, summarizes, and broadcasts threat intelligence, CVEs, and security news.
The live platform is accessible at: zerodaily.in
ZeroDaily is designed to be highly reliable, cost-efficient, and capable of scaling to zero when idle, while easily absorbing traffic spikes. It features a serverless architecture designed to run seamlessly in AWS Lambda combined with Amazon S3 and Amazon DynamoDB, while offering compatibility with containerized Docker environments.
```mermaid
flowchart TD
    subgraph Client ["🌐 Client Layer"]
        User["User Browser"]
        Admin["Admin Panel"]
    end
    subgraph CDN ["⚡ Delivery & Edge"]
        Route53["AWS Route 53 / DNS"]
        APIGateway["AWS API Gateway"]
    end
    subgraph Compute ["⚙️ Serverless Compute"]
        Lambda["AWS Lambda (Flask App / WSGI)"]
    end
    subgraph Storage ["💾 Data & Storage Layer"]
        S3["Amazon S3 (Issues JSON & Logo)"]
        Dynamo["Amazon DynamoDB (Subscribers & Tokens)"]
        SQLite["SQLite /tmp (Transient Tracking/Dev)"]
    end
    subgraph External ["✉️ External Services"]
        Resend["Resend API (Double Opt-In & Broadcast)"]
        LLM["Groq / OpenAI API (AI Summarization)"]
    end
    User -->|HTTPS| Route53
    Route53 --> APIGateway
    APIGateway --> Lambda
    Admin -->|JWT Auth| Lambda
    Lambda -->|Get Issues / Serve Logo| S3
    Lambda -->|Manage Subscribers| Dynamo
    Lambda -->|Log Telemetry| SQLite
    Lambda -->|Verify & Broadcast| Resend
    Lambda -->|Generate Issues| LLM
```
Deploying a state-of-the-art web application on AWS requires overcoming serverless limitations while optimizing performance and cost. ZeroDaily achieves this through the following core designs:
- ASGI/WSGI Adapter: The Flask application is mapped to Lambda handler entry points using lightweight adapters (like Zappa or Mangum). Requests from AWS API Gateway are converted to standard WSGI environments.
- Scale-to-Zero Efficiency: Since newsletters are processed in batch intervals and user reads occur sporadically, hosting the application on Lambda ensures that compute costs are strictly pay-per-request, scaling down to $0.00 when there is no traffic.
- Cold Start Optimization: The codebase maintains a tiny dependency footprint and uses modular imports so that container initialization times remain under 200ms.
- Decoupled Data Store: Weekly newsletter issues are generated offline or asynchronously via AI summaries and stored as structured JSON blobs (`issue_YYYY-MM-DD.json`) in an S3 bucket.
- Zero-Database Reads for Content: When a reader requests a daily issue or visits the archive page, the Lambda function fetches the JSON directly from S3. This reduces read loads and database contention to zero.
- S3 Logo & Asset Service: Dynamic brand assets like `logo.png` are served via a dedicated stream handler directly from S3, featuring customized HTTP response headers (`Cache-Control: public, max-age=86400`) to enable browser-side caching.
- Single-Table Design: The subscriber registry is stored in a DynamoDB table. Since DynamoDB offers sub-millisecond lookups, subscriber lookup operations during verification and email broadcasting are lightning fast.
- Secondary Indexes: Global Secondary Indexes (GSIs) are configured on the `verification_token` and `unsubscribe_token` fields, enabling O(1) query performance during authentication and unsubscribe events without performing expensive table scans.
- Automated Intelligence Ingestion: Integrated parser utilities digest security feeds (`feedparser`, `newspaper3k`, `beautifulsoup4`) and employ Groq/OpenAI APIs to summarize dry technical CVEs into readable, engaging security updates.
- Robust Double Opt-In Flow: Protects against spam using cryptographic verification tokens. Generates unique `verification_token` and `unsubscribe_token` pairs per subscriber, with email deliverability managed through the Resend API.
- Analytics & Engagement Telemetry: Custom JavaScript trackers log page-views and active reading session durations. The Flask endpoint logs session lengths back to SQLAlchemy and computes average read times to gauge content interest.
- Security Hardening:
  - Admin credentials are verified against bcrypt hashes.
  - Successful logins issue short-lived JWTs (JSON Web Tokens) stored in HttpOnly, SameSite cookies.
  - Flask-Limiter configures aggressive rate-limiting on sensitive subscription/login routes.
  - Honeypot fields (`b_url`) intercept automated spam bots.
- SEO-Engine Ready: Automatically updates an XML sitemap and a standard RSS feed (`rss.xml`) dynamically as new newsletter issues are published. Includes a `robots.txt` configuration to prevent search engine indexing of sensitive endpoints.
- Telemetry Dashboard: An interface for admins to monitor total/recent subscribers, database metrics, average reading time, top pages, and system health status.
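The double opt-in flow and the `b_url` honeypot described in the list above can be sketched as follows. This is an added example, not ZeroDaily's own code: the in-memory dicts stand in for the DynamoDB table and its two token GSIs, and the 24-hour confirmation window and function names are assumptions.

```python
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed confirmation window; the page states no expiry
subscribers = {}       # email -> item (stand-in for the DynamoDB table)
by_verify = {}         # verification_token -> email (stand-in for the GSI)
by_unsub = {}          # unsubscribe_token -> email (stand-in for the GSI)


def subscribe(form, now=None):
    """Handle a signup form; return the verification token to email, or None."""
    now = time.time() if now is None else now
    if form.get("b_url"):  # honeypot: hidden field that a human leaves empty
        return None
    email = form.get("email", "").strip().lower()
    if "@" not in email or email in subscribers:
        return None        # malformed or duplicate: nothing new to send
    item = {"email": email, "verified": False, "created": now,
            "verification_token": secrets.token_urlsafe(32),
            "unsubscribe_token": secrets.token_urlsafe(32)}
    subscribers[email] = item
    by_verify[item["verification_token"]] = email
    by_unsub[item["unsubscribe_token"]] = email
    return item["verification_token"]


def confirm(token, now=None):
    """Mark the subscriber verified; the token is single-use and expires."""
    now = time.time() if now is None else now
    email = by_verify.pop(token, None)  # pop: a replayed link finds nothing
    if email is None:
        return False
    item = subscribers[email]
    item["verification_token"] = None
    if now - item["created"] > TOKEN_TTL:
        unsubscribe(item["unsubscribe_token"])  # drop the stale, unverified row
        return False
    item["verified"] = True
    return True


def unsubscribe(token):
    """Remove the subscriber that owns this unsubscribe token."""
    email = by_unsub.pop(token, None)
    if email is None:
        return False
    item = subscribers.pop(email)
    by_verify.pop(item["verification_token"], None)
    return True
```

The two tokens are generated independently, so a leaked unsubscribe link cannot be used to confirm an address and vice versa.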
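The admin session handling listed under Security Hardening, as an added example that is not the project's own code: a standard-library HS256 stand-in for whichever JWT library the application uses, with the algorithm pinned, the expiry enforced, and the cookie flags set. The 15-minute lifetime, the `admin_session` cookie name, `SameSite=Strict` and the `Secure` flag are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

JWT_TTL = 900  # 15 minutes; assumed value for "short-lived"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, now=None):
    """Sign a JWT with the JWT_SECRET_KEY bytes passed as `secret`."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": subject, "iat": now, "exp": now + JWT_TTL}).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"


def verify_token(secret, token, now=None):
    """Return the claims, or None if the token is forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":  # pin alg; rejects "none"
            return None
        good = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64d(sig)):  # constant-time comparison
            return None
        claims = json.loads(b64d(body))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None


def session_cookie(token):
    """Build the Set-Cookie value: HttpOnly and SameSite as on the page, plus Secure."""
    c = SimpleCookie()
    c["admin_session"] = token  # cookie name is hypothetical
    c["admin_session"].update({"httponly": True, "secure": True, "samesite": "Strict",
                               "path": "/", "max-age": JWT_TTL})
    return c["admin_session"].OutputString()
```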
```
├── D:\zeroday/
│   ├── web/                      # Flask Application & Web Layer
│   │   ├── static/               # Local fallbacks for branding assets
│   │   ├── templates/            # Jinja2 HTML templates (Home, Issue, Dashboard, Auth)
│   │   └── main.py               # App entrypoint, routing, tracking, and Admin endpoints
│   ├── lib/                      # Core Business & Infrastructure Logic
│   │   ├── blob_store.py         # Subscribers storage layer (JSON/Blob abstraction)
│   │   ├── content.py            # Issues content fetching, caching, and text search
│   │   ├── db.py                 # SQLAlchemy SQLite engine setup (views, durations)
│   │   ├── health.py             # Multi-point system dependency diagnostic checks
│   │   ├── notifications.py      # Resend email client integration (double opt-in)
│   │   └── validation.py         # Email normalization & parsing safety checks
│   ├── data/                     # Local database storage volume directory
│   ├── start.sh / stop.sh        # Docker Compose initialization shell scripts
│   ├── update.sh / rollback.sh   # Zero-downtime deployment pipelines for host servers
│   └── docker-compose.yml        # Orchestration configuration for local development
```
| Environment Variable | Description |
|---|---|
| `AWS_REGION` | The region where S3 bucket and DynamoDB tables reside (e.g., `us-east-1`). |
| `S3_BUCKET_NAME` | The Amazon S3 bucket name holding asset and issues JSON files. |
| `DYNAMODB_TABLE` | The Amazon DynamoDB table storing subscriber list profiles. |
| `RESEND_API_KEY` | Transactional email client key used for delivering double opt-in mails. |
| `GROQ_API_KEY` / `OPENAI_API_KEY` | API tokens used during daily news ingestion. |
| `ADMIN_USERNAME` | Bcrypt-hashed admin username. |
| `ADMIN_PASSWORD` | Bcrypt-hashed admin password. |
| `JWT_SECRET_KEY` | Symmetric key used to sign Admin Web tokens. |
| `FLASK_SECRET_KEY` | Web application session signing key. |
This project is licensed under the MIT License - see the LICENSE file for details.