‼️‼️‼️‼️‼️‼️ NEW WEBSITE!!! ‼️‼️‼️‼️‼️‼️
Posted: Mon Jan 19, 2026 7:02 pm
Hey guys! As some of you know, a lot has been going on behind the scenes at GOTOES.
This past summer, GOTOES started getting hit with a sustained bot/DDoS problem that (unfortunately) has continued. I turned on Cloudflare protection, but the attackers quickly found ways around it by bypassing Cloudflare and hammering the origin directly. To stop that, I migrated to a higher-performance server and tightened things down hard: an extremely strict firewall on the server side, plus a much stricter “I am human” regime in Cloudflare.
Along the way I had some bad luck: the “fresh clean” server I was paying for was actually misconfigured, causing intermittent latency issues — which you may have noticed around January 1–12. I also had to put several formerly-free features behind a paywall to protect them from bot abuse.
That is not what I wanted. My goal is for GOTOES to stay “mostly free” so anyone can use it. But the bots were literally taking down the site on a daily basis. I still need donations to pay for the server (about $1300/year just in hosting), and that doesn’t include my time. For the last ~5 weeks I’ve basically been behind my computer 16–17 hours a day rewriting major parts of the site from scratch.
The purpose of this overhaul is twofold:
- Security / Lockdown: The bot attacks made it obvious the codebase needed to be much more locked down. I’ve added a very strict Content Security Policy (CSP), tightened the perimeter, and made a lot of changes aimed at making the site more resilient.
- FIT feature velocity: The previous architecture made it time-consuming to add or iterate on FIT file features. The revamp should let me move faster on esoteric feature requests. If you have a pending request I haven’t addressed yet, I’m sorry — my plan is to answer those requests once the migration is complete.
Coming soon: the “flip the switch” moment
In the next couple weeks, we’re going to do a final cutover. There will be a minor disruption:
- Strava + Garmin reconnect required: All existing connections will be removed, and you’ll need to reconnect on the new system.
- Garmin auth upgrade: As part of the migration, GOTOES is moving to Garmin’s recently announced OAuth 2.0 / PKCE flow.
- Legacy site access: The legacy site will no longer be available except to donors. The idea is simple: if a donor has a critical workflow that isn’t yet covered in the new system, they can still roll back temporarily until their needs are addressed by the new site.
- Legacy site “freeze”: The legacy site will block new account creation, donations, and account changes — its state will be frozen. Tools should keep working for legacy donors, but Strava connections will effectively be per-site (connecting on the new site can disconnect the old one, and vice versa). Garmin connections on the legacy site will be blocked due to the auth changes.
- Critical: Please tell me immediately if you hit any issues on the new site. I’m aiming to fully sunset the legacy site about 1–2 weeks after the flip.