{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreifxsb77byz4xvdcfr3q2kln64lb23wdcpvf74dymiwhdvapcumvz4",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3moinhtwhayo2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreihdi4tbvn5poyp7vt5rwzi7saeqmfh3rywsvryvj6tgdtk2cbz2sa"
},
"mimeType": "image/webp",
"size": 186532
},
"path": "/m0dus/i-built-a-financial-terminal-in-the-browser-because-bloomberg-costs-24kyear-and-i-have-opinions-mn9",
"publishedAt": "2026-06-17T15:21:24.000Z",
"site": "https://dev.to",
"tags": [
"serverless",
"showdev",
"sideprojects",
"webdev",
"Finterm",
"@noble/hashes",
"finterm.xyz"
],
"textContent": "The financial data industry runs on vibes and legacy software. Bloomberg Terminal: $24,000/year for a keyboard from 1983 and a UI that looks like it was designed by someone who genuinely hates users. Koyfin: prettier, but $600/year and you're still just renting access to the same SEC filings that are public domain.\n\nI built Finterm — a keyboard-first browser terminal for stocks and crypto. Free tier is actually free, data comes from public sources, and the whole thing runs on Cloudflare Workers at the edge. Here's what building it taught me.\n\n## The platform constraint that broke all my dependencies\n\nI deployed to Cloudflare Workers instead of a Node.js server. This was either the smartest or dumbest decision depending on the day.\n\nWorkers runs V8 isolates, not Node. This means: no `fs`, no `crypto` module (as you know it), no `bcrypt`, no `axios`, no `cheerio`, no `jsdom`. Half of npm just... doesn't work.\n\nPassword hashing is where I have to be honest: `bcryptjs` actually runs on Workers if you enable the `nodejs_compat` flag, which exposes most of `node:crypto` including `crypto.randomBytes`. Not a hard blocker. But I swapped it out for @noble/hashes anyway — pure JS Argon2id, zero Node-compat surface area, and OWASP currently recommends Argon2id over bcrypt for new password storage because it's more memory-hard. The platform pushed me to look at the options, and the better option was right there.\n\nThe SEC data layer was next. The old code used `axios` and `cheerio` to scrape HTML. Both fail on Workers. But scraping was wrong anyway — SEC's EDGAR has a proper JSON API at `data.sec.gov` that barely anyone uses. You get typed company facts, filing histories, the whole thing. No parsing required. The constraint forced the right architecture.\n\n## Getting financial data for free (and why Bloomberg is a scam)\n\nBloomberg's entire moat is: we have the data and you don't. But for US equities, the SEC requires public companies to file machine-readable XBRL data. Every quarterly earnings number, every balance sheet line item, every cash flow figure — it's all in the public domain at `data.sec.gov/api/xbrl/companyfacts/`.\n\nThe fun part is that companies don't all use the same GAAP concept names. Apple reports revenue under `RevenueFromContractWithCustomerExcludingAssessedTax`. Other companies use `Revenues`. Some use `SalesRevenueNet`. You have to build a concept alias map and pick the first one that has data for the period you're looking for:\n\n\n\n const CONCEPT_MAP = {\n revenue: [\n 'Revenues',\n 'RevenueFromContractWithCustomerExcludingAssessedTax',\n 'RevenueFromContractWithCustomerIncludingAssessedTax',\n 'SalesRevenueNet',\n 'SalesRevenueGoodsNet',\n ],\n // ...30 more metrics\n };\n\n\nThe other gotcha: SEC only gives you Q1, Q2, Q3, and FY. There's no Q4 row. You have to synthesise it: `Q4 = FY - (Q1 + Q2 + Q3)`. But this only works for _flow_ metrics (revenue, net income, cash flow). Balance sheet metrics are point-in-time stocks — you just carry the FY close value as Q4 because it's the same date.\n\nFree cash flow isn't in XBRL at all. You derive it: `FCF = operating cash flow - capex`. And capex is reported as a positive outflow (you _paid_ $X), so you subtract it, not add.\n\nBloomberg charges you $24k/year partly for someone to have already figured all this out.\n\n## A data gateway instead of Redis\n\nThe obvious architecture for caching upstream API responses is: Redis. Call upstream, cache in Redis, return to client. This is also the architecture that costs $40/month for Upstash before you've written a line of product code.\n\nThe alternative: route everything through a single Next.js API route and let Cloudflare cache it at the edge.\n\n\n\n GET /api/data/binance/ticker24?symbol=BTCUSDT\n GET /api/data/sec/quarterly?ticker=AAPL\n GET /api/data/fred/series?id=DFF\n\n\nEvery endpoint returns `Cache-Control: s-maxage=N, stale-while-revalidate=86400`. Price feeds get `s-maxage=5`. SEC filings get `s-maxage=3600`. Cloudflare's CDN absorbs the cache hits before they ever reach the worker. Rate limiting only fires on cache misses — exactly the traffic you actually want to throttle.\n\nNo Redis. No Upstash. No cache invalidation logic. Just HTTP semantics working as designed.\n\n## Dual-layer rate limiting\n\nCloudflare Workers has a native rate limiting binding — sub-millisecond, sliding window, in-memory at the edge. But it's eventually consistent across colos. During the ramp-up window, a burst of 10-30 parallel requests from one IP can slip through before the state propagates.\n\nSo there are two layers:\n\n**Layer 1** — Cloudflare's binding: 600 req/min for hot price feeds, down to 5 req/min for bulk registry fetches. Catches sustained abuse.\n\n**Layer 2** — Per-isolate in-memory burst cap: a `Map<key, timestamp[]>` that enforces a per-second limit from a single isolate's perspective. Doesn't share state across isolates, but nails the runaway curl loop and rogue browser tabs immediately while the CF binding catches up globally.\n\n\n\n const BURST_PER_SEC = {\n heavy: 4, // 4/sec/isolate\n bulk: 1, // one registry fetch per second is plenty\n };\n\n\nThe CF binding cap catches scraper farms. The in-memory burst catches the single idiot with a `while(true) { fetch() }` loop. Both are necessary.\n\n## WebGL charts (not TradingView widgets)\n\nKoyfin's charts are TradingView widgets. They're fine. They're also somebody else's software bolted onto your product, and you can't touch the renderer.\n\nFinterm's chart is a custom WebGL renderer — candlesticks, volume bars, crosshair, axes, drawings, indicators, all built from scratch. The reason to go WebGL is simple: you want 5,000 candles to render in under a frame at 60fps. Canvas 2D can't do it. The DOM definitely can't.\n\nThe tricky part was zoom/pan feel. The naive implementation is: on wheel event, call `zoomAt(factor, x)`. This produces stair-step motion — each wheel tick snaps the view to a new discrete state. TradingView doesn't do that, and it's why TradingView feels smooth.\n\nThe fix is RAF-eased momentum. Wheel events accumulate into a target zoom level; each animation frame eases toward it with a decay function. Pan has a sub-pixel offset — fractional bar positions accumulate in a float, and only integer amounts get folded into the data slice. The residual is applied as a matrix translation so the candles actually slide between positions rather than jumping bar-by-bar.\n\nGetting this right took two weeks and about forty rewrites of the interaction handler. \"Don't touch `ZOOM_DIVISOR = 2500` or `MAX_DELTA = 0.012`\" is now in the codebase docs.\n\n## Indicators in a sandboxed Web Worker\n\nUsers can write custom indicators in JavaScript. This is a sandbox problem.\n\nThe solution is a Web Worker that evaluates user code with `Function()`, feeds it the candle history, and enforces a 1-second timeout. The worker is the sandbox — if the code hangs or throws, you terminate the worker and return an error, and the main thread never blocks.\n\nThe contract is deliberately minimal: candles in, `{ outputs, series }` out. Users can implement VWAP, MACD, Supertrend, whatever they want, in ~10 lines of JS. The built-in presets (SMA, EMA, Bollinger Bands, RSI) ship as code strings evaluated through the same sandbox, so there's exactly one code path.\n\n## Pop-out windows and the `ownerDocument` problem\n\nEvery chart window has a popout button that calls `window.open()` and renders the full React component tree into the opened window's document via `createRoot`. This is not a common pattern.\n\nThe bug you hit immediately: `addEventListener('mousemove', handler)` resolves to the _parent_ window's event target, not the popout's. So drag events stop working. `matchMedia` queries the parent window's viewport. `innerWidth` returns the wrong number.\n\nThe fix is `useOwnerWindow`:\n\n\n\n export function useOwnerWindow(ref: RefObject<HTMLElement | null>): Window {\n const [win, setWin] = useState<Window>(() => window);\n useEffect(() => {\n const next = ref.current?.ownerDocument?.defaultView;\n if (next && next !== win) setWin(next);\n });\n return win;\n }\n\n\nEvery component that attaches DOM events uses this instead of the global `window`. Similarly, any `document.createElement` for offscreen canvas nodes goes through `node.ownerDocument.createElement` so it belongs to the right document.\n\nPlain JSX, `fetch`, and `ResizeObserver` are document-agnostic and just work. The only things that care about which `window` they're in are event listeners and layout queries.\n\n## The state of financial tooling\n\nBloomberg's defensible moat is mostly institutional inertia and the Excel add-in. Koyfin's moat is a better UX than Bloomberg, which is a low bar. Neither is particularly hard to build around for retail-scale use cases.\n\nThe data is out there. The EDGAR API is excellent and underused. Binance's REST and WebSocket APIs are clean and fast. FRED has decades of macro data at `api.stlouisfed.org`. CoinGecko's free tier is genuinely generous.\n\nThe hard part isn't access. It's building a data gateway that caches correctly, rate-limits sanely, and doesn't wake you up at 3am because you forgot to pay the Redis bill.\n\n_Finterm is live at finterm.xyz. Free to use._",
"title": "I built a financial terminal in the browser because Bloomberg costs $24k/year and I have opinions"
}