Server-Side WebAssembly you own this product

Building portable and secure multi-language apps

Danilo Chiarlone
Foreword by Brendan Burns
Afterword by Luke Wagner

December 2025
ISBN 9781633436206
272 pages

Included with a Manning Online subscription

printed in black & white

available in Korean

catalog / Programming Languages and Styles / System Programming

table of content

Part 1 WebAssembly for architects

1 Introducing Wasm on the server

1.1 What is the server side and where does Wasm fit in?

1.2 The advantages of Wasm for server-side development

1.2.1 Language agnosticism

1.2.2 Performance

1.2.3 Hardware agnosticism

1.2.4 Security

1.2.5 Standards-based and vendor neutrality

1.3 When and where to use Wasm (and when not to)

1.4 How to navigate this book

2 Building server-side applications with Wasm modules

2.1 Understanding Wasm’s building blocks

2.2 Understanding the guest-host architecture of server-side Wasm

2.3 Creating a Wasm app using Rust

2.3.1 Creating a Rust library project

2.3.2 Specifying compilation to a Wasm module

2.3.3 Writing the code for our application

2.3.4 Compiling the Rust code into a Wasm module

2.3.5 Executing the Wasm module with the custom host

2.3.6 Reflecting on the “Hello, World” application

2.4 Building on Wasm’s simple types with WebAssembly Interface Types

2.5 Building the foundation of a smart content management system

3 Enhancing portability and security with Wasm components

3.1 Benefits of Wasm components

3.1.1 Cross-language portability

3.1.2 Shared-nothing security

3.1.3 Only-what-you-need security and improved vulnerability mitigation response

3.2 Building a componentized “Hello, World” guest application with JavaScript

3.2.1 Setting up the project and installing the toolchain

3.2.2 Implementing the component logic

3.2.3 Compiling the Wasm component

3.3 Building a Python host for a JavaScript-bundled Wasm component

3.3.1 Setting up the project and installing the toolchain

3.3.2 Implementing the host logic

3.3.3 Running the Python host

3.4 Expanding the example project with Wasm components

3.4.1 Improving the WIT file for the key-value store

3.4.2 Creating the SmartCMS host

3.4.3 Implementing and running a guest Wasm component inside our SmartCMS host

4 Interfacing Wasm with the underlying system

4.1 The WebAssembly System Interface

4.2 What can you build with WASI?

4.2.1 Creating a CLI application

4.2.2 Creating libraries

4.2.3 Creating HTTP proxies

4.3 Converting a Wasm module to a Wasm component

4.4 Managing component capabilities

4.5 Composing components together

4.6 Expanding our example project with WASI and composability

5 From machine learning to databases: Applications of Wasm

5.1 WebAssembly Standard Interfaces

5.2 Machine learning with Wasm

5.2.1 Understanding ML inference

5.2.2 Using wasi-nn

5.3 Running Wasm inside databases

5.3.1 Making Wasm UDFs

5.3.2 Getting Wasm into SQL

5.3.3 Running Wasm UDFs in libSQL

5.4 Improving our example project with wasi-nn

5.4.1 Setting up our project

5.4.2 Writing the ML Wasm component

5.4.3 Updating our host to use ONNX for wasi:nn

Part 2 WebAssembly for developers

6 Creating production-grade Wasm applications

6.1 Creating a wasmCloud “Hello, World” application

6.2 Adding persistent storage to our Wasm app

6.2.1 Modifying our WIT and wadm manifest

6.2.2 Modifying our application and redeploying it

6.3 Scaling our wasmCloud application

6.4 Distributing our wasmCloud application

6.5 Another off-the-shelf host: Spin

6.5.1 Creating a Spin “Hello, World” application

6.5.2 Comparing wasmCloud and Spin

6.6 Implementing the example project as a wasmCloud app

6.6.1 Adding persistent storage to the SmartCMS

6.6.2 Adding machine learning to the SmartCMS

7 Introducing Wasm containers

7.1 Containers vs. Wasm

7.2 Wasm containers

7.3 Running a Wasm container

7.3.1 Setting up containerd and Wasm support

7.3.2 Building and running the Wasm container

7.4 Wasm and the OCI

7.4.1 Packaging and publishing Wasm components as OCI images

7.4.2 Inspecting Wasm component OCI images

7.4.3 Pulling and running Wasm OCI images

7.5 wasmCloud and Wasm containers

7.6 Converting Linux containers to Wasm

7.6.1 Introducing container2wasm

7.6.2 Installing container2wasm

7.6.3 Using container2wasm

8 Scalability for Wasm with Kubernetes

8.1 Kubernetes and Wasm

8.2 Running Wasm in Kubernetes with SpinKube

8.2.1 Preparing the cluster for SpinKube

8.2.2 Running a Wasm app in Kubernetes with SpinKube

8.2.3 Scaling Wasm in Kubernetes with SpinKube

8.3 Running Wasm in Kubernetes with wasmCloud

8.3.1 Preparing the cluster for wasmCloud

8.3.2 Running a Wasm app in Kubernetes with wasmCloud

8.4 Running the SmartCMS example on Kubernetes

8.4.1 Preparing the SmartCMS image and manifest

8.4.2 Preparing the Ollama dependency

8.4.3 Running the app

9 The future of Wasm

9.1 SmartCMS closing remarks

9.2 What’s next for Wasm?

9.2.1 Confidential computing

9.2.2 AI and machine learning

9.2.3 Compute at the edge

9.3 What’s next for WASI?

9.4 Staying in the loop

Appendices

Appendix A: Required tools

A.1 Rust

A.1.1 Target installation

A.1.2 Cargo installs

A.2 Git LFS

A.3 Docker

A.4 JS toolchain

A.5 Python toolchain

A.6 Spin

A.7 Ollama setup

A.8 regctl

A.9 container2wasm

A.10 Kubernetes setup

Appendix B: Deploying the SmartCMS to Azure Kubernetes Service

B.1 Prerequisites

B.2 Preparing the cluster

B.3 Deploying the SmartCMS

B.3.1 Deploying the backend components

B.3.2 Deploying the frontend

B.3.3 Configuring Ingress

Overview

1 Introduction to Wasm on the server

WebAssembly (Wasm) began as a way to run high-performance code in the browser and has grown into a portable, sandboxed compute layer for the server. Rather than a physical CPU, it is a hardware-agnostic instruction format executed by a runtime, allowing code written in many languages to run safely and consistently across machines. The introduction of the WebAssembly System Interface (WASI) enabled Wasm outside the web by standardizing how it interacts with operating systems. In today’s mix of IaaS, PaaS, serverless, containers, and edge computing, Wasm fits naturally—especially where container platforms are used—bringing small, portable artifacts that integrate with existing workflows.

The chapter underscores four pillars that make Wasm attractive on the server: performance, security, flexibility, and portability. Wasm delivers near-native speed for many workloads and significantly faster cold starts with smaller artifacts than traditional containers, boosting serverless responsiveness and workload density in Kubernetes. Its capability-based sandbox restricts default access to the host, reducing the blast radius of supply-chain issues. Unlike JVM bytecode, Wasm is truly language-agnostic and well-suited to systems languages such as Rust and C/C++, while ongoing proposals (such as support for host-managed garbage collection) improve the experience for garbage-collected languages. Hardware independence enables “build once, run anywhere,” spanning x86, ARM, and resource-constrained edge devices.

The chapter also outlines trade-offs and where Wasm fits best. It excels in serverless and edge scenarios, and is compelling for mobile/desktop code sharing, secure application plug-ins, and even microcontrollers. However, ecosystem maturity varies, debugging support is still evolving, and some language toolchains and libraries are not yet Wasm-ready. A major current limitation is multi-threading, which can hurt latency for thread-heavy, long-lived services; mitigations include scaling via many lightweight instances while the threading proposal matures. Overall, Wasm and WASI offer an open, vendor-neutral foundation that complements containers and unlocks secure, portable deployment models on the server.

Wasm as an abstraction layer virtualizing over various kinds of hardware.

Compiling to Wasm from various languages.

Java and Wasm's similarities

Running a PHP Wasm without garbage collection application in the browser.

Dockerfiles for a Docker container and a Wasm container

A native (traditional) application security model vs. Wasm's capability-based security model.

Summary

Wasm is akin to an ISA like x86_64, in the sense that your code can target it for compilation. But it is not a real platform, and instead, just virtualizes actual hardware.
Wasm apps can run outside of browser primarily through the Wasm System Interface (WASI) that allows communication with the OS.
Docker supports running two types of containers: the traditional Docker container, and the newly introduced Wasm container.
Wasm's language-agnosticism makes it so that over 40 languages can be compiled to it, but that is a double-edged sword as support for a particular language might not be as mature as it is for others.
While benchmarks show that standalone Wasm apps can be 10-50% faster than containerized apps, real-world applications can struggle due to Wasm's lack of support for multi-threading.
Wasm, when paired with serverless and its scale-to-zero requirement, leads to 80% faster execution times on average when compared to traditional serverless technologies.
A Wasm binary is completely independent of the platform or hardware where it is built and can theoretically run on any system due to its hardware-agnosticism property.
Wasm employs a capability-based security model that restricts the binary to only access the native OS through specific capabilities made available by the Wasm runtime.
Aside from serverless and edge computing, Wasm has found its footing in mobile and desktop applications, microcontrollers, smart contracts, and polyglot programming.
When targeting Wasm, it is commonplace to make sacrifices of particular packages that do not support Wasm.

FAQ

What is WebAssembly (Wasm) and how is it different from traditional CPU architectures?

Wasm is a portable binary target similar to an instruction set architecture, but it isn’t tied to physical hardware. Instead, it acts as a hardware abstraction layer: you compile code (C, C++, Rust, etc.) to Wasm, and a runtime translates it to native code for the host machine. Its goal is to be a common denominator across different CPUs.

Why did Wasm move from the browser to the server?

Wasm began (2017) to meet the web’s performance needs (e.g., 3D, audio/video, games) with safe, near‑native speed. Developers quickly realized the same attributes—speed, safety, portability—are valuable on servers, leading to WASI (2019) so Wasm could run outside the browser with OS capabilities.

What is WASI and why does it matter?

WASI (WebAssembly System Interface) defines a standardized set of system APIs that runtimes implement, allowing Wasm modules to interact with files, clocks, networking, and more outside the browser. It’s the key that lets Wasm run on servers, edge devices, and anywhere a host runtime exists.

Where does Wasm fit among IaaS, PaaS, FaaS, and containers?

Wasm shines in PaaS and FaaS, both of which rely on containers. Docker now supports “Wasm containers” that follow OCI image standards but run Wasm workloads. The result is lightweight, portable deployments that are especially attractive for serverless (e.g., scale-to-zero scenarios).

How does Wasm perform on the server compared to native apps and Docker containers?

- Wasm vs native (x86_64): about 14% slower on average for single-threaded benchmarks (near‑native).
- Wasm vs container cold start: Wasm can be 10x faster for simple tasks; often 10–50% faster on warm starts for benchmarks.
- Real HTTP server test: a Docker container achieved ~17x lower worst-case latency than a comparable Wasm setup due to Wasm’s current single-threaded model. However, Wasm still had much faster cold starts and smaller artifacts.

Why are Wasm containers smaller and faster to cold-start?

Wasm images typically contain just the application, not a full OS layer, and still use OCI formats. This cuts image sizes to KBs–low MBs (often 80% smaller than traditional containers), reducing pull times and improving cold starts (reported ~160% faster in one study).

How is Wasm language-agnostic, and how does it compare to the JVM?

Wasm is a lightweight, language‑neutral binary format with broad tooling across many languages. Unlike the JVM (optimized for Java-like languages and a heavier VM), Wasm’s simple, stack‑based design targets portability and small runtime overhead. GC-dependent languages historically bundled their own runtimes, but the WasmGC proposal enables host‑managed garbage‑collected references to reduce duplication.

What are the current limitations and challenges of server-side Wasm?

- Limited multi-threading (proposals in progress); many setups handle concurrency by instantiating multiple Wasm instances.
- Ecosystem maturity: some packages don’t compile to Wasm; tooling and debugging support are improving but not yet on par with mature stacks.

How does Wasm improve security?

Wasm runs inside a memory‑safe sandbox with capability-based access. It cannot call the host OS directly; all I/O goes through explicitly granted interfaces in the runtime. This isolation contains the blast radius of supply‑chain issues and reduces attack surface compared to native binaries with full syscall access.

When should I use Wasm on the server—and when not?

Use Wasm for serverless (faster cold starts, tiny artifacts), edge computing (hardware-agnostic and low memory), high-density Kubernetes workloads, plugins, microcontrollers, and cross‑platform app sharing. Avoid or be cautious for heavily multi-threaded, traditional PaaS-style apps until threading support matures—mitigate via horizontal scaling/orchestration.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$39.99 $25.99

you save $14.00 (35%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$39.99 $25.99

you save $14.00 (35%)

eBook

pdf, ePub, online

$39.99 $25.99

you save $14.00 (35%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more