Server-Side WebAssembly you own this product

Building portable and secure multi-language apps

Danilo Chiarlone
Foreword by Brendan Burns
Afterword by Luke Wagner

December 2025
ISBN 9781633436206
272 pages

Included with a Manning Online subscription

printed in black & white

available in Korean

catalog / Programming Languages and Styles / System Programming

table of content

Part 1 WebAssembly for architects

1 Introducing Wasm on the server

1.1 What is the server side and where does Wasm fit in?

1.2 The advantages of Wasm for server-side development

1.2.1 Language agnosticism

1.2.2 Performance

1.2.3 Hardware agnosticism

1.2.4 Security

1.2.5 Standards-based and vendor neutrality

1.3 When and where to use Wasm (and when not to)

1.4 How to navigate this book

2 Building server-side applications with Wasm modules

2.1 Understanding Wasm’s building blocks

2.2 Understanding the guest-host architecture of server-side Wasm

2.3 Creating a Wasm app using Rust

2.3.1 Creating a Rust library project

2.3.2 Specifying compilation to a Wasm module

2.3.3 Writing the code for our application

2.3.4 Compiling the Rust code into a Wasm module

2.3.5 Executing the Wasm module with the custom host

2.3.6 Reflecting on the “Hello, World” application

2.4 Building on Wasm’s simple types with WebAssembly Interface Types

2.5 Building the foundation of a smart content management system

3 Enhancing portability and security with Wasm components

3.1 Benefits of Wasm components

3.1.1 Cross-language portability

3.1.2 Shared-nothing security

3.1.3 Only-what-you-need security and improved vulnerability mitigation response

3.2 Building a componentized “Hello, World” guest application with JavaScript

3.2.1 Setting up the project and installing the toolchain

3.2.2 Implementing the component logic

3.2.3 Compiling the Wasm component

3.3 Building a Python host for a JavaScript-bundled Wasm component

3.3.1 Setting up the project and installing the toolchain

3.3.2 Implementing the host logic

3.3.3 Running the Python host

3.4 Expanding the example project with Wasm components

3.4.1 Improving the WIT file for the key-value store

3.4.2 Creating the SmartCMS host

3.4.3 Implementing and running a guest Wasm component inside our SmartCMS host

4 Interfacing Wasm with the underlying system

4.1 The WebAssembly System Interface

4.2 What can you build with WASI?

4.2.1 Creating a CLI application

4.2.2 Creating libraries

4.2.3 Creating HTTP proxies

4.3 Converting a Wasm module to a Wasm component

4.4 Managing component capabilities

4.5 Composing components together

4.6 Expanding our example project with WASI and composability

5 From machine learning to databases: Applications of Wasm

5.1 WebAssembly Standard Interfaces

5.2 Machine learning with Wasm

5.2.1 Understanding ML inference

5.2.2 Using wasi-nn

5.3 Running Wasm inside databases

5.3.1 Making Wasm UDFs

5.3.2 Getting Wasm into SQL

5.3.3 Running Wasm UDFs in libSQL

5.4 Improving our example project with wasi-nn

5.4.1 Setting up our project

5.4.2 Writing the ML Wasm component

5.4.3 Updating our host to use ONNX for wasi:nn

Part 2 WebAssembly for developers

6 Creating production-grade Wasm applications

6.1 Creating a wasmCloud “Hello, World” application

6.2 Adding persistent storage to our Wasm app

6.2.1 Modifying our WIT and wadm manifest

6.2.2 Modifying our application and redeploying it

6.3 Scaling our wasmCloud application

6.4 Distributing our wasmCloud application

6.5 Another off-the-shelf host: Spin

6.5.1 Creating a Spin “Hello, World” application

6.5.2 Comparing wasmCloud and Spin

6.6 Implementing the example project as a wasmCloud app

6.6.1 Adding persistent storage to the SmartCMS

6.6.2 Adding machine learning to the SmartCMS

7 Introducing Wasm containers

7.1 Containers vs. Wasm

7.2 Wasm containers

7.3 Running a Wasm container

7.3.1 Setting up containerd and Wasm support

7.3.2 Building and running the Wasm container

7.4 Wasm and the OCI

7.4.1 Packaging and publishing Wasm components as OCI images

7.4.2 Inspecting Wasm component OCI images

7.4.3 Pulling and running Wasm OCI images

7.5 wasmCloud and Wasm containers

7.6 Converting Linux containers to Wasm

7.6.1 Introducing container2wasm

7.6.2 Installing container2wasm

7.6.3 Using container2wasm

8 Scalability for Wasm with Kubernetes

8.1 Kubernetes and Wasm

8.2 Running Wasm in Kubernetes with SpinKube

8.2.1 Preparing the cluster for SpinKube

8.2.2 Running a Wasm app in Kubernetes with SpinKube

8.2.3 Scaling Wasm in Kubernetes with SpinKube

8.3 Running Wasm in Kubernetes with wasmCloud

8.3.1 Preparing the cluster for wasmCloud

8.3.2 Running a Wasm app in Kubernetes with wasmCloud

8.4 Running the SmartCMS example on Kubernetes

8.4.1 Preparing the SmartCMS image and manifest

8.4.2 Preparing the Ollama dependency

8.4.3 Running the app

9 The future of Wasm

9.1 SmartCMS closing remarks

9.2 What’s next for Wasm?

9.2.1 Confidential computing

9.2.2 AI and machine learning

9.2.3 Compute at the edge

9.3 What’s next for WASI?

9.4 Staying in the loop

Appendices

Appendix A: Required tools

A.1 Rust

A.1.1 Target installation

A.1.2 Cargo installs

A.2 Git LFS

A.3 Docker

A.4 JS toolchain

A.5 Python toolchain

A.6 Spin

A.7 Ollama setup

A.8 regctl

A.9 container2wasm

A.10 Kubernetes setup

Appendix B: Deploying the SmartCMS to Azure Kubernetes Service

B.1 Prerequisites

B.2 Preparing the cluster

B.3 Deploying the SmartCMS

B.3.1 Deploying the backend components

B.3.2 Deploying the frontend

B.3.3 Configuring Ingress

Overview

1 Introduction to Wasm on the server

WebAssembly (Wasm) is a portable, binary instruction format that acts like a hardware-agnostic target for compiled code, originally created to bring near-native performance to the browser. With the WebAssembly System Interface (WASI), those same qualities extend beyond the web: a host runtime provides controlled access to operating system capabilities, allowing Wasm modules to run on servers. In today’s landscape of microservices, containers, serverless, and edge computing, this makes Wasm a compelling foundation, particularly where portability, consistency, and operational simplicity are critical.

On the server, Wasm’s strengths cluster around performance, security, and flexibility. It is language-agnostic, lightweight to run, and hardware-independent, enabling “compile once, run anywhere” across diverse environments (from x86_64 to ARM). Its capability-based sandbox delivers strong isolation by default, reducing blast radius in modern, componentized systems. In practice, Wasm achieves near-native speeds for many compute tasks, while its very small artifacts and fast cold starts translate into higher workload density, lower costs, and improved responsiveness—benefits that shine in PaaS, FaaS, Kubernetes, and at the edge. Crucially, Wasm and WASI are open, standards-based, and vendor-neutral, helping teams avoid lock-in while integrating with familiar container tooling and image formats.

Wasm is best suited to serverless and edge workloads that value quick startup, minimal footprint, and safe extensibility, and it also excels for plugins, polyglot systems, cross‑platform apps, and even microcontroller scenarios. Current challenges include limited multi-threading (affecting highly concurrent, latency-sensitive services), uneven language ecosystem maturity, and less integrated debugging across some toolchains. Proposals like threads and garbage collection are closing these gaps, and many platforms mitigate concurrency needs via instance-per-request models. In short, reach for Wasm when portability, isolation, and startup speed matter most; prefer traditional containers or native runtimes where mature multithreading and established language ecosystems are the priority.

Wasm as an abstraction layer virtualizing over various kinds of hardware.

Compiling to Wasm from various languages.

Java and Wasm's similarities

Running a PHP Wasm without garbage collection application in the browser.

Dockerfiles for a Docker container and a Wasm container

A native (traditional) application security model vs. Wasm's capability-based security model.

Summary

Wasm is akin to an ISA like x86_64, in the sense that your code can target it for compilation. But it is not a real platform, and instead, just virtualizes actual hardware.
Wasm apps can run outside of browser primarily through the Wasm System Interface (WASI) that allows communication with the OS.
Docker supports running two types of containers: the traditional Docker container, and the newly introduced Wasm container.
Wasm's language-agnosticism makes it so that over 40 languages can be compiled to it, but that is a double-edged sword as support for a particular language might not be as mature as it is for others.
While benchmarks show that standalone Wasm apps can be 10-50% faster than containerized apps, real-world applications can struggle due to Wasm's lack of support for multi-threading.
Wasm, when paired with serverless and its scale-to-zero requirement, leads to 80% faster execution times on average when compared to traditional serverless technologies.
A Wasm binary is completely independent of the platform or hardware where it is built and can theoretically run on any system due to its hardware-agnosticism property.
Wasm employs a capability-based security model that restricts the binary to only access the native OS through specific capabilities made available by the Wasm runtime.
Aside from serverless and edge computing, Wasm has found its footing in mobile and desktop applications, microcontrollers, smart contracts, and polyglot programming.
When targeting Wasm, it is commonplace to make sacrifices of particular packages that do not support Wasm.

FAQ

What is WebAssembly (Wasm) and how does it differ from traditional CPU architectures?

Wasm is a portable binary instruction format you compile code to, similar in spirit to an instruction set architecture (ISA). Unlike x86_64 or ARM64, there is no physical Wasm chip. Instead, Wasm acts as a hardware-agnostic abstraction layer that a host runtime translates to native instructions for the underlying machine.

What is WASI and why is it important for server-side Wasm?

WASI (WebAssembly System Interface) is a standard set of system APIs that lets Wasm modules interact with the outside world (files, clocks, networking via host capabilities). It enables Wasm to run outside the browser by giving runtimes a consistent, secure way to provide OS-like services.

Where does Wasm fit across IaaS, PaaS, and FaaS?

Wasm is most impactful in PaaS and FaaS environments that rely on containers. Its lightweight isolation, small artifacts, and fast startup make it ideal for serverless (scale-to-zero, frequent cold starts) and for platform services that benefit from portability and density. It also works at IaaS via host runtimes.

What are “Wasm containers,” and how do they relate to Docker and OCI?

“Wasm containers” use the same OCI image format and tooling as traditional containers, but the workload inside is a Wasm module executed by a runtime instead of a full OS userland. This yields much smaller images and faster cold starts. Docker’s Wasm support lets you build, ship, and run these images with familiar workflows.

What advantages does Wasm bring to server-side development?

Key benefits include near-native performance for many workloads, strong security via sandboxed, capability-based execution, hardware and language agnosticism for portability, tiny artifacts that download quickly, and high density on shared infrastructure (e.g., Kubernetes), which reduces cost.

How does Wasm performance compare to native binaries and to Docker containers?

Compared to native x86_64, single-threaded Wasm workloads have shown around a 14% average slowdown—close to near-native. Versus Docker, simple short-running tasks can start at least 10x faster from cold, and many microbenchmarks show 10–50% improvement on warm starts. For complex, highly concurrent servers, current single-threaded limits can lead to higher tail latencies than Dockerized native apps.

Why are Wasm cold starts so fast, and why does that matter?

Wasm images are typically only the app and its bytecode (no full OS), so they’re small and start quickly under a runtime. In serverless settings with frequent de-provisioning, this translates to much better cold-start behavior and can yield large response-time improvements during periods of inactivity.

What are the main limitations and challenges of adopting Wasm today?

Notable gaps include limited multi-threading support (proposals in progress), uneven language/runtime maturity (especially for GC languages), package compatibility issues, and less mature debugging tooling. These can impact complex PaaS-style applications and developer experience.

How is multi-threading handled today, and what’s the roadmap?

Native multi-threading in Wasm is still evolving. In practice, platforms achieve concurrency by running many Wasm instances (one per request or similar) and scaling horizontally with orchestrators like Kubernetes. Proposals are in flight to unlock broader threading capabilities within the sandbox.

How does Wasm improve security and portability (and help avoid vendor lock-in)?

Wasm runs in a memory-safe sandbox and can only access host capabilities explicitly granted by the runtime, reducing the blast radius of supply-chain issues. As a W3C-backed, vendor-neutral standard (alongside WASI), it supports true portability across clouds, on-prem, and edge, helping teams avoid proprietary lock-in.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$39.99 $19.99

you save $20.00 (50%)

include audio $19.99 $9.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$39.99 $19.99

you save $20.00 (50%)

include audio $19.99 $9.99

eBook

pdf, ePub, online

$39.99 $19.99

you save $20.00 (50%)

include audio $19.99 $9.99

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more