ca, duh. tiny explainers that actually help.

For developers, DevOps engineers, and the tech-curious who want clear, practical answers fast. We break down topics you actually use — so you spend less time Googling and more time building.

All posts RSS

CORS Explained Without Cargo Culting

A practical guide to CORS for builders: origins, preflights, credentials, common browser errors, and the server configs that actually fix them without opening your API to the world.

March 30th, 20267 min read

devsecurityweb

Secrets Management 101

A practical guide to env vars, secret managers, rotation, and least privilege — with delivery patterns for web apps, workers, CI/CD, and Kubernetes.

March 28th, 202610 min read

devsecuritysecrets

CSRF Still Matters

A practical guide to CSRF protection in modern apps: SameSite cookies, synchronizer tokens, custom headers, Fetch Metadata, and the CORS mistakes that quietly reopen old holes.

March 27th, 20267 min read

devsecuritycsrf

RBAC vs ABAC vs ReBAC

A practical guide to choosing role-based, attribute-based, or relationship-based authorization for real products, with examples for SaaS apps, internal tools, B2B org models, and shared resources.

March 26th, 202610 min read

devauthauthorization

Passkeys / WebAuthn in Practice

A practical guide to shipping passkeys with WebAuthn: registration, sign-in, recovery, account settings, and the RP ID/origin gotchas that usually break rollouts.

March 25th, 20269 min read

devauthpasskeys

Session Cookies vs JWTs vs PASETO

A practical guide to choosing session cookies, JWTs, or PASETO for web apps, SPAs, mobile apps, and APIs without cargo-culting stateless auth.

March 25th, 202611 min read

devauthsecurity