Blue-Green vs Canary vs Rolling Deployments
How the three common deployment strategies differ, when to use each one, and what health checks, traffic shifting, rollback plans, and database compatibility need to be in place first.
How to make logs useful under real traffic: correlation IDs, JSON event shape, sampling rules, and PII redaction that does not depend on everyone remembering.
Which signal answers which question, where baggage helps, where it leaks, and how one bad metric label can quietly torch your observability budget.
How TTLs really affect changes, why propagation feels slow, where DNS failover helps and where it doesn’t, plus cutover playbooks that keep rollback easy.
Three edge layers, three different jobs: one shapes HTTP traffic, one spreads load, one enforces API policy. Here’s where each belongs.
Cert chains, renewals, mTLS, HSTS, and handshake debugging, explained from the operator’s side.
What actually breaks in CORS, which headers matter, and the server configs that fix browser errors without accidentally opening your API.
Env vars are only the beginning. This covers secret managers, rotation, least privilege, and delivery patterns that do not leak credentials across your stack.
CSRF never really left. Here’s how SameSite cookies, synchronizer tokens, custom headers, and Fetch Metadata fit together in modern apps.
Most teams do not need every authorization model. This shows where RBAC, ABAC, and ReBAC fit, and what gets painful later if you pick the wrong one.
What shipping passkeys actually involves: registration, sign-in, recovery, account settings, and the RP ID/origin mistakes that break rollouts.
Three ways to carry auth state, three different tradeoffs. Here’s where session cookies, JWTs, and PASETO fit without stateless-auth cargo culting.