CORS Explained Without Cargo Culting
A practical guide to CORS for builders: origins, preflights, credentials, common browser errors, and the server configs that actually fix them without opening your API to the world.
devsecurityweb
Posts tagged “ca-duh”
Tiny explainers grouped by topic. Spend less time Googling, more time building.
Secrets Management 101
A practical guide to env vars, secret managers, rotation, and least privilege — with delivery patterns for web apps, workers, CI/CD, and Kubernetes.
devsecuritysecrets
CSRF Still Matters
A practical guide to CSRF protection in modern apps: SameSite cookies, synchronizer tokens, custom headers, Fetch Metadata, and the CORS mistakes that quietly reopen old holes.
devsecuritycsrf
RBAC vs ABAC vs ReBAC
A practical guide to choosing role-based, attribute-based, or relationship-based authorization for real products, with examples for SaaS apps, internal tools, B2B org models, and shared resources.
devauthauthorization
Passkeys / WebAuthn in Practice
A practical guide to shipping passkeys with WebAuthn: registration, sign-in, recovery, account settings, and the RP ID/origin gotchas that usually break rollouts.
devauthpasskeys
Session Cookies vs JWTs vs PASETO
A practical guide to choosing session cookies, JWTs, or PASETO for web apps, SPAs, mobile apps, and APIs without cargo-culting stateless auth.
devauthsecurity
OAuth 2.1 & OpenID Connect, Explained for Builders
A practical guide to OAuth 2.1 and OpenID Connect for real apps: authorization code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows without the usual auth confusion.
devauthoauth
Connection Pooling for Databases — sizing, timeouts, and “too many clients” fixes
A production-focused guide to right-sizing pools, setting timeouts that prevent stalls, and fixing Postgres/MySQL “too many clients/connections” errors with app and proxy patterns.
devdatabasespostgres
Safe File Uploads — accept untrusted files without getting owned
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
devsecurityweb
OpenAPI Done Right — contracts, not just docs
Practical patterns for rock‑solid APIs: spec styleguide, reusable components, Problem Details errors, auth & versioning, pagination, idempotency, testing, and CI gates. Includes a copy‑paste 3.1 template.
devapiopenapi
Security Headers Cheat Sheet — copy‑paste defaults that actually help
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
devsecurityweb
Events, Commands, and Sagas — coordinate cross‑service work without tight coupling
Commands say 'do X', events say 'X happened'. Use sagas (orchestration or choreography) for long‑running, cross‑service workflows with compensations, idempotency, and reliable messaging.
devarchitecturemicroservices
Make Your CLI a Joy to Use — ergonomics, DX patterns, and copy‑paste snippets
Design principles and ready-to-use patterns: consistent subcommands, great help, smart defaults, colors/TTY, progress, JSON output, config precedence, auth, errors, exit codes, and distribution.
devclidx
Kubernetes, Minimal Survival Guide — ship, debug, and sleep at night
The 80% you actually need: Pods, Deployments, Services, Ingress/Gateway, Requests/Limits, Probes, Config & Secrets, HPA, storage, and the kubectl commands you’ll use daily.
devopskubernetes
Rate Limiting Strategies — windows, buckets, and distributed guards
Fixed/sliding windows, token & leaky buckets, GCRA, and real-world implementations (Redis, NGINX, Envoy). Covers headers, bursts, backoff, multi‑DC, and tuning.
devapireliability
Time, Timezones, and Timestamps — the least boring, most dangerous part of your stack
UTC vs local time, offsets vs zones, DST edge cases, ISO 8601/RFC 3339, DB column types, and sane patterns in JS/Python/SQL. How to store, compare, schedule, and display time without pain.
devtimedatetime
JWTs — Expiration, Rotation, and Revocation
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
devsecurityauth
Circuit Breakers & Bulkheads, Explained — fail fast, contain blast radius
Real-world settings and copy‑paste snippets for circuit breakers (closed/open/half‑open) and bulkheads (bounded concurrency/queues). Works with HTTP, gRPC, and message calls.
devreliabilityresilience
The Testing Pyramid (That Actually Works) — fast feedback, minimal flakes
Pragmatic ratios, what to test where, and how to keep CI under 10 minutes: unit vs integration vs E2E, contract & component tests, data management, and flake-killers.
devtestingqa
HTTP Caching Deep‑Dive — headers that actually make things fast
Freshness, validators, and directives: Cache-Control, ETag/Last-Modified, Vary, s-maxage, stale-while-revalidate, immutable. Patterns for APIs, HTML, and assets—plus CDN tips.
devwebperformance
The JavaScript Event Loop — macro/microtasks, rendering, and avoiding jank
A practical mental model of tasks vs microtasks, when the browser renders, and patterns to keep 60fps: rAF, chunking, debouncing, and avoiding microtask traps.
devjavascriptweb
Queues 101 — At‑Least‑Once (and Why “Exactly‑Once” Is a Myth)
Design for duplicates and reordering. Use idempotency, an inbox/outbox, and per‑key ordering to get effectively‑once processing in real systems.
devarchitecturemessaging
Dockerfile Best Practices — fast builds, small images, safer containers
Multi-stage builds, cache-friendly layering, non-root users, and sane defaults for ENTRYPOINT/CMD, healthchecks, and secrets. Copy‑paste patterns for Node, Python, and Go.
devcontainersdocker
Text Beyond UTF‑8 — Unicode gotchas every dev should know
Normalization, grapheme clusters, collation, bidi, and emojis—why 'string length' and 'toLowerCase' can betray you, with practical recipes in JS/Python/SQL.
devi18nunicode
Google Ads API — the essentials (tiny playbook)
Developer token + OAuth, account hierarchy (manager vs customer), GAQL for reporting, safe mutations with validate_only/partial_failure, quotas, and offline conversions.
devapiads
Password Storage the Right Way — salts, peppers, and modern hashes
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
devsecurityauth
Zero‑Downtime Migrations — expand/contract without breaking prod
Change schemas safely with backward‑compatible steps, dual writes, background backfills, and rolling deploys. Postgres‑flavored, but patterns apply to MySQL and friends.
devdatabasesmigrations
API Versioning Strategies — pick one and stick to it
What counts as a breaking change, URL vs header versions, deprecation signals, and how to evolve APIs without breaking clients. With routing and policy snippets you can paste today.
devapidesign
Database Indexing 101 — faster queries, fewer surprises
A practical mental model for indexes, with copy‑paste patterns for B‑tree, composite order, covering, partial, and expression indexes—plus when **not** to index.
devdatabasessql
Timeouts, Retries, and Backoff — the practical playbook
Design request deadlines, hop timeouts, and idempotent retries with jitter so you protect upstreams, tame tail latency, and avoid cascading failures.
devreliabilityresilience
Web Accessibility Basics: 5 Easy Wins for Every Developer
Low‑effort, high‑impact a11y fixes: alt text, semantic HTML & landmarks, color contrast (and non‑color cues), keyboard navigation & focus, and form labels/errors—with copy‑paste examples.
devwebaccessibility
A Practical Guide to API Error Handling
Status codes you should actually use, consistent error shapes (Problem Details, JSend), and production‑ready logging/observability—so clients get clear signals and you get actionable telemetry.
devapihttp
Semantic Versioning (SemVer) Explained in 3 Minutes
MAJOR.MINOR.PATCH — what each digit means, how pre‑releases work, and the practical rules you need for safe dependency upgrades.
devversioningreleases
Writing a README Your Coworkers Will Actually Appreciate
A practical, skimmable template (with explanations) so your README answers the real questions: What is this? How do I run it, test it, deploy it, and debug it—today.
devdocumentationproductivity
How Git Actually Works (Under the Hood) — blobs, trees, commits
A gentle tour of Git’s content‑addressed storage: blobs, trees, commits, refs, and the index—so complex commands like rebase, cherry‑pick, and reset feel predictable.
devgitversion-control
The OAuth2 Flow, Decoded — roles, tokens, and the PKCE dance
A simple, diagram-first walkthrough of OAuth 2’s Authorization Code + PKCE flow—who does what (client, resource owner, authorization server, resource server), how the redirects work, and where tokens live.
devsecurityoauth
Demystifying DNS Propagation — why changes aren’t instant
DNS changes feel slow because of caching everywhere: resolvers, browsers, OSes, CDNs, and parent zones. Here’s the mental model, typical timelines, and how to plan zero‑drama cutovers.
devdnsnetworking
What Happens When You Type a URL in a Browser — the tiny explainer
A concise, modern walkthrough of the path from address bar to pixels: DNS lookup, HTTP/3 & TLS 1.3 handshakes, CDNs & caching, request/response, and the rendering pipeline.
devwebnetworking
What is an N+1 Query and How Do You Fix It?
A fundamental database performance problem: why N+1 happens, how to spot it, and fixes with eager loading/batching in popular ORMs (Django, Rails, Prisma/Sequelize, SQLAlchemy).
devdatabasesorm
Nginx vs Apache — a practical comparison and migration guide
Event‑driven Nginx vs process/thread‑based Apache: performance, memory, config models, .htaccess, reverse proxying, PHP, HTTP/2/3, and how to switch without breaking prod.
devwebservers
Securely Managing Environment Variables (The Right Way)
Why you shouldn’t commit .env files, how to handle secrets differently in local, staging, and production, and the exact patterns to inject, validate, rotate, and audit configuration safely.
devsecuritysecrets
Base64 Encoding is Not Encryption — myth-busting what Base64 is actually for
Base64 turns bytes into ASCII text for transport and storage. It is not a security mechanism. Learn how it works, common uses (MIME, URLs, JWTs), and what to use instead when you need secrecy or integrity.
devsecurityencoding
Docker vs Podman — what’s different and how to migrate
As Podman’s daemonless, rootless approach gains traction, here’s a practical comparison with Docker—architecture, security, node networking/volumes, speed, and real migration paths.
devcontainersdocker
npm vs Yarn vs pnpm — a practical guide to speed, disk usage, and lockfiles
A no-nonsense comparison of npm, Yarn, and pnpm: real-world differences in install speed, node_modules size, and lockfile handling—plus when to pick which.
devjavascriptnode
Webpack vs Vite — why the shift and what you gain in practice
A modern, practical comparison of Webpack and Vite: how native ESM + esbuild change dev speed, what HMR feels like, what the build story is (Rollup), and when Webpack is still the right call.
devjavascripttooling
Authentication vs. Authorization — what’s the difference and how they fit together
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
devsecurityauth
The Difference Between Concurrency and Parallelism — clear & concise
Concurrency is about dealing with lots of things at once; parallelism is about doing lots of things at once. Here’s the mental model, practical examples, and when to use each.
devconcurrencyparallelism
Containers 101 — what they are and why they matter
A no-jargon primer on containers: how they isolate processes, how images/layers work, and what Docker/Kubernetes actually do.
devopscontainers
Long Polling vs WebSockets vs Server‑Sent Events — real‑time communication compared
A practical comparison of three ways to push updates from server to browser. Learn how each works, trade‑offs, code snippets, scaling notes, and a quick decision guide.
devrealtimewebsockets
When to Use an ENV File (and How to Use it Securely)
A practical guide to environment variables—when .env files make sense, how to load them locally, and how to keep secrets out of your repo and images.
devsecuritysecrets
A Simple Guide to SSH Keys — generate & use keys for secure server access
Step-by-step: create an SSH key, add it to a server, use ssh-agent, set up ~/.ssh/config, and harden your SSH settings. Works on macOS, Linux, and Windows.
devsecurityssh
An Introduction to CI/CD — what Continuous Integration & Deployment actually mean
A simple walkthrough of Continuous Integration and Continuous Delivery/Deployment—what they solve, how a pipeline is structured, and a tiny example to get started.
devcicd
Common Design Patterns — The 5‑Minute Version
A whirlwind tour of widely used patterns—Singleton, Factory, Observer, Strategy, Adapter/Decorator—with tiny examples, when to use them, and common pitfalls.
devprogrammingdesign-patterns
Git Explained with 5 Essential Commands — beyond add/commit/push
Learn rebase, cherry-pick, undoing mistakes, and day-to-day flows with five commands that cover 90% of real-world Git.
devgitversion-control
Idempotency — What it is and Why it Matters (especially for APIs)
A quick, practical explainer of idempotency: what it means, how HTTP methods relate, and how to implement idempotent POSTs with idempotency keys to make retries safe.
devapisreliability
Monolith vs Microservices — A Quick Comparison
The practical trade‑offs: when a monolith (or modular monolith) is the right call, when microservices pay off, and how to evolve without pain.
devarchitecturemicroservices
Object-Oriented Programming (OOP) Concepts — encapsulation, inheritance, polymorphism
A brief, practical overview of the core OOP ideas with tiny examples: how encapsulation protects invariants, when inheritance fits, and how polymorphism keeps code open to extension.
devprogrammingoop
UTF-8 vs ASCII — What Every Developer Should Know
A simple guide to character encoding: what ASCII is, how UTF‑8 works, why bytes ≠ characters, and the real-world gotchas (mojibake, emojis, normalization, MySQL utf8mb4).
devencodingunicode
The Basics of Caching — strategies that actually move the needle
A fast primer on in-memory, distributed, and CDN caching—what they are, when to use each, and how they boost latency, throughput, and cost efficiency.
devperformancecaching
How SSL/TLS Works in 60 Seconds — the HTTPS handshake demystified
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
devwebhttp
SQL vs NoSQL Databases — The 2‑Minute Guide
A high-level comparison of relational and non-relational databases with common use cases for each.
devdatabasessql
What is an API Gateway? — and why you might need one
A simple explainer of API gateways—how they centralize auth, rate limiting, routing, and observability—and when to adopt one versus calling services directly.
devapigateway
REST vs GraphQL vs gRPC — which one should you ship?
A quick, practical guide to choosing between REST, GraphQL, and gRPC for new and existing services.
devapibackend
Understanding CORS — a tiny explainer for stuck web devs
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
devwebhttp
What is DMARC (and why you should care)
DMARC tells inboxes what to do when email fails SPF/DKIM checks — and sends you reports so you can fix issues.
emailsecurityca-duh
SPF vs DKIM — simple differences
SPF says who can send. DKIM signs the message. Use both for deliverability.
emailsecurityca-duh
Cron expressions, decoded in 60 seconds
A quick mental model to read and write cron schedules without Googling.
devcronops
JWT vs server sessions — when to use which
Stateless tokens are convenient, but server sessions are still the default for many apps.
webauthca-duh
HTTP/2 vs HTTP/3 — practical upgrade notes
QUIC (HTTP/3) reduces head-of-line blocking; most CDNs support it — flip it on.
webperfca-duh
Regex cheats you’ll actually use
A handful of patterns that cover 80% of cases, with explainers.
devproductivityca-duh
Sitemap.xml vs robots.txt (and how both help SEO)
Robots controls crawling. Sitemap lists your canonical URLs. Use both.
seobasicsca-duh
OG images that look good everywhere
Make link previews consistent across platforms with the right meta tags.
seometaca-duh
UTM shortlinks that don’t look ugly
Keep branded redirects readable while preserving tracking.
marketinglinksca-duh