Blue-Green vs Canary vs Rolling Deployments
How the three common deployment strategies differ, when to use each one, and what health checks, traffic shifting, rollback plans, and database compatibility need to be in place first.
Tiny explainers grouped by topic. Spend less time Googling, more time building.
How to make logs useful under real traffic: correlation IDs, JSON event shape, sampling rules, and PII redaction that does not depend on everyone remembering.
Which signal answers which question, where baggage helps, where it leaks, and how one bad metric label can quietly torch your observability budget.
How TTLs really affect changes, why propagation feels slow, where DNS failover helps and where it doesn’t, plus cutover playbooks that keep rollback easy.
Three edge layers, three different jobs: one shapes HTTP traffic, one spreads load, one enforces API policy. Here’s where each belongs.
Cert chains, renewals, mTLS, HSTS, and handshake debugging, explained from the operator’s side.
What actually breaks in CORS, which headers matter, and the server configs that fix browser errors without accidentally opening your API.
Env vars are only the beginning. This covers secret managers, rotation, least privilege, and delivery patterns that do not leak credentials across your stack.
CSRF never really left. Here’s how SameSite cookies, synchronizer tokens, custom headers, and Fetch Metadata fit together in modern apps.
Most teams do not need every authorization model. This shows where RBAC, ABAC, and ReBAC fit, and what gets painful later if you pick the wrong one.
What shipping passkeys actually involves: registration, sign-in, recovery, account settings, and the RP ID/origin mistakes that break rollouts.
Three ways to carry auth state, three different tradeoffs. Here’s where session cookies, JWTs, and PASETO fit without stateless-auth cargo culting.
The auth stack most teams inherit, minus the jargon: code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows that actually matter.
A production-focused guide to right-sizing pools, setting timeouts that prevent stalls, and fixing Postgres/MySQL “too many clients/connections” errors with app and proxy patterns.
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
Practical patterns for rock‑solid APIs: spec styleguide, reusable components, Problem Details errors, auth & versioning, pagination, idempotency, testing, and CI gates. Includes a copy‑paste 3.1 template.
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
Commands say 'do X', events say 'X happened'. Use sagas (orchestration or choreography) for long‑running, cross‑service workflows with compensations, idempotency, and reliable messaging.
Design principles and ready-to-use patterns: consistent subcommands, great help, smart defaults, colors/TTY, progress, JSON output, config precedence, auth, errors, exit codes, and distribution.
The 80% you actually need: Pods, Deployments, Services, Ingress/Gateway, Requests/Limits, Probes, Config & Secrets, HPA, storage, and the kubectl commands you’ll use daily.
Fixed/sliding windows, token & leaky buckets, GCRA, and real-world implementations (Redis, NGINX, Envoy). Covers headers, bursts, backoff, multi‑DC, and tuning.
UTC vs local time, offsets vs zones, DST edge cases, ISO 8601/RFC 3339, DB column types, and sane patterns in JS/Python/SQL. How to store, compare, schedule, and display time without pain.
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
Real-world settings and copy‑paste snippets for circuit breakers (closed/open/half‑open) and bulkheads (bounded concurrency/queues). Works with HTTP, gRPC, and message calls.
Pragmatic ratios, what to test where, and how to keep CI under 10 minutes: unit vs integration vs E2E, contract & component tests, data management, and flake-killers.
Freshness, validators, and directives: Cache-Control, ETag/Last-Modified, Vary, s-maxage, stale-while-revalidate, immutable. Patterns for APIs, HTML, and assets—plus CDN tips.
The event loop is where fast UIs quietly get won or lost: tasks, microtasks, rendering, and the patterns that keep 60fps intact.
Design for duplicates and reordering. Use idempotency, an inbox/outbox, and per‑key ordering to get effectively‑once processing in real systems.
Multi-stage builds, cache-friendly layering, non-root users, and sane defaults for ENTRYPOINT/CMD, healthchecks, and secrets. Copy‑paste patterns for Node, Python, and Go.
Normalization, grapheme clusters, collation, bidi, and emojis—why 'string length' and 'toLowerCase' can betray you, with practical recipes in JS/Python/SQL.
Developer token + OAuth, account hierarchy (manager vs customer), GAQL for reporting, safe mutations with validate_only/partial_failure, quotas, and offline conversions.
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
Change schemas safely with backward‑compatible steps, dual writes, background backfills, and rolling deploys. Postgres‑flavored, but patterns apply to MySQL and friends.
What counts as a breaking change, URL vs header versions, deprecation signals, and how to evolve APIs without breaking clients. With routing and policy snippets you can paste today.
Indexes make some queries disappear and others slower. This walks through the patterns that matter and the traps that quietly hurt writes.
Design request deadlines, hop timeouts, and idempotent retries with jitter so you protect upstreams, tame tail latency, and avoid cascading failures.
Low‑effort, high‑impact a11y fixes: alt text, semantic HTML & landmarks, color contrast (and non‑color cues), keyboard navigation & focus, and form labels/errors—with copy‑paste examples.
Which status codes to use, how to shape errors consistently, and what to log so clients get clear signals and you get useful telemetry.
MAJOR.MINOR.PATCH — what each digit means, how pre‑releases work, and the practical rules you need for safe dependency upgrades.
A README should answer the questions teammates ask on a bad day. This template makes sure it covers setup, testing, deploys, and debugging.
A gentle tour of Git’s content‑addressed storage: blobs, trees, commits, refs, and the index—so complex commands like rebase, cherry‑pick, and reset feel predictable.
A diagram-first walkthrough of OAuth 2’s Authorization Code + PKCE flow: who does what, how the redirects work, and where the tokens end up.
DNS changes feel slow because of caching everywhere: resolvers, browsers, OSes, CDNs, and parent zones. Here’s the mental model, typical timelines, and how to plan zero‑drama cutovers.
From DNS lookup to TLS to paint: the shortest useful tour of what the browser actually does after you hit Enter.
A fundamental database performance problem: why N+1 happens, how to spot it, and fixes with eager loading/batching in popular ORMs (Django, Rails, Prisma/Sequelize, SQLAlchemy).
Event‑driven Nginx vs process/thread‑based Apache: performance, memory, config models, .htaccess, reverse proxying, PHP, HTTP/2/3, and how to switch without breaking prod.
Why you shouldn’t commit .env files, how to handle secrets differently in local, staging, and production, and the exact patterns to inject, validate, rotate, and audit configuration safely.
Base64 turns bytes into ASCII text for transport and storage. It is not a security mechanism. Learn how it works, common uses (MIME, URLs, JWTs), and what to use instead when you need secrecy or integrity.
As Podman’s daemonless, rootless approach gains traction, here’s a practical comparison with Docker—architecture, security, node networking/volumes, speed, and real migration paths.
A no-nonsense comparison of npm, Yarn, and pnpm: real-world differences in install speed, node_modules size, and lockfile handling—plus when to pick which.
A modern, practical comparison of Webpack and Vite: how native ESM + esbuild change dev speed, what HMR feels like, what the build story is (Rollup), and when Webpack is still the right call.
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
Concurrency is about dealing with lots of things at once; parallelism is about doing lots of things at once. Here’s the mental model, practical examples, and when to use each.
A no-jargon primer on containers: how they isolate processes, how images/layers work, and what Docker/Kubernetes actually do.
Live updates usually come down to one question: who needs to talk, and how often? This compares polling, SSE, and WebSockets by that decision.
.env files are fine for some jobs and a liability for others. Here’s where they fit, where they don’t, and how to keep secrets out of repos and images.
Generate a key, load it into `ssh-agent`, add it to a server, and clean up your SSH config without the usual trial and error.
What CI/CD actually changes day to day, how a pipeline is structured, and the smallest useful version to put in place first.
A whirlwind tour of widely used patterns—Singleton, Factory, Observer, Strategy, Adapter/Decorator—with tiny examples, when to use them, and common pitfalls.
Learn rebase, cherry-pick, undoing mistakes, and day-to-day flows with five commands that cover 90% of real-world Git.
A quick, practical explainer of idempotency: what it means, how HTTP methods relate, and how to implement idempotent POSTs with idempotency keys to make retries safe.
The practical trade‑offs: when a monolith (or modular monolith) is the right call, when microservices pay off, and how to evolve without pain.
A brief, practical overview of the core OOP ideas with tiny examples: how encapsulation protects invariants, when inheritance fits, and how polymorphism keeps code open to extension.
ASCII is the tiny legacy subset; UTF-8 is what your systems actually need. Here’s how bytes, characters, mojibake, and utf8mb4 fit together.
A fast primer on in-memory, distributed, and CDN caching—what they are, when to use each, and how they boost latency, throughput, and cost efficiency.
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
A high-level comparison of relational and non-relational databases with common use cases for each.
Where a gateway earns its keep, where a reverse proxy is enough, and why pushing business logic to the edge usually backfires.
A quick, practical guide to choosing between REST, GraphQL, and gRPC for new and existing services.
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
DMARC tells inboxes what to do when email fails SPF/DKIM checks — and sends you reports so you can fix issues.
SPF says who can send. DKIM signs the message. Use both for deliverability.
A quick mental model to read and write cron schedules without Googling.
Stateless tokens are convenient, but server sessions are still the default for many apps.
QUIC (HTTP/3) reduces head-of-line blocking; most CDNs support it — flip it on.
A handful of patterns that cover 80% of cases, with explainers.
Robots controls crawling. Sitemap lists your canonical URLs. Use both.
Make link previews consistent across platforms with the right meta tags.
Keep branded redirects readable while preserving tracking.