Tiny explainers grouped by topic. Spend less time Googling, more time building.
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
Fixed/sliding windows, token & leaky buckets, GCRA, and real-world implementations (Redis, NGINX, Envoy). Covers headers, bursts, backoff, multi‑DC, and tuning.
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
Multi-stage builds, cache-friendly layering, non-root users, and sane defaults for ENTRYPOINT/CMD, healthchecks, and secrets. Copy‑paste patterns for Node, Python, and Go.
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
A simple, diagram-first walkthrough of OAuth 2’s Authorization Code + PKCE flow—who does what (client, resource owner, authorization server, resource server), how the redirects work, and where tokens live.
Why you shouldn’t commit .env files, how to handle secrets differently in local, staging, and production, and the exact patterns to inject, validate, rotate, and audit configuration safely.
Base64 turns bytes into ASCII text for transport and storage. It is not a security mechanism. Learn how it works, common uses (MIME, URLs, JWTs), and what to use instead when you need secrecy or integrity.
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
A practical guide to environment variables—when .env files make sense, how to load them locally, and how to keep secrets out of your repo and images.
Step-by-step: create an SSH key, add it to a server, use ssh-agent, set up ~/.ssh/config, and harden your SSH settings. Works on macOS, Linux, and Windows.
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
A simple explainer of API gateways—how they centralize auth, rate limiting, routing, and observability—and when to adopt one versus calling services directly.
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
DMARC tells inboxes what to do when email fails SPF/DKIM checks — and sends you reports so you can fix issues.
SPF says who can send. DKIM signs the message. Use both for deliverability.