CORS Explained Without Cargo Culting
A practical guide to CORS for builders: origins, preflights, credentials, common browser errors, and the server configs that actually fix them without opening your API to the world.
devsecurityweb
Posts tagged “web”
Tiny explainers grouped by topic. Spend less time Googling, more time building.
CSRF Still Matters
A practical guide to CSRF protection in modern apps: SameSite cookies, synchronizer tokens, custom headers, Fetch Metadata, and the CORS mistakes that quietly reopen old holes.
devsecuritycsrf
Session Cookies vs JWTs vs PASETO
A practical guide to choosing session cookies, JWTs, or PASETO for web apps, SPAs, mobile apps, and APIs without cargo-culting stateless auth.
devauthsecurity
Safe File Uploads — accept untrusted files without getting owned
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
devsecurityweb
Security Headers Cheat Sheet — copy‑paste defaults that actually help
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
devsecurityweb
HTTP Caching Deep‑Dive — headers that actually make things fast
Freshness, validators, and directives: Cache-Control, ETag/Last-Modified, Vary, s-maxage, stale-while-revalidate, immutable. Patterns for APIs, HTML, and assets—plus CDN tips.
devwebperformance
The JavaScript Event Loop — macro/microtasks, rendering, and avoiding jank
A practical mental model of tasks vs microtasks, when the browser renders, and patterns to keep 60fps: rAF, chunking, debouncing, and avoiding microtask traps.
devjavascriptweb
Web Accessibility Basics: 5 Easy Wins for Every Developer
Low‑effort, high‑impact a11y fixes: alt text, semantic HTML & landmarks, color contrast (and non‑color cues), keyboard navigation & focus, and form labels/errors—with copy‑paste examples.
devwebaccessibility
Demystifying DNS Propagation — why changes aren’t instant
DNS changes feel slow because of caching everywhere: resolvers, browsers, OSes, CDNs, and parent zones. Here’s the mental model, typical timelines, and how to plan zero‑drama cutovers.
devdnsnetworking
What Happens When You Type a URL in a Browser — the tiny explainer
A concise, modern walkthrough of the path from address bar to pixels: DNS lookup, HTTP/3 & TLS 1.3 handshakes, CDNs & caching, request/response, and the rendering pipeline.
devwebnetworking
Nginx vs Apache — a practical comparison and migration guide
Event‑driven Nginx vs process/thread‑based Apache: performance, memory, config models, .htaccess, reverse proxying, PHP, HTTP/2/3, and how to switch without breaking prod.
devwebservers
UTF-8 vs ASCII — What Every Developer Should Know
A simple guide to character encoding: what ASCII is, how UTF‑8 works, why bytes ≠ characters, and the real-world gotchas (mojibake, emojis, normalization, MySQL utf8mb4).
devencodingunicode
How SSL/TLS Works in 60 Seconds — the HTTPS handshake demystified
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
devwebhttp
Understanding CORS — a tiny explainer for stuck web devs
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
devwebhttp
JWT vs server sessions — when to use which
Stateless tokens are convenient, but server sessions are still the default for many apps.
webauthca-duh
HTTP/2 vs HTTP/3 — practical upgrade notes
QUIC (HTTP/3) reduces head-of-line blocking; most CDNs support it — flip it on.
webperfca-duh