TLS / HTTPS: the parts that break in production
Cert chains, renewals, mTLS, HSTS, and handshake debugging, explained from the operator’s side.
devsecurityweb
Posts tagged “web”
Tiny explainers grouped by topic. Spend less time Googling, more time building.
CORS Explained Without Cargo Culting
What actually breaks in CORS, which headers matter, and the server configs that fix browser errors without accidentally opening your API.
devsecurityweb
CSRF Still Matters
CSRF never really left. Here’s how SameSite cookies, synchronizer tokens, custom headers, and Fetch Metadata fit together in modern apps.
devsecuritycsrf
Session Cookies vs JWTs vs PASETO
Three ways to carry auth state, three different tradeoffs. Here’s where session cookies, JWTs, and PASETO fit without stateless-auth cargo culting.
devauthsecurity
Safe File Uploads — accept untrusted files without getting owned
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
devsecurityweb
Security Headers Cheat Sheet — copy‑paste defaults that actually help
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
devsecurityweb
HTTP Caching Deep‑Dive — headers that actually make things fast
Freshness, validators, and directives: Cache-Control, ETag/Last-Modified, Vary, s-maxage, stale-while-revalidate, immutable. Patterns for APIs, HTML, and assets—plus CDN tips.
devwebperformance
The JavaScript Event Loop — macro/microtasks, rendering, and avoiding jank
The event loop is where fast UIs quietly get won or lost: tasks, microtasks, rendering, and the patterns that keep 60fps intact.
devjavascriptweb
Web Accessibility Basics: 5 Easy Wins for Every Developer
Low‑effort, high‑impact a11y fixes: alt text, semantic HTML & landmarks, color contrast (and non‑color cues), keyboard navigation & focus, and form labels/errors—with copy‑paste examples.
devwebaccessibility
Demystifying DNS Propagation — why changes aren’t instant
DNS changes feel slow because of caching everywhere: resolvers, browsers, OSes, CDNs, and parent zones. Here’s the mental model, typical timelines, and how to plan zero‑drama cutovers.
devdnsnetworking
What Happens When You Type a URL in a Browser — the tiny explainer
From DNS lookup to TLS to paint: the shortest useful tour of what the browser actually does after you hit Enter.
devwebnetworking
Nginx vs Apache — a practical comparison and migration guide
Event‑driven Nginx vs process/thread‑based Apache: performance, memory, config models, .htaccess, reverse proxying, PHP, HTTP/2/3, and how to switch without breaking prod.
devwebservers
UTF-8 vs ASCII — What Every Developer Should Know
ASCII is the tiny legacy subset; UTF-8 is what your systems actually need. Here’s how bytes, characters, mojibake, and utf8mb4 fit together.
devencodingunicode
How SSL/TLS Works in 60 Seconds — the HTTPS handshake demystified
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
devwebhttp
Understanding CORS — a tiny explainer for stuck web devs
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
devwebhttp
JWT vs server sessions — when to use which
Stateless tokens are convenient, but server sessions are still the default for many apps.
webauthca-duh
HTTP/2 vs HTTP/3 — practical upgrade notes
QUIC (HTTP/3) reduces head-of-line blocking; most CDNs support it — flip it on.
webperfca-duh