Long-form notes on debugging, dev tools, and privacy-respecting workflows. Each post links the tools that solve the problem.
Introspection lets any client download your entire schema — every type, field, argument, and deprecation note — with one query. Great in development, a reconnaissance gift in production. What __schema returns, how it is abused, and the right way to lock it down.
A .har export from your browser Network panel captures every request and response — Authorization headers, session cookies, CSRF tokens, full request bodies. Here is what is inside, why support keeps asking for one, and how to redact it safely.
The three base64url segments of a JWT are readable by anyone — decoding tells you what a token claims, not whether the claim is true. The structure, the decode-versus-verify gap, and the alg:none and RS256-to-HS256 attacks that turn that gap into account takeover.
The Unix epoch is simple until it is not. Milliseconds versus seconds, signed 32-bit overflow in 2038, leap-second smearing, and timezone assumptions cause real production bugs. The field guide with the conversions that actually matter.
Base64 is a reversible text encoding with no key. Anyone can decode it in one line. Here is why it keeps getting mistaken for protection — in Basic Auth, JWTs, and Kubernetes Secrets — and what each of those actually relies on.
PDFs carry an Info dictionary and an XMP stream that record author name, the exact software and version that made the file, timestamps, and sometimes earlier revisions. Here is what is in there and how to remove it without uploading the file anywhere.
Random UUID v4 primary keys scatter inserts across a B-tree, causing page splits and cache churn. UUID v7 is time-ordered and inserts append to the right edge. Here is the mechanism, per database engine.
A practical look at ffmpeg compiled to WebAssembly — what video work it does well in a browser tab, where it stalls, the COOP/COEP headers it needs to run multithreaded, and the size cost of shipping a video editor with no backend.
iPhones record 4K HEVC at 16:9 by default. YouTube Shorts wants 9:16 vertical MP4 under 60 seconds. The mismatch causes silent upload failures, letterboxed playback, and quality loss. Here is the conversion in two browser-only steps, with no upload to a third-party service.
A 4-word EFF diceware passphrase has more entropy than a 12-character random password and is dramatically easier to remember. NIST has recommended length over complexity since 2017. Here is the math, the standards, and why memorable-sentence generators are the right default in 2026.
Sunday is 0 in POSIX cron, 1 in Quartz, and 1 in AWS EventBridge — and the difference silently shifts your job by a day. A field-by-field guide to the four dialects you will actually encounter, with a side-by-side comparison and the conversion rules.
Decoding the most common JSON.parse error in JavaScript: how to find the byte offset, what each variant of the message means in Chrome / Firefox / Safari, and the five mistakes that trigger it.
A fast browser-only workflow for syntax-checking a YAML manifest, converting it to JSON for tooling that does not speak YAML, and avoiding the silent type coercions that bite production deploys.
