Guides
Practical write-ups on the parts of web data that quietly break things — the failure modes behind our tools, with real code, measured numbers, and the fixes that actually work.
Base64 Is Not Encryption: A Field Guide to What It Actually Does
Base64 encodes; it does not encrypt. Anyone can reverse it instantly with no key. The encode-vs-encrypt confusion, and the AES contrast that makes it concrete.
Reading an API Response Fast: A Debugging Workflow
A messy API response, decoded fast: a repeatable order of operations for status, shape, encoded fields, and finding the real error.
The Encoding Bugs Behind Mojibake, Emoji Length, and Broken Hashes
Mojibake, emoji counted as length 2, and hash mismatches all trace to one seam: bytes vs code units vs code points. The encoding model that explains all three.
What 'Runs in Your Browser' Really Means for Your Data
A tool that 'runs in your browser' never uploads your paste. How to prove it with the Network tab, and why it matters for secrets and PII.
Where Tokens Actually Live in the Browser (and Where They Shouldn't)
localStorage is readable by any script that runs via XSS; httpOnly cookies dodge that but invite CSRF. The real tradeoff map for where a JWT should live in the browser.
Markdown Is Not Safe HTML: The Sanitization Step Everyone Skips
CommonMark passes raw HTML through by design, so <script> and javascript: links survive marked.parse(). The exact sanitization step — and why order matters.
A JSON Debugging Checklist: Why Valid-Looking JSON Throws
JSON.parse threw but the data looks perfect? A checklist of the real culprits — trailing commas, BOM, NaN, and why 'position N' points to the wrong place.
Formatting JSON Client-Side: Why It Matters for Secrets
Pasting JSON with secrets into a server tool leaks it. Client-side formatting keeps it local — and survives 64-bit IDs.
Why Your Fancy Unicode Text Reverts to Plain Letters
Mathematical-bold letters are compatibility-equivalent to ASCII, so NFKC flattens them on save. Why, and where it bites.
Seconds vs Milliseconds: The Timestamp Bug That Lands You in 1970
Feed seconds into new Date() and you land in January 1970. The off-by-1000 bug, timezone traps, and 2038.
The Hidden Size Limits of Base64 Data URIs
Base64 adds a fixed 33% and some sanitizers drop data URIs over ~64KB. The thresholds that decide inline vs file.
Never Store Passwords With SHA-256 — Here's the Math
A single GPU does ~22 billion SHA-256/s. Why that destroys password security, and what to use instead.
Why You Can't Just atob() a JWT (and the base64url Fix)
atob() chokes on JWT segments because they're base64url. The why, the fix, and the alg:none trap.