Developer Guides

In-depth explainers on the formats, protocols, and concepts behind the tools on this site. Each guide is written to be technically accurate and practically useful - covering real-world use cases, common mistakes, and the reasoning behind best practices.

What these guides cover

Each guide on this site is written to answer the questions that come up during real work — not as introductory tutorials, but as references you reach for when debugging a production issue, reviewing a security configuration, or making an architecture decision. The goal is to explain why something works the way it does, not just how to use it, so that the knowledge transfers to situations the guide does not explicitly cover.

The guides are organized around three broad areas: data formats (JSON, Base64, YAML), authentication and security (JWT, cryptographic hashing, web security headers), and networking (IP addressing, CIDR subnetting). These are the domains that appear repeatedly in backend development, DevOps, and security work — understanding them well means spending less time looking things up and more time making decisions with confidence.

Data formats

JSON is everywhere — API responses, configuration files, event payloads, structured log output. The JSON Complete Developer Guide goes past basic syntax to cover schema validation, type coercion edge cases (the Norway problem with YAML, number precision in JavaScript), and situations where JSON is the wrong choice. If you work with APIs or build any kind of data pipeline, understanding JSON's actual semantics — not just its syntax — prevents whole categories of subtle bugs.

Base64 is one of the most misunderstood encodings in common use. Developers who know it only as "that thing that makes binary safe to put in JSON" are regularly surprised when a Base64-encoded value fails to decode because it uses the URL-safe alphabet instead of the standard one, or because padding characters were stripped. The Base64 Encoding guide explains both alphabets, where you encounter each (JWTs use Base64url; MIME email uses standard Base64; data URIs have their own rules), and — critically — why encoding is not encryption and should never be treated as security.

Authentication and security

JSON Web Tokens appear in virtually every modern authentication system, but they are also a common source of security vulnerabilities when implemented without understanding the format. The JWT guide covers the three-part structure (header, payload, signature), the algorithm field security problem (the alg:none vulnerability and why you must validate the algorithm before verifying the signature), the difference between symmetric (HS256) and asymmetric (RS256, ES256) signing, and the registered claims that control token lifetime. Understanding JWTs properly means knowing both how to use them and where implementations go wrong.

Cryptographic hashing underlies password storage, file integrity verification, digital signatures, and content addressing. The practical hashing guide explains what a hash function actually does (deterministic, one-way, fixed-output-length mapping), why MD5 and SHA-1 are no longer appropriate for security-sensitive uses, and the difference between hashing and message authentication codes (MACs). The companion algorithm comparison gives a side-by-side view of output length, collision resistance status, and current appropriate use cases.

Web security headers — CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy — are one of the highest-leverage security improvements available to any web application. They are also consistently underutilized because the configuration options are complex and the consequences of misconfiguration (either too permissive or accidentally broken) are not immediately visible. The Web Security Headers guide walks through each header, what it controls, how to configure it correctly, and how to test that it is doing what you expect.

Networking

IP addresses exist at the intersection of human-readable notation and binary arithmetic, and most networking confusion traces back to not fully internalizing that the dotted-decimal form is just a display convention. The IP Addressing guide covers all four representations (dotted-decimal, binary, hexadecimal, unsigned integer), how they relate to each other, the private address ranges (RFC 1918), and the IPv6 structure. Understanding address representations at this level makes CIDR notation, subnet masking, and routing table logic intuitive rather than formulaic.

CIDR subnetting is one of those topics that most developers learn just enough of to get by, then have to look up again every time they need to size a VPC subnet or configure a firewall rule. The CIDR Subnetting guide works through the math with real examples — how to calculate network address, broadcast address, and usable host range from a CIDR block; how to subdivide a large block into smaller subnets; and how route summarization works. After reading it, the jump from "I need about 200 hosts" to "/24 gives 254 usable addresses" should be immediate.