Notes from the workshop.
Writing about small tools, web performance, and the craft of shipping useful things on the internet. Short, practical, no fluff. Follow along via Atom feed or the newsletter below.
What file conversion actually does (and what you lose).
Conversion is decode-plus-re-encode, not translation — and four things get lost on the way: quality generations stack, format gaps truncate silently, metadata is a coin flip, and rasterization never reverses.
Read the guideAnatomy of a URL: what every part of a link does.
Seven machines in one trench coat: the protocol choice, the mostly-scam identity slot, the address, the door number, the routing key, the parameter channel — and the fragment, which never reaches the server at all.
Read the guideWhy your JSON won't parse: a field guide.
The eight ways hand-written JSON breaks — trailing commas, wrong quotes, sneaky comments, invisible bytes — how to read the parser's error message, and the two failures that aren't errors at all.
Read the guideWhy your PDF is so much bigger than it needs to be.
Scanned pages are photographs in a trench coat, fonts sometimes ship every glyph they own, and edits leave sediment. Where PDF weight actually lives, and what compression can safely remove.
Read the guideSort and dedupe: why "10" comes before "9".
Sorting compares character codes, not meaning — so "10" beats "9", uppercase exiles lowercase, and identical-looking lines refuse to dedupe over a character you can't see. The traps, decoded.
Read the guideWhat word count actually measures.
Three counters, three numbers — whitespace rules, reading-time WPM, CJK segmentation, and why you shouldn't paste drafts into server-side counters.
Read the guideShadow IT at the browser: free tools and sensitive data.
Employees paste JWTs and customer files into random converter sites. What shadow IT looks like now, what actually leaves the machine, and why self-hosted client-side tools are the boring fix.
Read the essayASCII explained: the 128 characters that run the web.
The 1963 teleprinter code that still underpins every URL and source file. Why the table's layout is a set of deliberate tricks — digits that carry their value, case as a single bit — and how UTF-8 made ASCII immortal.
Read the guideAspect ratios: the math behind 16:9 and friends.
Width against height, reduced by the gcd — that's the whole trick. The ratios you'll actually meet, the one formula for resizing without warping, crop-vs-letterbox-vs-stretch, and why "21:9" monitors are really 64:27.
Read the guideHEX, RGB, HSL: one color, three spellings.
#F4A940, rgb(244 169 64), and hsl(35 89% 60%) are the same pixels described three ways. What each notation encodes, when HSL earns its keep, and the perceptual gotcha that none of them solve.
Read the guideHow diff works: the algorithm behind every code review.
Green lines, red lines, @@ headers — something decided which lines "changed." The longest-common-subsequence problem underneath, Myers' shortest-path search, and why moved code always shows as delete-plus-add.
Read the guideRoman numerals: the rules everyone half-remembers.
Why 49 is XLIX and not IL: seven letters, an additive core, and exactly six legal subtractive pairs. Plus the digit-by-digit trick that makes conversion foolproof, the 3999 ceiling, and why clocks say IIII.
Read the guideBase64 explained: why encoded files are 33% bigger.
It's not compression and it's definitely not encryption — Base64 re-spells bytes into 64 text-safe characters, 6 bits per character. How the encoding works bit by bit, where the fixed +33% comes from, and when a data URI helps or hurts.
Read the guideURL encoding: why spaces become %20 (and sometimes +).
Percent-encoding protects a URL's grammar from its data. Which characters need encoding, why a space has two spellings, the JavaScript function most people pick wrong, and the double-encoding bug that turns %20 into %2520.
Read the guideCRC32 vs MD5 vs SHA-256: picking the right check.
They all produce a short fingerprint, but they defend against different threats. CRC32 catches accidental corruption, SHA-256 resists deliberate forgery, and MD5 sits awkwardly in between. What each guarantees and which to use when.
Read the guideOpen Graph tags: how link previews actually work.
The card that appears when you paste a link is built from meta tags by a JavaScript-blind, cache-happy crawler. The eight lines that cover every platform, the image size that works everywhere, and why your fix isn't showing up.
Read the guideKB vs KiB: why your 1TB drive shows 931 gigabytes.
Nobody stole your disk space — "kilobyte" has meant both 1000 and 1024 bytes for half a century, and the gap compounds to 10% at terabyte scale. Where both meanings came from, the exact math, and when to write KiB.
Read the guideMagic numbers: how a file knows what it is.
An extension is a sticker anyone can change; a file's real type lives in its first few bytes. How signatures like %PDF and PK work, why containers share them, and where byte-sniffing stops being reliable.
Read the guideHex, binary, and why programmers count differently.
Every base is one idea — digits times powers. Why programmers reach for 16 and 2, how one hex digit maps to four bits, and the floating-point trap that silently corrupts large hexadecimal values.
Read the guideReading chmod: what 755 actually means.
It's not an incantation — it's three little sums of read (4), write (2), and execute (1). How to read any mode at a glance, what rwx means on a directory, and the setuid/setgid/sticky bits.
Read the guideWhat WCAG contrast ratios actually mean.
It's not the difference between two colors — it's a ratio of relative luminance, weighted toward green, from 1:1 to 21:1. What the formula computes, why a passing pair can still look wrong, and what AA and AAA really require.
Read the guideHow strong is your password, really?
Password strength is entropy, measured in bits — not how many symbols you sprinkle in. What entropy means, why length beats complexity, what the bits mean in real cracking time, and how many you actually need.
Read the guideLorem ipsum: where it comes from.
It's garbled Cicero, and its meaninglessness is the point. Where the text actually comes from, why fake copy helps you judge a layout, and the moment you should rip it out for real words.
Read the guideUUIDv4 vs UUIDv7: why ordered IDs matter.
Random v4 keys fragment your database index and slow inserts at scale. v7 prefixes a timestamp so IDs sort by creation time. The bit layout byte by byte, the trade-offs, and when each version wins.
Read the guideWhy your regex can hang the server.
Catastrophic backtracking, in 1500 words: how a 12-character regex can DoS a service, the three patterns to recognize, and the four ways to actually defend.
Read the guideWhat CSS color-scheme actually controls.
The one-line meta tag that fixes white scrollbars on dark pages. What it changes, what it doesn't, and how it differs from prefers-color-scheme.
Read the guideWhy your SVGs are 3× larger than they need to be.
Most SVGs from Figma, Illustrator, or Inkscape carry 50-80% bloat. Where the bloat comes from, which parts are safe to strip, and which parts will quietly break things.
Read the guideWhat "client-side" actually means.
Five different meanings of "client-side," three ways it still leaks your data, and how to verify any tool's claim for yourself in 90 seconds with DevTools.
Read the essayJSON vs YAML vs TOML: when to use what.
Three formats for roughly the same job, three completely different philosophies. How to pick one without ending up in yet another pull request comment thread nobody wins.
Read the guideA practical Markdown reference.
Compact walkthrough of GFM: what every construct renders to, the traps (hard breaks, tight vs loose lists, underscores-in-words, smart punctuation), and the bits different editors disagree on — footnotes, math blocks, callouts, frontmatter.
Read the referenceWhat's actually in a favicon.ico file, byte by byte.
A binary format from 1995, kept alive on the web by browser habit. An ICO file is a multi-resolution container — BMP and PNG blobs with a small directory at the top. The height-doubling trap, the AND mask, and the eight gotchas worth knowing.
Read the deep diveHTTP status codes: the fifteen that actually matter.
Sixty-plus status codes exist. Fifteen are worth memorizing for REST API design. The ranking, the mistakes I see most often in real-world APIs (401 vs 403, 400-for-everything, missing Retry-After), and what to do about the other forty-eight.
Read the guideColor palettes from photographs: three algorithms, three trade-offs.
Sampling, k-means, median cut. The same photo gives three different palettes — all correct. Which one to pick depends entirely on what question you're trying to answer.
Read the guideCron expressions: a practical guide for the patterns you'll actually use.
Five fields plus a small vocabulary. The patterns that cover 90% of real-world cron, the four mistakes that quietly cause outages, and where cron isn't the right tool.
Read the guideThe LLM JSON problem: why your model's output won't parse.
You asked GPT or Claude or Gemini to return JSON. It returned something that looks like JSON. Your JSON.parse() threw. The four categories of fix that almost always work, in the right order.
JWT decoded: what's actually inside your auth token.
Three Base64 chunks separated by dots. Most developers can identify a JWT on sight; fewer can name what's in each part. A walk through every claim, why the signature matters, and the four mistakes worth knowing about.
Read the guideISO 8601 vs Unix epoch vs human-readable: when to use which.
Three ways to represent a date, three contexts where each one wins — and the five time-handling mistakes I see in production code often enough that I stopped being surprised.
Read the guideA practical regex cheatsheet for forgetful minds.
The tokens, character classes, and patterns you actually reach for — in the order you reach for them, with notes on the ones that trip people up.
Read the cheatsheetEvery favicon size, explained.
Why modern sites need six favicon sizes plus a multi-res .ico and an SVG. What each file does, where to put it, and the HTML snippet that ties them together.
Read the guideQR codes aren't dead — here's what they're good for.
After years of mockery, QR codes quietly became useful again. Here are the six cases they actually solve — and the ones where they're still a cop-out.
Read the essayWhy most "free" online tools aren't actually free.
The five hidden costs of "free" tools — data harvesting, attention arbitrage, upsell funnels, watermarks, account lock-in — and how to spot each before you upload anything sensitive.
Read the essayThe complete guide to image compression in 2026.
A practical, no-nonsense reference for web developers, designers, and bloggers. JPG vs PNG vs WebP vs AVIF, quality settings explained, batch workflows, and the 15-minute checklist that cuts your image weight by 60–80%.
Read the guideThe iPhone HEIC problem — and how to fix it forever.
If you've ever sent an iPhone photo to a Windows user and gotten "I can't open this," you've met HEIC. Here's what it is, why it exists, and three ways to stop caring about it.
Read the guide