Notes from the workshop.
Writing about small tools, web performance, and the craft of shipping useful things on the internet. Short, practical, no fluff. Follow along via Atom feed.
Why your regex can hang the server.
Catastrophic backtracking, in 1500 words: how a 12-character regex can DoS a service, the three patterns to recognize, and the four ways to actually defend.
Read the guide
What CSS color-scheme actually controls.
The one-line meta tag that fixes white scrollbars on dark pages. What it changes, what it doesn't, and how it differs from prefers-color-scheme.
Read the guide
Why your SVGs are 3× larger than they need to be.
Most SVGs from Figma, Illustrator, or Inkscape carry 50-80% bloat. Where the bloat comes from, which parts are safe to strip, and which parts will quietly break things.
Read the guide
What "client-side" actually means.
Five different meanings of "client-side," three ways it still leaks your data, and how to verify any tool's claim for yourself in 90 seconds with DevTools.
Read the essay
JSON vs YAML vs TOML: when to use what.
Three formats for roughly the same job, three completely different philosophies. How to pick one without ending up in yet another pull request comment thread nobody wins.
Read the guide
A practical Markdown reference.
Compact walkthrough of GFM: what every construct renders to, the traps (hard breaks, tight vs loose lists, underscores-in-words, smart punctuation), and the bits different editors disagree on — footnotes, math blocks, callouts, frontmatter.
Read the reference
What's actually in a favicon.ico file, byte by byte.
A binary format from 1995, kept alive on the web by browser habit. An ICO file is a multi-resolution container — BMP and PNG blobs with a small directory at the top. The height-doubling trap, the AND mask, and the eight gotchas worth knowing.
Read the deep dive
HTTP status codes: the fifteen that actually matter.
Sixty-plus status codes exist. Fifteen are worth memorizing for REST API design. The ranking, the mistakes I see most often in real-world APIs (401 vs 403, 400-for-everything, missing Retry-After), and what to do about the other forty-eight.
Read the guide
Color palettes from photographs: three algorithms, three trade-offs.
Sampling, k-means, median cut. The same photo gives three different palettes — all correct. Which one to pick depends entirely on what question you're trying to answer.
Read the guide
Cron expressions: a practical guide for the patterns you'll actually use.
Five fields plus a small vocabulary. The patterns that cover 90% of real-world cron, the four mistakes that quietly cause outages, and where cron isn't the right tool.
Read the guide
The LLM JSON problem: why your model's output won't parse.
You asked GPT or Claude or Gemini to return JSON. It returned something that looks like JSON. Your JSON.parse() threw. The four categories of fix that almost always work, in the right order.
JWT decoded: what's actually inside your auth token.
Three Base64 chunks separated by dots. Most developers can identify a JWT on sight; fewer can name what's in each part. A walk through every claim, why the signature matters, and the four mistakes worth knowing about.
Read the guide
ISO 8601 vs Unix epoch vs human-readable: when to use which.
Three ways to represent a date, three contexts where each one wins — and the five time-handling mistakes I see in production code often enough that I stopped being surprised.
Read the guide
A practical regex cheatsheet for forgetful minds.
The tokens, character classes, and patterns you actually reach for — in the order you reach for them, with notes on the ones that trip people up.
Read the cheatsheet
Every favicon size, explained.
Why modern sites need six favicon sizes plus a multi-res .ico and an SVG. What each file does, where to put it, and the HTML snippet that ties them together.
Read the guide
QR codes aren't dead — here's what they're good for.
After years of mockery, QR codes quietly became useful again. Here are the six cases they actually solve — and the ones where they're still a cop-out.
Read the essay
Why most "free" online tools aren't actually free.
The five hidden costs of "free" tools — data harvesting, attention arbitrage, upsell funnels, watermarks, account lock-in — and how to spot each before you upload anything sensitive.
Read the essay
The complete guide to image compression in 2026.
A practical, no-nonsense reference for web developers, designers, and bloggers. JPG vs PNG vs WebP vs AVIF, quality settings explained, batch workflows, and the 15-minute checklist that cuts your image weight by 60–80%.
Read the guide
The iPhone HEIC problem — and how to fix it forever.
If you've ever sent an iPhone photo to a Windows user and gotten "I can't open this," you've met HEIC. Here's what it is, why it exists, and three ways to stop caring about it.
Read the guide