Articles
Longer reads that go deeper than a single tool: the math, the standards, and the trade-offs behind the things we build.
Mouse sensitivity math: cm/360, eDPI, and why pros recalibrate
Why your in-game sensitivity number is meaningless on its own, how cm/360 and eDPI fix it, and why pros recalibrate.
Web Gamepad API: DirectInput, XInput, and the mapping confusion
Why Xbox pads just work in the browser but no-name controllers scramble their buttons — standard mapping, XInput, and DirectInput explained.
JSON RFC 8259: subtle details that trip up production parsers
Duplicate keys, big-integer precision, BOMs, and the details RFC 8259 leaves unspecified — where production JSON parsers quietly disagree.
Why 100% client-side tools are safer than self-hosted SaaS for personal data
Why processing personal data entirely in the browser is structurally safer than a self-hosted SaaS tool — and where the trade-offs really lie.
WCAG contrast ratios in real product design — case studies and pitfalls
The exact WCAG AA/AAA thresholds, why grey-on-white fails, the pitfalls contrast checkers miss, and where WCAG 3's APCA is heading.
Human reaction time: simple vs choice RT, age curves, and what actually improves it
Why simple and choice RT are different measures, how Hick's Law governs decision speed, and what exercise, sleep, and practice actually do for your reaction time.
JWT anatomy: header, payload, signature, base64url, and why decoding is not verifying
Three dots, three parts: how JWT encodes header, payload, and signature in base64url, what registered claims do, and why anyone can decode a JWT but only the server can verify it.
Base64 explained: 6-bit grouping, ~33% size inflation, padding, and base64url vs standard
Why three input bytes always become four base64 characters, how the 64-character alphabet was chosen, what the equals-sign padding means and when it can be omitted, and how base64url differs for URL-safe contexts.
Cron expressions demystified: five fields, ranges, steps, and the day-of-week OR trap
How the five cron fields work, what asterisks, slashes, and commas actually do, why setting both day-of-month and day-of-week fires on either match (not both), and why cron on a UTC server fires your @daily job at midnight UTC, not your local midnight.
YAML vs JSON vs TOML: strengths, use cases, and YAML's implicit-typing foot-guns
YAML's unquoted NO becomes boolean false (the Norway problem), tabs silently break indentation, and anchors enable expansion attacks. JSON is deterministic but comment-free. TOML is strongly typed with built-in datetime. Here is when to use each.
HTTP security headers that matter: CSP, HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy explained
CSP stops script injection. HSTS prevents SSL stripping. X-Content-Type-Options kills MIME sniffing. X-Frame-Options blocks clickjacking. Referrer-Policy stops token leakage via the Referer header. Here is how each one works and why all five belong on every site.
Aspect ratio vs resolution: 16:9, 21:9, 4:3 explained, letterboxing, and gaming FOV
Resolution counts pixels; aspect ratio describes shape. A 1920x1080 display and a 3840x2160 display are both 16:9, but '21:9' ultrawide panels are actually 64:27 or 43:18. Hor+ FOV scaling means wider screens show more of the game world, not the same scene stretched.
Colour spaces for the web: sRGB, DCI-P3, Rec.2020, gamma, and why the same hex looks different on two screens
sRGB's red primary coordinates, why DCI-P3 is 26% wider, how Rec.2020 approaches monochromatic primaries, why sRGB gamma is piecewise rather than a pure 2.2, and why the same hex can look over-saturated on a P3 display without OS colour management.