The Lie of the .env File

Your secrets aren't safe just because they're not in the code. They're hiding in a different place.

Tags: appsec, secrets management, infrastructure

The Number Dispenser

Rate limiting sounds boring until it's the only thing between your system and total collapse.

Tags: appsec, infrastructure, resilience

The Bouncer That Confuses Everyone

CORS isn't a security feature. It's a relaxation of one. That gap is where the misconfigurations live.

Tags: appsec, web security, fundamentals

The Silent Partner

Refresh tokens do the quiet work of keeping you logged in. They're also the thing nobody thinks to protect.

Tags: appsec, identity, session security

The Dialog Box You Never Read

That "Allow Access?" screen is doing more than you think. And sometimes less.

Tags: appsec, identity, oauth

The Self-Signed Permission Slip

JWTs feel like freedom until you need to take one back.

Tags: appsec, identity, tokens

The Flimsy Wristband

Why the thing keeping you logged in matters more than your password.

Tags: appsec, identity, session security

Turns Out I've Been Taking Notes

How a pile of scratch notes became whatever this is.