Dev Desk
Developer Tools Editor
The dev desk covers JSON, XML, YAML, JWT, Base64, regex, cron, hashing and anything else that earns a spot in your bookmarks between commits. Every claim is backed by the RFC or the reference implementation.
21 posts
- Encoding
Base64 encoding across 5 languages: JavaScript, Python, Go, Rust, PHP
Idiomatic Base64 and Base64URL encoding/decoding in JS, Python, Go, Rust, and PHP — with the standard-library one-liners and the gotchas each language buries.
- Encoding
Hashing in 2026: SHA-256, HMAC and PBKDF2 across Node, Python, Go, Rust
Which stdlib function to reach for, which library to avoid, and the one-liner that gets you SHA-256 + HMAC-SHA256 in each of the big runtimes.
- Developer
Generating UUIDs across languages: stdlib vs libraries in 2026
v4 and v7 in JavaScript, Python, Go, Rust and PHP — which ships in the standard library, which needs a package, and the one-liner that works today.
- Cheatsheet
HTTP status codes: the only reference you'll need
Every HTTP status code with plain-English meaning — when to send which, when to care about the distinction, and the codes you can usually ignore.
- Cheatsheet
ISO 8601 date format cheatsheet: every variant with examples
The only date format you should be storing and serialising in 2026. Every shape, the pitfalls, and the quick reference for parsing.
- Encoding
How to verify webhook signatures: Stripe, GitHub, Slack
Every major webhook provider signs their requests with HMAC. Here's the working verification code for each, the timing-attack pitfall everyone hits, and a universal template.
- Developer
Why your regex is slow: catastrophic backtracking explained
The reason `(a+)+b` hangs on `aaaaaaaaac` — and the five patterns that turn a 10ms validator into a 30-second ReDoS attack.
- Data
CSV parsing is harder than you think (and why `split(',')` isn't enough)
Quoted fields, escaped quotes, embedded newlines, UTF-8 BOMs, Excel's opinions. A tour of every CSV footgun and the libraries that handle them.
- Data
NaN, null and undefined in JSON: what serialises to what
JSON has null. JavaScript has null, undefined and NaN. Python has None. This is the table of what survives each conversion — and the traps everyone hits.
- Developer
Timezone conversion: the edge cases that bite
DST, half-hour offsets, timezones with historical changes, and the midnight that doesn't exist. If your code assumes 24 hours a day, it's wrong.
- Encoding
How to generate a strong password (and what entropy means)
Length beats complexity. Here's the math, the actual number of bits you need, and why `correct horse battery staple` is stronger than `P@ssw0rd!`.
- Encoding
Base64URL vs Base64: when the extra characters matter
The + / = characters in standard Base64 break URLs, filenames, and JWT headers. Base64URL is the fix — and it's almost but not quite a drop-in replacement.
- Encoding
What is HMAC (and why SHA-256 alone isn't enough)?
HMAC is how you prove a message wasn't tampered with. It's SHA-256 plus a clever wrapping you should never try to reinvent.
- Cheatsheet
Cron schedule cheatsheet: 50 patterns with explanations
Copy-paste cron expressions for every common cadence — every minute, every night, every weekday, every quarter, business hours only, and 45 more.
- Developer
UUID v4 vs v7: which should you use in 2026?
v4 is random. v7 is time-sortable. Here's what that means for your database, your caches, and whether you can stop using auto-increment IDs.
- Cheatsheet
Complete regex cheatsheet (with copy-paste patterns that actually work)
Every metacharacter, every flag, and 30 real-world patterns for email, IP, date, URL, slug, credit-card and more. All testable in the browser.
- Data
How to convert JSON to YAML (and back) without breaking things
JSON ↔ YAML looks simple until you hit anchors, multi-line strings, booleans that aren't booleans, and the Norway problem.
- Developer
Cron syntax explained: a no-nonsense guide
Cron is five fields in a line of text. This is what each one means, what the specials do, and why `0 0 * * 0` runs weekly.
- Encoding
Base64 explained: what it is, what it isn't, and when to use it
Base64 is everywhere — emails, JWTs, data URLs, certificates. Here's what it actually does, and what it doesn't (encryption!).
- Data
JSON vs XML in 2026: which should you actually use?
JSON won the API war — but XML still rules in finance, government, and SOAP. Here's a no-nonsense breakdown of when each makes sense.
- Developer
What is a JWT? A practical guide for developers in 2026
JSON Web Tokens explained simply: what they are, how they work, when to use them — and how to inspect one safely.