> blog

short posts on the tools this site ships and the plumbing behind them.

• Base64 isn't encryption

  2026-04-18 · base64 · encoding · security

  Base64 is a reversible mapping. Anyone can reverse it. If the raw value is secret, base64 doesn't help.

• How to decode a JWT without verifying

  2026-04-18 · jwt · auth · security

  Inspecting a token's payload is a read operation. Verification is a trust decision. They are not the same step, and conflating them causes auth bugs.

• DNS over HTTPS: a Cloudflare primer

  2026-04-18 · dns · doh · cloudflare · privacy

  Classical DNS is plaintext UDP — anyone on the path can read or forge your queries. DoH moves resolution over HTTPS, encrypting the transport. Here is how Cloudflare's endpoint works and why the JSON format matters for browser-side tools.

• Reading the real client IP from Vercel edge headers

  2026-04-18 · vercel · edge · http-headers · nextjs

  Behind a CDN the socket address is always the edge node. The real client IP travels in x-forwarded-for — here is how to read it safely in a Next.js 15 route handler.

• UUIDv4 vs UUIDv7: why timestamp ordering matters for databases

  2026-04-18 · uuid · postgres · databases · performance

  Random UUIDs fragment btree indexes. UUIDv7 fixes that with a millisecond timestamp prefix while keeping the same wire format as UUIDv4.