Series

How the Internet Works: The Full Journey

The complete map — every stage of the journey from typing google.com to pixels on your screen. Start here. Every other post in this series is one leg of this same trip.

What Happens When You Press Enter?

Before a single packet leaves your machine, the browser runs four silent checks — HSTS enforcement, Service Worker intercept, DNS cache, HTTP cache. Only if all four miss does it touch the network. This post maps every step.

DNS Resolution: How google.com Becomes an IP Address

Your browser knows "google.com" but routers only understand IP addresses. DNS is the distributed translation system between the two — a 5-hop conversation that happens in under 20ms. This post traces every step.

DNS Records, dig, Glue Records & Modern DNS

The DNS resolution journey ends at a nameserver holding DNS records. This post covers every record type that matters in practice, how to read and query them with dig, the glue record bootstrap problem, the DNS wire format, and how DoH and DoT encrypt the query.

Promises in Depth - Series Intro

A complete guide to JavaScript Promises — from why they exist to building a spec-compliant polyfill from scratch. 30 posts covering everything a JavaScript developer needs to truly understand async.

The World Before Promises

Before you can truly understand Promises, you need to understand the environment they were built for. This post covers the JavaScript event loop, call stack, task queues, and what blocking the thread actually looks like in practice.

Callbacks — The Original Async Pattern

Callbacks were JavaScript's first answer to async programming. They worked — until they didn't. This post covers how callbacks actually work, why they collapse under complexity, and the two deeper problems that no amount of refactoring can fix.

Security for Frontend Engineers: Beyond the Basics

The attack surface map — four layers where a web app gets compromised, and the skills this series builds from scratch. Eleven posts, one fictional app, every major frontend attack vector covered end to end. Start here.

XSS Anatomy: Every Variant, Every Vector

XSS is not one attack — it's four. This post dissects every variant, maps every sink and source, and shows exactly which React patterns undo framework-level protection.

Content Security Policy: Not Just a Header

CSP is the second line of defence after XSS prevention fails. This post goes beyond "add the header" — nonce strategy, strict-dynamic, bypass patterns, and how to deploy without breaking your app.

CORS: Beyond 'Just Add the Header'

Most CORS fixes are copied and pasted. This post builds the Same-Origin Policy from first principles, traces the full preflight, and shows the wildcard trap, Vary header problem, and CORS misconfigurations that ship to production.

CSRF: How Browsers Betray You (and the Token That Stops It)

CSRF exploits the fact that browsers attach cookies to every cross-site request — automatically, invisibly, without asking. This post shows the attack in full, explains why CORS doesn't stop it, and builds the server-side defences that do.

Cookie Defences: SameSite, Prefixes, and Fetch Metadata

Synchronizer tokens stop CSRF at the server. SameSite, __Host- prefix, and Fetch metadata stop it at the browser — before the forged request ever reaches business logic. This post covers every cookie security attribute and the Fetch metadata guard that completes the defence.

HTTP Security Headers: Closing the Gaps CSP Doesn't Cover

CSP and CORS get the attention, but five other HTTP response headers each close a specific attack vector that everything else leaves open. This post covers clickjacking, SSL stripping, MIME sniffing, referrer leakage, and cross-origin window access — and the one-line server changes that stop each one.

Supply Chain Attacks: When Your Dependencies Attack You

The average React app has over a thousand transitive dependencies you never reviewed. A supply chain attack compromises one of them upstream — and every downstream user is affected without changing a line of their own code. This post shows how it works and what actually helps.

Subresource Integrity & Third-Party Script Trust

Every third-party script you load from a CDN extends your attack surface to include that CDN's entire security posture. SRI locks a script to a specific content hash — if the CDN is compromised and the file changes, the browser refuses to execute it. This post covers SRI, its limits, and what comes after it.

The Frontend Security Interview Playbook

Senior frontend security interviews don't test recall — they test structured reasoning. This post gives you the threat-model framework, a repeatable audit answer structure, decision tools for XSS mitigation choices, four scenario walkthroughs, and a code review red flags checklist.

Frontend Security: Live Interview Simulation

Four complete interview scenarios with escalating follow-up questions — XSS/CSP, CORS, CSRF/cookies, and supply chain. See how a strong answer sounds, what a partial answer is missing, and how follow-ups test whether the reasoning is real.

The Security Mindset: From Checklist to Instinct

The series is done. The practice isn't. This post closes DevForum's story with a complete before/after security posture, four mental models that outlast any specific vulnerability, the evergreen questions to ask in any code review, and where to go next.