<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Bytefork — blog</title><description>Long-form notes on debugging, dev tools, AI, hardware, and privacy-respecting workflows.</description><link>https://bytefork.tools/</link><language>en-us</language><item><title>GraphQL introspection: what it exposes and when to turn it off</title><link>https://bytefork.tools/blog/graphql-introspection-exposure/</link><guid isPermaLink="true">https://bytefork.tools/blog/graphql-introspection-exposure/</guid><description>Introspection lets any client download your entire schema — every type, field, argument, and deprecation note — with one query. Great in development, a reconnaissance gift in production. What __schema returns, how it is abused, and the right way to lock it down.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>graphql</category><category>security</category><category>api</category><enclosure url="https://bytefork.tools/blog/graphql-introspection-exposure/hero.webp" length="26860" type="image/webp"/></item><item><title>What a HAR file leaks — and how to scrub it before you share it</title><link>https://bytefork.tools/blog/har-file-leaks-tokens-and-cookies/</link><guid isPermaLink="true">https://bytefork.tools/blog/har-file-leaks-tokens-and-cookies/</guid><description>A .har export from your browser Network panel captures every request and response — Authorization headers, session cookies, CSRF tokens, full request bodies. Here is what is inside, why support keeps asking for one, and how to redact it safely.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>security</category><category>privacy</category><category>http</category><enclosure url="https://bytefork.tools/blog/har-file-leaks-tokens-and-cookies/hero.webp" length="14004" type="image/webp"/></item><item><title>A JWT is not encrypted, and decoding it is not verifying it</title><link>https://bytefork.tools/blog/jwt-alg-none-and-decode-vs-verify/</link><guid isPermaLink="true">https://bytefork.tools/blog/jwt-alg-none-and-decode-vs-verify/</guid><description>The three base64url segments of a JWT are readable by anyone — decoding tells you what a token claims, not whether the claim is true. The structure, the decode-versus-verify gap, and the alg:none and RS256-to-HS256 attacks that turn that gap into account takeover.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>security</category><category>jwt</category><category>authentication</category><enclosure url="https://bytefork.tools/blog/jwt-alg-none-and-decode-vs-verify/hero.webp" length="20068" type="image/webp"/></item><item><title>Unix timestamp bugs: seconds vs milliseconds, Y2038, and the off-by-1000 that ships</title><link>https://bytefork.tools/blog/unix-timestamp-pitfalls-ms-vs-seconds/</link><guid isPermaLink="true">https://bytefork.tools/blog/unix-timestamp-pitfalls-ms-vs-seconds/</guid><description>The Unix epoch is simple until it is not. Milliseconds versus seconds, signed 32-bit overflow in 2038, leap-second smearing, and timezone assumptions cause real production bugs. The field guide with the conversions that actually matter.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>javascript</category><category>time</category><category>debugging</category><enclosure url="https://bytefork.tools/blog/unix-timestamp-pitfalls-ms-vs-seconds/hero.webp" length="46066" type="image/webp"/></item><item><title>Base64 is not encryption — stop treating it like a secret</title><link>https://bytefork.tools/blog/base64-is-not-encryption/</link><guid isPermaLink="true">https://bytefork.tools/blog/base64-is-not-encryption/</guid><description>Base64 is a reversible text encoding with no key. Anyone can decode it in one line. Here is why it keeps getting mistaken for protection — in Basic Auth, JWTs, and Kubernetes Secrets — and what each of those actually relies on.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>security</category><category>base64</category><category>encoding</category><enclosure url="https://bytefork.tools/blog/base64-is-not-encryption/hero.webp" length="48274" type="image/webp"/></item><item><title>What your PDF quietly leaks — and how to strip it in the browser</title><link>https://bytefork.tools/blog/pdf-metadata-leaks-and-how-to-strip-them/</link><guid isPermaLink="true">https://bytefork.tools/blog/pdf-metadata-leaks-and-how-to-strip-them/</guid><description>PDFs carry an Info dictionary and an XMP stream that record author name, the exact software and version that made the file, timestamps, and sometimes earlier revisions. Here is what is in there and how to remove it without uploading the file anywhere.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>pdf</category><category>privacy</category><category>metadata</category><enclosure url="https://bytefork.tools/blog/pdf-metadata-leaks-and-how-to-strip-them/hero.webp" length="63108" type="image/webp"/></item><item><title>UUID v7 vs v4: why random primary keys wreck your index</title><link>https://bytefork.tools/blog/uuid-v7-vs-v4-database-index-locality/</link><guid isPermaLink="true">https://bytefork.tools/blog/uuid-v7-vs-v4-database-index-locality/</guid><description>Random UUID v4 primary keys scatter inserts across a B-tree, causing page splits and cache churn. UUID v7 is time-ordered and inserts append to the right edge. Here is the mechanism, per database engine.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>database</category><category>uuid</category><category>performance</category><enclosure url="https://bytefork.tools/blog/uuid-v7-vs-v4-database-index-locality/hero.webp" length="104086" type="image/webp"/></item><item><title>ffmpeg.wasm in 2026: what actually runs in a browser tab and what does not</title><link>https://bytefork.tools/blog/ffmpeg-wasm-browser-video-2026/</link><guid isPermaLink="true">https://bytefork.tools/blog/ffmpeg-wasm-browser-video-2026/</guid><description>A practical look at ffmpeg compiled to WebAssembly — what video work it does well in a browser tab, where it stalls, the COOP/COEP headers it needs to run multithreaded, and the size cost of shipping a video editor with no backend.</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>video</category><category>wasm</category><category>performance</category><enclosure url="https://bytefork.tools/blog/ffmpeg-wasm-browser-video-2026/hero.webp" length="26566" type="image/webp"/></item><item><title>iPhone video to YouTube Shorts: why your 4K HEVC clip gets rejected and how to fix it in the browser</title><link>https://bytefork.tools/blog/iphone-video-to-youtube-shorts-browser/</link><guid isPermaLink="true">https://bytefork.tools/blog/iphone-video-to-youtube-shorts-browser/</guid><description>iPhones record 4K HEVC at 16:9 by default. YouTube Shorts wants 9:16 vertical MP4 under 60 seconds. The mismatch causes silent upload failures, letterboxed playback, and quality loss. Here is the conversion in two browser-only steps, with no upload to a third-party service.</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>video</category><category>codecs</category><category>workflow</category><enclosure url="https://bytefork.tools/blog/iphone-video-to-youtube-shorts-browser/hero.webp" length="51322" type="image/webp"/></item><item><title>Passphrases beat passwords on every axis except habit — and the math is not close</title><link>https://bytefork.tools/blog/passphrase-vs-password-memorable-sentences/</link><guid isPermaLink="true">https://bytefork.tools/blog/passphrase-vs-password-memorable-sentences/</guid><description>A 4-word EFF diceware passphrase has more entropy than a 12-character random password and is dramatically easier to remember. NIST has recommended length over complexity since 2017. Here is the math, the standards, and why memorable-sentence generators are the right default in 2026.</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>security</category><category>passwords</category><category>entropy</category><enclosure url="https://bytefork.tools/blog/passphrase-vs-password-memorable-sentences/hero.webp" length="35294" type="image/webp"/></item><item><title>Cron day-of-week numbering: POSIX vs Quartz vs AWS (the trap that bites everyone moving expressions between systems)</title><link>https://bytefork.tools/blog/cron-day-of-week-numbering-trap/</link><guid isPermaLink="true">https://bytefork.tools/blog/cron-day-of-week-numbering-trap/</guid><description>Sunday is 0 in POSIX cron, 1 in Quartz, and 1 in AWS EventBridge — and the difference silently shifts your job by a day. A field-by-field guide to the four dialects you will actually encounter, with a side-by-side comparison and the conversion rules.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>cron</category><category>devops</category><category>kubernetes</category></item><item><title>JSON.parse error: &quot;Unexpected token at position N&quot; — what it means and how to fix it</title><link>https://bytefork.tools/blog/json-parse-unexpected-token/</link><guid isPermaLink="true">https://bytefork.tools/blog/json-parse-unexpected-token/</guid><description>Decoding the most common JSON.parse error in JavaScript: how to find the byte offset, what each variant of the message means in Chrome / Firefox / Safari, and the five mistakes that trigger it.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>json</category><category>debugging</category><category>javascript</category></item><item><title>How to validate a Kubernetes manifest in 10 seconds without kubectl</title><link>https://bytefork.tools/blog/validate-kubernetes-manifest-in-10-seconds/</link><guid isPermaLink="true">https://bytefork.tools/blog/validate-kubernetes-manifest-in-10-seconds/</guid><description>A fast browser-only workflow for syntax-checking a YAML manifest, converting it to JSON for tooling that does not speak YAML, and avoiding the silent type coercions that bite production deploys.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>kubernetes</category><category>yaml</category><category>devops</category></item></channel></rss>