Web Foundations
Protocols, security, accessibility, and core browser APIs that underpin the web.
Browse by Topic
Security & Auth
Application security, auth models, and defensive controls.
Networking & Protocols
HTTP, TLS, DNS, and protocol negotiation for the modern web.
Browser APIs
Core browser APIs for DOM, storage, networking, and workers.
Accessibility Standards
WCAG guidance, testing, and inclusive design patterns.
All Articles (18 articles)
- CSRF and CORS Defense for Modern Web Applications
  Web Foundations / Security & Auth, 15 min read
  A deep dive into Cross-Site Request Forgery (CSRF) and Cross-Origin Resource Sharing (CORS)—their threat models, specification-level mechanics, and defense-in-depth implementation patterns for production web applications.
- OAuth 2.0 and OIDC Flows: Authorization Code to PKCE
  Web Foundations / Security & Auth, 16 min read
  A comprehensive technical analysis of OAuth 2.0 authorization flows, the OpenID Connect (OIDC) identity layer, the PKCE security mechanism, and token lifecycle management for secure authentication and authorization implementations.
- Web Application Security Architecture
  Web Foundations / Security & Auth, 15 min read
  A defense-in-depth guide to security controls, threat mitigation strategies, and implementation patterns for modern web applications—covering security headers, authentication, cryptography, and the OWASP Top 10:2025.
- Authentication Foundations: Sessions, Tokens, and Trust
  Web Foundations / Security & Auth, 23 min read
  An in-depth technical analysis of AAA frameworks for expert practitioners, exploring modern authentication mechanisms, authorization models, access control paradigms, and their implementation patterns with Node.js examples.
- OWASP Top 10: Web Application Security Risks
  Web Foundations / Security & Auth, 12 min read
  The OWASP Top 10 is a ranked list of the most critical web application security risks, derived from real-world vulnerability data. The 2025 edition analyzed 2.8 million applications with 589 CWE (Common Weakness Enumeration) mappings across 248 categories, making it the definitive baseline for application security priorities.
- HTTP/3 and QUIC: Transport Layer Revolution
  Web Foundations / Networking & Protocols, 16 min read
  HTTP/3 eliminates TCP’s head-of-line blocking by building HTTP directly on QUIC, a UDP-based transport with integrated TLS 1.3. This article covers QUIC’s design rationale, the TLS 1.3 integration that enables 1-RTT handshakes, 0-RTT security trade-offs, and the DNS/Alt-Svc discovery mechanisms browsers use for protocol negotiation.
- HTTP/1.1 to HTTP/2: Bottlenecks and Multiplexing
  Web Foundations / Networking & Protocols, 10 min read
  How HTTP/1.1’s request-response model and application-layer head-of-line (HOL) blocking led to HTTP/2’s binary framing, HPACK header compression, and stream multiplexing. This article covers the architectural constraints, design trade-offs, and remaining TCP-layer limitations that motivated HTTP/3.
- TLS 1.3 Handshake and HTTPS Hardening
  Web Foundations / Networking & Protocols, 15 min read
  How TLS 1.3 achieves 1-RTT handshakes, enforces forward secrecy by design, and what production HTTPS hardening actually requires—from certificate chains and OCSP stapling to HSTS preload and 0-RTT replay risks.
- DNS Security and Privacy: DNSSEC, DoH, and DoT
  Web Foundations / Networking & Protocols, 18 min read
  Traditional DNS transmits queries in plaintext over UDP port 53—visible to any network observer and trivially spoofable. This creates two distinct security gaps: authenticity (how do you know the response is legitimate?) and confidentiality (who can see what you’re querying?). DNSSEC (Domain Name System Security Extensions) addresses authenticity through cryptographic signatures. DoH (DNS over HTTPS) and DoT (DNS over TLS) address confidentiality through encryption. These technologies solve different problems and operate independently—a zone can be DNSSEC-signed without using encrypted transport, and encrypted DNS works without DNSSEC validation.
- DNS Troubleshooting Playbook
  Web Foundations / Networking & Protocols, 17 min read
  A systematic approach to diagnosing DNS outages, propagation delays, and resolution failures. This playbook provides decision trees for symptom-driven triage, command recipes for isolating failures across the resolution chain, and DNSSEC (Domain Name System Security Extensions) debugging workflows for the most common signing failures.
- DNS Records, TTL Strategy, and Cache Behavior
  Web Foundations / Networking & Protocols, 16 min read
  DNS records encode more than addresses—they define routing policies, ownership verification, security constraints, and service discovery. TTL (Time To Live) values control how long resolvers cache these records, creating a fundamental trade-off between propagation speed and query load. This article covers record types in depth, TTL design decisions for different operational scenarios, and the caching behaviors that determine how quickly DNS changes take effect.
- DNS Resolution Path: Stub to Recursive to Authoritative
  Web Foundations / Networking & Protocols, 13 min read
  A DNS query traverses multiple actors before returning an answer: the stub resolver, the recursive resolver, and a chain of authoritative servers (root, TLD, domain). Each hop introduces latency, caching decisions, and potential failure modes. Understanding this path is essential for diagnosing resolution delays, debugging SERVFAIL responses, and architecting systems that depend on DNS availability.
- Web Workers and Worklets for Off-Main-Thread Work
  Web Foundations / Browser APIs, 15 min read
  Concurrency primitives for keeping the main thread responsive. Workers provide general-purpose parallelism via message passing; worklets integrate directly into the browser’s rendering pipeline for synchronized paint, animation, and audio processing.
- Service Workers and Cache API
  Web Foundations / Browser APIs, 17 min read
  A comprehensive exploration of offline-first web architecture, examining how the Service Worker API (W3C Working Draft, January 2026) enables network interception and background processing, how the Cache API provides fine-grained storage for request/response pairs, and how update flows ensure clients transition safely between versions. These APIs form the foundation of Progressive Web Apps (PWAs): service workers intercept fetches and decide response sources, the Cache API stores those responses durably, and the lifecycle model ensures exactly one version controls clients at any time.
- Fetch, Streams, and AbortController
  Web Foundations / Browser APIs, 20 min read
  A comprehensive exploration of the modern web’s network primitives, examining how the Fetch Standard (WHATWG Living Standard, January 2026) unifies request/response handling across all platform features, how the Streams Standard enables incremental data processing with automatic backpressure, and how AbortController/AbortSignal (DOM Standard Section 3.3) provide composable cancellation semantics. These three APIs form an integrated system: Fetch exposes response bodies as ReadableStreams, Streams propagate backpressure through pipe chains, and AbortSignal enables cancellation at any point in the pipeline.
- DOM API Essentials: Structure, Traversal, and Mutation
  Web Foundations / Browser APIs, 22 min read
  A comprehensive exploration of DOM APIs, examining the interface hierarchy design decisions, selector return type differences, and the modern Observer pattern for efficient DOM monitoring. The DOM Standard (WHATWG Living Standard, last updated January 2026) defines a layered inheritance model where each interface adds specific capabilities while maintaining backward compatibility—understanding this design reveals why certain methods exist on Element rather than HTMLElement and why selector APIs return different collection types with distinct liveness semantics.
- Accessibility Testing and Tooling Workflow
  Web Foundations / Accessibility Standards, 14 min read
  A practical workflow for automated and manual accessibility testing, covering tool selection, CI/CD integration, and testing strategies. Automated testing catches approximately 57% of accessibility issues (Deque, 2021)—the remaining 43% require keyboard navigation testing, screen reader verification, and subjective judgment about content quality. This guide covers how to build a testing strategy that maximizes automated coverage while establishing the manual testing practices that no tool can replace.
- WCAG 2.2: Practical Accessibility Guide
  Web Foundations / Accessibility Standards, 16 min read
  Web Content Accessibility Guidelines (WCAG) 2.2 became a W3C Recommendation in October 2023, adding 9 new success criteria focused on cognitive accessibility, mobile interaction, and focus visibility. This guide covers implementation strategies for semantic HTML, ARIA patterns, and testing methodologies—practical knowledge for building inclusive web experiences that meet legal requirements in the US (ADA) and EU (European Accessibility Act).