The AldeaCode
Blog.
Technical posts on web performance, security, SEO, JWT, Web Crypto, Base64, regex, slugs, password hashing, and everything else that text utilities touch. No fluff, real RFC citations, working code samples in JS, Python, SQL.
Latest
60+ Free Privacy-First Web Tools (2026)
A curated list of 60+ browser-based web tools you can use without signup, without upload, without subscription. Privacy-first by design.
All articles
43 moreFree SEO Tools You Can Use Without an Account (2026)
20+ free SEO tools that work in your browser without signup: slug generator, URL cleaner, contrast checker, alt text helper and more. No login, no upload.
X / Twitter Character Limits in 2026 (+ LinkedIn, SEO, SMS)
Character limits for X (Twitter), LinkedIn, Instagram, SEO meta tags, SMS and push notifications in 2026. With a free counter that runs in your browser.
Convert Hex to OKLCH (and RGB, HSL): When to Use Each
Convert hex, RGB, HSL and OKLCH the right way in CSS. Plain rules for modern color spaces and design tokens that stay coherent.
How to Create a Strong Password You Can Remember (2026)
What makes a strong password in 2026, why length beats clever tricks, and how to generate one in your browser. No app, no upload, no account needed.
Convert Unix Timestamp to Date: Avoid the Timezone Bug
Convert Unix timestamps to dates without timezone or seconds-vs-milliseconds bugs. Snippets for Bash, Python, PostgreSQL and Go.
Base64 vs Hex: Which Encoding to Use and When
Base64 vs hex encoding compared: output size, readability, URL safety and edge cases. Choose the right encoding for tokens, hashes and binary data.
Common CSV Problems and How to Fix Them
Common CSV file problems explained: delimiters, quoting, embedded newlines, UTF-8 encoding and locale decimals. Practical fixes you can run in your browser.
How to Convert CSV to JSON Without Losing Data
Convert CSV to JSON step by step: delimiters, quoted fields, headers, encoding and the silent BOM. A practical checklist you can run in your browser.
How to Hash Passwords in 2026: bcrypt vs Argon2id (OWASP)
Hash passwords safely in 2026: bcrypt cost 12, Argon2id 64 MB memory, scrypt as fallback. Pick parameters, add a pepper, plan migration. OWASP-aligned.
JSON vs YAML vs TOML: Which One to Use
JSON vs YAML vs TOML compared: syntax, comments, parser support and common errors. Pick the right config file format for APIs, configs and data.
Where to Store JWT Tokens: Cookies vs localStorage
Where to store a JWT in 2026: HttpOnly cookies, readable sidecars, CSRF and XSS tradeoffs. The pragmatic JWT cookie pattern, with code.
How to Decode a JWT: Header, Payload, Signature
Decode a JWT and read the header, payload and signature in your browser. No upload, no token leak. A 30 second routine for debugging JWT tokens.
JWT vs Session Cookies: Which to Use in 2026
JWT vs session cookies compared on revocation, scaling, size and attack surface. A clear guide to picking the right auth approach in 2026.
What Does Lorem Ipsum Mean? Origin and Better Alternatives
Where lorem ipsum comes from (Cicero, 45 BCE), why it became the default placeholder text, when filler hurts UX work and modern alternatives worth using.
Regex Lookahead and Lookbehind: 4 Patterns That Work in 2026
Positive lookahead, negative lookbehind, variable width: the 4 regex patterns you actually need. Where each one works across JavaScript, Python, PCRE, Go and Rust.
What Is ROT13? History, Examples and Where It Still Works
ROT13 is a Caesar cipher with offset 13, born on Usenet in the 1980s. How it works, why it is not real encryption and where it still has a job in 2026.
How to Write Good URL Slugs for SEO (2026 Guide)
Pick URL slugs that age well: strip accents, use hyphens not underscores, set a Unicode policy and avoid migrations that bleed link equity.
How WordPress, Ghost, Contentful and 6 More Generate Slugs
How nine CMS platforms turn titles into URL slugs: WordPress, Ghost, Contentful, Strapi, Webflow and more. Defaults, gotchas, migration tips.
Text Diff Algorithms Explained: Myers, Patience, Histogram
How text diff algorithms work: Myers, Hunt-Szymanski, patience and histogram. Which one Git uses by default and when to switch for cleaner pull requests.
encodeURIComponent vs encodeURI: URL Encoding Cheatsheet
When to use encodeURIComponent vs encodeURI in JavaScript, plus reserved characters, the plus sign space bug and percent encoding rules that work.
How to Generate a UUID in JavaScript (2026 Guide)
Generate a UUID in JavaScript with crypto.randomUUID, no npm package needed. When to choose ULID, when to add salt, plus browser and Node.js examples.
UUID vs Auto Increment ID: Which Primary Key to Use
UUID vs auto increment integer primary keys compared: index performance, security, distribution and the new UUIDv7 option for PostgreSQL and MySQL.
What is the Web Crypto API: A Practical Guide
What the Web Crypto API is, what SubtleCrypto can do, when to use it and when to skip it. Key storage, limits and real footguns explained.
SHA-256 in JavaScript: Hash in the Browser
Compute SHA-256 in JavaScript with crypto.subtle. Hash strings and files in the browser, pick the right algorithm, avoid the password hashing trap.
Is bcrypt Still Secure in 2026? bcrypt vs Argon2id
Is bcrypt safe to use in 2026? Compare bcrypt vs Argon2id on cost factor, GPU resistance and memory hardness. When bcrypt is still the safer default.
AEPD Cookie Banner Compliance: Reject Button Rules 2026
AEPD requires reject to be as easy as accept. Technical checklist for a legal cookie consent banner: buttons, layout, logging, and granular control.
Cookie Banner Dark Patterns in Newspapers: What's Illegal
Asymmetric buttons, pay or OK walls, and pre-ticked legitimate interest. The dark patterns the EDPB and AEPD have already ruled illegal.
llms.txt File: How to Set It Up (Astro, WordPress, Shopify)
What llms.txt is and how to add it to your site so ChatGPT, Claude, and Perplexity can read it. Copy paste setup for Astro, WordPress, Shopify, Nginx.
Clickjacking: X-Frame-Options vs CSP frame-ancestors
How to prevent clickjacking attacks with X-Frame-Options and CSP frame-ancestors. Header config examples for Nginx, Apache, and Cloudflare.
Content Security Policy (CSP): Beginner Guide for 2026
Content Security Policy header explained for beginners. Stop XSS attacks with strict-dynamic, nonces, and the directives that actually matter.
Global Privacy Control (GPC): How to Detect It Server-Side
What the GPC signal is, how to read Sec-GPC on the server, and how it works with CHIPS and Privacy Sandbox in the post-cookie web.
Performance Budget Guide: How to Keep Web Apps Fast
Set a performance budget your CI can enforce. Long tasks, web workers, lazy loading and real user metrics, with copy-ready code.
How to Fix INP Score: Interaction to Next Paint Guide
Diagnose and fix a poor INP score. What the metric measures, how scheduler.yield() helps, and how to track INP with the web-vitals library.
When to Use WebAssembly Instead of JavaScript (2026)
When WebAssembly beats JavaScript on real workloads in 2026, what the Component Model fixed, and when reaching for Wasm is the wrong call.
WebP vs JPG vs PNG vs AVIF: Which Format to Use
Compare WebP, JPG, PNG and AVIF with real file sizes and clear rules. Includes a copy-ready picture element for fast image delivery.
Zero Trust Frontend: BFF Pattern and DPoP for OAuth
Stop storing OAuth access tokens in the browser. The Backend for Frontend (BFF) pattern and DPoP explained, with code examples.
Real User Monitoring for Core Web Vitals (2026 Guide)
Wire up RUM to track LCP, INP and CLS from real users. Plain explanations, thresholds and a working setup you can copy today.
HSTS Header Explained: Stop SSL Stripping in 2026
How the HSTS header works, how to deploy it safely on Nginx, Apache, or Cloudflare, and how to join the browser preload list.
How to Write Alt Text for SEO and Accessibility (Examples)
Write alt text Google ranks and screen readers respect. Good vs bad examples, width, height and srcset rules that boost image SEO without keyword stuffing.
Hreflang and Canonical Tags Explained (with Examples)
How hreflang and canonical tags work together for international SEO. Code examples, reciprocity rules, and the small mistakes that break rankings.
Does HTTPS Affect SEO Rankings? The Honest 2026 Answer
HTTPS is required, security headers help indirectly, mixed content kills you. The 5 security signals that move Google rankings in 2026, plus how to test each.
Semantic HTML for SEO: The 5 Tags Google Actually Reads
The 5 semantic HTML tags Google uses to understand your page: h1, main, article, nav, section. Plus a 10-minute audit checklist to find what your site is missing.
GDPR Article 32: Technical Measures Beyond a Signed DPA
GDPR Article 32 demands technical security, not just contracts. Practical measures: CSP, SRI, and supply chain controls auditors check.