Tuanhadev Blog

My experience of using AI Agents

Tuan Tran Van — Thu, 19 Mar 2026 11:39:48 GMT

AI Questions

What are the real differences between Vibe Coding and Agentic Engineering?

This is the part most explainers get wrong. They describe agentic engineering as “using better AI tools” or “more automation.” That’s not it.

Vibe coding means going with the vibes and not reviewing the code. That’s the defining characteristic. You prompt, you accept, you run it, you see if it works. If it doesn’t, you paste the error back in and try again.

The problem isn’t the AI. The problem is the human not reviewing what the AI built.

Agentic engineering means AI does the implementation, human owns the architecture, quality, and correctness. You might write only a fraction of the code by hand. The rest comes from agents working under your direction. That’s agentic. And you’re applying engineering discipline throughout.

Same tools. Completely different discipline.

The one-line distinction:

Vibe coding = YOLO. Agentic engineering = AI builds, human owns.

What is Harness Engineering?

To understand where harness engineering fits, here’s how it relates to the other disciplines you’ve probably heard about:

Prompt Engineering → Single interaction to craft the best input to the model (single request-response interaction).
Context Engineering → Control what the model sees during a whole session (multiple interactions until clearing).
Harness Engineering → Designs the environment, tools, guardrails, and feedback loops (multiple sessions).
Agent Engineering → Design the agent’s internal reasoning loop (define specialized agents).
Platform Engineering → Infrastructure to manage deployment, scaling, and cloud operations (where agents can run).

Prompt engineering is about what you say to the model.

Context engineering is about what the model sees.

Harness engineering is about the entire world the model operates in. It includes the tools the agent can call, the constraints it cannot violate, the documentation structure it reads, and the automated feedback loops that catch its mistakes before they reach production

What is the llm.txt for?

llm.txt is a site-level instruction file for AI/LLM agents, like robots.txt but for models. It tells models what the site is about and which sources to prioritize. Example: a site could point models to its official docs and API reference; the spec and examples are described at https://llmstxt.org/ (which you can follow to publish your own).

What even is the difference? They all seem like "AI configuration stuff."

Yep, fair. Think of it this way:

Instructions = Passive rules are always applied in the background
Agents = Custom AI personas you manually switch into
Skills = Step-by-step playbooks you explicitly invoke for a specific task

So instructions just... always run?

Yes — automatically. The applyTo frontmatter pattern controls when they're injected. For example, context-engineering.instructions.md has applyTo: '**' so it's always active. The nextjs.instructions.md has applyTo: '**/*.tsx, **/*.ts, ...' so it only kicks in when you're editing TypeScript/JSX files.

You don't call them. Copilot just silently reads them and adjusts its suggestions accordingly. They're like a standing memo on your desk — always there.

When would I actually switch to a custom agent mode?

When you want a fundamentally different persona and toolset for a session. Look at debug.agent.md — it locks in a specific tool list (terminal, tests, problems panel) and a structured debugging workflow. Or expert-nextjs-developer.agent.md — it declares expertise, forces certain behaviors, and even pins a model (GPT-4.1).

Basically: use an agent when "default Copilot" isn't the right mindset for the job. Debugging, writing a PRD, doing a technical spike — those all benefit from a mode switch.

What about skills — do those auto-load like instructions?

Nope. Skills are NOT automatically loaded. They're on-demand playbooks. You invoke them explicitly by referencing them in a prompt, or by having an agent that knows to use them.

For example, conventional-commit won't do anything unless you tell Copilot "use the conventional-commit skill" or you build it into an agent's workflow. Think of skills as reusable procedures stored in a drawer — they only run when someone pulls them out.

What's the loading order/hierarchy when Copilot runs?

Roughly:

copilot-instructions.md — loaded first, always, the main entry point
.github/instructions/*.instructions.md — auto-applied based on applyTo matching your open file
.github/agents/*.agent.md — only loaded when you explicitly switch to that agent mode in the Copilot chat panel
.github/skills/*/SKILL.md — only loaded when explicitly invoked

When do I use each?

Instructions: Set-and-forget rules (tech constraints, code style, a11y rules, security guidelines)
Custom Agent: When you need a different "mode" — debugging, planning, writing specs
Skill: When you have a repeatable multi-step workflow you want to reuse without re-explaining every time

What is AGENTS.md, and who is it for?

AGENTS.md is a universal guide following the agents.md open spec. It targets any AI coding agent (Claude, Gemini, OpenAI Codex, etc.) and covers setup commands, project structure, testing patterns, and workflow — anything tool-agnostic.

What is copilot-instructions.md, and who is it for?

It's a GitHub Copilot-specific file loaded automatically by VS Code. It focuses on IDE-level code generation rules: version constraints, ❌ NEVER / ✅ ALWAYS generation constraints, and pointers to granular context files in the copilot with applyTo glob patterns.

What content belongs in each file?

Content	AGENTS.md	copilot-instructions.md
Setup / install commands	✅	❌ (link to AGENTS.md)
Project structure	✅	❌ (link to AGENTS.md)
Testing instructions	✅	❌ (link to AGENTS.md)
Code generation constraints	❌	✅
`applyTo` instruction files	❌	✅
Version compatibility rules	❌	✅

Should they duplicate content?

No. copilot-instructions.md should delegate to AGENTS.md for shared content to avoid drift. Your current setup already does this correctly

What is the single most important design principle?

AGENTS.md is the single source of truth for project facts. copilot-instructions.md is a Copilot-specific lens on top of it — not a copy.

Why shouldn't we let AI write the AGENTS.md?

This is the big one. Research has shown (Gloaguen et al., ETH Zurich) that LLM-generated AGENTS.md files offer no benefit and can marginally reduce success rates (~3% on average) while increasing inference costs by over 20%. Developer-written context files, by contrast, provide a modest ~4% improvement. Never let an agent write to AGENTS.md directly. The lead must approve every line. Keep it shorter with clear sections:

https://addyosmani.com/blog/agents-md/

Why does AI-generated AGENTS.md increase the cost of AI?

Here’s the core problem with auto-generated context files. What does /init produce? Codebase overviews. Directory structure. Tech stack description. Module explanations. The ETH Zurich paper found that 100% of Sonnet 4.5’s auto-generated context files contained codebase overviews. 99% of GPT-5.2’s did the same.

These are precisely the things an agent can discover on its own by listing directories and reading your existing READMEs - which it does anyway, regardless of whether AGENTS.md exists. So you’ve added a file that the agent reads, then goes and confirms by reading your actual code, and now has to reconcile two sources of truth. More reasoning tokens. More steps. Same outcome, except slower and more expensive.

What information should we put in the AGENTS.md?

The practical filter is simple: can the agent discover this on its own by reading your code? If yes, delete it. Every line should represent information that isn’t already in the repo.

That means your AGENTS.md should look more like:

Use uv for package management
Always run tests with –no-cache or you’ll get false positives from the fixture setup
The auth module uses a custom middleware pattern; do not refactor to standard Express middleware
The legacy/ directory is deprecated but imported by three production modules - don’t delete anything in it

And almost nothing else.

What is the right mindset of AGENTS.md?

Stop running /init. The auto-generated output is redundant with your existing documentation and adds overhead without benefit, unless your repo has genuinely zero documentation - in which case it’s marginally better than nothing.
Before adding any line to AGENTS.md, ask: can the agent find this by reading the code? If yes, don’t write it.
When an agent struggles with something repeatedly, treat it as a codebase problem before treating it as a context problem. Restructure the code. Add a linter rule. Improve the test coverage. Reach for AGENTS.md only after you’ve exhausted those options.
If you’re running agents at scale in CI/CD or automated review pipelines, the 15-20% cost overhead from context files compounds across thousands of runs. Calculate it before assuming the tradeoff is worth it.
Consider building a maintenance agent whose job is keeping the context file accurate rather than letting it rot.
And hold your intuitions about what the agent needs loosely. What seems obviously useful to you might be noise to the model. The empirical evidence suggests the gap between what we think agents need and what actually helps them is substantial - and probably not in the direction we’d expect.
The instinct to onboard your coding agent like a new hire - give it the office tour, explain the org chart, walk it through the architecture - comes from a reasonable place. But coding agents aren’t new hires. They can grep the entire codebase before you finish typing your prompt. What they need isn’t a map. They need to know where the landmines are.
One technique worth trying: start your AGENTS.md nearly empty, and add a single instruction: “If you encounter something surprising or confusing in this project, flag it as a comment.” Most of the agent’s proposed additions aren’t things you want to keep permanently - they’re indicators of where the codebase is unclear. Fix those. Keep the file minimal.

Why do AI Agents fail on large files?

Large Language Models are probabilistic engines. They predict the next token based on patterns in their context window. When the context window is filled with thousands of lines of structured data, the model’s attention gets diluted. It correctly identifies the node you want to modify, but it loses track of sibling keys, nested brackets, and structural integrity. The result is a file that looks right at the point of change but is broken somewhere else.

What are the common issues that lead to AI failures?

The AI breaks in five specific ways:

Hallucination from missing context: The agent doesn’t have the information it needs, so it fills the gap with confident fiction. You asked for a login page and it invented an auth library that doesn’t exist.
State loss in long workflows: At 10K tokens, the agent is sharp. At 150K, it forgets you wanted dark mode and rebuilds the entire UI in blinding white. Three times.
Tool misuse: Wrong tool, bad parameters, or just ignoring the output entirely. The agent has access to 15 tools and picks the worst one for the job.
Unproductive loops: Same failed approach, over and over. Burning tokens with zero progress. The agent version of pulling a door that says “push.”
Silent failure at scale: Here’s the math nobody mentions: if your agent is 95% accurate per decision and makes 20 decisions per task, it fails more often than it succeeds. Small inaccuracies compound. At production scale, 95% isn’t good enough.

Why do our AI agents get worse over time due to the increase in context window?

LLM output quality degrades as context fills. This isn’t a bug. It’s a property of how transformer attention works. Sharp at 10K tokens. Noticeably worse at 150K on the same tasks.

Think of context management like packing for a backpacking trip. You could bring your entire wardrobe. You’d move slowly and nothing would be easy to find. Pack light instead. Know where to resupply.

In context (what you carry): system prompt, instruction files, skill headers, the current task.

On disk (available when needed): full file contents, web search results, codebase, git history. The agent loads these on demand through tools.

In practice, you’ll find that system prompts, MCP tool definitions, and memory files can eat 8-9K tokens before you’ve typed a word. That’s context space not available for reasoning. Audit regularly. Trim what you can.

Compaction happens when the context hits its limit. The platform summarizes your conversation to free space. It works, but details get lost. Early decisions compress. Tool outputs disappear. Don’t let it surprise you — manage context proactively so the agent doesn’t lose important state at the worst moment.

How many levels of applying AI Agents in coding work?

Steve Yegge recently described eight stages of how developers grow with AI tools. It's a helpful way to see where you are and where you're going.

Most developers are at Level 3-4. Level 6 begins the orchestration stage, needing different skills than Level 5.

What is the shift from conductor to orchestrator?

In the conductor setup, you work with one AI agent in real-time, kind of like pair programming. It's all about guiding that single agent, and everything happens one step at a time within a fixed context. Tools like Claude Code CLI and Cursor's in-editor mode fit this style.

Switching to the orchestrator model is like managing a whole team. You've got multiple agents, each doing their thing with their own context, and they're working independently. You plan everything out, assign tasks, and check in now and then. Tools like Agent Teams, Conductor, Codex, and Copilot Coding Agent are perfect for this approach.

What are the single-agent limits?

Every developer eventually runs into three main issues with a single agent: context overload, lack of specialization, and zero coordination. Subagents tackle the first two, while Agent Teams handle all three.

Why can't one agent handle everything? There are three main reasons.

First, context overload. A single agent can only process so much info. Large codebases can overwhelm it, causing you to lose important details as the conversation drags on.

Second, lack of specialization. When one agent tries to do it all—data layer, API, UI, tests—it becomes a jack of all trades, master of none. An agent focused solely on the data layer, for instance, will write much better database code than a generalist trying to juggle everything.

Lastly, no coordination. Even if you bring in helpers, they can't communicate, share tasks, or manage dependencies. Adding more agents without coordination just makes things messier.

Why do we need multi-agents?

Parallelism, specialization, isolation, and compound learning don't just add up—they multiply. Three focused agents consistently do better than one generalist working three times as long.

Four reasons to use multiple agents:

Parallelism (3x speed) - Three agents work on frontend, backend, and tests at the same time.

Specialization (focused work) - Each agent handles only its own files. An agent focused on db.js writes better database code than one managing everything.

Isolation (safe work) - Git worktrees give each agent its own space. No merge conflicts while they work.

Compound learning - An AGENTS.md file collects patterns and tips, improving each session.

What is the Subagents pattern?

Subagents are the simplest multi-agent pattern and the one you should try first.

Subagents use the Task tool to spawn specialized child agents from a parent orchestrator. The parent decomposes a task into pieces, spawns subagents for each piece, and manages the dependency graph manually.

What subagents solve: context isolation per agent, specialization, parallel execution for independent tasks, and it's cost-neutral at roughly 220k tokens total.

What is still missing: the parent must manually manage the dependency graph. There's no peer messaging between agents. There's no shared task list. And if you're sloppy about file scoping, two agents could write to the same file.

Bottom line: subagents give you parallel execution with manual coordination. That is great for simple decomposition. But when coordination becomes the bottleneck, you need Agent Teams.

The pro tip of working with hierarchical subagents?

Don't just delegate once. Create feature leads that have their own specialists. This allows for deeper task breakdown without overwhelming anyone.

Instead of the orchestrator creating six subagents, it should create two feature leads. Each lead then creates two or three specialists.

The main orchestrator only communicates with two agents, keeping things simple. Feature Lead A, for example, gets the task "Build the search feature" and breaks it down into Data, Logic, and API subagents. The main orchestrator doesn't need to know these details.

This approach is similar to real engineering teams, where tasks are assigned through layers of tech leads, not directly from the VP of Engineering to individual engineers.

What is the Agent Team pattern?

Agent Teams add the coordination primitives that subagents lack: a shared task list with dependency tracking, peer-to-peer messaging between teammates, and file locking to prevent conflicts.

Agent Teams are Claude Code's experimental feature for true parallel execution. Enable it with:

export CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1

The architecture has three layers:

Team Lead at the top - decomposes work, creates the task list, synthesizes results
Shared Task List in the middle - tasks with statuses (pending, in_progress, completed, blocked), dependency tracking, and file locking
Teammates at the bottom - each an independent Claude Code instance with its own context window, running in tmux split panes

Teammates self-claim tasks from the shared list. They message each other directly - peer-to-peer, not through the lead. When a teammate finishes and marks a task complete, any blocked tasks that depended on it automatically unblock. Press Ctrl+T at any time to toggle a visual overlay of the task list.

How does the Agent Teams work?

Two mechanisms make Agent Teams work: a shared task list with automatic dependency resolution, and peer-to-peer messaging that prevents the lead from becoming a bottleneck.

The shared task list gives each task a status: pending, in_progress, completed, or blocked. Blocked tasks have explicit dependencies. When the backend teammate marks the search API as completed, the blocked test-writing task automatically flips to pending and a teammate picks it up. File locking prevents two teammates from editing the same file simultaneously.

Peer messaging is the other critical piece. The backend agent tells the frontend agent the API contract directly: "GET /search?q= returns [{id,title,url}]." This doesn't go through the lead. When a teammate goes idle, the lead is automatically notified. This peer-to-peer approach prevents the lead from becoming a coordination bottleneck.

How can you manage with 5, 10, or 20+ agents across multiple repos and features?

When you need to manage 5, 10, or 20+ agents across multiple repos and features, you need purpose-built orchestration tools. Every tool in 2026 fits one of three tiers - pick the right tier for the job.

The 2026 tool landscape breaks into three tiers:

Tier 1: In-process subagents and teams

Claude Code subagents and Agent Teams. Single terminal session, no extra tooling needed. Start here.

Tier 2: Local orchestrators

Your machine spawns multiple agents in isolated worktrees. You stay in the loop with dashboards, diff review, and merge control. Best for 3-10 agents on known codebases. Tools include Conductor, Vibe Kanban, Gastown, OpenClaw + Antfarm, Claude Squad, Antigravity, and Cursor Background Agents.

Tier 3: Cloud async agents

Assign a task, close your laptop, return to a pull request. Agents run in cloud VMs. No terminal, no local setup. Tools include Claude Code Web, GitHub Copilot Coding Agent, Jules by Google, and Codex Web by OpenAI.

Most developers in 2026 will use all three tiers - Tier 1 for interactive work, Tier 2 for parallel sprints, Tier 3 to drain the backlog overnight.

How do we keep shipping the high-quality code when working with multiple agents?

Three quality gates make agent output trustworthy: plan approval catches bad architecture before code exists, hooks enforce automated checks on every lifecycle event, and AGENTS.md compounds learning across sessions.

Plan approval. Require teammates to write a plan before they start coding. The lead reviews the approach and approves or rejects. It's far cheaper to fix a bad plan than to fix bad code. The flow looks like:

teammate >>> writes plan >>> lead review >>> approve/reject >>> implement

Hooks. Automated checks on lifecycle events. A TeammateIdle hook verifies all tests pass before allowing an agent to stop working. A TaskCompleted hook runs lint and tests before marking a task as done. If the hook fails, the agent keeps working until it passes:

task done >>> hook runs npm test >>> pass? allow  |  fail? keep working

AGENTS.md for compound learning. This file captures discovered patterns, gotchas, and style preferences. Every agent reads it at the start of a session, and every session adds to it. Session one learns about a testing pattern, AGENTS.md is updated, session two avoids the same mistake.

What is the Ralph Loop?

The Ralph Loop pattern breaks development into small atomic tasks and runs an agent in a stateless-but-iterative loop. Each iteration: pick task, implement, validate, commit if pass, reset context and repeat. This avoids context overflow while maintaining continuity through external memory.

The five-step cycle:

Pick - select the next task from tasks.json
Implement - make the change
Validate - run tests, types, lint
Commit - if checks pass, commit and update task status
Reset - clear the agent context and start fresh with the next task

The key insight is stateless-but-iterative. By resetting each iteration, the agent avoids accumulating confusion. Small bounded tasks produce cleaner code with fewer hallucinations than one enormous prompt.

AI Tips

Establish AI guidelines for the project

=> Review the guidelines on instructions, agents, and skills from the Awesome Copilot GitHub repository, identify the useful ones, and download them to our source code. To simplify the download process, install the awesome Copilot extension from the VS Code marketplace. After downloading the guidelines, carefully review them to ensure they fit our codebase.

There are some useful GitHub repos that we can refer to for useful AI Agent guidelines: https://github.com/anthropics/skills/tree/main, https://github.com/obra/superpowers, https://github.com/addyosmani/agent-skills, https://github.com/codejunkie99/agentic-stack

Below are some AI guidelines from the GitHub Copilot repository that I use the most:

Copilot Instructions

code-review-generic.instructions.md: Instructions for creating effective and portable Agent Skills that enhance GitHub Copilot with specialized capabilities, workflows, and bundled resources.
context-engineering.instructions.md: Principles for helping GitHub Copilot understand your codebase and provide better suggestions.
context7.instructions.md: Use Context7 proactively whenever the task depends on authoritative, current, version-specific external documentation that is not present in the workspace context.
markdown-accessibility.instructions.md: Markdown accessibility guidelines based on GitHub's 5 best practices for inclusive documentation
markdown.instructions.md: Markdown formatting aligned to the CommonMark specification (0.31.2).
memory-bank.instructions.md: Coding standards, domain knowledge, and preferences that AI should follow.
nextjs-tailwind.instructions.md: Instructions for high-quality Next.js applications with Tailwind CSS styling and TypeScript.
nextjs.instructions.md: Best practices for building Next.js (App Router) apps with modern caching, tooling, and server/client boundaries (aligned with Next.js 16.1.1).
performance-optimization.instructions.md: The most comprehensive, practical, and engineer-authored performance optimization instructions for all languages, frameworks, and stacks.
security-and-owasp.instructions.md: Comprehensive secure coding instructions for all languages and frameworks, based on OWASP Top 10 and industry best practices.

Custom Agents

4.1-Beast.agent.md: It is a custom “agent profile” that tells Copilot how to behave: keep working until the task is fully solved, use lots of research (including web fetches), plan with to-do lists, test rigorously, and follow specific workflow rules. In short, it is a strict, autonomous mode configuration for long, research-heavy tasks.
Thinking-Beast-Mode.agent.md: A transcendent coding agent with quantum cognitive architecture, adversarial intelligence, and unrestricted creative freedom.
aem-frontend-specialist.agent.md: IExpert assistant for developing AEM components using HTL, Tailwind CSS, and Figma-to-code workflows with design system integration
blueprint-mode.agent.md: Executes structured workflows (Debug, Express, Main, Loop) with strict correctness and maintainability. Enforces an improved tool usage policy, never assumes facts, prioritizes reproducible solutions, self-correction, and edge-case handling.
critical-thinking.agent.md: Challenge assumptions and encourage critical thinking to ensure the best possible solution and outcomes.
debug.agent.md: Debug your application to find and fix a bug.
demonstrate-understanding.agent.md: Validate user understanding of code, design patterns, and implementation details through guided questioning.
devils-advocate.agent.md: I play the devil's advocate to challenge and stress-test your ideas by finding flaws, risks, and edge cases
expert-nextjs-developer.agent.md: Expert Next.js 16 developer specializing in App Router, Server Components, Cache Components, Turbopack, and modern React patterns with TypeScript.
expert-react-frontend-engineer.agent.md: Expert React 19.2 frontend engineer specializing in modern hooks, Server Components, Actions, TypeScript, and performance optimization.
principal-software-engineer.agent.md: Provide principal-level software engineering guidance with focus on engineering excellence, technical leadership, and pragmatic implementation.
refine-issue.agent.md: Refine the requirement or issue with Acceptance Criteria, Technical Considerations, Edge Cases, and NFRs

Agent Skills

PatternsDev/skills: Patterns.dev JavaScript Skills: 58 Agent Skills bringing JS, React, and Vue design patterns into your agentic coding workflow!
agentic-eval: Patterns and techniques for evaluating and improving AI agent outputs.
architecture-blueprint-generator: Comprehensive project architecture blueprint generator that analyzes codebases to create detailed architectural documentation
autoresearch: Autonomous iterative experimentation loop for any programming task.
breakdown-epic-arch: Prompt for creating the high-level technical architecture for an Epic, based on a Product Requirements Document.
chrome-devtools: Expert-level browser automation, debugging, and performance analysis using Chrome DevTools MCP. Use for interacting with web pages, capturing screenshots, analyzing network traffic, and profiling performance.
context-map: Generate a map for all relevant files to a task before making changes
conventional-commit: Prompt and workflow for generating conventional commit messages using a structured XML format
copilot-intructions-blueprint-generator: Technology-agnostic blueprint generator for creating comprehensive copilot-intructions.md files that guide GitHub Copilot to produce code consistent with project standards, architecture patterns, and exact technology versions by analyzing existing codebase patterns and avoiding assumptions.
create-agentsmd: Prompt for generating an AGENTS.md file for a repository
create-implementation-plan: Create a new implementation plan file for new features, refactoring existing code or upgrading packages, design, architecture or infrastructure.
create-specification: Create a new specification file for the solution, optimized for Generative AI consumption.
create-technical-spike: Create time-boxed technical spike documents for researching and resolving critical development decisions before implementation
documentation-writer: Diátaxis Documentation Expert. An expert technical writer specializing in creating high-quality software documentation, guided by the principles and structure of the Diátaxis technical documentation authoring framework
doublecheck: Three-layer verification pipeline for AI output. Extracts verifiable claims, finds supporting or contradicting sources via web search, runs adversarial review for hallucination patterns, and produces a structured verification report with source links for human review
skill-creator: Create new skills, modify, and improve existing skills, and measure skill performance. Use when the user wants to create a skill from scratch, edit, or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy.
model-recommendation: Analyze chatmode or prompt files and recommend optimal AI models based on task complexity, required capabilities, and cost-efficiency
prd: Generate high-quality Product Requirements Documents (PRDs) for software systems and AI-powered features. Includes executive summaries, user stories, technical specifications, and risk analysis.
project-workflow-analysis-blueprint-generator: Comprehensive technology-agnostic prompt generator for documenting end-to-end application workflows.
refactor: Surgical code refactoring to improve maintainability without changing behavior.
remember: Transforms lessons learned into domain-organized memory instructions (global or workspace)
dispatching-parallel-agents: Use when facing 2+ independent tasks that can be worked on without shared state or sequential dependencies
executing-plans: Use when you have a written implementation plan to execute in a separate session with review checkpoints
systematic-debugging: Use when encountering any bug, test failure, or unexpected behavior, before proposing fixes
using-agent-skills: Discovers and invokes agent skills. Use when starting a session or when you need to discover which skill applies to the current task. This is the meta-skill that governs how all other skills are discovered and invoked
code-review-and-quality: Conducts multi-axis code review. Use before merging any change. Use when reviewing code written by yourself, another agent, or a human. Use when you need to assess code quality across multiple dimensions before it enters the main branch.
context-engineering: Optimizes agent context setup. Use when starting a new session, when agent output quality degrades, when switching between tasks, or when you need to configure rules files and context for a project.

MCP

Chrome DevTools MCP: chrome-devtools-mcp lets your coding agents (such as Gemini, Claude, Cursor, Copilot) control and inspect a live Chrome browser. It acts as a Model Context Protocol (MCP) server, giving your AI coding assistance access to the full power of Chrome DevTools for reliable automation, in-depth debugging, and performance analysis.
Context7 MCP: Without Context7, LLMs rely on the generic and outdated information about the libraries we use. To resolve that, Context7 pulls up-to-date, version-specific documentations and code examples straight from the source and places them directly into your prompt.
Playwright MCP: This MCP provides browser automation capabilities using Playwright. This server enables LLMs to interact with webpages through structured accessibility snapshots, bypassing the need for screenshots and visually turned models.
Atlassian MCP Server: The Atlassian Rovo MCP server is a cloud-based bridge between your Atlassian cloud site and compatible tools. Once configured, it enables those tools to interact with Jira, Confluence, and Compass data in real time. This functionality is powered by secure authentication using OAuth 2.1 or API tokens, which ensures all actions respect the user's existing access controls.
Figma MCP Server: The Figma MCP Server brings Figma directly into your workflow by providing important design information and context to AI Agents. generating code from Figma design files.
shadcn/ui MCP: The Shadcn Server allows the AI Assistant to interact with items from registries. We can browse available components, search for specific ones, and install them directly into our project with natural language.
Github MCP Server: The Github MCP Server connects AI tools directly into Github's platform. This gives AI agents, assistants, and chatbots the ability to read repositories and code files, manage issues and PRs, analyze code, and automate workflows all through natural language interactions.
Permit's MCP-gateway: Permit MCP Gateway is a drop-in zero-trust proxy that adds authentication, fine-grained authorization, consent, and audit logging to any MCP server. Swap one URL. No code changes. Works with Salesforce, GitHub, Slack, Jira, and any MCP server you already use.

Hooks

secret-scanner: Scans files modified during a Copilot coding agent session for leaked secrets, credentials, and sensitive data
session-auto-commit: Automatically commits and pushes changes when a Copilot coding agent session ends
session-logger: Logs all Copilot coding agent session activity for audit and analysis
tool-guardian: Blocks dangerous tool operations (destructive file ops, force pushes, DB drops) before the Copilot coding agent executes them

=> Let's set up a rule for the AI so that whenever project guideline files are updated or there's a big change in our source code, like updating package versions, the AI automatically checks other documents to ensure everything stays consistent.

=> When searching for specific agents, instructions, or skills, simply run the suggest-awesome-copilot-agents, instructions, or skills tools. This will help you find exactly what you need from the awesome Copilot repository.

Agentic Harness Patterns

https://generativeprogrammer.com/p/12-agentic-harness-patterns-from

Persistent Instruction File Pattern

Without a persistent instruction file, every agent session starts blank. The user repeats the same conventions, commands, and boundaries each time. The agent makes the same mistakes in session five that it made in session one.

This pattern introduces a durable project-level configuration file loaded automatically at the start of every session. It defines build commands, test commands, architecture rules, naming conventions, and coding standards. It ships with the repo, not with the user’s clipboard.

Use this when your agent works on a codebase across multiple sessions. The main trade-off is the maintenance burden: the file must stay current as the project evolves, and a stale instruction file can be worse than none if it teaches the agent outdated rules.
Scoped Context Assembly Pattern
A single instruction file works for small projects. As a codebase grows, one file either becomes a giant blob that gets ignored, or stays too generic to be useful for any specific directory.

This pattern loads instructions dynamically from multiple files at different scopes: organization, user, project root, parent directories, and child directories. The agent sees different rules depending on where in the codebase it is working. Import syntax allows splitting large instruction sets across files without duplication.

Use this in monorepos, multi-language projects, or any codebase where different directories follow different conventions. The main trade-off is discoverability: when instructions live in many files, it becomes harder to understand what the agent actually sees. Conflicting rules across scopes can produce surprising behavior.
Tiered Memory Pattern

An agent that remembers everything the same way ends up remembering nothing well. Loading all memory into the context window every session wastes tokens, hits size limits, and buries useful information under noise.

This pattern organizes agent memory into distinct layers with different loading strategies. A compact index (capped at 200 lines in Claude Code) stays in context at all times. Topic-specific files load on demand when the current task matches them. Full session transcripts stay on disk and are only searched when needed. One of the most detailed breakdowns of the leaked code confirmed this three-layer design.

Use this when your agent runs across multiple sessions and needs to retain preferences, decisions, or workflow state. The main trade-off is the added complexity in deciding what goes where, when to promote or demote information between layers, and how to keep the index in sync with the underlying files.
Dream Consolidation Pattern

Even with tiered memory, agent memory degrades over time. Duplicate entries accumulate, outdated facts contradict new ones, and the index grows until it is no longer compact.

This pattern runs a background process that periodically reviews, deduplicates, prunes, and reorganizes agent memory during idle time. Think of it as garbage collection for agent state. The leaked code revealed an “autoDream” mode that merges duplicates, prunes contradictions, and keeps the index tight. A separate analysis found 8 phases of memory management and 5 types of context compaction.

Use this when your agent accumulates memory across many sessions and you cannot rely on users to curate it manually. The main trade-off is that the consolidation process itself uses tokens and can make mistakes. An overly aggressive prune might delete something the user still needs.
Progressive Context Compaction Pattern

Long agent sessions eventually hit the context window limit. The agent either loses its earliest context entirely or stops working. Neither is acceptable for tasks that require sustained reasoning across many turns.

This pattern applies multiple stages of compression tuned for different ages of the conversation. Recent turns stay at full detail. Older turns get lightly summarized. Very old turns get aggressively collapsed. The leaked code used four layers: HISTORY_SNIP, Microcompact, CONTEXT_COLLAPSE, and Autocompact, each progressively more aggressive.

Use this when sessions regularly exceed 20-30 turns. The main trade-off is lossy compression: every summarization step discards detail, and if the agent later needs something from a collapsed segment, it may hallucinate rather than admit it forgot.
Explore-Plan-Act Loop Pattern
When an agent jumps straight to editing files, it makes changes based on incomplete understanding. The result is edits to the wrong files, missed dependencies, and approaches that ignore existing patterns.

This pattern separates the workflow into three phases with increasing write permissions. In the explore phase, the agent can only read, search, and map the codebase. In the plan phase, it discusses the approach with the user. Only in the act phase does it get full tool access. The leaked code showed distinct plan and act phases with system prompts that steer the agent away from editing before it understands the codebase.

Use this for any task that touches an unfamiliar codebase or involves non-trivial changes across multiple files. The main trade-off is speed: enforcing exploration and planning adds turns before the agent produces output, which feels slow for simple tasks.
Context-Isolated Subagents Pattern

In a long agentic session, the context window accumulates everything: research findings, planning discussions, code edits, test output, error logs. By the time the agent is deep into editing, its context is polluted with irrelevant material from earlier phases.

This pattern runs separate agents with their own context windows, system prompts, and restricted tool access. Research agents cannot edit code. Planning agents cannot execute commands. Each subagent sees only what it needs for its specific task.

Use this when sessions are long, multi-phase, or involve tasks with very different context needs. The main trade-off is coordination overhead: the main agent must decide what to pass to each subagent, and important nuance from an earlier phase can get lost in the handoff.
Fork-Join Parallelism Pattern

Large tasks that could be split into independent units still run sequentially if the agent can only work on one thing at a time. A migration across 20 files takes 20 sequential steps even though most of those files have no dependencies on each other.

This pattern spawns multiple subagents in parallel, each working in an isolated git worktree on an independent copy of the repo. The parent’s cached context is reused by each fork, making parallel branching essentially free in token cost. Results merge when all branches complete.

Use this when a task decomposes into independent units that do not depend on each other’s output. The main trade-off is merge complexity: when parallel branches touch overlapping files, the merge can produce conflicts harder to resolve than sequential work would have been.
Progressive Tools Expansion Pattern

Giving an agent access to every available tool at once creates a selection problem. With 60 tools visible, the model spends more time deciding which to use and is more likely to pick the wrong one.

This pattern starts with a small default set (fewer than 20 tools in Claude Code) and activates additional tools on demand. Justin Schroeder noted the deliberately small default set. The agent starts with Read, Edit, Write, Bash, Grep, Glob, and a handful of others. MCP tools, remote tools, and custom skills activate only when needed.

Use this when your agent has access to many tools but most tasks only need a few. The main trade-off is that the expansion logic adds complexity: the harness must decide when to activate tools, and activating too late means the agent wastes turns without the right capability.
**Command Risk Classification Pattern
**
Letting an agent run arbitrary shell commands without inspection is dangerous. But asking the user to approve every command creates fatigue, and users end up clicking “yes” to everything.

This pattern applies deterministic pre-parsing and per-tool permission gating before execution. Each tool has individual allow, ask, and deny rules with pattern matching. Shell commands pass through a classification layer that parses the verb, flags, and target to assess risk. The auto-mode classifier found in the code auto-approves low-risk actions while keeping a safety classifier for anything dangerous.

Use this when your agent can execute shell commands or interact with external systems. The main trade-off is rigidity: a deterministic classifier cannot anticipate every safe or dangerous command, so the rules need ongoing tuning.
**Single-Purpose Tool Design Pattern
**
When an agent routes every file operation through a general shell (cat, sed, grep, find), the commands are harder to review, harder to permission, and harder for the model to use correctly. A sed command that edits a file looks identical in structure to one that corrupts it.

This pattern replaces the general shell with purpose-built tools for each common operation: FileReadTool, FileEditTool, GrepTool, GlobTool. Each tool has typed inputs, a constrained scope, and its own permission rules. Raschka calls this out explicitly: the harness provides “predefined tools with validated inputs and clear boundaries” rather than allowing improvised commands.

Use this when your agent performs common file and search operations frequently. The main trade-off is flexibility: purpose-built tools cannot cover every edge case, so you still need a general shell as a fallback.
Deterministic Lifecycle Hooks Pattern

Some actions must happen every time without exception: run the formatter after every edit, validate commands before execution, reload configuration when the working directory changes. Relying on the model to remember these through prompt instructions is unreliable. The model will forget, skip, or reinterpret the instruction depending on context pressure.

This pattern runs shell commands or other actions automatically at specific points in the agent lifecycle, outside the prompt entirely. The leaked code includes 25+ hook points such as PreToolUse, PostToolUse, SessionStart, and CwdChanged. Anything that must happen every time belongs in a hook, not in an instruction.

Use this when you have invariant behaviors that should never be skipped. The main trade-off is debugging difficulty: when something goes wrong in a hook, it can be harder to diagnose than a prompt-level instruction because hooks run outside the conversation.

Experience of Working with AI

Spec-driven development

Plan your work before you write code. But rather than writing plans for humans, we're writing plans and tasks for agents.

What is spec-driven development?

Instead of prompting first and figuring it out as you go, you start with a spec. It's a short document that defines what you're building, the constraints, and the key decisions—a contract for how your code should behave. The spec becomes the source of truth the agent uses to generate code. Less guesswork. Fewer surprises.

I see people conflating PRDs, design docs, and specs all the time. They serve completely different purposes, and mixing them up — especially when working with AI agents — causes a lot of confusion down the line.

Here's how I separate them:

Product Requirements Document (PRD) — For humans. Product managers, stakeholders. Covers what we're building and why — user stories, success metrics, business value. This is your debate document.

Technical Design Document — For engineers. Covers how we're building it — architecture decisions, scalability trade-offs, security implications. Also reviewed and debated with the team.

AI Spec — For agents. This is a pure execution document. No debates, no open questions. It translates the finalized decisions from the PRD and design doc into something an agent can act on directly.

Traditional software development has always followed this pattern:

The process is the same. The audience is different.

My Workflow:

Generate the PRD
I use spec-driven-instructions-workflow.md combined with skills like prd/skill.md, prd.agent.md, or breakdown-epic-pm to generate the initial PRD. For large epics, I first use breakdown-feature-prd to break them down into feature-level PRDs before any implementation starts.

Important: always use your most capable (most expensive) model for these root documents. And never trust the first generated version. My verification pipeline:

Run doublecheck skill — surfaces inconsistencies and gaps => Run agentic-eval — makes updates based on the doublecheck report => Manual review using critical-thinking — go through every single point and make sure you genuinely understand it => Use agents like principle-software-engineer, devils-advocate, demonstrate-understanding, and refine-issue to stress-test assumptions further.
Generate the Technical Architecture
With a solid prd.md, use the breakdown-epic-arch skill to produce the high-level technical architecture for the epic. This becomes your design.md.
Generate the Spec
With both prd.md and design.md ready, generate a detailed spec using the create-specification skill combined with the spec-driven-workflow instructions. This spec.md is what agents will actually work from.
Generate the Implementation Plan
From spec.md, use create-implementation-plan/SKILL.md to produce a task-by-task plan.md.

At this point you have all four core documents:

File	Purpose
`prd.md`	What & why
`design.md`	How (architecture)
`spec.md`	Execution details for agents
`plan.md`	Task-by-task implementation steps

Review all four before touching any code.

During Implementation

Even with a solid plan, I don't just hand tasks over and walk away. My rules:

Run doublecheck before every task — pull in external resources to verify the approach and understand the full impact of each change before it's made.
Understand everything the AI produces — not "looks fine." Actually understand each decision and each line. If something's unclear, ask the agent to explain it with demonstrate-understanding.
One task = one commit — every task on the plan gets its own commit. Keeps history clean and makes it easy to trace what changed and why.
One big task = a new chat session -- every big task on the plan should be implemented in the new chat session. It keeps the context window fresh; the context window won't be poisoned by the irrelevant information from those previous responses.
Mark tasks as Done — always tell the agent to update the Complete column in plan.md after finishing each task. Small habit, makes tracking much easier.
For tasks that are too big or too complex, it's better to split them into multiple tasks. If a big task can't be split, we should ask the AI to apply rules or instructions like those in (copilot-thought-logging.instructions.md) for noting AI thoughts to a dedicated memory file to avoid losing context.

=> We can build a skill named executing-plans => this skill will contain 2 modes (mode 1 : phase review mode, mode 2: task implementation mode) => mode 1 process (load phase => using agentic-eval skill to review => use double-check skill to review => update relevant docs for consistency => Report) => mode 2 process (load task => implement => verify: using verification-before-completion skill => review: using code-review skill => Mark complete on plan.md)

=> For example, skills like verification-before-completion, code-review, we can look at an example on this powerful Github repo (remember to customize those skills to be suitable with our project, tools, and AI Agent)

=> So every time we need to review each phase before implementation or implement each task in the phase => we just need to attach executing-plans skill to AI Agent

After we completed all tasks in the plan

When we are in this step, there are several things I constantly follow up:

Requesting AI to review and ensure the current AI documents, such as AGENTS.md, copilot-instructions.md, and other guidelines, are consistent with the updates made in plan.md.
We completed all tasks in plan.md, which doesn't mean we have completely finished the feature. We need to carefully verify the AI's work for any issues we find and ask AI to fix them. Remember to ask AI to note these in the spec folder, keeping those documents up to date with our code changes.
To fix any issues we find, let's develop a debugging skill (contain verification health check skill, code-review skill, commit-convention skill, ...) for verifying and resolving them. We can use the debugging skill template available at https://github.com/obra/superpowers.By doing this, we simply attach a debugging skill, include the spec folder with all the necessary context for the AI Agent, and provide an issue description. This allows the AI to quickly assist in resolving issues.

Keeping Docs in Sync

Docs live in multiple places — the specs/ folder in the repo, Jira tickets, Confluence pages — and they drift apart fast.

My rule: whenever a doc changes in one place, all related docs must be updated too. I explicitly tell the AI agent: if you modify a file in the specs/ folder, identify and update all related documents across Jira, Confluence, and any other linked sources. It's not a perfect system, but it cuts down on the drift problem significantly.

=> More upfront work than just prompting and hoping for the best — but once all four documents are locked in and the verification habit is in place, implementation gets surprisingly smooth. And more importantly, you actually understand what was built when it's done.

Spec-Driven Workflow with Linear

Use Linear MCP to give Claude Code direct access to your project management. The agent reads tickets, updates status, creates sub-issues, and follows your workflow — without you copy-pasting descriptions.

For larger features, combine specs with Linear tickets:

Write the spec
Read my spec template and generate a spec for: user authentication with JWT tokens. Save it to specs/auth.md
Create tickets from the spec
Read specs/auth.md and create a parent Linear issue titled "JWT Authentication" in the Auth project, team Engineering.

Then create one sub-issue per task from the spec, linked to the parent. Each sub-issue should reference the spec: "Spec: specs/auth.md"
Works on tickets
/implement PROJ-43 The agent reads the ticket, finds the spec reference, reads the spec, and implements with full context.
Track Progress
Your Linear board now shows:
- Parent issue with progress bar (auto-calculated from sub-issues)
- Each sub-issue moving through: Todo → In Progress → In Review → Done
- Comments with PR links on each ticket
You get visibility without doing any project management manually.

Review AI Code

https://newsletter.owainlewis.com/p/how-i-use-ai-to-review-ai-code

Here’s the four-layer setup I use. Each layer filters out a category of problems so the next layer sees less noise.

Automated checks run your linter, tests, and security scanner before the agent can finish.
Local AI review gets a second agent to review the code before you push.
CI review runs AI code review automatically on every PR. The safety net for when you skip step two (it happens)
Human review handles what’s left: architecture, business logic, and “should we even build this?”

By the time a human looks at the code, the only things remaining are the things only a human can judge.

Layer 1: Automate The Obvious

Claude Code has a feature called hooks. A hook is a shell script that runs automatically at certain points in the agent lifecycle (like when the agent finishes a task). If the script fails, the agent is blocked from completing and has to fix the issues first.

I use a Stop hook that runs my linter and scanner every time Claude finishes work.

The config goes in your Claude Code settings:

{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": ".claude/hooks/stop-checks.sh"
          }
        ]
      }
    ]
  }
}

The script itself is just whatever checks you already run:

#!/bin/bash
set -e
rubocop .
brakeman -q
bundle exec rspec --fail-fast

Swap those for whatever your project uses. Ruff and pytest for Python. ESLint for JavaScript. The point is the same: the agent can’t say “done” until these pass.

This alone catches a surprising amount. Formatting issues, unused imports, type errors, broken tests. None of that makes it into a review.

Layer 2: Agent Review

After automated checks pass, review the code yourself and get an AI second opinion before you push.

Two things matter here. First, actually run the code. This sounds obvious but it catches the most embarrassing bugs in two minutes. Second, read the diff. You don’t need to understand every line; understand the shape of the change. What files were touched? Does the scope match what you asked for? Did the agent silently change something you didn’t ask it to?

For the AI review, the key is a fresh context window. Don’t ask the same agent that wrote the code to review it. It has sunk-cost bias and is less likely to challenge its own decisions.

There are a few ways to do this:

Custom Claude Code command. A review prompt in .claude/commands/review.md, paired with a REVIEW file at the project root that encodes your project-specific rules. Portable across tools, fully customisable. Claude Code also ships with some built in plugins.
Codex /review**.** Four presets covering every scenario (base branch, uncommitted changes, specific commit, custom instructions). Priority-ranked findings. The best local review UX I’ve seen. Bonus: writing with Claude and reviewing with Codex means cross-model review built into your workflow. Different models have different blind spots.
CodeRabbit. /coderabbit:review locally. 40+ linters and scanners running behind the scenes, purpose-built for code review. There are many other great code review tools like Greptile to explore also.

I use a custom review command that reads a REVIEW file at the project root. This file has project-specific rules, things I always want checked.

# REVIEW.md

## Project Patterns
- Repository pattern for data access. Direct DB queries in handlers are a flag.
- New API routes need an integration test. Flag if missing.

The general review catches general problems. The project-specific rules catch the things that are unique to your codebase.

Layer 3: External Review

Sometimes I forget to run the local review. Sometimes I’m in a rush. So I have an automated check on GitHub that reviews every PR before a human sees it.

There are a few options for this. Codex has a GitHub integration that reviews PRs automatically. CodeRabbit has a GitHub App that does the same thing. Anthropic has an open source GitHub Action for security-focused review.

I like having this as a separate layer because it catches things even when I skip the local step. Set it up once, runs on every PR for free.

Layer 4: Human Review

By the time a teammate opens the PR, the linter has passed, tests are green, and an AI has already flagged obvious issues. The human reviewer doesn’t need to catch formatting problems or unused variables.

What’s left is the stuff only a human can judge. Is this the right approach? Does it solve the actual business problem? Will this cause issues in three months? Five minutes of focused review on those questions is more valuable than thirty minutes of line-by-line reading.

TL;DR

I spent a long time trying to find the perfect code review setup. The experience was frustrating. There are hundreds of tools, plugins, and approaches, many of them doing the same thing in slightly different ways.

Don’t get lost looking for the perfect solution or perfect prompt. Start with Layer 1. Set up your linter and your hooks; that alone eliminates an entire category of review noise. Then find one way to get an AI review locally that you trust. Add CI when you’re ready.

Start simple and never accept the first output from an agent.

References

https://github.com/owainlewis/youtube-tutorials/tree/main

https://github.com/obra/superpowers

https://ainative.to/p/ai-agents-full-course-2026

https://addyosmani.com/blog/code-agent-orchestra/

https://awesome-copilot.github.com/learning-hub/

https://ai.plainenglish.io/vibe-coding-is-dead-heres-what-replaced-it-aa7d2889b05a

AI Handbook

Tuan Tran Van — Mon, 23 Feb 2026 12:13:19 GMT

AI Mindset

Tech hiring in the AI era: Why everyone’s at zero

How AI amplifies developers instead of replacing them, and why this is the React moment all over again.

Headlines scream about tech layoffs at Netflix, Amazon, and Microsoft, but what’s happening beneath the surface tells a different story. In this episode, Taylor Desseyn, VP of Global Community at Torc, joins the We Love Open Source podcast to share why tech hiring isn’t actually dead, how AI changes team composition without replacing developers, and why everyone’s on the same playing field when it comes to learning these new tools.

https://www.youtube.com/watch?v=KvflH9NMaiU

Taylor reframes the tech hiring narrative by looking beyond big tech. While FAANG companies (or MANGO, as he’s heard it called now) make layoff headlines, the startup ecosystem is thriving. AI-specific tech startup funding is through the roof. Torc and Randstad are both growing, driven largely by the AI boom. The reality beneath the headlines shows tech hiring evolving, not dying.

AI won’t replace developers, but it will change headcount dynamics. Taylor frames it simply: Think of an engineer as 1.0. With AI tools like Claude or Cursor, that engineer becomes 1.25, 1.5, or even 1.75. A team that previously needed 50 engineers might now need 25 or 20 really good engineers who know how to use AI effectively. It’s not about replacement, it’s about amplification.

For developers worried about AI taking their jobs, Taylor draws a parallel to earlier shifts. He’s been recruiting since 2011, through .NET MVC replacing VB.NET and React’s emergence. AI is the same kind of inflection point. The key insight: Everyone’s at zero right now. Senior, staff, and principal engineers are just getting started with Claude alongside junior developers. It’s a level playing field, but only if you engage.

Key takeaways

Tech hiring is evolving, not dying: Startup ecosystem and AI-specific funding are thriving while big tech layoffs make headlines. Look beneath the surface to see where growth is actually happening.
AI amplifies engineers rather than replacing them: Teams will hire fewer developers but those developers become 1.5x or 1.75x more productive with AI tools. The focus shifts to hiring engineers who know how to use Claude and Cursor effectively.
Everyone’s at zero with AI right now: Senior and junior developers alike are just getting started. Find a mentor, document your learning publicly, and be known for how you’re using AI.

Taylor’s message is clear: This is the React moment for AI. You can ignore it or you can learn it, but everyone who’s learning is starting from the same place. The opportunity is there for developers who take it seriously.

https://allthingsopen.org/articles/tech-hiring-ai-era-everyone-at-zero?ref=dailydev

https://medium.com/@tsecretdeveloper/be-thankful-that-you-were-there-at-the-beginning-of-ai-b47142053d0b

https://leadershipinchange.com/p/stop-learning-ai-tools

https://substack.com/home/post/p-188178090?source=queue

Most Important AI Concepts

LLMs

https://medium.com/mr-plan-publication/not-everything-is-an-llm-8-ai-model-types-you-need-to-know-in-2025-6fb026bcdc82

https://substack.com/home/post/p-188649002

What is Generative AI?

While today’s generative models are built upon a decade of progress, 2022 was the year when they triggered an “Aha!” moment for most. Generative AI is a subfield of machine learning. It involves training artificial intelligence models on large volumes of real-world data to generate new content (text, images, code, etc.) that resembles human creation.

This may have been a mouthful. Let’s clarify these terms first before we jump into LLMs. Here’s a plain-English map of those first words you’ll see.

AI is the big umbrella: getting computers to do things that look intelligent.
Machine learning (ML) lives inside AI: systems learn from data instead of hard-coded rules.
Deep learning (DL) is a way for computers to learn patterns by practicing on a huge number of examples.
NLP (natural language processing) is the part of AI that works with human language. As simple as that.
Generative AI is the branch that creates new content (text, images, audio, code). Whatever it is, it just means it generates things rather than predicts things, as done with more classical AI systems.
LLMs (Large Language Models) are deep learning models within the generative AI family that specialize in text generation.

That’s all you need for now: AI → ML → DL → (NLP) → LLMs. With the labels straight, we can understand what an LLM actually does.

What is an LLM?

An LLM is a powerful autocomplete system. It’s a machine built to answer one simple question over and over again: “Given this sequence of text, what is the most probable next token?” That “piece of text” is called a token—it can be a word, a part of a word (like runn and ing), or punctuation.

For example, if a user asks ChatGPT, “What is fine-tuning?”, it doesn’t “know” the answer. It just predicts the next token, one at a time:

The most probable first token is “Fine-tuning”.
Given that, the next most probable token is “is”.
Next is “the”, and so on...

Until it generates a full sentence: “Fine-tuning is the process of training a pre-trained model further on a smaller, specific dataset.”

It’s called a Large Language Model for three simple reasons:

Large: It has billions of internal variables (called parameters) and was trained on a massive amount of text.
Language: It’s specialized for understanding and generating human language.
Model: It’s a mathematical representation of the patterns it learned.

So, at its heart, an LLM is just a very advanced guessing machine: predicting the next token again and again until a full answer appears. So, how does it get good at making those guesses in the first place?

To get there, the model undergoes a long study session of its own—a process called pre-training. For example, if a student is asked to read every book in a giant library (a huge slice of the internet, in the case of LLMs). They’re not trying to memorize pages word-for-word. Instead, they learn patterns—how words, sentences, and ideas fit together—well enough to predict the next piece of text in any sentence. This is how a base model like GPT-5 is built during pre-training.

https://newsletter.systemdesign.one/p/llm-concepts?utm_source=publication-search

AI Agents

AI Workflows

AI workflows can be either non-agentic or agentic.

Non-Agentic Workflow: An LLM is given an instruction and produces a response. For example, in a question answering workflow, the input is a question, the LLM generates an answer, and the workflow returns that answer.

Even if you give the LLM an extra tool, the workflow is still non-agentic if it follows a fixed path and the LLM has no control over decisions or actions.
Agentic Workflow: An agentic workflow is a set of connected steps carried out by an agent or multiple agents to complete a task or goal. These workflows use key features of AI agents, such as reasoning, planning, tool use, and memory.

Now let’s take a closer look at AI agents.

AI Agents

AI agents are systems that use LLMs for reasoning and decision-making, along with tools to interact with the real world. This allows them to handle complex tasks with minimal human input. Each agent is given a specific role and a certain level of autonomy to achieve its goal. They also have memory, which helps them learn from past actions and improve over time.

https://newsletter.systemdesign.one/p/ai-agents-explained

https://substack.com/home/post/p-181466313

Components of an AI Agent

Reasoning: AI agents work well because they can reason step by step. This ability comes from the LLM (with a defined role and task) and supports two main functions: Planning and reflecting.
Memory: Stores context and relevant information. Short-Term memory tracks the current interaction, while Long-Term memory holds past knowledge and experiences.
Tools (vector search, web search, APIs, etc.): Extends the agent’s abilities beyond text generation, giving it access to external data, real-time information, or APIs.

Agentic Patterns

These patterns enable agents to dynamically adapt, plan, and collaborate, ensuring that the system can handle complex, real-world tasks with precision and scalability.

Reflection

The reflection pattern is a self-feedback mechanism, enabling agents to iteratively evaluate and refine their outputs.

Reflection is especially useful for tasks like coding, where the agent may not succeed right away. For example, it can write code, test it, analyze any errors, and use that feedback to fix and improve the code until it works.

By critiquing its own work and learning from each step, the agent can improve without human help. These reflections can be saved in memory so the agent solves future problems faster and adapts to user needs over time.

Tool Use

Agents interact with external tools like vector search, APIs, or web search to expand their capabilities.

This pattern allows agents to gather information, perform computations, and manipulate data beyond their pre-trained knowledge. By dynamically integrating tools into workflows, agents can adapt to complex tasks and provide more accurate and contextually relevant outputs.

ReAct

Reflection’s good. Tools are good. But when you let your agent think and act in loops, it gets even better.

That’s what the ReAct pattern is all about: Reasoning + Acting.

Instead of answering everything in one go, the model reasons step-by-step and adjusts its actions as it learns more.

Example:

Goal: “Find the user’s recent invoices.”
Step 1: “Query payments database.”
Step 2: “Hmm, results are outdated. Better ask the user to confirm.”
Step 3: Adjust query, repeat.

It’s not just responding — it’s navigating.

To make ReAct work, you’ll need three things:

Tools (for taking action)
Memory (for keeping context)
A reasoning loop (to track progress)

ReAct makes your agents flexible. Instead of sticking to a rigid script, they think through each step, adapt in real-time, and course-correct as new information comes in.

If you want to build anything beyond a quick one-off answer, this is the pattern you need.

Planning

Planning is a key agentic pattern that enables agents to autonomously decompose complex tasks into smaller, manageable subtasks.

Planning works best when the path to the goal is unclear and flexibility is important. For example, to fix a software bug, an agent might first read the bug report, find the relevant code, list possible causes, and then choose a debugging method. If the first fix fails, it can adjust based on the new error.

This is useful for solving complex problems that require flexibility and multiple steps.

Multi-Agent

Multi-agent collaboration allows agents to specialize in different tasks and work in parallel. Agents share progress and results to keep the overall workflow efficient and consistent.

By breaking complex tasks into smaller parts and assigning them to different agents, this approach makes workflows more scalable and flexible. Each agent can use its own memory, tools, reflection, or planning, which supports dynamic and collaborative problem-solving.

Benefits of Agentic Workflows

Flexible and adaptable: Agentic workflows adjust to changing tasks and challenges. Unlike rule-based systems, they evolve based on task complexity and can be customized using different patterns.
Efficiency Gains: Agentic workflows can automate repetitive tasks with high accuracy.
Self-correcting and learning: Using feedback and memory, agents refine their actions over time. This leads to better performance with each use.
Better at complex tasks: By breaking complex problems into smaller steps, agents handle complex tasks more effectively.

Challenges of Agentic Workflows

Overkill for simple tasks: AI agents can create extra overhead when used for simple tasks, leading to unnecessary complexity and higher costs.
Less predictable: More autonomy means more unpredictability. Without proper guardrails, agent outputs can become unreliable or hard to control.
Ethical concerns: Not all decisions should be left to AI. Sensitive tasks need human oversight to avoid mistakes or harm.

Agentic workflows are powerful, but they come with extra complexity and computation. Use them only when needed.

Context Engineering vs Prompt Engineering

Prompt Engineering

The “Static Script”.

If you’ve been working with LLMs, you already know Prompt Engineering. It’s the craft of writing effective instructions for a model, and for the past two years, it’s been the primary way developers have tried to improve AI output.

Think of an LLM as a talented improv actor:

Prompt Engineering is the script you hand them before the curtain rises. It defines their character, the scene's tone, and the rules of engagement. A good script can make a significant difference in performance.

The standard developer toolkit for prompt engineering includes:

Role Assignment – Setting the persona with instructions like “You are an expert travel agent.” This primes the model to use vocabulary and behaviors associated with that role.
Few-Shot Examples – Providing input/output pairs demonstrating the exact format you want. For example, showing the model three examples of properly formatted JSON responses before asking it to generate one.
Chain of Thought (CoT) – Instructions like “Let’s think step by step” that encourage the model to show its reasoning. This dramatically reduces errors in logic and math problems by forcing the model to “work through” the problem rather than jumping to an answer.
Constraint Setting – Hard limits on output, like “Limit your response to 50 words,” or “Respond only with valid JSON.”

These techniques are valuable and worth mastering.

But they share a fundamental limitation that becomes apparent when you move from demos to production.

The “Paris, Kentucky” Failure

The limitation of Prompt Engineering is that it is static.

Let’s return to our travel agent. The user says: “Book me a hotel in Paris for the DevOps conference.”

An agent relying only on prompt engineering sees the words “Paris” and “DevOps.” It has no access to external data, so it does what LLMs do when they lack information: it makes a probabilistic guess. There’s a Paris in France, sure, but there’s also a Paris in Kentucky, Texas, Tennessee, and several other states. Without additional context, the model has no way of knowing which one you mean.

The result?

Your user gets booked into the Best Western in Paris, Kentucky.

No amount of clever prompt phrasing can fix this. You could write “Always book hotels in major international cities”—but what about the user who actually wants Paris, Texas? The problem isn’t the prompt. The problem is that the model lacks three critical pieces of information:

User lives in London (suggesting international travel is more likely)
DevOps conference this year is actually in Paris, France
The user’s company policy requires booking Marriott properties under €200/night

This is where the paradigm shifts.

We need to move from optimizing static scripts to dynamically assembling the right information at runtime. We need Context Engineering.

https://andrewships.substack.com/p/prompt-driven-development

https://newsletter.systemdesign.one/p/context-engineering-vs-prompt-engineering

https://addyo.substack.com/p/the-prompt-engineering-playbook-for

https://blog.bytebytego.com/p/a-guide-to-effective-prompt-engineering

What is Context?

https://newsletter.systemdesign.one/p/what-is-context-engineering

Before getting into techniques or frameworks, it helps to be clear about what “context” actually means.

When you send a message to an AI assistant, it doesn’t just see your latest question. It sees the information included with your message, such as system instructions that guide its behavior, relevant parts of the conversation so far, any examples you provide, and sometimes documents or tool outputs.

All of that together is the context.

This matters because the model lacks long-term memory as humans do. It cannot recall past conversations unless that information is included again. Each response is generated solely from the current context.

The model can pay attention to only a limited amount of text at once. This limit is often called the context window. Dumping more into that space often makes answers worse, not better.

Context engineering is about managing that working space.

The goal is not to give the model as much information as possible, but to give it the right information at the moment it needs to respond.

Why does this matter for agents?

This becomes more important when the AI is doing more than answering a single question.

A simple chatbot takes your question, replies, and stops. But more advanced AI systems, often called agents, work on tasks that unfold over many steps. They might search for information, read results, summarize what matters, and then decide what to do next.

Each step generates new information that is added to what the model sees next, such as search results, summaries, and intermediate notes. Over time, the context grows, and much of it becomes no longer relevant to the current step. This is called context rot, where useful information gets buried under outdated details.

Agents often work well on focused tasks.

But when a task is broad and requires many steps, the quality can vary. As the context gets heavier, important details from earlier can get lost.

The Anatomy of Context

Understanding what causes context rot is the first step.

The next is knowing exactly what goes into the context window so you can control it.

When an AI generates a response, it is not just reacting to your last message. It is responding to a structured bundle of inputs. Each part plays a different role, but they all compete for the same limited space.

System Prompt and User Prompt

The system prompt determines the model's overall behavior.

It describes how the assistant should act, the rules it should follow, and the kinds of responses expected.

Most of the time, you do not see the system prompt directly. It’s defined by the product or application you are using. This is why two assistants built on the same underlying model can behave very differently.

For example, ChatGPT tends to answer politely, refuse certain requests, and format responses in predictable ways, even if you never explicitly asked it to do so.

The user prompt is your message.

This includes your current question and, in a chat setting, earlier messages that are still included.

Both are sent to the model together. The system prompt guides behavior, and the user prompt describes what to do right now.

If you are building an AI feature and you control the system prompt, the hard part is balance. If the instructions are too strict, the assistant can become brittle when something unexpected occurs. If they are too vague, responses become inconsistent.

A practical approach is to start minimal, test with real use cases, and add rules only when you see specific failures.

Examples

Sometimes the clearest way to guide an AI is to show it what you want.

Instead of writing a long list of rules, you can include one or two example inputs and the exact outputs you expect. This is often called few-shot prompting.

You have probably done this in ChatGPT without realizing it. If you say, “Format it like this,” and paste a sample answer, the model will usually follow the pattern.

Examples work because they remove ambiguity. They show tone, structure, and level of detail in a way that instructions often cannot.

The tradeoff is space. Examples take up room in the context window, so they need to earn their spot. A few well-chosen examples are usually better than a long list.

Message History

In a chat, the model can respond to follow-up questions because earlier messages remain in context.

For example, if you ask ChatGPT, “What is the capital of France?” and then ask, “What is the population?”, it can usually infer you still mean the capital you just discussed.

This works because the conversation so far acts like shared scratch paper. The model does not truly remember the earlier exchange. It is simply reading it again as part of the input.

The problem is that the message history grows over time. As more turns accumulate, older messages take up space even when they are no longer relevant. That can make the model less focused. It may repeat itself, follow outdated assumptions, or miss a detail that matters now.

Managing message history usually means keeping what is still relevant, summarizing what is settled, and letting the rest drop out of the active context.

Tools

On its own, an LLM can only generate text. Tools let it do more than that.

Tools allow an agent to search the web, read documents, run code, query databases, or interact with external systems. When a tool is used, the result is usually fed back into the context so the model can use it in the next step.

You have seen this in ChatGPT when it searches the web or analyzes a file you uploaded. The output becomes part of what the model sees before it responds.

Tools are powerful, but every tool call adds more text that competes for attention. If a tool returns too much information or in an unclear format, it can overwhelm the model rather than help it.

Good tool design keeps results focused and predictable. Clear names, narrow responsibilities, and concise outputs make it easier for the model to use tools effectively.

Data

Beyond messages and tools, agents often work with external data.

This can be a document you upload, an article you paste into the chat, or files the system can access. When that information is included, it becomes part of the context.

Large documents do not always behave the way you expect. The model may focus on the wrong section or miss details. This is often a context management problem, not carelessness.

Managing documents usually means breaking them into smaller pieces, pulling in what is relevant to the current step, and leaving the rest out of the active context until needed.

Context Retrieval Strategies

System instructions, examples, tools, and message history are the context in which you can write directly.

But often the most important information is not known in advance. It has to be retrieved during the task.

For example, if you ask ChatGPT a question about a PDF you uploaded, it needs to find the relevant section. If you ask it to search the web, it has to decide what to search for and which results matter.

How an agent retrieves and injects information is a major part of context engineering. There are two main approaches: loading everything upfront, or retrieving as you go.

Loading Upfront

The simplest approach is to retrieve relevant information before the model starts responding, then include it in the context all at once.

This is what happens when ChatGPT searches the web and then writes an answer using the results it just found. The model is not answering from memory. It is answering based on the information that was retrieved and added to its context.

This pattern is commonly called retrieval augmented generation (RAG).

https://newsletter.systemdesign.one/p/how-rag-works

Loading upfront works well when the question is clear, and the agent can predict what information will be useful. The downside is that the agent makes an early retrieval decision and may stick with it.

If something important is missing or the task changes direction, it can be harder to correct course.

Just-in-Time Retrieval

Another approach is to retrieve information as the task unfolds.

Instead of loading everything at the start, the agent takes a step, looks at what it has learned so far, and retrieves more information only when needed. You can sometimes see this in ChatGPT when it searches, reads, refines the query, and searches again during longer tasks.

This keeps the context cleaner because only the information actually needed gets pulled in. The tradeoff is that it takes more steps and requires the agent to decide when to retrieve and when to stop.

A useful pattern within just-in-time retrieval is to start broad and then drill down. This specification is called Progressive Disclosure.

Rather than loading full documents immediately, the agent may start with short snippets or summaries, identify what looks relevant, and pull in more detail only then.

This is how humans tackle research, too.

You do not read every article in a database. You scan titles, read abstracts of promising ones, and dive deep only into the sources that matter.

Hybrid Strategy

Fortunately, you don’t have to pick one or the other.

Many agents combine both approaches. They load a small amount of baseline information upfront, then retrieve more as needed.

You can see this in tools like ChatGPT. Some instructions and conversation history are already present, and additional information, such as search results or document excerpts, is pulled in based on what you ask.

For simpler use cases, loading upfront is often enough. As tasks get more complex and span multiple steps, retrieving as you go becomes more important.

The right choice depends on how predictable your agent’s information needs are.

Techniques for Long-Horizon Tasks

Retrieval helps an agent pull in the right information.

But some tasks create a different problem. They run long enough that the agent produces more text than can fit in the context window.

You may have seen this in ChatGPT during long conversations or research tasks. Early responses are clear, but after many steps, the answers can drift or repeat themselves, especially when you send very long instructions, like asking for help with entire code bases. Over a long task, the agent can encounter far more information than it can keep in working memory at once.

Larger context windows are not a complete solution. They can be slower and more expensive, and they still accumulate irrelevant information over time. A better approach is to actively manage what stays in context and preserve the important parts as the task grows.

Three techniques help with this:

compressing the context when it gets full,
keeping external notes,
splitting work across multiple agents.

Compaction

When the context approaches its limit, one option is to compress what’s there.

The agent summarizes the conversation so far, keeping the essential information and discarding the rest. This compressed summary becomes the new starting point, and the conversation continues from there.

You may have noticed something like this in long ChatGPT conversations. After many messages, earlier details can fade. This often happens because older parts of the conversation are shortened or dropped to make room for new input.

The hard part is deciding what to keep.

The goal, key constraints, open questions, and decisions that affect future steps should stay. Raw tool outputs that have already been used can usually go. Repeated back and forth that does not change the plan can go too.

There is always a risk of losing something that matters later. A common safeguard is to store important details outside the context before discarding them, so the agent can retrieve them if needed.

Structured Note Taking

Compaction occurs when you’re running out of space. Structured note-taking happens continuously.

As the agent works, it keeps a small set of notes outside the context window. These notes capture stable information, such as the goal, constraints, decisions made so far, and a short list of what remains.

You can see a user-level version of this idea in features like ChatGPT’s memory. If you tell it to remember something, that information can persist beyond a single conversation and be brought back when relevant.

This works well for tasks with checkpoints or tasks that span multiple sessions.

A coding agent might keep a checklist of completed steps. A support assistant might store user preferences so that it does not have to ask the same questions again.

Sub-Agent Architectures

Sometimes the best approach is to break a large task into pieces and assign each piece to a separate agent with its own context window.

In many research-style agent designs, a main agent coordinates the overall task, while sub-agents handle focused subtasks. A sub-agent explores one area in depth, then returns a short summary. The main agent keeps the summary and moves on without carrying all the raw details forward.

You can think of research features in tools like ChatGPT as an example of the kind of workflow where this pattern is useful.

This works well when subtasks can run independently or require deep exploration.

The tradeoff is complexity. Coordinating multiple agents is harder than managing a single one, so it is usually best to start with simpler techniques and add sub-agents when a single agent becomes overwhelmed.

Choosing the Right Technique

There’s no one-size-fits-all solution. The right approach depends on your “agent and your use case”. These rules of thumb can help:

Compaction works best for long, continuous conversations where context gradually accumulates.
Structured notes work best for tasks with natural checkpoints or when information needs to persist across sessions.
Sub-agents work best when subtasks can run in parallel or require deep, independent exploration.

These techniques can be combined. Start with the simplest approach and add complexity as needed.

Putting It All Together

Context engineering is not a single technique.

It’s an approach to designing AI systems. At each step, you decide what goes into the model’s context, what stays out, and what gets compressed.

The components we covered work together.

System prompts and examples shape behavior. Message history maintains continuity. Tools let the agent take actions. Data gives it information to work with. Retrieval strategies determine how and when that information gets loaded. For long-running tasks, compaction, external notes, and sub-agents help manage context that would otherwise overflow.

When something goes wrong, context is often the place to look. If the agent hallucinates, it might need better retrieval to ground its answers. If it picks the wrong tool, the tool descriptions might be unclear. If it loses track after many turns, the message history might need summarization.

A practical approach is to start simple.

Test with small tasks first. If it works, scale up. If it fails, identify what went wrong and address the specific issue.

How Does Memory For AI Agents Work?

https://www.decodingai.com/p/how-does-memory-for-ai-agents-work

AI Agent's Memory

One year ago at ZTRON, we faced a challenge that many AI builders encounter: how do we give our agent access to the right information at the right time? Like most teams, we jumped straight into building a complex multimodal Retrieval-Augmented Generation (RAG) system. We built the whole suite: embeddings for text, embeddings for images, OCR, summarization, chunking, and multiple indexes.

Our ingestion pipeline became incredibly heavy. It introduced unnecessary complexity around scaling, monitoring, and maintenance. At query time, instead of a straight line from question to answer, our agent would zigzag through 10 to 20 retrieval steps, trying to gather the right context. The latency was terrible, costs were high, and debugging was a nightmare.

Then we realized something essential. Because we were building a vertical AI agent for a specific use case, our data wasn’t actually that big. Through virtual multi-tenancy and smart data siloing, we could retrieve relevant data with simple SQL queries and fit everything comfortably within modern context windows—around 65,000 tokens maximum, well within Gemini’s 1 million token input capacity.

We dropped the entire RAG layer in favor of Context-Augmented Generation (CAG) with smart context window engineering. Everything became faster, cheaper, and more reliable. This experience taught me that the fundamental challenge in building AI agents isn’t just about retrieval. It is about understanding how to architect memory systems that match your actual use case.

The core problem we are solving is the fundamental limitation of LLMs: their knowledge is vast but frozen in time. They are unable to learn by updating their weights after training, a problem known as “continual learning”. An LLM without memory is like an intern with amnesia. They might be brilliant, but they cannot recall previous conversations or learn from experience.

To overcome this, we use the context window as a form of “working memory.” However, keeping an entire conversation thread plus additional information in the context window is often unrealistic. Rising costs per turn and the “lost in the middle” problem—where models struggle to use information buried in the center of a long prompt limit this approach. While context windows are increasing, relying solely on them introduces noise and overhead.

Memory tools act as the solution. They provide agents with continuity, adaptability, and the ability to “learn” without retraining. When we first started building agents, working with 8k or 16k token limits forced us to engineer complex compression systems. Today, we have more breathing room, but the principles of organizing memory remain essential for performance.

In this article, we will explore:

The four fundamental types of memory for AI agents.
A detailed look at long-term memory: Semantic, Episodic, and Procedural.
The trade-offs between storing memories as strings, entities, or knowledge graphs.
The complete memory cycle, from ingestion to inference.

The 4 Memory Types for AI Agents

To build effective agents, we must distinguish between the different places information lives. We can borrow terms from biology and cognitive science to categorize these layers useful for engineering.

There are four distinct memory types based on their persistence and proximity to the model’s reasoning core.

Internal Knowledge: This is the static, pre-trained knowledge baked into the LLM’s weights. It is the best place to store general world knowledge—models know about whole books without needing them in the context window. However, this memory is frozen at the time of training.
Context Window: This is the slice of information we pass to the LLM during a specific call. It acts as the RAM of the LLM. It is the only “reality” the model sees during inference.
Short-Term Memory: This is the RAM of the entire agentic system. It contains the active context window plus recent interactions, conversation history, and details retrieved from long-term memory. We slice this short-term memory to create the context window for a single inference step. It is volatile and fast, simulating the feeling of “learning” during a session
Long-Term Memory: This is the external, persistent storage system (disk) where an agent saves and retrieves information. This layer provides the personalization and context that internal knowledge lacks and short-term memory cannot retain [4].

The dynamic between these layers creates the agent’s intelligence. First, part of the long-term memory is “retrieved” and brought into short-term memory. This retrieval pipeline queries different memory types in parallel. Next, we slice the short-term memory into an active context window through context engineering. Finally, during inference, the LLM uses its internal weights plus the active context window to generate output.

Another useful way to visualize this is by proximity to the LLM. Internal memory is intrinsic, while long-term memory is the furthest away, requiring specific retrieval mechanisms to become useful.

Categorizing memory this way is critical for engineering. Internal knowledge handles general reasoning. Short-term memory manages the immediate task. Long-term memory handles personalization and continuity. No single layer can perform all three functions effectively. To better understand long-term memory, we can further apply cognitive science definitions to specific data types.

MCP - A Deep Dive

https://portkey.ai/blog/understanding-mcp-authorization/?ref=dailydev

In November 2024, Anthropic launched the Model Context Protocol (MCP) to fix this problem. This wasn’t just another developer tool. It aimed to tackle a key infrastructure issue in AI engineering.

The challenge?

Every AI application needs to connect to data sources. Until now, they had to build custom integrations from scratch. This approach creates a fragmented ecosystem that does not scale.

For example, the world isn’t frozen in time, but LLMs are…

If you want an AI to “monitor server logs,” you can’t feed it a file. You would have to build a data pipeline that polls an API every few seconds. Filter out noise, then push only the relevant anomalies into the AI’s context window. If the API changes its rate limits or response format, your entire agent breaks.

A better way to think of MCP is like a USB-C port.

The Old Way (Before USB):

If you bought a mouse, it had a PS/2 plug. A printer had a massive parallel port. A camera had a proprietary cable. If you wanted to connect these to a computer, the computer needed a specific physical port for each one.

This is the “N×M” problem:

Each device maker had to figure out how to connect to each computer. So, computer makers had to create ports for every device.

The MCP Way (With USB-C):

Now, everything uses a standard port.

Computer (AI Model) needs one USB-C port. It doesn’t need to know if you are plugging in a hard drive or a microphone; it just speaks “USB.”
Device (Data Source) requires a USB-C port. It doesn’t need to know if it’s plugged into a Mac, a PC, or an iPad.

The result: you can plug anything into anything instantly.

The analogy makes sense in theory. But to understand why MCP matters, you need to see how painful the current reality actually is…

The Integration Complexity Problem

Every AI assistant needs context to be useful:

Claude needs access to your codebase. ChatGPT may require your Google Drive files. Custom agents need database connections. But how do these AI systems actually get that context?

Traditionally, each connection requires a custom integration.

If you’re building an AI coding assistant, you need to:

Write code to connect to the GitHub API.
Add authentication and security.
Create a way to change GitHub’s data format into a version that your AI can understand.
Handle rate limiting, errors, and edge cases.
Repeat this entire process for GitLab, Bitbucket, and every other source control system.

This creates the N×M problem:

‘N’ AI assistants multiplied by ‘M’ data sources equals N×M unique integrations that need to be built and maintained.

When Cursor wants to add Notion support, they build it from scratch. When GitHub Copilot wants the same thing, they build it again. The engineering effort gets duplicated across every AI platform.

The traditional approaches have fundamental limitations:

Static, build-time integration:

Integrations are hard-coded into applications. You can’t add a new data source without updating the application itself. This makes rapid experimentation impossible and forces users to wait for official support.

Application-specific security implementations:

Every integration reinvents authentication, authorization, and data protection. This leads to inconsistent security models and increases the attack surface.

No standard way to discover:

AI systems can’t find out what capabilities a data source has. Everything needs clear programming. This makes it hard to create agents that adapt. They can’t use the new tools on their own.

The result is a ‘broken’ ecosystem!

Innovation is stuck because of integration work. Users can access only the connections that application developers create. So that’s a mess.

Now let’s look at how MCP cleans it up…

How MCP Solves It

MCP’s solution is straightforward: define a single protocol that functions across all systems.

Instead of building N×M integrations, you build N clients (one per AI application) and M servers (one per data source). The total integration work drops from N×M to N+M.

When a new AI assistant wants to support all existing data sources, it just needs to implement the MCP client protocol once.

When a new data source wants to be available to all AI assistants, it just needs to implement the MCP server protocol once.

Two critical architectural features power this efficiency:

1. Dynamic Capability Discovery

In traditional integrations, the AI application must know the data source details in advance.

If the API changes, the application breaks…

MCP flips this. It uses a “handshake” model. When an AI connects to an MCP server, it asks, “What can you do?”.

The server returns a list of available resources and tools in real time.

RESULT:

You can add a new tool to your database server, like a “Refund User” function. The AI agent finds it right away the next time it connects. You won’t need to change any code in the AI application.

2. Decoupling Intelligence from Data

MCP separates the thinking system (AI model) from the knowing system (the data source).

For Data Teams: They can build robust, secure MCP servers for their internal APIs without worrying about which AI model will use them.
For AI Teams: They can swap models without having to rebuild their data integrations.

This decoupling means your infrastructure doesn’t become obsolete whenever a new AI model gets released.

You build your data layer once, and it works with whatever intelligence layer you choose to plug into it.

An AI agent using MCP doesn’t need to know in advance what tools are available. It simply connects, negotiates capabilities, and uses them as needed. This enables a level of flexibility and scale that is impossible with traditional static integrations.

The high-level concept is straightforward.

But the real elegance is in how the architecture actually works under the hood…

MCP Architecture Deep Dive

MCP’s architecture has three main layers.

These layers separate concerns and allow for easy scalability:

The Three-Layer Model

Hosts are user-facing apps.

This includes the Claude Desktop app, IDEs like VSCode, or custom AI agents you create. Hosts are where users connect with the AI. They are also where requests begin. They do more than display the UI; they orchestrate the entire user experience.

The host application interprets the user’s prompt.

It decides whether external data or tools are needed to fulfill the request. If access is necessary, the host creates and manages several internal clients. It keeps one client for each MCP server it connects to.

The protocol layer handles the mechanics of data access.

Clients are protocol-speaking connection managers that run on hosts.

Each client maintains a dedicated 1:1 connection with a single MCP server. They serve as the translation layer.

They convert abstract AI requests from the host into clear MCP messages. These messages, like tools/call or resources/read, can be understood by the server. Clients do more than send messages. They manage the entire session lifecycle. This includes handling connection drops, reconnections, and state.

When a connection starts, the client takes charge of capability negotiation. It asks the server which tools, resources, and prompts it supports.

Servers provide context.

They act as the layer that connects real-world systems, such as PostgreSQL databases, GitHub repositories, or Slack workspaces.

A server connects the MCP protocol to the data source. It translates MCP requests into the system’s native operations. For example, it turns an MCP read request into a SQL SELECT query. They are very flexible. They can run on a user’s machine for private access or remotely as a cloud service.

Servers share their available capabilities when connected. They inform the client about the Resources, Prompts, and Tools they offer.

https://newsletter.systemdesign.one/p/how-mcp-works

AGENTS.MD

An AGENTS.md file is a markdown file you check into Git that customizes how AI coding agents behave in your repository. It sits at the top of the conversation history, right below the system prompt.

Think of it as a configuration layer between the agent's base instructions and your actual codebase. The file can contain two types of guidance:

Personal scope: Your commit style preferences, coding patterns you prefer
Project scope: What the project does, which package manager you use, your architecture decisions

The AGENTS.md file is an open standard supported by many - though not all - tools.

Why Massive AGENTS.MD Files Are a Problem

There's a natural feedback loop that causes AGENTS.md files to grow dangerously large:

The agent does something you don't like
You add a rule to prevent it
Repeat hundreds of times over months
File becomes a "ball of mud"

Different developers add conflicting opinions. Nobody does a full style pass. The result? An unmaintainable mess that actually hurts agent performance.

Another culprit: auto-generated AGENTS.md files. Never use initialization scripts to auto-generate your AGENTS.md. They flood the file with things that are "useful for most scenarios" but would be better progressively disclosed. Generated files prioritize comprehensiveness over restraint.

The Instruction Budget

Kyle from Humanlayer's article mentions the concept of an "instruction budget":

Frontier thinking LLMs can follow ~ 150-200 instructions with reasonable consistency. Smaller models can attend to fewer instructions than larger models, and non-thinking models can attend to fewer instructions than thinking models.

Every token in your AGENTS.md file gets loaded on every single request, regardless of whether it's relevant. This creates a hard budget problem:

Scenario	Impact
Small, focused `AGENTS.md`	More tokens available for task-specific instructions
Large, bloated `AGENTS.md`	Fewer tokens for the actual work; agent gets confused
Irrelevant instructions	Token waste + agent distraction = worse performance

Taken together, this means that the ideal AGENTS.md file should be as small as possible.

Stale Documentation Poisons Context

Another issue for large AGENTS.md files is staleness.

Documentation goes out of date quickly. For human developers, stale docs are annoying, but the human usually has enough built-in memory to be skeptical about bad docs. For AI agents that read documentation on every request, stale information actively poisons the context.

This is especially dangerous when you document file system structure. File paths change constantly. If your AGENTS.md says "authentication logic lives in src/auth/handlers.ts" and that file gets renamed or moved, the agent will confidently look in the wrong place.

Instead of documenting structure, describe capabilities. Give hints about where things might be and the overall shape of the project. Let the agent generate its own just-in-time documentation during planning.

Domain concepts (like "organization" vs "group" vs "workspace") are more stable than file paths, so they're safer to document. But even these can drift in fast-moving AI-assisted codebases. Keep a light touch.

Cutting Down Large AGENTS.md File

Be ruthless about what goes here. Consider this the absolute minimum:

One-sentence project description (acts like a role-based prompt)
Package manager (if not npm; or use corepack for warnings)
Build/typecheck commands (if non-standard)

That's honestly it. Everything else should go elsewhere.

The One-Liner Project Description

This single sentence gives the agent context about why they're working in this repository. It anchors every decision they make.

Example: This is a React component library for accessible data visualization.

That's the foundation. The agent now understands its scope.

Package Manager Specification

If you're In a JavaScript project and using anything other than npm, tell the agent explicitly:

This project uses pnpm workspaces.

Without this, the agent might default to npm and generate incorrect commands.

Use Progressive Disclosure

Instead of cramming everything into AGENTS.md, use progressive disclosure: give the agent only what it needs right now, and point it to other resources when needed.

Agents are fast at navigating documentation hierarchies. They understand context well enough to find what they need.

Move Language-Specific Rules to Separate Files

If your AGENTS.md currently says:

Always use const instead of let.
Never use var.
Use interface instead of type when possible.
Use strict null checks.
...

Move that to a separate file instead. In your root AGENTS.md:

For TypeScript conventions, see docs/TYPESCRIPT.md

Notice the light touch, no "always," no all-caps forcing. Just a conversational reference.

The benefits:

TypeScript rules only load when the agent writes TypeScript
Other tasks (CSS debugging, dependency management) don't waste tokens
File stays focused and portable across model changes

Nest Progressive Disclosure

You can go even deeper. Your docs/TYPESCRIPT.md can reference docs/TESTING.md. Create a discoverable resource tree:

docs/
├── TYPESCRIPT.md
│   └── references TESTING.md
├── TESTING.md
│   └── references specific test runners
└── BUILD.md
    └── references esbuild configuration

You can even link to external resources, Prisma docs, Next.js docs, etc. The agent will navigate these hierarchies efficiently.

Use Agent Skills

Many tools support "agent skills" - commands or workflows the agent can invoke to learn how to do something specific. These are another form of progressive disclosure: the agent pulls in knowledge only when needed.

AGENTS.MD in Monorepos

You're not limited to a single AGENTS.md at the root. You can place AGENTS.md files in subdirectories, and they merge with the root level.

This is powerful for monorepos:

What Goes Where:

Level	Content
Root	Monorepo purpose, how to navigate packages, shared tools (pnpm workspaces)
Package	Package purpose, specific tech stack, package-specific conventions

Root AGENTS.md:

This is a monorepo containing web services and CLI tools.
Use pnpm workspaces to manage dependencies.
See each package's AGENTS.md for specific guidelines.

Package-level AGENTS.md (in packages/api/AGENTS.md):

This package is a Node.js GraphQL API using Prisma.
Follow docs/API_CONVENTIONS.md for API design patterns.

Don't overload any level. The agent sees all merged AGENTS.md files in its context. Keep each level focused on what's relevant at that scope.

Fix A Broken Agents.md with this prompt

If you're starting to get nervous about the AGENTS.md file in your repo, and you want to refactor it to use progressive disclosure, try copy-pasting this prompt into your coding agent:

I want you to refactor my AGENTS.md file to follow progressive disclosure principles.

Follow these steps:

1. **Find contradictions**: Identify any instructions that conflict with each other. For each contradiction, ask me which version I want to keep.

2. **Identify the essentials**: Extract only what belongs in the root AGENTS.md:
   - One-sentence project description
   - Package manager (if not npm)
   - Non-standard build/typecheck commands
   - Anything truly relevant to every single task

3. **Group the rest**: Organize remaining instructions into logical categories (e.g., TypeScript conventions, testing patterns, API design, Git workflow). For each group, create a separate markdown file.

4. **Create the file structure**: Output:
   - A minimal root AGENTS.md with markdown links to the separate files
   - Each separate file with its relevant instructions
   - A suggested docs/ folder structure

5. **Flag for deletion**: Identify any instructions that are:
   - Redundant (the agent already knows this)
   - Too vague to be actionable
   - Overly obvious (like "write clean code")

Don’t Build a Ball of Mud

When you're about to add something to your AGENTS.md, ask yourself where it belongs:

Location	When to use
Root `AGENTS.md`	Relevant to every single task in the repo
Separate file	Relevant to one domain (TypeScript, testing, etc.)
Nested documentation tree	Can be organized hierarchically

The ideal AGENTS.md is small, focused, and points elsewhere. It gives the agent just enough context to start working, with breadcrumbs to more detailed guidance.

Everything else lives in progressive disclosure: separate files, nested AGENTS.md files, or skills.

This keeps your instruction budget efficient, your agent focused, and your setup future-proof as tools and best practices evolve.

Agent Skills

What are the Claude Skills?

Claude Skills, officially launched as "Agent Skills" in October 2024 and significantly expanded in December 2024, are modular capabilities that teach Claude how to perform specific tasks in a repeatable, specialized way.

Think of Skills as custom training modules. Instead of explaining the same process to Claude every single time ("Here's how our company formats PRDs" or "Here's how we analyze user data"), you package those instructions once into a Skill. From then on, Claude automatically recognizes when that Skill is relevant and applies it.

The technical definition: Skills are folders containing instructions, scripts, and resources that Claude loads dynamically when needed to perform specialized tasks. They can include:

Markdown files with instructions and procedures
Executable code for complex operations
Templates and examples
Domain-specific knowledge

The practical reality: Skills turn Claude from a general-purpose AI into a specialist that knows your workflows, your brand guidelines, your data analysis methods, and your organizational processes.

https://resources.anthropic.com/hubfs/The-Complete-Guide-to-Building-Skill-for-Claude.pdf?hsLang=en

A Brief History: How Skills Evolved

Understanding when and why Anthropic introduced Skills helps explain why this matters now:

October 2024: Anthropic quietly launched Agent Skills as a beta feature. Initially, it was developer-focused—available through the API and Claude Code. The idea was simple: let developers package specialized capabilities that Claude could invoke when relevant.

December 18, 2024: The major expansion. Anthropic made Skills available across claude.ai, introduced organization-wide management for Team and Enterprise plans, launched a Skills Directory with partner-built skills from companies like Notion, Figma, Canva, and Atlassian, and most importantly, published Agent Skills as an open standard at agentskills.io.

January 2025: Skills became integrated with other Claude features like Memory, Extended Thinking, and the new Cowork agent. The Skills Directory expanded significantly, and custom skill creation became more accessible to non-technical users.

Current State (January 2026): Skills are now available to Pro, Max, Team, and Enterprise users. You can use pre-built Anthropic Skills (for Excel, PowerPoint, Word, PDFs), install partner Skills from the directory, or create custom Skills tailored to your exact workflows.

The evolution shows Anthropic's strategy: start with developers, prove the concept, then democratize it for everyone. And it's working.

What Claude Skills do?

Teach Claude ONCE, Benefit FOREVER (Zero Re-Explaining): Skills are instruction folders Claude loads automatically when relevant. Stop re-explaining your preferences, processes, and domain expertise in every single conversation. One folder = permanent memory of your workflow. Build in 15-30 minutes using the built-in skill-creator tool. Works for frontend design, research methodology, document creation, sprint planning, customer onboarding, and compliance workflows. Saves hours weekly across teams and individual users.
Progressive Disclosure = Minimal Token Usage (3-Level System): The 3-level system is genius: Level 1 (YAML frontmatter) always stays in Claude's system prompt — just enough for Claude to know WHEN to activate. Level 2 (SKILL.md body) loads only when relevant. Level 3 (linked files) loads only as needed. Result: specialized expertise without bloating every conversation. Same AI power, fraction of the token cost. An estimated 50%+ reduction in tokens per workflow session versus re-prompting every chat. Keep SKILL.md under 5,000 words, move detailed docs to references/ folder
One Skill = All Surfaces (100% Portability): Build a skill ONCE, and it works identically on Claude.ai, Claude Code, and API — no modifications needed. This is unprecedented in AI tooling. Competitors lock you into one interface. Skills follow you everywhere. Deploy to individuals, teams, or your entire organization from one central folder. Organization-wide deployment launched December 18, 2025, with automatic updates and centralized admin management for enterprise teams.
MCP + Skills = Your AI Employee (Kitchen Analogy): MCP provides the professional kitchen: real-time access to Notion, Asana, Linear, Slack, GitHub, and Figma. Skills provide the recipes: step-by-step instructions optimized for YOUR workflow. Without Skills, MCP users get tool access but no workflow guidance — resulting in support tickets and inconsistent results. With Skills, pre-built workflows activate automatically. Anthropic data shows users blame the MCP connector when the real issue is missing workflow knowledge.
5 Battle-Tested Patterns (Real-World Workflows): Anthropic released 5 proven workflow patterns from early adopters: Pattern 1 (Sequential Workflow) for multi-step processes in exact order. Pattern 2 (Multi-MCP Coordination) for workflows spanning Figma, Drive, Linear, and Slack simultaneously. Pattern 3 (Iterative Refinement) for self-validating output loops. Pattern 4 (Context-Aware Tool Selection) for smart routing to the right tool. Pattern 5 (Domain-Specific Intelligence) for compliance, finance, and legal workflows with embedded rules.
OPEN Standard = Platform-Independent (Like MCP): Anthropic published Agent Skills as an OPEN standard. Like MCP, skills work across AI platforms — not locked to Claude. Early ecosystem adoption already underway. Partners from Asana, Atlassian, Canva, Figma, Sentry, and Zapier have published skills. The GitHub repo anthropics/skills contains production-ready skills you can customize TODAY instead of building from scratch. Community-built skills are multiplying fast — early publishers gain maximum visibility and downloads.
Skill File Structure (15-Minute Setup): A skill is JUST a folder with 4 possible items: SKILL.md (required — Markdown with YAML frontmatter), scripts/ (optional Python or Bash), references/ (optional docs loaded on demand), assets/ (optional templates and icons). Folder name MUST be kebab-case (sprint-planner, NOT Sprint Planner or sprint_planner). SKILL.md must be EXACTLY that spelling — case-sensitive. No README.md inside the skill folder. Start with just SKILL.md — that is the entire minimum viable skill.
API Integration = Production-Scale Deployment (/v1/skills): For production applications, the /v1/skills endpoint lets you manage skills programmatically. Add skills to Messages API requests via the container.skills parameter. Version control through Claude Console. Works with Claude Agent SDK for custom AI agents. Requires Code Execution Tool beta access. Use the API for production deployments, automated pipelines, and agent systems. Individual users should use Claude.ai. API skills unlock enterprise-grade AI workflow automation at unlimited scale.
Trigger Optimization = 90%+ Auto-Activation Rate: The description field is EVERYTHING. Target: skill triggers on 90%+ of relevant queries automatically. Good descriptions include WHAT the skill does AND WHEN to use it with specific trigger phrases. Bad: "Helps with projects." Good: "Manages Linear sprint planning. Use when user mentions 'sprint', 'Linear tasks', or asks to 'create tickets'." Run 10-20 test queries. Ask Claude directly: "When would you use the [skill name] skill?" — Claude quotes your description back and reveals exactly what is missing.
Organization-Wide Skills Deployment (December 2025): Admins can now deploy skills workspace-wide — launched December 18, 2025. Automatic updates push to all users simultaneously. Centralized management from admin panel. One skill update standardizes EVERY team member's workflow instantly. No more inconsistent AI results between teammates who prompt differently. Companies building skills libraries NOW gain compounding efficiency advantages against competitors still re-explaining context every single chat session. This is the AI operations layer enterprises have been waiting for.

Why This Changes Everything

The End of Prompt Engineering (Finally): Prompt engineering required constant re-explanation, relied on individual memory, produced inconsistent results, and could not be shared easily. Skills are shareable, versioned, auto-activating, and organization-deployable. The shift is from art (crafting the perfect prompt) to engineering (building a reliable system). Early adopters building skills libraries NOW will have a 6-12 month workflow advantage over teams still copying prompts from Notion docs and Slack messages.
Solves the "New Chat = New Explanation" Problem: Every new Claude conversation resets context completely. Skills eliminate this permanently. Claude loads your workflow automatically based on what you say — no explicit trigger needed. Power users currently spend 10-20% of their AI time re-establishing context every session. Skills compress that to near-zero. The compounding time savings across 1,000+ sessions per year is enormous — estimated 200+ hours annually per person recovered from pure context-setting overhead.
Democratizes Expert AI Workflows: Previously, getting Claude to follow expert workflows required prompt engineering knowledge, time, and extensive trial-and-error. Skills democratize this: download a community-built skill from GitHub, upload to Claude.ai in 60 seconds, and instantly access workflows built by domain experts. A junior marketer can now operate with the same AI workflow sophistication as a senior AI engineer. The public skills marketplace is still early — first movers can publish skills that thousands of users download and benefit from.
MCP Adoption Accelerator (Critical for Developers): Without skills, MCP integrations face user abandonment: users connect the tool but don't know how to use it effectively. With skills, MCP becomes turnkey. Anthropic's research shows users blame the MCP connector when the real issue is missing workflow guidance. Skills fix this permanently. If you've built an MCP server, adding a companion skill dramatically increases user retention, reduces support tickets, and differentiates your product from the growing field of MCP-only competitors.
Compounding Efficiency = Compounding Advantage: Every skill you build is a one-time investment that pays dividends indefinitely. Build a 30-minute skill today, save 5 minutes per workflow session. At 10 sessions per day = 50 minutes saved daily = 250 minutes per week = 200+ hours per year per person. Teams of 10 = 2,000+ hours annually recovered from a single well-built skill. Organizations building skills libraries systematically gain structural productivity advantages that compound over time against competitors still working session-by-session.

When something deserves to become a Skill

The Skill doesn’t come first. What comes first is a pattern.

Every time I faced messy strategic notes, I was unconsciously applying the same mental structure:

Clarify the context → Extract key signals → Surface risks → Compare trade-offs → Present structured options → Define next steps

That repetition is what changed everything.

Because repetition is the signal that something deserves structure.

Here are the problems I had before using skills (and what they led to):

No defined role → Inconsistent responses
No rules → Shifts in tone
No boundaries → Unnecessary creative drift
No environment → Constant repetition

That shift didn’t happen because I created a Skill. It happened because I stopped improvising.

Structure came first. Automation came second.

The hidden step most people skip can be summarized like this:

The difference is massive. In the first case (left side), you automate an idea. In the second case (right side), you automate a proven framework.

A Skill is not a clever idea. It is a structure that has already proven it works multiple times.

Skills vs. Other Claude Features: What's the Difference?

Claude has several features that sound similar. Here's how they differ:

Skills vs. Projects:

Projects provide static background context that's always loaded when you're in that project
Skills provide dynamic procedures that only load when relevant
Use Projects for persistent knowledge, Skills for repeatable processes

Skills vs. Custom Instructions:

Custom Instructions apply broadly to all your conversations
Skills are task-specific and only activate when needed
Custom Instructions set general preferences; Skills provide specialized procedures

Skills vs. MCP Connectors:

MCP Connectors give Claude access to external tools and data (like Notion, Slack)
Skills teach Claude how to use those tools effectively
They work together: MCP provides access, Skills provide process

Example: An MCP connector gives Claude access to your Notion workspace. A Skill teaches Claude how to format meeting notes according to your team's specific template within Notion.

Potential Drawbacks and Limitations

Let's be honest about where Skills fall short:

1. Requires Code Execution to be Enabled
Skills use Claude's code execution capability. If you've disabled this for security reasons, Skills won't work. This is a consideration for enterprises with strict security policies.

2. Initial Setup Time
Creating good Skills takes time. You need to document processes clearly, provide examples, and iterate based on results. The ROI is there, but it's not instant.

3. Not Ideal for Highly Dynamic Processes
If your workflow changes constantly, maintaining Skills becomes overhead. They're best for processes that are reasonably stable.

4. Potential for Over-Reliance
There's a risk that teams become dependent on Skills without understanding the underlying processes. Junior PMs might use a "Feature Spec" Skill without learning what makes a good spec.

5. Quality Depends on Quality of Instructions
Garbage in, garbage out. Poorly written Skill instructions produce inconsistent results. This requires thoughtful documentation.

6. Limited to Available Plans
Skills are only available on Pro, Max, Team, and Enterprise plans. Free-tier users can't access them.

Finding & Installing Third-Party Skills

Official Anthropic Repositories

github.com/anthropics/skills → Official skill examples + production document skills (docx, pdf, pptx, xlsx). Apache 2.0 for examples; source-available for doc skills. Functions as a Claude Code Plugin marketplace.

github.com/anthropics/claude-plugins-official → Official plugin marketplace directory. Third-party partners can submit.

github.com/anthropics/knowledge-work-plugins → 11 role-based plugins (Sales, Support, Product Management, Finance, Data, etc.) with skills, commands, and MCP connectors. Open source.

github.com/anthropics/life-sciences → Life sciences MCP servers and skills (PubMed, BioRender, etc.)

Community Skill Directories & Marketplaces

skills.sh → Primary distribution hub. npx skills add . Leaderboard, multi-platform.

skillsmp.com → Independent directory, aggregates from GitHub. Min 2-star filter.

skillhub.club → 20K+ skills with AI-evaluated quality ratings. Has a playground.

hub.skild.sh → Another community registry

agentskill.sh → 25K+ skills directory, browseable by category/platform

Key Community Projects

obra/superpowers → Complete software dev workflow: brainstorm → plan → TDD → implement → review. 20+ battle-tested skills. The gold standard for skill composition. Install: /plugin marketplace add obra/superpowers-marketplace then /plugin install superpowers@superpowers-marketplace

obra/superpowers-skills → Community-editable extension to Superpowers

obra/superpowers-lab → Experimental skills (tmux for interactive commands, etc.)

travisvn/awesome-claude-skills → Curated awesome-list of skills, resources, and tools

numman-ali/openskills → Universal skills loader. npx openskills install anthropics/skills. Works across Claude Code, Cursor, Windsurf, Aider, Codex, etc.

vercel-labs/agent-skills → Vercel’s official skills: React, Next.js, React Native patterns + Vercel deploy skill

qufei1993/skills-hub → Desktop app: “Install once, sync everywhere” — manages skills across multiple AI tools

inference.sh skills → 150+ cloud AI app skills (image gen, video, TTS, search) via infsh CLI

Building Your Own Skills — Best Practices

Design Principles

Single-purpose: “SEO optimization for blog posts” is good. “Content marketing helper” is too broad. “Add meta descriptions” is too narrow.
Description is king: Claude routes based on the description field. Vague = missed triggers. Overly generic = false triggers. Be specific about when and what.
Progressive disclosure: Keep SKILL.md lean. Reference files for deep details. Scripts for deterministic steps.
Imperative instructions: Write as if onboarding a smart junior engineer. Be explicit about steps, inputs, outputs.
Include examples: Show expected inputs and outputs. Show what “good” looks like.
Token budget: Metadata ~50-100 tokens. Full SKILL.md < 5000 tokens. Reference files on-demand.

The Description Field — Most Important 200 Characters You’ll Write

Bad:

yaml

description: Helps with code

Good:

yaml

description: >-
  Generate FastAPI backend with React+Vite frontend, Tailwind, shadcn/ui,
  and OpenAI integration. Use when asked to scaffold a full-stack AI app.

Claude uses semantic matching, not keyword matching — but vague descriptions still reduce accuracy.

Skill Structure Patterns

Pattern 1: Instructions-only (simplest)

my-skill/
└── SKILL.md     # All instructions in one file

Pattern 2: Instructions + References

brand-guidelines/
├── SKILL.md           # Overview + when to apply
└── references/
    ├── colors.md      # Detailed color specs
    ├── typography.md   # Font rules
    └── voice.md       # Tone of voice guide

Pattern 3: Instructions + Scripts (executable)

data-pipeline/
├── SKILL.md
├── scripts/
│   ├── validate.py
│   └── transform.sh
└── templates/
    └── output-schema.json

Pattern 4: Full production skill (like the built-in docx skill)

docx/
├── SKILL.md
├── LICENSE.txt
├── scripts/
│   ├── office/
│   │   ├── soffice.py
│   │   ├── unpack.py
│   │   └── validate.py
│   └── accept_changes.py
├── references/
│   └── REFERENCE.md
└── examples/
    └── sample-doc.docx

Creating Skills with the Skill-Creator

Claude has a built-in skill-creator skill (available in claude.ai and as a plugin). The workflow:

Tell Claude “I want to create a skill for X”
It interviews you about the workflow
Generates the SKILL.md and folder structure
Creates test prompts
Runs Claude-with-skill on them
You evaluate results
Iterate until satisfied

You can also use the eval/benchmark system for more rigorous testing:

Eval mode: Test individual prompts, compare with/without skill
Improve mode: Iterative optimization with blind A/B comparisons
Benchmark mode: Standardized measurement with variance analysis (3x runs per config)

Claude Code-Specific Features

In Claude Code, skills gain extra powers via frontmatter:

yaml

---
name: deep-research
description: Research a topic thoroughly
context: fork          # Runs in a forked subagent
agent: Explore         # Uses the Explore agent (read-only tools)
---

Options for context:

Default (omitted): Claude loads it when relevant
fork: Runs as a separate subagent task

Options for agent:

Explore: Read-only codebase exploration
Plan: Planning-focused
Custom: Any subagent from .claude/agents/

Skills can also be invoked as slash commands:

.claude/skills/review/SKILL.md creates /review
(This replaced the older .claude/commands/ system)

Getting-Up-To-Speed - Practical Plan

Here I outline a practical approach on how to multiply your productivity by integrating agentic skills into your day-to-day workflow with Claude, Codex, or any other AI agent tool of your choice (using Claude as an example).

Foundation (2-3 hours)

Understand the landscape

Read the Agent Skills specification (15 min)
Read Anthropic’s blog post introducing skills (10 min)
Read the how to create skills guide (15 min)
Read the Claude Code skills docs (15 min)
Read Lee Han Chung’s deep dive on skill architecture (20 min)

Explore existing skills

Browse github.com/anthropics/skills — read 3-4 example SKILL.md files to see patterns
Browse skills.sh and skillsmp.com to see what the community has built
Install Superpowers in Claude Code: /plugin marketplace add obra/superpowers-marketplace + /plugin install superpowers@superpowers-marketplace
Read Jesse Vincent’s blog post on Superpowers — this is the best practical write-up on skill composition
Browse travisvn/awesome-claude-skills for curated resources

Try it hands-on

Ask Claude (in claude.ai or Claude Code) to “create a skill for [something you do repeatedly]” — use the skill-creator
Test the generated skill on a real task
Iterate once or twice based on results

Build Your System (3-4 hours)

Set up your skills infrastructure

Create a GitHub repo for your personal skills (your-username/claude-skills)
Add a marketplace.json to make it a Claude Code marketplace
Set up Obsidian vault with the Skills/ and Workflows/ structure described above
Install the Obsidian Git plugin and connect to your skills repo
Create a SKILL.md template in Obsidian Templater

Build your first 3 skills Start with workflows you repeat across projects:

Your project scaffolding workflow — how you set up a new project (tech stack, folder structure, CI, etc.)
Your code review checklist — your standards for reviewing code
Your product spec process — how you go from idea to spec

For each:

Document the workflow in Obsidian Workflows/
Draft the SKILL.md
Push to Git
Register your marketplace in Claude Code
Test on a real task
Iterate

Day 5: Explore the API surface

Read the Skills API docs
Try uploading a custom skill via the API
Understand the /v1/skills endpoints for programmatic management

Scale & Parallelize (3-4 hours)

Build product-specific skills For each of your product ideas, create:

Domain knowledge skill (what this product does, its entities, its terminology)
Architecture skill (your preferred stack, patterns, conventions for this product)
Testing skill (how you want tests structured for this product)

Explore advanced patterns

Read the MCP builder skill — skills + MCP is a powerful combination
Try context: fork and subagent delegation in Claude Code
Explore anthropics/knowledge-work-plugins for the plugin architecture pattern
Install openskills (npx openskills install anthropics/skills) for cross-tool skill management

Automate and refine

Set up GitHub Actions to validate your skills on push (use skills-ref Python library)
Create a “meta-skill” that helps you create new skills faster (or use the built-in skill-creator as a base)
Document your skills system in your Obsidian vault so future-you (and future-Claude) can maintain it

https://codeagentsalpha.substack.com/p/claude-agent-skills-complete-getting

https://sifuyik.substack.com/p/anthropic-dropped-the-32-page-internal

https://artificialcorner.com/p/claude-code-skills

https://medium.com/product-powerhouse/claude-skills-the-ai-feature-thats-quietly-changing-how-product-managers-work-aad5d8d0640a

https://www.youngleaders.tech/p/claude-skills-commands-subagents-plugins

https://aiblewmymind.substack.com/p/claude-skills-36-examples

https://medium.com/@mohit15856/i-tested-anthropics-skill-creator-plugin-on-my-own-skills-here-s-what-i-found-23ad406b0825

Spec-Driven Development

Like with many emerging terms in this fast-paced space, the definition of “spec-driven development” (SDD) is still in flux. Here’s what I can gather from how I have seen it used so far: Spec-driven development means writing a “spec” before writing code with AI (“documentation first”). The spec becomes the source of truth for the human and the AI.

GitHub: “In this new world, maintaining software means evolving specifications. […] The lingua franca of development moves to a higher level, and code is the last-mile approach.”

Tessl: “A development approach where specs — not code — are the primary artifact. Specs describe intent in structured, testable language, and agents generate code to match them.”

After looking over the usages of the term, and some of the tools that claim to be implementing SDD, it seems to me that in reality, there are multiple implementation levels to it:

Spec-first: A well thought-out spec is written first, and then used in the AI-assisted development workflow for the task at hand.
Spec-anchored: The spec is kept even after the task is complete, to continue using it for evolution and maintenance of the respective feature.
Spec-as-source: The spec is the main source file over time, and only the spec is edited by the human, the human never touches the code.

All SDD approaches and definitions I’ve found are spec-first, but not all strive to be spec-anchored or spec-as-source. And often it’s left vague or totally open what the spec maintenance strategy over time is meant to be.

What Is Spec-Driven Development?

The key question in terms of definitions of course is: What is a spec? There doesn’t seem to be a general definition, the closest I’ve seen to a consistent definition is the comparison of a spec to a “Product Requirements Document”.

The term is quite overloaded at the moment, here is my attempt at defining what a spec is:

A spec is a structured, behavior-oriented artifact - or a set of related artifacts - written in natural language that expresses software functionality and serves as guidance to AI coding agents. Each variant of spec-driven development defines their approach to a spec’s structure, level of detail, and how these artifacts are organized within a project.

There is a useful difference to be made I think between specs and the more general context documents for a codebase. That general context are things like rules files, or high level descriptions of the product and the codebase. Some tools call this context a memory bank, so that’s what I will use here. These files are relevant across all AI coding sessions in the codebase, whereas specs only relevant to the tasks that actually create or change that particular functionality.

The challenge with evaluating SDD tools

It turns out to be quite time-consuming to evaluate SDD tools and approaches in a way that gets close to real usage. You would have to try them out with different sizes of problems, greenfield, brownfield, and really take the time to review and revise the intermediate artifacts with more than just a cursory glance. Because as GitHub’s blog post about spec-kit says: “Crucially, your role isn’t just to steer. It’s to verify. At each phase, you reflect and refine.”

For two of the three tools I tried it also seems to be even more work to introduce them into an existing codebase, therefore making it even harder to evaluate their usefulness for brownfield codebases. Until I hear usage reports from people using them for a period of time on a “real” codebase, I still have a lot of open questions about how this works in real life.

That being said - let’s get into three of these tools. I will share a description of how they work first (or rather how I think they work), and will keep my observations and questions for the end. Note that these tools are very fast evolving, so they might have already changed since I used them in September.

The Three Documents (and Why They’re Different)

I see people conflating PRDs, design docs, and specs constantly. They serve different purposes.

Product Requirements Document (PRD): For humans; product managers, stakeholders. Covers what we’re building and why. Business value, user stories, success metrics. This is a debate document.

Technical Design Document: For engineers. Covers how we’re building it. Architecture decisions, scalability considerations, security implications. Also debated and reviewed.

AI Spec: For agents. This is an execution document - not a debate, a plan. It translates decisions from the PRD and design doc into something an agent can act on.

In practice, you don’t always write all three. For a small feature, you might skip straight to a spec. For a large initiative, you’d have a PRD that spawns multiple design docs, each spawning multiple specs. The spec is always the final translation layer before code.

Anatomy of a Good Spec

A spec has four parts:

1. Why (Brief Context)

Keep this short. One or two sentences about the problem you’re solving. This helps the agent make intelligent decisions if it encounters ambiguity.

2. What (Scope)

Define the boundaries. What features are you building? Be specific about implementation details the agent would otherwise guess about.

Example: “JWT-based auth with one-hour access tokens and seven-day refresh tokens. Users can register, login, and refresh tokens.”

3. Constraints (Boundaries)

This is where you prevent the agent from being too eager. What libraries to use. What patterns to follow. What’s explicitly out of scope.

Example: “Use bcrypt for password hashing. Store user data in Postgres via Prisma. Must not add new dependencies. Must not store tokens in the database. Out of scope: password reset, OAuth, email verification.”

4. Tasks (Discrete Work Units)

Break the work into small, verifiable chunks. Each task should specify what to build, which files to touch, and how to verify completion.

Example:

Task 1: Add user model to Prisma schema. Verify: npx prisma generate succeeds.
Task 2: Create registration endpoint. Verify: Test with curl, user appears in database.
Task 3: Create login endpoint. Verify: Returns valid JWT on correct credentials.

When Specs Go Wrong

Specs fail in two directions.

Over-specified: You’ve constrained the agent so tightly it can’t solve the problem. Signs: the agent keeps asking for permission, or produces convoluted code to satisfy contradictory constraints. Fix: loosen constraints, focus on outcomes rather than implementation details.

Under-specified: The agent still has to guess. Signs: you review the code and find unexpected decisions - new files, different patterns, surprise dependencies. Fix: add the missing constraints. Each surprise is a constraint you forgot to write down.

The goal is a spec tight enough that the agent can’t make decisions you’d disagree with, but loose enough that it can solve problems you didn’t anticipate.

My Workflow

It’s important to point out that this level of planning isn’t always needed. If you’re fixing a simple bug, you likely don’t need extensive planning. Just do it. If you’re working on something large that might split into many tasks or run over multiple sessions - write a spec.

Here’s how I actually use specs day to day:

Step 1: Generate. I describe what I want to build to the agent and ask it to write a spec—not implement the feature. I use a /spec command for this.

Step 2: Iterate. I review the spec carefully. The agent will make assumptions. I correct them, add constraints I forgot, remove scope creep. This is where I catch problems before they become code.

Step 3: Execute. I open a fresh session. I ask the agent to read the spec and implement Task 1. Review the code. Commit. Move to Task 2.

“Read and implement T1”

Step 4: Adapt. Review the code. Could it be improved? Maybe Task 3 reveals a flaw in the spec. I go back and update it. This isn’t waterfall, it’s iterative. The spec is a living document.

The key insight: don’t ask the same agent to plan the work and do the work. Planning and execution are different modes. An agent that’s planning will think through edge cases. An agent that’s executing will rush to ship.

Skip the Frameworks?

There are a lot of spec-driven development frameworks out there. OpenSpec. Kiro. GitHub Spec Kit. I’ve tried them.

To me, they felt like overkill.

They generate tons of files. They want you to define user stories in markdown. They add ceremony that slows you down without adding value.

Here’s what you actually need: one slash command that acts as a meta-prompt to generate a spec.

> “/spec implement rate limiting in the API.

The power of spec-driven development isn’t in the tooling. It’s in the practice of thinking before prompting. A fancy framework won’t fix sloppy thinking. A simple markdown file that forces you to articulate constraints is probably enough.

If you want a comparison of these tools, I recommend the excellent article Understanding Spec-Driven-Development: Kiro, spec-kit, and Tessl by Birgitta Böckeler.

Why This Creates Leverage

Spec-driven development isn’t new. Software teams have always worked this way. PRD > Design doc > Task breakdown > Implementation. The only difference is we’re handing tasks to agents instead of other developers.

But here’s what changes: an agent that executes well-defined specs can move faster than any human. The bottleneck shifts from implementation to specification. Your job becomes defining work clearly enough that an agent can execute it autonomously.

https://newsletter.owainlewis.com/p/how-i-code-with-ai-agents-spec-driven

https://martinfowler.com/articles/exploring-gen-ai/sdd-3-tools.html

https://heeki.medium.com/using-spec-driven-development-with-claude-code-4a1ebe5d9f29

https://marmelab.com/blog/2025/11/12/spec-driven-development-waterfall-strikes-back.html?ref=dailydev

https://github.blog/ai-and-ml/generative-ai/spec-driven-development-with-ai-get-started-with-a-new-open-source-toolkit/

Claude Code Ralph Loop

Every Claude Code session has the same hidden flaw; Claude stops when it thinks the job is done.

Tests broken
API half-implemented,
Edge cases untouched

But it declares complete and exits. And the longer and more complex the task, the worse it gets.

There is a technique designed to fix this problem. You have probably heard the word “Ralph” thrown around.

It’s a simple idea that forces Claude to keep iterating until the work is genuinely completed.

Surprisingly, this technique has been used to ship entire projects overnight at a fraction of the actual cost.

In this newsletter, I’ll take you from understanding why Claude fails on complex tasks to building the full Ralph Loop system and running it on real projects.

We’ll cover the Ralph core mechanism, the PRD and memory architecture, and everything you need to put Ralph Loop to work.

Let’s start with the basics.

What is Ralph Loop?

Let me start with something that might surprise you.

Ralph Loop isn’t a framework, and it is not a sophisticated AI orchestration system. At the core, it’s a Bash while loop.

while true; do
  cat prompt.md | claude
done

The technique was created by Jeffrey Huntley

The name comes from Ralph Wiggum, arguably the dumbest character in The Simpsons. Ralph fails constantly, making silly mistakes. But stubbornly continues in an endless loop until he eventually succeeds.

This childlike persistence is the philosophy behind the technique.

With Ralph Loop, Claude is no longer allowed to exit when it thinks it’s done. It’s forced to keep working until the task is truly finished.

The key insight is that Ralph Loop treats failure as expected, not exceptional.

Each iteration builds on the last. The AI sees what it did before, recognizes what’s still broken, and improves.

Why Claude Code Needs Ralph

Claude Code has a limitation that most developers don’t recognize until they’ve hit it repeatedly.

It operates in single-pass mode.

Even though Claude reasons extremely well, it stops as soon as it believes the output is “good enough.”

The model has what you might call an implicit execution budget. Once it feels like it’s done reasonable work, it wraps up and exits.

The problem is that “ good enough”, according to Claude, often isn’t good enough.

I’ve seen this pattern dozens of times:

Claude builds a feature, declares it complete, but the edge cases are broken
Claude writes tests, says they pass, but they don’t actually run
Claude implements an API, marks it done, but forgot error handling

It believes it’s finished, but it’s making that judgment based on what the code looks like, not whether it works.

Another problem that makes this worse is the context rot.

As the conversation with Claude gets longer, the context window fills up. The model’s reasoning quality degrades as it has to juggle more information.

Jeffrey Huntley calls this “compaction” — when the context gets summarized and loses important details. The model starts forgetting things it knew earlier in the conversation. It makes mistakes it wouldn’t have made with a fresh context.

This is why the single-pass approach fails for complex tasks.

By the time Claude reaches the end of a big feature, its context is bloated with attempts, errors, and fixes. The quality of its reasoning has degraded.

Ralph Loop solves both problems:

Forces verification — Claude can’t exit until it proves the work is done
Fresh context — Each iteration starts clean, avoiding context rot

https://newsletter.claudecodemasterclass.com/p/claude-code-ralph-loop-from-basic

Conductors to Orchestrators: The Future of Agentic Coding

AI coding assistants have quickly moved from novelty to necessity where up to 90% of software engineers use some kind of AI for coding. But a new paradigm is emerging in software development - one where engineers leverage fleets of autonomous coding agents. In this agentic future, the role of the software engineer is evolving from implementer to manager, or in other words, from coder to conductor and ultimately orchestrator.

Over time, developers will increasingly guide AI agents to build the right code and coordinate multiple agents working in concert. This write-up explores the distinction between Conductors and Orchestrators in AI-assisted coding, defines these roles, and examines how today’s cutting-edge tools embody each approach. Senior engineers may start to see the writing on the wall: our jobs are shifting from “How do I code this?” to “How do I get the right code built?” - a subtle but profound change.

What’s the tl;dr of an orchestrator tool? It supports multi-agent workflows where you can run many agents in parallel without them interfering with each another. But let’s talk terminology more first.

https://addyo.substack.com/p/conductors-to-orchestrators-the-future

Critical Thinking during the age of AI

In a time where AI can generate code, design ideas, and occasionally plausible answers on demand, the need for human critical thinking is greater than ever. Even the smartest automation can’t replace the ability to ask the right questions, challenge assumptions, and think independently at this time.

This essay explores the importance of critical thinking skills for software engineers and technical teams using the classic “Who, what, where, when, why, how” framework to structure pragmatic guidance.

Critical thinking checklist for AI-augmented teams

Who: Don’t rely on AI as an oracle. Verify its output.
What: Define the real problem before rushing to a solution.
Where: Context is king. A fix that works in a sandbox might break in production.
When: Know when to use a quick heuristic (triage) vs. deep analysis (root cause).
Why: Use the “5 Whys” technique to uncover underlying causes.
How: Communicate with evidence and data, not just opinions.

We’ll dive into how each of these question categories applies to decision-making in an AI-augmented world, with concrete examples and common pitfalls. The goal is to show how humble curiosity and evidence-based reasoning can keep projects on track and avoid downstream issues.

https://addyo.substack.com/p/critical-thinking-during-the-age

Harness Engineering

Why AI Agents Fail on Large Files

Most engineers today interact with AI coding tools the same way: open Cursor, Claude Code, or Codex, type a prompt, review the output, repeat. For small files and isolated tasks, this works beautifully. But the moment the problem involves a large amount of files, the whole approach falls apart.

We have to understand that Context Window isn’t the same as Context Attention. As a human, I can store hundreds of items in a storage unit, but I will remember about a fraction of the items I have there.

Same with LLMs. Performance degrades as the context window gets filled (and costs).

Did you know that every message you send is sending all the previous conversation in an API call? Yes, you’re billed also for those past messages. The servers in the cloud don’t keep any state, they only have a cache.

When the model fails to make an update, the instinct is to write a better prompt.

Add more constraints.

Tell the model to “preserve the surrounding structure.”

“Make no mistakes.”

But that is like asking someone to juggle while blindfolded and then giving them more detailed instructions about hand positioning. The problem is not the instructions. The problem is the blindfold.

The context window itself becomes a liability when it’s packed with thousands of lines of repetitive structure. No prompt can fix that.

I covered in this post how to scale AI, setting up guardrails

What Is Harness Engineering?

Harness engineering is the discipline of designing the systems, architectural constraints, execution environments, and automated feedback loops that wrap around AI agents to make them reliable in production.

The term was first coined by Mitchell Hashimoto, the founder of HashiCorp. The metaphor comes from horse riding. Think of the LLM as a powerful horse. It has raw energy, speed, and strength. But without reins, a saddle, and a bridle, that energy is undirected and potentially destructive (the horse kicks you, the LLM runs a rm -rf, and I don’t know which is worse). The harness allows the rider to direct the horse’s power productively.

To understand where harness engineering fits, here’s how it relates to the other disciplines you’ve probably heard about:

Prompt Engineering → Single interaction to craft the best input to the model (single request-response interaction).
Context Engineering → Control what the model sees during a whole session (multiple interactions until clearing).
Harness Engineering → Designs the environment, tools, guardrails, and feedback loops (multiple sessions).
Agent Engineering → Design the agent’s internal reasoning loop (define specialized agents).
Platform Engineering → Infrastructure to manage deployment, scaling, and cloud operations (where agents can run).

Prompt engineering is about what you say to the model.

Context engineering is about what the model sees.

https://strategizeyourcareer.com/p/harness-engineering-ai-agents

AI Best Practices

LLM Coding Workflow

https://addyo.substack.com/p/my-llm-coding-workflow-going-into

https://newsletter.systemdesign.one/p/ai-coding-workflow?ref=dailydev

https://escobyte.substack.com/p/writing-high-quality-production-code

AI coding assistants became game-changers this year, but harnessing them effectively takes skill and structure. These tools dramatically increased what LLMs can do for real-world coding, and many developers (myself included) embraced them.

At Anthropic, for example, engineers adopted Claude Code so heavily that today ~90% of the code for Claude Code is written by Claude Code itself. Yet, using LLMs for programming is not a push-button magic experience - it’s “difficult and unintuitive” and getting great results requires learning new patterns. Critical thinking remains key. Over a year of projects, I’ve converged on a workflow similar to what many experienced devs are discovering: treat the LLM as a powerful pair programmer that requires clear direction, context and oversight rather than autonomous judgment.

Start with a clear plan (specs before code)

https://addyo.substack.com/p/how-to-write-a-good-spec-for-ai-agents

Don’t just throw wishes at the LLM - begin by defining the problem and planning a solution.

One common mistake is diving straight into code generation with a vague prompt. In my workflow, and in many others’, the first step is brainstorming a detailed specification with the AI, then outlining a step-by-step plan, before writing any actual code. For a new project, I’ll describe the idea and ask the LLM to iteratively ask me questions until we’ve fleshed out requirements and edge cases. By the end, we compile this into a comprehensive spec.md - containing requirements, architecture decisions, data models, and even a testing strategy. This spec forms the foundation for development.

Next, I feed the spec into a reasoning-capable model and prompt it to generate a project plan: break the implementation into logical, bite-sized tasks or milestones. The AI essentially helps me do a mini “design doc” or project plan. I often iterate on this plan - editing and asking the AI to critique or refine it - until it’s coherent and complete. Only then do I proceed to coding. This upfront investment might feel slow, but it pays off enormously. As Les Orchard put it, it’s like doing a “waterfall in 15 minutes” - a rapid structured planning phase that makes the subsequent coding much smoother.v

Having a clear spec and plan means when we unleash the codegen, both the human and the LLM know exactly what we’re building and why. In short, planning first forces you and the AI onto the same page and prevents wasted cycles. It’s a step many people are tempted to skip, but experienced LLM developers now treat a robust spec/plan as the cornerstone of the workflow.

Scope management is everything - feed the LLM manageable tasks, not the whole codebase at once.

A crucial lesson I’ve learned is to avoid asking the AI for large, monolithic outputs. Instead, we break the project into iterative steps or tickets and tackle them one by one. LLMs do best when given focused prompts: implement one function, fix one bug, add one feature at a time. For example, after planning, I will prompt the codegen model: “Okay, let’s implement Step 1 from the plan”. We code that, test it, then move to Step 2, and so on. Each chunk is small enough that the AI can handle it within context and you can understand the code it produces.

This approach guards against the model going off the rails. If you ask for too much in one go, it’s likely to get confused or produce a “jumbled mess” that’s hard to untangle. Developers report that when they tried to have an LLM generate huge swaths of an app, they ended up with inconsistency and duplication - “like 10 devs worked on it without talking to each other,” one said. I’ve felt that pain; the fix is to stop, back up, and split the problem into smaller pieces. Each iteration, we carry forward the context of what’s been built and incrementally add to it. This also fits nicely with a test-driven development (TDD) approach - we can write or generate tests for each piece as we go (more on testing soon).

Several coding-agent tools now explicitly support this chunked workflow. For instance, I often generate a structured “prompt plan” file that contains a sequence of prompts for each task, so that tools like Cursor can execute them one by one. The key point is to avoid huge leaps. By iterating in small loops, we greatly reduce the chance of catastrophic errors and we can course-correct quickly. LLMs excel at quick, contained tasks - use that to your advantage.

Provide extensive context and guidance

LLMs are only as good as the context you provide - show them the relevant code, docs, and constraints.

When working on a codebase, I make sure to feed the AI all the information it needs to perform well. That includes the code it should modify or refer to, the project’s technical constraints, and any known pitfalls or preferred approaches. Modern tools help with this: for example, Anthropic’s Claude can import an entire GitHub repo into its context in “Projects” mode, and IDE assistants like Cursor or Copilot auto-include open files in the prompt. But I often go further - I will either use an MCP like Context7 or manually copy important pieces of the codebase or API docs into the conversation if I suspect the model doesn’t have them.

Expert LLM users emphasize this “context packing” step. For example, doing a “brain dump” of everything the model should know before coding, including: high-level goals and invariants, examples of good solutions, and warnings about approaches to avoid. If I’m asking an AI to implement a tricky solution, I might tell it which naive solutions are too slow, or provide a reference implementation from elsewhere. If I’m using a niche library or a brand-new API, I’ll paste in the official docs or README so the AI isn’t flying blind. All of this upfront context dramatically improves the quality of its output, because the model isn’t guessing - it has the facts and constraints in front of it.

There are now utilities to automate context packaging. I’ve experimented with tools like gitingest or repo2txt, which essentially “dump” the relevant parts of your codebase into a text file for the LLM to read. These can be a lifesaver when dealing with a large project - you generate an output.txt bundle of key source files and let the model ingest that. The principle is: don’t make the AI operate on partial information. If a bug fix requires understanding four different modules, show it those four modules. Yes, we must watch token limits, but current frontier models have pretty huge context windows (tens of thousands of tokens). Use them wisely. I often selectively include just the portions of code relevant to the task at hand, and explicitly tell the AI what not to focus on if something is out of scope (to save tokens).

I think Claude Skills have potential because they turn what used to be fragile repeated prompting into something durable and reusable by packaging instructions, scripts, and domain-specific expertise into modular capabilities that tools can automatically apply when a request matches the Skill. This means you get more reliable and context aware results than a generic prompt ever could and you move away from one off interactions toward workflows that encode repeatable procedures and team knowledge for tasks in a consistent way. A number of community-curated Skill Collections exist, but one of my favorite examples is the but one of my favorite examples is the frontend-design skill which can “end” the purple design aesthetic prevalent in LLM generated UIs. Until more tools support Skills officially, workarounds exist.

Finally, guide the AI with comments and rules inside the prompt. I might precede a code snippet with: “Here is the current implementation of X. We need to extend it to do Y, but be careful not to break Z.” These little hints go a long way. LLMs are literalists - they’ll follow instructions, so give them detailed, contextual instructions. By proactively providing context and guidance, we minimize hallucinations and off-base suggestions and get code that fits our project’s needs.

Choose the right model (and use multiple when needed)

Not all coding LLMs are equal - pick your tool with intention, and don’t be afraid to swap models mid-stream.

In 2025 we’ve been spoiled with a variety of capable code-focused LLMs. Part of my workflow is choosing the model or service best suited to each task. Sometimes it can be valuable to even try two or more LLMs in parallel to cross-check how they might approach the same problem differently.

Each model has its own “personality”. The key is: if one model gets stuck or gives mediocre outputs, try another. I’ve literally copied the same prompt from one chat into another service to see if it can handle it better. This “model musical chairs” can rescue you when you hit a model’s blind spot.

Also, make sure you’re using the best version available. If you can, use the newest “pro” tier models - because quality matters. And yes, it often means paying for access, but the productivity gains can justify it. Ultimately, pick the AI pair programmer whose “vibe” meshes with you. I know folks who prefer one model simply because they like how its responses feel. That’s valid - when you’re essentially in a constant dialogue with an AI, the UX and tone make a difference.

Personally I gravitate towards Gemini for a lot of coding work these days because the interaction feels more natural and it often understands my requests on the first try. But I will not hesitate to switch to another model if needed; sometimes a second opinion helps the solution emerge. In summary: use the best tool for the job, and remember you have an arsenal of AIs at your disposal.

Leverage AI coding across the lifecycle

Supercharge your workflow with coding-specific AI help across the SDLC.

On the command-line, new AI agents emerged. Claude Code, OpenAI’s Codex CLI and Google’s Gemini CLI are CLI tools where you can chat with them directly in your project directory - they can read files, run tests, and even multi-step fix issues. I’ve used Google’s Jules and GitHub’s Copilot Agent as well - these are asynchronous coding agents that actually clone your repo into a cloud VM and work on tasks in the background (writing tests, fixing bugs, then opening a PR for you). It’s a bit eerie to witness: you issue a command like “refactor the payment module for X” and a little while later you get a pull request with code changes and passing tests. We are truly living in the future. You can read more about this in conductors to orchestrators.

That said, these tools are not infallible, and you must understand their limits. They accelerate the mechanical parts of coding - generating boilerplate, applying repetitive changes, running tests automatically - but they still benefit greatly from your guidance. For instance, when I use an agent like Claude or Copilot to implement something, I often supply it with the plan or to-do list from earlier steps so it knows the exact sequence of tasks. If the agent supports it, I’ll load up my spec.md or plan.md in the context before telling it to execute. This keeps it on track.

We’re not at the stage of letting an AI agent code an entire feature unattended and expecting perfect results. Instead, I use these tools in a supervised way: I’ll let them generate and even run code, but I keep an eye on each step, ready to step in when something looks off. There are also orchestration tools like Conductor that let you run multiple agents in parallel on different tasks (essentially a way to scale up AI help) - some engineers are experimenting with running 3-4 agents at once on separate features. I’ve dabbled in this “massively parallel” approach; it’s surprisingly effective at getting a lot done quickly, but it’s also mentally taxing to monitor multiple AI threads! For most cases, I stick to one main agent at a time and maybe a secondary one for reviews (discussed below).

Just remember these are power tools - you still control the trigger and guide the outcome.

Keep a human in the loop - verify, test, and review everything

AI will happily produce plausible-looking code, but you are responsible for quality - always review and test thoroughly. One of my cardinal rules is never to blindly trust an LLM’s output. As Simon Willison aptly says, think of an LLM pair programmer as “over-confident and prone to mistakes”. It writes code with complete conviction - including bugs or nonsense - and won’t tell you something is wrong unless you catch it. So I treat every AI-generated snippet as if it came from a junior developer: I read through the code, run it, and test it as needed. You absolutely have to test what it writes - run those unit tests, or manually exercise the feature, to ensure it does what it claims. Read more about this in vibe coding is not an excuse for low-quality work.

In fact, I weave testing into the workflow itself. My earlier planning stage often includes generating a list of tests or a testing plan for each step. If I’m using a tool like Claude Code, I’ll instruct it to run the test suite after implementing a task, and have it debug failures if any occur. This kind of tight feedback loop (write code → run tests → fix) is something AI excels at as long as the tests exist. It’s no surprise that those who get the most out of coding agents tend to be those with strong testing practices. An agent like Claude can “fly” through a project with a good test suite as safety net. Without tests, the agent might blithely assume everything is fine (“sure, all good!”) when in reality it’s broken several things. So, invest in tests - it amplifies the AI’s usefulness and confidence in the result.

Even beyond automated tests, do code reviews - both manual and AI-assisted. I routinely pause and review the code that’s been generated so far, line by line. Sometimes I’ll spawn a second AI session (or a different model) and ask it to critique or review code produced by the first. For example, I might have Claude write the code and then ask Gemini, “Can you review this function for any errors or improvements?” This can catch subtle issues. The key is to not skip the review just because an AI wrote the code. If anything, AI-written code needs extra scrutiny, because it can sometimes be superficially convincing while hiding flaws that a human might not immediately notice.

I also use Chrome DevTools MCP, built with my last team, for my debugging and quality loop to bridge the gap between static code analysis and live browser execution. It “gives your agent eyes”. It lets me grant my AI tools direct access to see what the browser can, inspect the DOM, get rich performance traces, console logs or network traces. This integration eliminates the friction of manual context switching, allowing for automated UI testing directly through the LLM. It means bugs can be diagnosed and fixed with high precision based on actual runtime data.

The dire consequences of skipping human oversight have been documented. One developer who leaned heavily on AI generation for a rush project described the result as an inconsistent mess - duplicate logic, mismatched method names, no coherent architecture. He realized he’d been “building, building, building” without stepping back to really see what the AI had woven together. The fix was a painful refactor and a vow to never let things get that far out of hand again. I’ve taken that to heart. No matter how much AI I use, I remain the accountable engineer.

In practical terms, that means I only merge or ship code after I’ve understood it. If the AI generates something convoluted, I’ll ask it to add comments explaining it, or I’ll rewrite it in simpler terms. If something doesn’t feel right, I dig in - just as I would if a human colleague contributed code that raised red flags.

It’s all about mindset: the LLM is an assistant, not an autonomously reliable coder. I am the senior dev; the LLM is there to accelerate me, not replace my judgment. Maintaining this stance not only results in better code, it also protects your own growth as a developer. (I’ve heard some express concern that relying too much on AI might dull their skills - I think as long as you stay in the loop, actively reviewing and understanding everything, you’re still sharpening your instincts, just at a higher velocity.) In short: stay alert, test often, review always. It’s still your codebase at the end of the day.

Commit often and use version control as a safety net. Never commit code you can’t explain.

Frequent commits are your save points - they let you undo AI missteps and understand changes.

When working with an AI that can generate a lot of code quickly, it’s easy for things to veer off course. I mitigate this by adopting ultra-granular version control habits. I commit early and often, even more than I would in normal hand-coding. After each small task or each successful automated edit, I’ll make a git commit with a clear message. This way, if the AI’s next suggestion introduces a bug or a messy change, I have a recent checkpoint to revert to (or cherry-pick from) without losing hours of work. One practitioner likened it to treating commits as “save points in a game” - if an LLM session goes sideways, you can always roll back to the last stable commit. I’ve found that advice incredibly useful. It’s much less stressful to experiment with a bold AI refactor when you know you can undo it with a git reset if needed.

Proper version control also helps when collaborating with the AI. Since I can’t rely on the AI to remember everything it’s done (context window limitations, etc.), the git history becomes a valuable log. I often scan my recent commits to brief the AI (or myself) on what changed. In fact, LLMs themselves can leverage your commit history if you provide it - I’ve pasted git diffs or commit logs into the prompt so the AI knows what code is new or what the previous state was. Amusingly, LLMs are really good at parsing diffs and using tools like git bisect to find where a bug was introduced. They have infinite patience to traverse commit histories, which can augment your debugging. But this only works if you have a tidy commit history to begin with.

Another benefit: small commits with good messages essentially document the development process, which helps when doing code review (AI or human). If an AI agent made five changes in one go and something broke, having those changes in separate commits makes it easier to pinpoint which commit caused the issue. If everything is in one giant commit titled “AI changes”, good luck! So I discipline myself: finish task, run tests, commit. This also meshes well with the earlier tip about breaking work into small chunks - each chunk ends up as its own commit or PR.

Finally, don’t be afraid to use branches or worktrees to isolate AI experiments. One advanced workflow I’ve adopted (inspired by folks like Jesse Vincent) is to spin up a fresh git worktree for a new feature or sub-project. This lets me run multiple AI coding sessions in parallel on the same repo without them interfering, and I can later merge the changes. It’s a bit like having each AI task in its own sandbox branch. If one experiment fails, I throw away that worktree and nothing is lost in main. If it succeeds, I merge it in. This approach has been crucial when I’m, say, letting an AI implement Feature A while I (or another AI) work on Feature B simultaneously. Version control is what makes this coordination possible. In short: commit often, organize your work with branches, and embrace git as the control mechanism to keep AI-generated changes manageable and reversible.

Customize the AI’s behavior with rules and examples

Steer your AI assistant by providing style guides, examples, and even “rules files” - a little upfront tuning yields much better outputs.

One thing I learned is that you don’t have to accept the AI’s default style or approach - you can influence it heavily by giving it guidelines. For instance, I have a CLAUDE.md file that I update periodically, which contains process rules and preferences for Claude (Anthropic’s model) to follow (and similarly a GEMINI.md when using Gemini CLI). This includes things like “write code in our project’s style, follow our lint rules, don’t use certain functions, prefer functional style over OOP,” etc. When I start a session, I feed this file to Claude to align it with our conventions. It’s surprising how well this works to keep the model “on track” as Jesse Vincent noted - it reduces the tendency of the AI to go off-script or introduce patterns we don’t want.

Even without a fancy rules file, you can set the tone with custom instructions or system prompts. GitHub Copilot and Cursor both introduced features to let you configure the AI’s behavior globally for your project. I’ve taken advantage of that by writing a short paragraph about our coding style, e.g. “Use 4 spaces indent, avoid arrow functions in React, prefer descriptive variable names, code should pass ESLint.” With those instructions in place, the AI’s suggestions adhere much more closely to what a human teammate might write. Ben Congdon mentioned how shocked he was that few people use Copilot’s custom instructions, given how effective they are - he could guide the AI to output code matching his team’s idioms by providing some examples and preferences upfront. I echo that: take the time to teach the AI your expectations.

Another powerful technique is providing in-line examples of the output format or approach you want. If I want the AI to write a function in a very specific way, I might first show it a similar function already in the codebase: “Here’s how we implemented X, use a similar approach for Y.” If I want a certain commenting style, I might write a comment myself and ask the AI to continue in that style. Essentially, prime the model with the pattern to follow. LLMs are great at mimicry - show them one or two examples and they’ll continue in that vein.

The community has also come up with creative “rulesets” to tame LLM behavior. You might have heard of the “Big Daddy” rule or adding a “no hallucination/no deception” clause to prompts. These are basically tricks to remind the AI to be truthful and not overly fabricate code that doesn’t exist. For example, I sometimes prepend a prompt with: “If you are unsure about something or the codebase context is missing, ask for clarification rather than making up an answer.” This reduces hallucinations. Another rule I use is: “Always explain your reasoning briefly in comments when fixing a bug.” This way, when the AI generates a fix, it will also leave a comment like “// Fixed: Changed X to Y to prevent Z (as per spec).” That’s super useful for later review.

In summary, don’t treat the AI as a black box - tune it. By configuring system instructions, sharing project docs, or writing down explicit rules, you turn the AI into a more specialized developer on your team. It’s akin to onboarding a new hire: you’d give them the style guide and some starter tips, right? Do the same for your AI pair programmer. The return on investment is huge: you get outputs that need less tweaking and integrate more smoothly with your codebase.

Embrace testing and automation as force multipliers

Use your CI/CD, linters, and code review bots - AI will work best in an environment that catches mistakes automatically.

This is a corollary to staying in the loop and providing context: a well-oiled development pipeline enhances AI productivity. I ensure that any repository where I use heavy AI coding has a robust continuous integration setup. That means automated tests run on every commit or PR, code style checks (like ESLint, Prettier, etc.) are enforced, and ideally a staging deployment is available for any new branch. Why? Because I can let the AI trigger these and evaluate the results. For instance, if the AI opens a pull request via a tool like Jules or GitHub Copilot Agent, our CI will run tests and report failures. I can feed those failure logs back to the AI: “The integration tests failed with XYZ, let’s debug this.” It turns bug-fixing into a collaborative loop with quick feedback, which AIs handle quite well (they’ll suggest a fix, we run CI again, and iterate).

Automated code quality checks (linters, type checkers) also guide the AI. I actually include linter output in the prompt sometimes. If the AI writes code that doesn’t pass our linter, I’ll copy the linter errors into the chat and say “please address these issues.” The model then knows exactly what to do. It’s like having a strict teacher looking over the AI’s shoulder. In my experience, once the AI is aware of a tool’s output (like a failing test or a lint warning), it will try very hard to correct it - after all, it “wants” to produce the right answer. This ties back to providing context: give the AI the results of its actions in the environment (test failures, etc.) and it will learn from them.

AI coding agents themselves are increasingly incorporating automation hooks. Some agents will refuse to say a code task is “done” until all tests pass, which is exactly the diligence you want. Code review bots (AI or otherwise) act as another filter - I treat their feedback as additional prompts for improvement. For example, if CodeRabbit or another reviewer comments “This function is doing X which is not ideal” I will ask the AI, “Can you refactor based on this feedback?”

By combining AI with automation, you start to get a virtuous cycle. The AI writes code, the automated tools catch issues, the AI fixes them, and so forth, with you overseeing the high-level direction. It feels like having an extremely fast junior dev whose work is instantly checked by a tireless QA engineer. But remember, you set up that environment. If your project lacks tests or any automated checks, the AI’s work may slip through with subtle bugs or poor quality until much later.

So as we head into 2026, one of my goals is to bolster the quality gates around AI code contribution: more tests, more monitoring, perhaps even AI-on-AI code reviews. It might sound paradoxical (AIs reviewing AIs), but I’ve seen it catch things one model missed. Bottom line: an AI-friendly workflow is one with strong automation - use those tools to keep the AI honest.

Continuously learn and adapt (AI amplifies your skills)

Treat every AI coding session as a learning opportunity - the more you know, the more the AI can help you, creating a virtuous cycle.

One of the most exciting aspects of using LLMs in development is how much I have learned in the process. Rather than replacing my need to know things, AIs have actually exposed me to new languages, frameworks, and techniques I might not have tried on my own.

This pattern holds generally: if you come to the table with solid software engineering fundamentals, the AI will amplify your productivity multifold. If you lack that foundation, the AI might just amplify confusion. Seasoned devs have observed that LLMs “reward existing best practices” - things like writing clear specs, having good tests, doing code reviews, etc., all become even more powerful when an AI is involved. In my experience, the AI lets me operate at a higher level of abstraction (focusing on design, interface, architecture) while it churns out the boilerplate, but I need to have those high-level skills first. As Simon Willison notes, almost everything that makes someone a senior engineer (designing systems, managing complexity, knowing what to automate vs hand-code) is what now yields the best outcomes with AI. So using AIs has actually pushed me to up my engineering game - I’m more rigorous about planning and more conscious of architecture, because I’m effectively “managing” a very fast but somewhat naïve coder (the AI).

For those worried that using AI might degrade their abilities: I’d argue the opposite, if done right. By reviewing AI code, I’ve been exposed to new idioms and solutions. By debugging AI mistakes, I’ve deepened my understanding of the language and problem domain. I often ask the AI to explain its code or the rationale behind a fix - kind of like constantly interviewing a candidate about their code - and I pick up insights from its answers. I also use AI as a research assistant: if I’m not sure about a library or approach, I’ll ask it to enumerate options or compare trade-offs. It’s like having an encyclopedic mentor on call. All of this has made me a more knowledgeable programmer.

The big picture is that AI tools amplify your expertise. Going into 2026, I’m not afraid of them “taking my job” - I’m excited that they free me from drudgery and allow me to spend more time on creative and complex aspects of software engineering. But I’m also aware that for those without a solid base, AI can lead to Dunning-Kruger on steroids (it may seem like you built something great, until it falls apart). So my advice: continue honing your craft, and use the AI to accelerate that process. Be intentional about periodically coding without AI too, to keep your raw skills sharp. In the end, the developer + AI duo is far more powerful than either alone, and the developer half of that duo has to hold up their end.

Real-Case Workflows

https://blog.algomaster.io/p/using-ai-effectively-in-large-codebases

https://boristane.com/blog/how-i-use-claude-code/?utm_source=substack&utm_medium=email

Noted Things

Some Key Notes

Use llms.txt pages: https://llmstxt.org/
MCPs: https://mcpmarket.com/server, https://github.com/upstash/context7#installation, https://github.com/vercel/next-devtools-mcp, https://github.com/ChromeDevTools/chrome-devtools-mcp, https://docs.sentry.io/ai/mcp/, https://github.com/GLips/Figma-Context-MCP
Claude prompting best practices: https://platform.claude.com/docs/en/build-with-claude/prompt-engineering/claude-4-best-practices
Open AI prompting best practices: https://help.openai.com/en/articles/6654000-best-practices-for-prompt-engineering-with-the-openai-api
Vercel Skills: https://skills.sh/anthropics/skills/pptx, https://github.com/vercel-labs/agent-skills/blob/main/skills/react-best-practices/SKILL.md
AI agent real UI component knowledge — best practices, layout patterns, and design-system conventions for 60+ interface components: https://github.com/carmahhawwari/ui-design-brain/tree/main
If GitHub Copilot can't fix a bug after 3 tries, stop. You're making it worse.
Here's what most devs do - they paste the error message back into the chat. Agent tries something. Doesn't work. Paste the new error. Agent tries again. Doesn't work. You're now 10 messages deep and your code is more broken than when you started.
This happens because the context window is poisoned. The agent is so fixated on its previous failed attempts that it's basically guessing at this point.
Here's what you do instead. When the agent gets stuck, don't give it another error message. Give it a job
Say exactly this: "Add whatever logging we need to reproduce this bug."
The agent knows your codebase. It'll drop console statements in exactly the right places - the ones it actually needs to understand what's happening.
Not random logging. Strategic logging.
The agent can't fix what it can't see. Give it visibility first, then ask for the fix. Works every single time.

References

https://craftbettersoftware.com/p/the-vibe-coding-stack-for-2026

https://blog.bytebytego.com/p/how-cursor-shipped-its-coding-agent

https://medium.com/vibe-coding/the-concept-every-ai-coder-learns-too-late-c63dd872f923

https://addyo.substack .co m/p/ho w-to-write-a-good-spec-for-ai-agents

https://www.aihero.dev/a-complete-guide-to-agents-md#what-goes-where

https://substack.com/home/post/p-188588325?source=queue

https://awesomeneuron.substack.com/p/a-visual-guide-to-ai-agents

https://medium.com/data-science-collective/stop-prompting-start-designing-5-agentic-ai-patterns-that-actually-work-a59c4a409ebb

Senior Front-end Engineer Interview Handbook

Tuan Tran Van — Sun, 11 Jan 2026 12:52:33 GMT

List of the Technical Questions

Programming Languages (JavaScript/TypeScript)

What is a closure in JavaScript, and how does it work?

As you know, JavaScript functions can be nested within each other, which creates a hierarchy of scope. Each function has its own local variables and is able to access the variables from the outer function. Closure is a powerful JavaScript feature that allows a function to access the outer scope even if the outer function is already finished executing. For example, you define a new createCounter() function. This function contains a variable called counter and returns a new function called calculateFunction that returns counter++. Even after the createCounter() function is finished executing, the calculateFunction is still able to access the counter variable. That’s how the JavaScript closure works.

function createCounter() {
  let count = 0;
  return function() {
    count++;
    return count;
  };
}
const counter = createCounter();
console.log(counter()); // 1
console.log(counter()); // 2

What is hoisting in JavaScript, and how does it work with const and let?

Hoisting is a feature that JavaScript will hoist the variables to the top of the global scope. For example, when you try to log a variable above the line where it was defined, then JavaScript will log undefined without throwing any errors. Most programmers only think that the hoisting feature only works with the var variable and doesn’t work with the const and let variables because they see JavaScript throw an error when they do that. But the truth is, you should notice the error JavaScript throws. When you try to log let, const variables before initialization, then the error message will be “Can not access before initialization, “ but when you try to log a variable that is not defined, then the error will be “Variable is not defined“. That means JavaScript knows the variable but doesn’t automatically initialize a value for that variable as it does with a var variable.

Modern Front-end Frameworks (React.js/Next.js)

Can you explain how the React Rendering Process works under the hood?

I already published a detailed explanation about this topic on my blog. In short, when a React Component is rendered, it goes through two main phases: the render phase and the commit phase. On the render phase, React will create a new virtual DOM by converting the React component to JSX and then to a React Element, and the final result is a new Virtual DOM. When we have a new Virtual DOM, React will start to compare the new one with the previous one by using React’s Reconciliation mechanism to figure out the list of changes that need to be updated to the actual DOM. Now React knows exactly the changes that need to be made, which is why we don’t need to update the full DOM when a state update happens. Next to the commit phase, React will start to commit to the DOM based on the list of changes we have in the render phase by calling the DOM API like (createElement, setAttribute, appendChild,…), and the useEffectLayout will run after that. When the commit to the DOM process is done, it is time for the browser to work by executing the calculate layout, paint, and composite, so I will not talk about it. When the browser’s work is done, it’s time for the micro queue of useEffect to run. That is how React works under the hood.

What is the difference between a controlled and an uncontrolled component?

A controlled component is a component that React will be in charge of managing the behavior of the component by using state.

On the other side, an uncontrolled component is a component that just lets the DOM manage its own states by using refs.

A controlled component is mostly used in the project because it allows more controls and predictable behaviours.

In opposite, if your component is just a file upload input, no need for validations, no need for dependencies, then an uncontrolled component is preferred.

Can you explain the difference between useEffect and useLayoutEffect?

The main difference between useEffect and useLayoutEffect is when those functions are called and their purpose. Those are all running in the commit phase, but the useLayoutEffect is run before the browser paints process, while the useEffect runs after the browser paints. Also, the useLayoutEffect runs the code in a synchronous way, while the useEffect runs the code in an asynchronous way. That’s why React recommends you should be careful when using useLayoutEffect because the code run inside the useLayoutEffect will block the rendering process. React recommends we should use useLayoutEffect when we need to handle an immediate task relevant to DOM measurement, calculating the element’s position to prevent flicker, and use useEffect when we need to handle side effect tasks.

Can you list down all the factors that make the component re-render?

Well, that is the interesting question, but it takes quite take time to answer. Firstly, I think we should understand that React’s re-render happens when React needs to update the UI with some new data. Necessary re-renders themself are not the problem, but too much unnecessary re-renders are the big problem for the performance. There are four reasons why a component would re-render itself: state changes, parents re-render, props change, context changes, and hook changes.

When the state changes, the component would re-render itself
When a parent component re-renders, then all of its children will also re-render. It always goes down the tree; the re-render of a child component doesn’t trigger the parent component's re-renders.
When props change, they are mostly updated by the parent component. That means the parent component would have to re-render and trigger all of its component re-renders regardless of its props.
When a value of the Context Provider changes, then all the components that use this context will re-render, even if that component doesn’t use the changed portion of the data directly.
Everything that happens inside a hook belongs to the component that uses it. That means the same rules regarding State and Context apply here. And, we should notice that the hook can be chained; the same rules apply to all of them.

How many approaches do you know that we can use to prevent unnecessary re-rendering?

Wow, that is a big question. There are many ways we could use to prevent unnecessary re-rendering. Firstly, we should understand that unnecessary re-renders themself are not actually a big problem. React is fast and able to deal with them without users noticing anything. However, if it happens too often and on a heavy component, then that could cause the performance issue to end users.

We should avoid creating a new component inside other components. On every re-render, React will re-mount the component (destroy it and recreate it from scratch), which is going to be much slower than the normal render.
We should move the state down as close to the component that consumes it. For example, instead of putting open/close dialog state on the parent component, we should move it down to the dialog component, then every time the state changes, only the dialog component will be re-rendered, not affecting the parent component
We should encapsulate the state changes into a smaller component by passing slow components as props. Because the props are not affected by the state changes, heavy components won’t re-render.
We can prevent unnecessary re-renders by using React.memo, useMemo, useCallback
We also need to implement the React key in the correct way if we don’t want our elements to be re-rendered every time.
We can prevent re-renders caused by Context with those techniques, like memoizing context value, splitting data into chunks, and context selectors

Those are all the techniques that I can remember right now for preventing unnecessary re-renders in React.

Can you explain exactly the usage of useMemo and useCallback, and when we should avoid them?

Most of the Front-end engineers know about the usage of those memoized React hooks like useMemo and useCallback. The useMemo hook is used to memoize a value when that value requires a heavy calculation. The useCallback hook is used to memoize a function. But they don’t actually understand how these functions work under the hood and how to implement them correctly to prevent heavy components from re-rendering. I used to like them and blindly used those hooks without understanding. React only uses value to compare if the prop is a primitive value; if the prop is an object or a function, React will use reference to compare. That is why we need to memoize the function and the object prop type. For example, if I already memoized the heavy value and pass it as a prop to a child component, the child component still re-renders if we don’t wrap the child inside React.memo function. Also, if we want to put an object or a function into the dependency array of useEffect, we have to memoize them first if we don’t want useEffect to always re-run. And, we shouldn’t overuse these React memoized functions because the memoization is not free, it adds a few extra works like storing previous value, comparing the dependency array,… in every re-render. We should only use it when it is actually needed.

What are React keys used for, and what happens if we don’t use them correctly?

React’s key is the mechanism that allows React to control the rendering process by identifying which element of a list has changed and needs to be re-rendered. The React key needs to be both unique and static. The best practice is to use the id property in each item as a key, or we could use the index of the array as a key if that array can’t be modified (but we don’t recommend that way). If you don’t use the React key in the correct way, like using Math.random(), it will be a disaster for the performance of the website. You will destroy the most important DOM reconciliation mechanism of React and will make the whole array element re-render, causing some mysterious UI bugs that are really hard to trace.

How does React’s reconciliation process work?

Well, that is an interesting question that requires a deep understanding of how React works under the hood. React’s reconciliation process is a really important mechanism in React that allows React to compare the Virtual DOM to figure out specific changes that need to be made to the actual DOM. That technique made React re-render elements efficiently, only re-rendering the changed parts instead of re-rendering the whole DOM. React’s reconciliation algorithm is based on two simple assumptions:

Two elements of different types will produce two different trees. For example, if an element changes from the span into the div, then React will assume that everything inside has changed and rebuild the entire subtree. And, if the element tag is not changed, then React will start comparing props and states. React does a shallow comparison so you have to use those memo techniques if you don’t want that element will be re-rendered
The React key provides stability hints: React requires us to provide a key for each item element when we want to build a listing. By doing that, React will know exactly which item on that list has changed, been added, deleted, or no changes need to be made.

Tell me what you know about CSR?

Client-side rendering is the strategy where the server only sends the minimum HTML to the client, and the data fetching, templating, and routing required to display content for the page are handled by JavaScript that executes on the browser. Almost all of the UI is generated on the browser. The entire application is loaded on the first request. CSR enables the creation of a Single-Page application that supports navigation without page refreshes and provides a great user experience. As the user navigates to another page by clicking a link, there is no request to the server to generate a new page; the code runs on the client to change the view/data. While CSR provides a rich interactive experience after the initial load, it has the well-known drawback of negatively impacting first-page load performance and SEO, which means users must see a blank page before the large JavaScript bundle is fully downloaded and executed.

Tell me what you know about SSR?

SSR is one of the oldest methods of rendering web content, where the HTML is rendered on the server and sent to the client browser as a response. With SSR, every request is treated individually and will be processed as a new request to the server. It helps to reduce the JavaScript bundle size sent to the browser and improve the user experience by reducing the time for the page content to be visible. We still have to wait for the data to be fetched and pre-rendered on the server before sending it to the client, and also wait for the hydration process to be finished before the user can interact with the UI.

Tell me what you know about SSG?

SSG comes to resolve the weakness of SSR by moving the rendering HTML process from the runtime to the build time and serving the page as a static site. For example, when users request a page, that page is already generated at build time and is served as a static file by CDN or served from cache. That static file is immediately sent to the browser without waiting for data to be fetched, waiting for HTML to be prepared, and users can see the page instantly. SSG is ideal for the static content.

Tell me what you know about ISG?

As you know, SSG is only suitable for static content. It has limitations for applying to dynamic content or content that changes frequently. The Incremental Static Generation was introduced as an upgrade to SSG. It allows for refetching new content in the background at a period of time and automatically applies it to the old one without the need for a full rebuild. Once generated, the new version of the static file becomes available and will be served for any new requests in subsequent minutes.

What are Suspense and Streaming in React?

In the normal SSR implementation, the server will wait to generate all the HTML it is going to as a string and send it to the client as a big chunk. That made you have to wait for all the data for the entire page to prepare before you can see, hydrate, and interact with anything.

With streaming SSR implementation, the server will first create a Node.js stream. Then, it will use renderToPipeableStream to render the React app chunk by chunk into that Node stream. It lets React “flush whatever parts of HTML are ready and postpone slow parts for later“

The chunk boundaries for this process are those components that are wrapped by . Whenever you wrap a component with , that means you tell React not to wait for the data of this component, and start streaming HTML for the rest of the page, and show the fallback UI for that component instead.

What are Server Components?

The biggest issue with SSR is “no interactivity gap“. While SSR helps reduce the load time for the initial load but users need to wait and can’t interact with it until the hydration process is finished. RSCs were introduced at React 18 to allow you to render part of the UI on the server ahead of time without sending any JavaScript to the browser, dramatically shrinking client bundles. RSCs are rendered on the server and send a special data format called the React Server Component Payload to the browser. The client-side React runtime then uses the payload to hydrate HTML. The Container/Presentation pattern is a great candidate for RSCs, while the container component could be an RSC that fetches data and passes it as props to the presentational client component, meaning the fetching logics never ship to the browser.

Will React Server Components replace the SSR?

No. RSCs do not replace SSR. They complement it. In practice, we can still do SSR for the initial render, but many components can be RSC then significantly reduces the JavaScript needed to ship to the browser.

There are a few differences between SSR and RSCs:

Code of the RSC is never sent to the browser, while on some implementations of SSR, their code is still included in the JavaScript bundle and sent to the browser.
SRCs enable access to the back end everywhere on the tree. But on the SSR implementation, for example, in Next.js. We have to fetch all of the data via getServerSideProps, which has limitations of only working on the top of the page.
SRCs may be refetched in the background while maintaining the client-side state of the tree. This is because the main transport mechanism is richer than just pain HTML that allows re-fetch on the server parts without blowing up the client state, such as search input text, focus.

How does React insert real data into a streaming component?

For the first render, React will send the fallback UI, like the loading skeleton, immediately to the user and attach an ID to that element while waiting for the actual data to be loaded and streamed. Once it’s ready, React includes it in the ongoing HTML stream, along with the lightweight JavaScript that handles the magic: replace the new actual data with the old placeholder based on the ID we attached before. This makes this transition feel smooth and effortless to the user due to no full rerenders, no flicker, just progressive enhancements. It’s a part of the internal React streaming process, not something that we can handle manually. But understanding it helps connect the dots between the fallback we see on the screen and seamlessly be replaced by the real content.

What are the hydration, Progressive hydration, and Selective Hydration? How does the selective hydarion solve the pain points of traditional hydaration?

In the traditional SSR rendering before React 18, when the user first sees the page, the user can’t interact with the page, such as clicking on a button, or see any animations. The user needs to wait for the JS bundle of the whole page to be loaded and executed before they can become responsive to interaction. The hydration is the process that the browser attaches event handlers and everything to the DOM, which makes the page become interactive. This process takes a while, so users have to wait.

Progressive hydration is a new approach that was released in React 18 for resolving the pain point of traditional hydration. Instead of hydrating the entire page at once, we can also progressively hydrate the DOM nodes. Progressive hydration makes it possible to individually hydrate nodes over time, which makes it possible to only request the minimum necessary JavaScript. It delays hydration of the less important parts of the page, like those parts that aren’t visible in the first viewport. On the downside, progressive hydration may not be suitable for a dynamic app where every element on the screen is available to the user and needs to be made interactive on load.

The selective hydration is a new hydration mechanism that was introduced in React 18, along with a progressive hydration approach. Besides trying to hydrate as soon as possible based on the DOM tree, it prioritizes what matters most to the user — the parts they touch. This creates an illusion of instant hydration because interactive components are hydrated first, even if they are deeper in the component tree. For example, both the blog component and header component could stream on the server independently. By default, React starts with the first Suspense boundary it encounters in the tree — it’s header component in this case. But, imagine users click on the blog section before it is hydrated. Instead of waiting for the header component to finish, React intercepts the event during the capture phase and synchronously hydrates the blog section first, so the interaction works immediately.

How do you structure a large-scale React application for scalability and maintainability?

That is a big question that takes a lot of time to fully answer. There are a few important points that I constantly follow up on when I am setting up a large-scale React application:

Firstly, I organize files not just by technical roles, but also by domain responsibilities. Organizing files based on technical roles might be fast at the start. But when the application grows, updating things like cart features, we need to go through multiple folders, such as components/, stores/, and utils/. This separation slows you down and creates mental overhead. On the other hand, when grouping components by domain responsibilities, everything related to the feature lives in one folder. Features become self-contained, refactoring becomes safer, and your team grows; each squad might handle different domains without tight coupling and conflicts with each other. This clear boundary makes parallel development much easier. Teams can refactor their own features without worrying about breaking others.
I always prefer to create a dedicated common module for all generic components and utilities used across different pages and modules. This helps avoid redundancy and promotes reusability across the application.
For each module, I apply the Locality of Behaviour principle by keeping things as close to where they are used. For example, I locate child components, hooks, and utils near where they are used within the application. This strategy improves readability and maintainability as when a developer works on a feature, they have all the related files in proximity, which makes it easier to understand and maintain.
I also apply Layered Architecture with the Separation of Concerns Principle (refer to the next questions for better explanation)
Furthermore, I also apply the Atomic Design Pattern for managing the growing complexity of component structures (refer to the next question)

Can you tell me more about the Layered Architecture with Separation of Concerns?

When we design a Front-end application, it is better to split the application into multiple layers for easier management and to avoid causing bugs in unrelated parts. Most scalable Front-end systems can be thought of as layers, each with a purpose. Each layer has its own responsibilities and knows only as much as it needs. This separation creates clarity, reduces bugs, and increases developer speed. Commonly, we could split an application into 5 layers: UI Layer, Behavior Layer, State Management Layer, Services Layer, and Utilities/Core Logic Layer.

The UI Layer should be predictable and reusable. No useEffect, no useState, just props in and UI out. It knows nothing about where data comes from, just receives props and renders markup.
The Behavior Layer is where the logic lives. It lives in a custom hook and is responsible for local states, effects, and interaction logics. We can plug the same behavior for different UIs without duplicating a line of logic.
The State Management Layer is where we centralize shared states. When our app grows, we need a place to manage our shared state to be shared across components. We can use React Context for small apps and other popular libraries, such as Redux and Zustand, for large apps
The Service Layer is where we are talking with the outside world. This layer is our interface with APIs, storage, and anything that lives outside of the app.
The Utilities/Core Logic Layer is where shared helpers, validation functions, formatters, and pure logic reside.

What is the Atomic Design Pattern?

When we build scalable applications in React, we often encounter challenges in managing the growing complexity of component structures. The Atomic Design Pattern has emerged as a powerful methodology for organizing and structuring applications. This pattern suggests breaking down the interface into multiple fundamental building blocks, promoting a more modular and scalable approach to application design.

The Atomic Design Methodology breaks down design into 5 distinct levels:

Atoms: These are basic building blocks of an application, such as inputs, buttons, etc.
Molecules: Molecules are groups of atoms that are combined together to form a functional unit, such as a search feature that includes a label, an input, and a submit button.
Organisms: Organisms are relatively complex UI components composed of groups of molecules and atoms, such as a header of a page.
Templates: Templates are page-level objects that place components into a layout. They usually consist of groups of organisms, representing a complete layout.
Pages: Pages are specific instances of templates that show what a UI looks like with real data.

The Atomic Design Pattern aligns perfectly with React’s component-based architecture and brings a lot of benefits, such as promoting reusability, ensuring consistency, etc. While it provides many benefits, we should be cautious not to over-engineer and introduce unnecessary complexity.

How many React patterns do you know?

Well. There are several popular React patterns that we can apply in our React code to make it more optimized, readable, and maintainable, such as the Higher Order Pattern, Render Props Pattern, Container/Presentation Pattern, Hooks Pattern, and Compound Pattern.

A HOC is a component that receives another component. The HOC contains a certain logic that we want to apply to the other component by passing that component as a parameter. This pattern allows us to share the same logic throughout multiple components. For example, when we want to apply a custom loading logic called useLoading to multiple components, we can apply HOC.
Another way of making components more reusable is by applying the Render Props Pattern. A Render Prop is a prop on a component whose value is a function that returns JSX. The component itself does not render anything, but calls the render prop.
In React, one way to enforce separation of concerns is by using the Container/Presentation Pattern. With this pattern, we can separate the view from the logic. For example, when we want to create a component to display a list of products, container components are responsible for fetching the data, formatting it, and passing the data as props to the presentational components to show.
Hooks were the new feature that was released on React 16.8. Although Hooks are not necessarily a design pattern but they play a very vital role in React applications. The traditional ways to share code across multiple components are by using HOC and the Render Props Pattern. Although both patterns are still valid and good practice but Hooks mostly replaced them.
The Compound pattern is really useful when we have to deal with multiple components that belong to each other through a shared state. The Compound Component Pattern allows you to create a component that all work together to perform a task. For example, when we want to create a custom complex select component that contains multiple select items and other sub-components.

How can you structure state management architecture for a large-scale application?

Not all states are the same, so instead of treating it as one thing, we should clarify it into layers, with its own natural place in the application.

The local state should stay local, and we should keep it as close as possible to where it is used. For example, a simple open/close state of a modal should be local and not belong to Redux or Context. Components died, local states died
Server States are anything that originates from the external sources, like API responses, data from the backend. It usually comes with its own complexities (state data, retries, invalidation), so it should be treated as a dedicated layer. That is exactly why tools like React Query, Apollo, or SWR exist. They handle caching, refetching, and synchronization for us, allowing client state to remain cleanly separate from server data.
Everything that is happening in the website’s URL is a state in a way, then we can treat it as a separate layer. For example, we can pass some queries or parameters to reflect the UI. When the URL changes, then the UI changes. These days, some of the routers also provide built-in methods like useSearchParams for you to easily manage the URL states, or you can use a popular library like nuts instead
Not all states can stay isolated. Sometimes, data has to move beyond a single component. That’s where the shared state layer comes in. But the shared client state needs boundaries. And we should follow the simple principle that “The State should rise only as high as its consumers require“. If it is just shared between siblings, prop drilling, then a small Context is perfectly fine. If it cuts across multiple features or pages, then it earns its place in a dedicated store like Redux, Zustand.

By drawing these lines, the decision of how to manage a state becomes clearer.

Can you explain what React Context is and how it works?

As we know, when a React app grows then the amount of state grows. Additionally, React uses one-way data flow, which means data can only go down the component tree, making passing state between components at the same level a really hard task. If we don’t manage it properly in time, it could lead to uncontrolled data flow, causing props drilling issues, and making it harder to debug. React Context is a built-in mechanism that creates a kind of “global store“ for specific parts of the application. React Context allows us to pass data through the component tree without manually passing props through immediate components. However, while Context is a great choice for providing access to data, it has some limitations, such as Context does not provide a standardized way to modify states, and it becomes harder to track where state changes occur because we have multiple contexts that wrap different parts of the project.

Can you list a few ways to optimize React Context?

We all know React Context allows us to pass the props from a component to other deep components in the React tree without passing props through multiple components. Passing data in this way can improve the performance of our React app by avoiding the re-rendering of components in between. However, it could be dangerous if we don’t manage it properly because all components that consume state from the Context Provider will be re-rendered if a state in the Provider gets updated. Even if components do not consume the changed parts, there are no standard memorization techniques that can prevent it. Below are some techniques that we can use to optimize the usage of React Context:

To minimize the React Context re-renders, we should always memoize the value we pass to the Context Provider.
We can split from one provider to multiple providers to further minimize re-renders. Switching from useState to useReducer can help with this.
Even though we don’t have the proper selectors for Context like Redux, we can use the trick by combining the Higher-Order Function and React.memo.

What is Redux, and how does it work?

Redux is a state management library that implements ideas inspired by the Flux architecture. It ensures a one-way data flow that makes the application state flow more predictable and easier to track.

Redux introduces a more structured approach with clearly defined elements:

A Store element holds the entire application state in a single object and manages dispatching actions. The logic for how state changes is defined in reducers, not in the store itself.

Action elements are plain JavaScript objects that describe what happened in the application.

Dispatch is a function that sends actions to the store and starts the update process.

Reducer elements are pure functions that take the previous state and an action and return the next state.

Selector elements are functions that read or derive specific pieces of data from the Redux state.

And the standard Redux flow is:

The user interacts with the view, then creates an action by clicking on a button → The action is dispatched to send the action to the store → The store receives the action and passes it to the reducers → The reducer receives the action and previous state and returns a new state → The store replaces the old state with the new state returned by the reducers → Components use selectors to read the updated state and re-render.

What are the differences between React Context and Redux?

Well. React Context is a built-in feature of React, while Redux is an external library inspired by the Flux architecture. They are both developed by the React team and provide abilities for managing global state across the application. React Context is more suitable for a small app, or when we just need to share the state across multiple components in the hierarchy. On the other hand, Redux is a preferred choice for managing state in a large application where we need to share the state across multiple features or pages. Additionally, React Context is only good for providing access to data and does not provide a standardized way to modify states. Also, it becomes harder to track where state changes occur since we have multiple Contexts that wrap different parts of the project. In contrast, Redux introduces a more structured approach with defined elements such as (Store, Reducer, Dispatchers, Actions,….) and ensures one-way data flow that makes the state flow of the application more predictable and easier to track.

Can you explain the approach for managing complex global state?

For managing a complex global state, where using React Context is not enough, I will look into state management libraries, such as Redux, Zustand, Jotai, and MobX. Honestly, I haven’t joined any business projects that applied those libraries before. I used to apply Redux and MobX to my pet project for learning a few years ago. I worked with the React Context mostly because it is enough. I do know the Flux architecture and the core data flow of Redux. There is a pattern that I have read somewhere that: “A State should rise only as high as its consumers require“. We should keep the boundaries clear and avoid both over-engineering and unnecessary sprawl.

What is useEffect? How do you use it in the project?

As its core, useEffect is a powerful hook that runs after the browser’s paint process. This hook allows us to perform side-effect tasks that go beyond the pure render logic, such as API calls and DOM mutations. Because it’s about keeping React components in sync with something outside of React, so if we are using useEffect to synchronize one piece of React state to another piece, we are doing it wrong. We should treat useEffect as the last option instead of the first option.

What do you care about data fetching on the client?

Nowadays, instead of writing a lot of code for fetching data over the network, to cover various aspects such as error handling, caching, and canceling requests. We have several libraries that will handle almost everything for us, like axios, swr, and tanstack query. But I do believe that the choice of technology doesn’t matter much here, and no library can improve the performance of the app by itself. I do focus on the fundamentals of data fetching and data orchestration patterns and techniques. I am aware of the browser limitations of parallel requests, prefetching critical resources even before React is initialized, and techniques for handling waterfalls and race conditions issues.

What is the React Server Action?

React Server Action is a way to write server-side code, the stuff usually handled by API Routes, that can now be written inside the React Component. In Next.js, we just need to add the directive “use server“at the top of the file to tell Next.js that this function should only be called on the server. The React Server doesn’t mean to replace the API Routes entirely; it’s a game-changer for tasks deeply tied to the UIs.

How does Next.js Server Actions work under the hood?

Firstly, to mark a function as a Next.js Server Action, we only need to put a “use server“ directly at the top of the file. By doing so, it will tell Next.js that every exported function in that file is a Next Server Action. When we call Server Actions on Client-side components, it is not just a regular function call. Next.js does some magic behind the scenes; it’s like an RPC(Remote Procedure Call) process. The flow will be: the client code calls the Server Action function => Next.js serializes arguments, converting them into a format that can be sent over the network => the POST request is fired off to the special Next.js endpoint => The server receives the request, deserializes arguments, and executes the code => When the process on the server is finished, the server then serializes the returned value and send it back to the client => The client receives the responses, deserializes it and automatically re-renders the relevant parts of the UI. The best part is no more manually refetching the data or updating the state after mutation. Next.js will automatically re-render the parts that need to be changed because of it.

Can you list all the benefits of the Server Action?

As we know, managing the communication between the client and the server is the real pain. Server Action comes to resolve that real pain by letting us put the server-side code right into the components. That makes things simpler, no more APi routes, no more re-fetching after mutation. React Server also boosts the performance by reducing those back-and-forth trips between the client and the server. Security is also another win when we put sensitive information like database queries and keys on the server.

Can you list all the downsides of using the Server Action?

While Server Actions bring a lot of benefits, it also has some downsides like any other technology. Below are some of them:

One of the biggest issues is the potential for tight-coupling. By allowing the server logic to live right inside the component, it is easy to end up less modular and harder to maintain codebase. Changing the server logic might force the front-end to be updated.
The second one is a learning curve. While understanding the basic Server Action is simple, learning advanced things like serialization, caching, and error handling takes time.
The third issue is debugging. When something goes wrong with Server Action, we cannot just rely on the network tab of the Chrome Dev Tool. We need to get comfortable with debugging techniques on the server-side.
The last issue is about performance if we overuse React Actions. Each Server Action is a network request; if there are too many network requests, that could make things worse.

Server Action is a powerful tool, but like other tools, it can be misused. It is best for data mutations and operations where the server logic tight couple with the UI and needs to be lived on the server.

When should we use Server Actions?

The Server Actions align perfectly with tasks like Performing Data Mutations. It allows performing server operations and database mutations without exposing the credentials and sensitive information to the client. It also dramatically reduces and simplifies the code by removing the need to write API routes for your operations.

What are the potential pitfalls with Server Actions?

While Server Actions bring us a lot of benefits, if we use them everywhere without understanding how it works, it could hurt our application’s performance. I could list some of the mistakes when we use Server Actions in the wrong way:

For client-side fetching, Server Actions might not be the best option. They automatically use the POST requests, so the data can’t be cached like with the GET requests. Furthermore, Server Actions shouldn’t be used with the Server Components. Because using Server Actions here would delay the data availability, as it causes extra network requests.
Even though Server Actions handle server-side logic, under the hood, they are just another API route, and Next.js handles the POST requests automatically. Because of that, Server Actions do not hide the requests, and anyone can replicate them by using the Rest Client. That is why we should use proper authentication and authorization checks when working with sensitive data.
Using Server Action might be convenient, but every action comes at a cost. We should avoid using them everywhere and consider before using them. For tasks that could be easily handled on the client side, keep them on the client side.
When we need our API to be accessible to multiple clients, classic API routes might be a more appropriate solution. Imagine if we need the same logic for both web app and mobile app, duplicating the same Server Action logic will duplicate the work and make it complicated for maintenance.

Can you list some common mistakes when applying Server Actions?

Server Actions help to simplify our code, reduce the code boilerplate, and look like the future of data mutations in Next.js. But if we don’t use it in the right way, it would cause a serious problem with our application’s performance.

The most common mistake is not using the useTransition hook for the pending state. The user clicks on a submit button again and again, the Server Action is running, but the UI provides zero feedback. We need to wrap our action inside the useTransition to make the interface interactive and avoid users spamming the Submit button
The second mistake is that we are skipping validation on the client side. For example, it it so waste of resources if we trigger a Server Action and make the full network round trip to tell the user that they are missing a required field. It’s better to validate the input before passing it to Server Action.
The third mistake is that we are missing adding validateTag or validatePath after calling the Server Action. This mistake is not slowing the performance, but it will make the user still see the stale data after executing the data mutations. By adding those functions, it will tell Next.js to refetch the data that was changed, and the user can see the new data.
The fourth mistake is that we are importing the large client-side library into a server actions file. Server Actions are server-side code; they run in a Node.js environment. If we import a massive client-side library, we will get errors. And the solution is that we should choose the server-side compatible library.

What is a Route Group in Next.js, and what is it used for?

A Route Group is a folder wrapped in parentheses (e.g., (marketing)) in the App Router. The parentheses signal to Next.js to exclude that segment from the URL path, so the folder exists purely in the file system. This lets you organize routes and share layouts without polluting the URL structure — for example, (marketing)/about/page.tsx still resolves to /about, not /marketing/about.

What are the main use cases?

Shared layouts without URL pollution — wrap related routes in a group with a common layout.tsx. For example, (auth) routes share a minimal layout with no nav, while (app) routes share a full shell with sidebar and header — all without those group names appearing in the URL.
Code organization — group routes by feature, team, or domain (e.g., (shop), (blog), (admin)) purely for developer clarity. This is especially valuable in large codebases where a flat app directory becomes hard to navigate.
Multiple root layouts — each group can define its own root layout.tsx, giving entirely different page shells to different sections of the app. This avoids messy conditional rendering inside a single root layout.

What is unstable_cache in Next.js?

unstable_cache is a Next.js utility that lets you cache the result of any async function — not just fetch calls. It wraps a function and stores its return value in the Next.js Data Cache, with support for cache tags, revalidation intervals, and on-demand invalidation via revalidateTag. The unstable_ prefix signals it's a stable-enough API but still subject to change before a finalized name is given.

import { unstable_cache } from 'next/cache';

const getCachedUser = unstable_cache(
  async (id: string) => db.user.findUnique({ where: { id } }),
  ['user'],          // cache key parts
  { revalidate: 60, tags: ['users'] }
);

Why is it necessary for non-fetch data sources?

Next.js automatically caches and deduplicates fetch requests in Server Components. However, database queries, ORM calls, third-party SDKs, filesystem reads, or any non-HTTP data access bypass that cache entirely — they re-execute on every request by default. unstable_cache fills that gap by bringing those data sources under the same caching model as fetch, giving you equivalent control over revalidation without changing your data-fetching layer.

Where should context providers be placed in the App Router, and why can't they go directly in a Server Component?

Context providers rely on createContext and React's runtime context API, which are client-only features. Server Components cannot render providers directly because they don't participate in the React component tree at runtime on the client. Placing a provider in a Server Component will throw an error. Instead, you must extract the provider into a dedicated 'use client' wrapper component, then use that wrapper inside your layout.

// app/providers.tsx
'use client';
import { ThemeProvider } from './ThemeContext';

export function Providers({ children }: { children: React.ReactNode }) {
  return {children};
}

Where exactly in the App Router tree should the Providers wrapper be placed?

It belongs in the root layout.tsx (or the closest layout that covers all routes needing that context), wrapping {children}. This keeps the provider as high as needed but no higher — following the principle of placing context at the lowest common ancestor.

// app/layout.tsx  (Server Component)
import { Providers } from './providers';

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return (
    
      
        {children}
      
    
  );
}

What is revalidatePath and how does it differ from revalidateTag?

revalidatePath purges the cache for a specific URL path, causing that page to be re-rendered on the next request. revalidateTag purges all cached data entries carrying a specific tag, regardless of which pages consume them. The core difference is: revalidatePath thinks in terms of pages, revalidateTag thinks in terms of data.

revalidatePath('/blog/my-post');   // purges the /blog/my-post page cache
revalidateTag('contentful-post-123'); // purges the data tagged across any page that uses it

When should you use revalidateTag over revalidatePath?

Prefer revalidateTag when the same data appears on multiple pages — a product price shown on a listing page, a detail page, and a related items widget all need to update together. Using revalidatePath would require knowing and calling every affected URL manually, which is brittle and doesn't scale. revalidateTag lets you invalidate the data once and every page consuming it gets fresh content on next request.

Use revalidatePath when the invalidation is inherently page-scoped — e.g., a user submits a form that only affects one specific page's output, or you want to force a layout re-render that isn't tied to a tagged fetch. It's simpler and more explicit when the data-to-page relationship is 1:1.

What is revalidateTag and what problem does it solve?

revalidateTag is a Next.js server-side function that purges all cached data associated with a specific tag on demand. Without it, cached data only refreshes on a time-based interval (revalidate: 60). That model is too blunt for real-world apps — if a user updates their profile, you want that data fresh immediately, not after 60 seconds. revalidateTag lets you invalidate precisely the right cache entries the moment the underlying data changes.

// app/actions/updateUser.ts
'use server';
import { revalidateTag } from 'next/cache';

export async function updateUser(id: string, data: UserData) {
  await db.user.update({ where: { id }, data });
  revalidateTag('users'); // purges all cache entries tagged 'users'
}

How does it work end-to-end with fetch and unstable_cache?

Tags are assigned at the data-fetching layer and consumed by revalidateTag at the mutation layer:

With fetch: pass { next: { tags: ['users'] } } in the options.
With unstable_cache: pass { tags: ['users'] } in the config object.

When revalidateTag('users') is called — inside a Server Action, Route Handler, or middleware — Next.js marks every cached entry carrying that tag as stale. The next request for that data triggers a fresh fetch and re-populates the cache.

Why did the Page Router cause 30-minute rebuilds for small Contentful changes?

In the Page Router with static rendering (getStaticProps), pages are pre-built at deploy time into static HTML. Any content change in Contentful required a full next build to regenerate every static page — even if only one blog post title changed. While Page Router did offer ISR (revalidate: N), it was time-based and page-scoped, meaning you still had to wait for the interval to expire or trigger a manual redeploy. There was no efficient way to say "only rebuild the pages affected by this specific content change."

How does the App Router with revalidateTag solve this?

With the App Router, pages are Server Components that fetch and cache data at runtime — not at build time. You tag your Contentful fetches with meaningful identifiers, then configure Contentful webhooks to call a Route Handler that fires revalidateTag the moment a content entry is published:

// app/api/revalidate/route.ts
import { revalidateTag } from 'next/cache';
import { NextRequest } from 'next/server';

export async function POST(req: NextRequest) {
  const { contentType, entryId } = await req.json();
  revalidateTag(`contentful-\({contentType}-\){entryId}`);
  return Response.json({ revalidated: true });
}

// Contentful fetch tagged at the data layer
const post = await fetch(https://cdn.contentful.com/..., { next: { tags: [contentful-blogPost-${entryId}] } });

Now when a Contentful editor publishes a change, the webhook fires instantly, revalidateTag purges only that entry's cache, and the next visitor gets fresh content within milliseconds — no rebuild, no waiting, no CI pipeline involved.

What happens internally the moment revalidateTag is called?

When revalidateTag('users') is called, Next.js does not immediately delete or refetch the cached data. Instead, it writes a staleness marker against all cache entries carrying that tag in the Next.js Data Cache (an in-memory + persistent cache layer managed by the Next.js server runtime). The cached data is still physically there — it's just flagged as stale. No network requests are made, no pages are re-rendered at this point. It's a near-instant, low-cost operation.

What happens on the next incoming request after the tag is invalidated?

When a request comes in for a page that depends on the invalidated tag, Next.js detects the stale marker during rendering and re-executes the original data-fetching function (the fetch or unstable_cache wrapped function) to get fresh data. The result is stored back into the Data Cache with a new freshness timestamp, replacing the stale entry. The page is then re-rendered with the fresh data and the new HTML is served — and optionally written to the Full Route Cache if the route is statically cacheable. Subsequent requests hit the warm cache again until the next invalidation.

How did static pages work in the Page Router, and what changes in the App Router?

In the Page Router, static pages were explicitly opted into with getStaticProps — Next.js pre-rendered them to HTML at build time and served them as flat files. In the App Router, every Server Component is statically rendered by default — there is no getStaticProps. If a route has no dynamic behavior (no cookies, headers, search params, or uncached data fetches), Next.js automatically pre-renders it to static HTML at build time without any configuration. The mental model shifts from "opt in to static" to "static unless you introduce something dynamic."

What determines whether an App Router page stays static or becomes dynamic after migration?

Next.js inspects the route at build time and checks for dynamic signals:

Signal	Effect
`cookies()`, `headers()`	Forces dynamic rendering
`searchParams` prop	Forces dynamic rendering
`fetch` with `no-store`	Forces dynamic rendering
`export const dynamic = 'force-dynamic'`	Forces dynamic rendering

If none of these are present and all fetches are cached, the route is statically rendered and written to the Full Route Cache as HTML. After migrating from Page Router, pages that previously used getStaticProps with no user-specific data will automatically become static in the App Router — often with zero extra configuration needed.

What is the key behavioral difference to watch for post-migration?

In the Page Router, getStaticProps pages were rebuilt only on redeploy or ISR interval. In the App Router, static pages cached in the Full Route Cache can be invalidated at runtime via revalidateTag or revalidatePath — without a redeploy. This means post-migration your static pages are no longer tied to the build pipeline, which is a significant operational improvement but also means you need to be intentional about cache invalidation strategy. A page that was "always fresh on deploy" now needs explicit revalidation logic if its data changes between deploys.

Does the App Router with Server Components replace SSG?

Functionally, yes — but the underlying mechanism is different. In the Page Router, SSG was an explicit pattern you opted into with getStaticProps + getStaticPaths. In the App Router, static generation is the default behavior: if a Server Component route has no dynamic signals, Next.js automatically pre-renders it to static HTML at build time and caches it in the Full Route Cache. You get the same end result — pre-built HTML served at the edge — without writing any SSG-specific APIs. The concept of SSG didn't disappear; it was absorbed into the default rendering model.

What does the App Router give you that SSG couldn't?

SSG was an all-or-nothing commitment at the page level — the entire page was either static or dynamic. The App Router introduces per-component granularity. A single page can have a statically rendered Server Component shell (cached) wrapping a dynamically rendered section using , with client-interactive islands via 'use client'. This means you can statically cache the expensive parts (navigation, product listings) while keeping user-specific parts (cart count, personalized recommendations) dynamic — something SSG fundamentally couldn't express without client-side hydration workarounds.

When would you still think in "SSG terms" in the App Router?

When dealing with dynamic route segments at scale — e.g., /blog/[slug] with thousands of posts. App Router still supports generateStaticParams (the successor to getStaticPaths) to pre-render known paths at build time. Without it, those pages render on first request and get cached afterward, meaning the very first visitor to a new URL pays the render cost. For high-traffic or SEO-critical pages, pre-generating them at build time via generateStaticParams is still the right call — so SSG as a strategy remains relevant even if SSG as an API is gone.

Do Client Components appear in the initial HTML on first load in the App Router?

Yes — and this is a common misconception. Despite being called "Client Components," they are still server-rendered to HTML on the first request. Next.js renders the entire component tree (both Server and Client Components) to HTML on the server for the initial page load, so the user sees meaningful content immediately without waiting for JavaScript. The 'use client' directive doesn't mean "skip server rendering" — it means "this component needs to be hydrated and made interactive on the client after the HTML arrives."

What is the difference then between Server and Client Components in terms of the initial HTML?

Both appear in the initial HTML, but what happens after that HTML lands in the browser is different:

Server Components — rendered to HTML on the server, never hydrated. No JavaScript is sent to the client for them. They are inert HTML.
Client Components — rendered to HTML on the server (for the initial load), then their JavaScript bundle is sent to the browser and React hydrates them — attaching event listeners and restoring interactive state.

The practical implication is that both contribute to First Contentful Paint, but only Client Components add to the JavaScript bundle size and hydration cost.

What is the senior-level insight about hydration and the "use client" boundary?

The 'use client' boundary defines where the React component tree splits — everything below that boundary in the import tree is bundled and sent to the client for hydration. This is why keeping the boundary as deep and narrow as possible matters: a 'use client' on a large layout component pulls its entire subtree into the client bundle, increasing JS payload and hydration time. The optimal pattern is to push interactivity to small leaf components (a button, a dropdown) while keeping data-heavy parent components as Server Components — maximizing static HTML and minimizing what React needs to hydrate.

Web Performance

What is “Critical Rendering Path“?

As we know, the browser needs to know exactly the minimum resources required to download before rendering to avoid presenting an obviously broken experience. On the other hand, the browser can’t let the user wait for too long to download unnecessary resources for presenting some of the content to the user. The sequence of processes that the browser takes before rendering content on the first render is called the “critical rendering path“. Since the browser can’t complete the initial rendering without those critical resources, it is known as “rendering blocking resources“. The browser absolutely needs at least three types of resources:

The initial HTML that is received from the server to construct the actual DOM
The important CSS files are used to style the initial HTML. Otherwise, if the browser keeps proceeding without waiting for them, the user will see the weird “flash“ of unstyled elements.
The critical JavaScript files are used to construct the layout synchronously.

Can you tell me the overall process of rendering the“Critical Rendering Paths“?

The Critical Rendering Path includes the Document Object Model (DOM), the CSS Object Model (CSSOM), the render tree, and layout.

A request for a web page or application starts with an HTTP request, and the server sends back an HTML response. The browser then begins parsing the HTML and converts the received bytes into the DOM tree. While parsing the HTML, the browser discovers external resources such as stylesheets, scripts, and images, and starts downloading them in parallel.

The browser continues parsing the HTML and building the DOM until it reaches the end of the document. At the same time, CSS files are parsed to build the CSSOM. Once both the DOM and CSSOM are ready, the browser combines them to build the render tree, which contains only the visible elements and their computed styles.

After the render tree is created, the browser performs layout to calculate the size and position of each element. Finally, the browser paints the pixels on the screen, rendering the page that the user sees.

What are “Google Web Vitals“ and “Core Web Vitals“?

Google Web Vitals is a set of standardized performance metrics defined by Google to measure the real user experience of the website. They focus on how fast it loads, how responsive it feels, and how stable it is visually while loading.

Core Web Vitals are a subset of Web Vitals that Google considers the most critical for user experience and uses as ranking signals in search results. There are three metrics that can be seen as Core Web Vitals: Largest Contentful Paint, Interaction To Next Paint, and Cumulative Layout Shift.

Largest Contentful Paint (LCP): It is used to measure how long it takes for the largest visible content element to appear
Interaction to Next Paint (INP): It is a relatively new metric that was introduced in 2023, which measures how fast the app responds to user interaction with it. Basically, how “snappy“ the interaction feels
Cumulative Layout Shift (CLS): It is used to measure unexpected layout shifts while the page is loading

Can you explain the “Time To First Byte (TTFB)“ Metric?

When we open the browser and navigate to a website, the browser first sends a GET request to the server and receives an initial HTML in return. The time it takes to do that is known as the “Time To First Byte“ metric

Can you explain the "Time To Interactive (TTI)" Metric?

Time to Interactive is a lab metric for measuring load responsiveness. It helps identify the case when the page looks interactive but actually isn't. A fast TTI helps to ensure the page is usable with fully interactive elements. This metric was removed from Lighthouse and Core Web Vitals, but it is still useful to measure the performance of the SSR app. For example, an SSR app can lead to a scenario where a page looks interactive (links and buttons are visible on the screen), but it is not interactive because the main thread is blocked or the JavaScript controlling those elements hasn't loaded. To measure, just look at the end time of the longest task before the quiet window.

When do the DOMContentLoaded and Load Event occur?

DOMContentLoaded and Load are two key browser events that mark the different stages of page loading.

The DOMContentLoaded is fired when the HTML document has been completely parsed, and the DOM tree is built. That indicates the page structure is ready for user interaction, but it may not be fully complete yet

The Load Event is fired when the entire page and all its dependent resources have finished loading. That indicates the page is fully loaded and visually complete.

What are the “First Contentful Paint (FCP)“ and “Largest Contentful Paint (LCP)“?

First Contentful Paint is one of the most important performance metrics since it measures the perceived initial load. Basically, it is the user’s first impression of how fast your website is. Until this moment, the user has to stare at the blank screen. According to Google, FCP is ideally below 1.8 seconds before users lose interest in the website.

Somewhere in the FCP process is where the Largest Contentful Paint (LCP) happens. Instead of the very first element, like FCP, it represents the main content of the page, the largest text, image, or video visible in the viewport. According to Google, this number should ideally be below 2.5 seconds. More than that, users will think our website is slow.

Tell me about the “Lighthouse“ tool?

Lighthouse is the Google performance tool integrated in the Chrome Dev Tools and can also be run as a shell script, web interface, and a Node module. We can use a Node module to run it inside our build and detect regressions before they hit production. Those Google metrics can be measured by this tool.

Lighthouse only gives surface-level information and doesn’t allow for simulating different scenarios, like a slow network or low CPU. It’s just a great entry point and an awesome tool to track the performance changes over time. To dig deeper into what is happening, we need the “Performance“ panel.

How important is CDN in improving the website’s load time?

The primary purpose of any CDN (Content Delivery Network) is to reduce the latency and deliver content to users as soon as possible. They implement multiple strategies for this, but the two most important ones are “caching“ and “distributed servers“.

A CDN server will have several servers in various geographical locations. These servers are closer to the end user and are able to store those copies of static files on your website and send them to users when they request.

How would you know the resource is getting from the browser’s cache instead of getting a new version?

When a server receives a request for a file, it could check when the file was last modified. The browser knows because the browser sends cache validation headers like If-Modified-Since and If-None-Match allowing the server to compare versions. If the date is the same as the cached file on the browser’s side, it returns with a 304 status code with an empty body(that’s why the size is too small). This indicates to the browser that it’s safe to reuse it and there's no need to re-download it.

Can you explain the behaviour of the Cache-Control header that servers set in the response?

The Cache-Control header can contain multiple directives in different combinations, but the most important:

max-age with a number controls how long the particular response is going to be stored
must-revalidate directs the browser always send the request for a refreshed version if the response is stale. The response will be stale if it lives in the cache for longer than the max-age setting.

If we set the max-age=0 and must-revalidate, the browser will always check with the server and never use the cache right away. And if we set to max-age=31536000(1 year), it will tell the browser to get the content right away from the browser’s cache.

Do modern bundlers like Vite, Rollup, and Webpack always create “immutable“ JS and CSS files?

Well, they are not truly "immutable", of course. But those tools generate file names with a hash string that depends on the file's content. If the file's content changes, then the hash changes, and the name of the file changes. As a result, when the website is deployed, the browser will re-fetch a completely fresh copy of the file regardless of the cache settings. The cache is "busted", exactly like in the exercise before when we manually renamed the CSS file.

How does the component of those libraries, such as Next.js, Remix, Tanstack, work under the hood?

All of those modern frameworks give us a component that prevents the default link behaviour and some ways to render different pages for different routes without reloading the page itself. From regex pattern matching to folder-based routing. There is no more “traditional” page navigation, which includes asking the server for the new HTML, parsing it, and so on. Instead, the already initialized JavaScript just destroys the entire page or a part of it and then generates a new page and injects it into the old page. This part is usually invisible to us and is handled entirely by React.

For example:

Somewhere in the code, there is a Link component, inside of which there is this code:

 { 
  e.preventDefault();
  navigate(href); 
}}>
{children}

A normal tag, where the default behavior on click is prevented - i.e., the "normal" link redirect won't happen. Instead, the navigation to the next page is triggered by JavaScript via navigate(href). Which is not a "navigation to the next page" per se, actually. Inside this navigate function, there will be something like this:

window.history.pushState({}, '', newPath); 
dispatchEvent(new PopStateEvent('popstate', { state: {} }));

Where window.history.pushState will simply update the URL part of the browser, and that's it, no redirects. The dispatchEvent part then dispatches a JavaScript event that can be listened to via addEventListener .

Somewhere else entirely, there will be a part that listens to that event and sets the state with the pathname value:

window.addEventListener('popstate', () => { 
  setPath(window.location.pathname);
});

And then somewhere in the third place, there will be code that renders different pages based on that state value:

switch (path) {
  case "/login":
    return ;
  default:
    return ;
}

Why are no JavaScript environments so important?

The fact that real people are not the ones who can access the website. There are two other major things:

Search engine bots (crawlers), especially Google crawlers
Various social media and messages’ preview functionality

All of them work in a similar manner. First, they somehow get the URL of the website. This usually happens when users share the website through social media or when search bots mindlessly crawl through miliions websites out there.

Second, the bots send the request to the server and receive the response, like the browser usually does

Third, from the received HTML, they extract useful information like text, links, and meta tags. Based on that, they form the search index, and the page becomes “Googleable “. Social media previews grab the meta tags and build the nice preview we all have seen with the large picture, title, and sometimes a short description.

Many old web crawler bots have no JavaScript involved, but some of the popular search engines wait for JavaScript. However, this process means that the indexing of a website relies heavily on JavaScript and might be slow and budget-intensive. Then, it’s really important for the server to return the “proper“ HTML with all critical information on the very first request.

Can you tell me "the cost of server pre-rendering"?

When the server receives any requests, it reads the index.html file that the build step generated in advance, converts it to a string, and sends it back to whoever requests it. It is basically what all hoisting platforms that support SPA will do for us. To fix the "no JavaScript" problem, where the browser only receives the empty div without JavaScript enabled, we need to modify the HTML on the server now because nothing stops us from modifying that string before sending it back.

Adding a simple pre-rendering script, it introduces two problems in complexity:

The first problem is where we should deploy the app now. From now on, we need a server and no longer keep the hosting cost at zero for hosting static resources.
The second problem is the performance impact of having a server. Having a server introduces several problems with latency, including an unavoidable round-trip to the server for every initial load request.

Can you tell me what the "Server React DOM API" is and list all its methods?

The react-dom/server APIs let you server-side render React components to HTML. These API are only used on the top level of the React app to generate initial HTML. The framework calls them for us, and we mostly don't need to import them manually. There are three types of React server APIs:

Server APIs for Web Streams(renderToReadableStream, resume): These methods are only available in environments with Web Streams, which includes browser, Deno, and some modern edge runtimes.
Server APIs for Node.js Streams(renderToPipeableStream, resumeToPipeableStream, preRenderToNodeStream): These methods are only available in environments with Node.js Streams.
Legacy Server API for non-streaming environments(renderToString, renderToStaticMarkup): These methods can be used in environments that don't support streams

Explain to me the renderToString API method?

React calls the renderToString method to render our app to an HTML string, which can be sent with our server response. This will produce the initial non-interactive HTML output of our React components. On the client, we need to call hydrateRoot method to hydrate the server-generated response to make it interactive. renderToString method returns the string immediately; it does not support streaming content as its load. We could use other modern streaming methods as alternative solutions. For server-side rendering, they can stream content in chunks as it resolves on the server, so users can see the page being progressively filled in before the client loads. For static generation, they can wait for all content to be resolved before generating the static HTML.

What are the differences between createRoot and hydrateRoot?

createRoot lets us create a root to display React components inside the browser DOM node.

hydrateRoot lets us display React components inside the browser DOM node whose HTML content was previously generated by react-dom/server.

The main difference is createRoot will clear the existing HTML before generating the new HTML using JavaScript and inject it into the browser DOM node. On the other hand, hydration will reuse the generated HTML that is received on the Server and only attaches the event handlers. If our app is SPA, then we use createRoot. In contrast, if our app is server-rendered, createRoot is not supported, and we need to use the hydrateRoot method.

Can SSR make LCP worse?

Unstable, there are no silver bullets in performance. If someome tell us that SRR is a 100% increase in initial load for out SPA app, they are mistaken. In the scenario when the CPU is really fast, the networking is really slow and the browser's cache is turned on, the FCP/LCP metric in SPA seems better than SSR. That is because the browser took a long time to download the initial HTML due to the slowest network in SSR. In contrast, the size of the initial HTML in SPA is really small, while the CPU is really fast for JavaScript execution. So if your app is targeting that specific niche primarily, and our app is already SPA, trying to introduce SSR to it might make it worse.

Why does implemting conditional SSR Rendering is a big mistake?

We all know that some browsers' APIs, such as window, document, .. can't be used in the server's environment. A typical way to fix it would be to use a conditional check to determine whether the window is undefined or not, and then decide which parts of the code should be executed on server or browser environment. Another way that we can put the client code inside the useEffect or useLayoutEffect is because those hooks are called after hydration happens and won't be run on the server side.

const Component = () => {
// don't render anything while in SSR mode
if (typeof window === "undefined") return null;
  // render stuff when the Client mode kicks in
return ...
}

The natural temptation of implementing conditional SSR rendering is not going to work in the correct way. React expects that the same HTML produced by the server code is exactly the same as the HTML produced by the client code. Implementing this way makes the content on the server is different with the content on the client, that confuse it so much and React will replace the entire content of the "root" div and repalces with the freshly generated elements. The hydration mechanism is totally destroyed, with all the downsides that come with that. Sometimes, it can just introduce really weird layout bugs due to the rehydration issue.

The correct way to do this is to rely on React's life cycle to "hide" the non-SSR compatible blocks.

const Component = () => {
// initially, it's not mounted
const [isMounted, setIsMounted] = useState(false);
};

const Component = () => {
// initially, it's not mounted
const [isMounted, setIsMounted] = useState(false);
useEffect(() => { 
    setIsMounted(true);
}, []); 
};

On first render, both client and server receive the same null content, so the server thinks that I can trust this DOM and the hydration mechanism won't be broken.

Why does compressing JavaScript help to improve the web performance?

We all know that the more large in size in JavaScript bundle, the more time users need to wait for the browser complete downloading. Having a few megabytes of JavaScript on the page just feels wrong, so the issue of the bundle size and how to reduce it dominates performance-related discussions. In real life, when sending those files to users, we often would first compress them with something like gzip and brotli to reduce the size. Most of the hoisting providers have compression enabled by default, especually we are using CDN.

What is the JavaScript Evaluation?

If we are profiling a web application that ships a lot of JavaScript code, we might see a long task that is labeled with Evaluate Script. Script evaluation is a necessary part of executing JavaScript code in the browser, as JavaScript is compiled just-in-time before execution. When the JavaScript is evaluated, it is first parsed for errors. If the parser doesn't find any errors, then the script is compiled into bytecode, and the continue onto the execution part. The network cost of downloading JavaScript is the only thing users need to pay for once on the first visit. After that, resources can be gotten from cache, but the cost ofthe JavaScript Evaluation process is what users need to pay for every visit.

Which tools do you use to improve the performance of the website?

Well, there are a few tools that I use to measure the performance of the website. In the development phase, I use the React Profiler of the React Dev Tool to check if any components render unnecessarily. It helps me to identify which components are slow and why. I use the Performance tab on Chrome Dev Tools to analyze the main thread and identify what is blocking the UI during interactions. For example, when users report janky scrolling, you might find the long-running JS tasks causing frames drop. I use the Network tab when investigating slow load times. The waterfall chart reveals API delays, building issues, and caching problems. I also use the webpack-bundler-analyzer to identify dependencies that are inflating my bundle size. And Lighthouse is my go-to for auditing the overall performance, accessibility, and SEO before pushing to production.

Can you explain those terms, like minification and tree-shaking in the bundler?

Minification is the simplest optimization step, but surprisingly powerful. It will help you to remove all the redundant things from your final code without affecting the execution. Things such as whitespaces, comments, long variable names, and formatting, those are don’t need on your final bundle. Your final code works exactly the same, but becomes smarter, faster to download, and faster to parse.

Tree-shaking is a way to let the bundler remove the dead code, unused code from your final bundle. For example, you define 5 functions, but you only use one; the 4 left are never used in your codebase. Tree-shaking will remove those 4 dead code from your final bundle, which makes the final bundle to be more smaller. Tree-shaking relies heavily on ES modules (import/export). Because ES modules are static. The bundler can analyze them at build time and see which exports are actually used.

How do we need to use the Code Splitting technique to reduce bundle size?

The idea behind the Code Splitting technique is that when we have to send a large 5MB file to the users, if those 5Mb are packed into a single file, downloading that file will take more than a minute. So the question is: Why don't we just split that large file into multiple chunks, then let the browser download them in parallel? It will help me reduce the download time. The hard part is that we can't just cut that file into 10 random files; that is not how JavaScript works. We need to split it into isolated, independent modules and ensure that those modules can call functions in other modules. Doing this manually would be a huge headache, but luckily, most modern bundlers can do it for us.

https://vite.dev/guide/build.html#chunking-strategy

https://webpack.js.org/guides/code-splitting/

How do you decide when to split a large JavaScript bundle into multiple chunks?

Answer: I focus on Cache Stability and Resource Criticality. First, I separate vendor code from app code. Since node_modules change rarely, splitting them allows for long-term browser caching. For the dependency tree, if a library or feature is over 100KB, I'll extract it into its own chunk. I aim for chunks between 50KB–100KB to balance parallel download speed with compression efficiency.

Can you explain the risk of having TOO MANY small chunks in a web application?

Answer: There are two main risks. First is the Protocol Bottleneck: On HTTP/1.1, browsers are limited to ~6 concurrent connections. Too many chunks can create a "waterfall" that delays critical CSS. Second is Compression Overhead: Algorithms like Brotli work better on larger text blocks. Breaking code into tiny chunks reduces the compression ratio, potentially increasing the total transfer size.

What is the difference between how local development and production environments handle chunking?

Answer: The primary difference is the protocol. Local dev servers often use HTTP/1.1, while production CDNs use HTTP/2 or HTTP/3. In local testing, you might see performance regressions from many chunks due to connection limits. In production, those same chunks are requested in parallel. It is vital to verify performance in a production-like environment before final decisions.

If you move a specific UI component into a 'components' chunk, why might it still appear in the 'index' chunk?

Answer: This happens due to how the bundler traces the dependency tree. If the index entry point imports that component directly (or via a shared utility not included in the chunk rule), the bundler may prioritize including it in the main bundle to avoid extra round-trips. You must ensure the manualChunks configuration (like in Rollup/Vite) explicitly targets the file path and that imports are structured to allow isolation.

How does code splitting improve performance beyond just the initial download speed?

Answer: It significantly reduces JavaScript Execution and Compilation time. By splitting code, the browser can parse and compile individual chunks as they arrive, rather than waiting for a single massive file to finish downloading. This frees up the Main Thread much sooner, which improves responsiveness metrics like First Input Delay (FID) or Interaction to Next Paint (INP).

How would you approach a task where the production JavaScript bundle has suddenly grown by 2MB?

Answer: I would start by running a Bundle Analyzer (like webpack-bundle-analyzer or rollup-plugin-visualizer) to generate a treemap of the production build. I’d look for large "blobs" in the node_modules section. Once a culprit is identified, I’d trace its usage in the codebase. Often, it’s a case of someone importing an entire library (like lodash or MUI) instead of specific named exports, or a new dependency being pulled in by a sub-dependency.

What are the performance implications of using import * as UI from 'library-name' ?

Answer: This pattern generally prevents the bundler from performing effective Tree-Shaking. By using the namespace import (*), you are explicitly telling the bundler that you might need any part of that library at runtime. Even if you only use UI.Button, many bundlers will include the entire library in the final chunk, leading to massive "Bundle Bloat" and increased parse/compile times for the user.

Why might a "Unified Icon Library" file (one file that exports all project icons) be a bad architectural choice?

Answer: While it provides a clean developer experience (DX) and better autocomplete, it creates a bottleneck. If that central file imports 2,000 icons from a library to re-export them, every page that needs even a single "Close" icon will end up loading all 2,000 icons. This is because the bundler sees the central file as a single dependency that requires all those icons to be present.

If a bundle analyzer shows that a library is taking up 40% of your bundle, but you only use one function from it, what are your options?

Answer: First, I would check if the library supports Named Exports (e.g., import { functionName } from 'lib') which allows for tree-shaking. If it doesn't, I’d check for "sub-path imports" (e.g., import functionName from 'lib/functionName'). If the library is simply not tree-shakeable, I’d evaluate if there is a lighter alternative (like date-fns instead of moment.js) or if I can implement that specific logic manually to save those several hundred KB.

What is the "Comment-Out" strategy in bundle optimization?

Answer: It’s a quick sanity check used during the investigation process. Before committing to a complex refactor, you comment out the suspected heavy imports and rebuild the project. Even though the app won't run, the build will complete, allowing you to see exactly how much the bundle size drops. This confirms that your "investigation" is targeting the right package before you spend hours on the actual fix.

What is Tree-Shaking, and how does it differ from traditional Dead Code Elimination?

Answer: Tree-shaking is a form of dead code elimination that relies on the static structure of ES Modules (import and export). Unlike traditional DCE, which looks at segments of code that can't be reached, tree-shaking tracks the "live" exports across the entire module graph. If a module exports a function but nothing in the dependency tree imports it, the bundler "shakes" it off the tree to keep the final bundle lean.

Why does import * as Material from '@mui/material' often cause performance issues in production?

Answer: In theory, modern bundlers can tree-shake namespace imports. However, in practice, if that Material object is ever used as a dynamic reference (like Material[componentName]) or wrapped in another exported object (like export const Theme = { Material }), the bundler loses the ability to statically analyze which specific parts of the library are needed. To be safe, it includes the entire library, which for MUI includes hundreds of components and thousands of icons.

Can you explain a scenario where a component is imported but still excluded from the final bundle?

Answer: Yes. If I import MyDialog in App.tsx but don't actually reference it in the JSX/return statement, or if it's inside a conditional block that the bundler determines is "dead" (like if (false) { ... }), the bundler will see that the component is never actually "reached." Since the branch is dead, the component and all of its unique dependencies will be omitted from the production chunk.

How would you refactor a "Global UI Wrapper" that is causing a 5MB bundle size due to Material UI imports?

Answer: I would replace the import * as Material with Direct/Named Imports. Instead of mapping the entire library to a key, I would import only the specific components we use—like Button or Snackbar—and explicitly add them to the wrapper object. This restores the bundler's ability to perform static analysis, ensuring that only those two components (and their specific dependencies) are included in the vendor chunk.

Is it possible to use the "Namespace Pattern" (e.g., ) without breaking tree-shaking?

Answer: It depends on the bundler, but generally, the safest way to maintain that DX is to build the UI object manually using named imports. For example: import { Button } from './Button'; export const UI = { Button };. As long as you aren't using import * to grab the whole directory, the bundler can see that UI.Button only requires the Button file, and it will continue to tree-shake other unused components in that directory.

Why can a bundler tree-shake your own code easily, but often fails to tree-shake older libraries like Lodash?

Answer: Tree-shaking requires the ESM (ES Modules) format. Our own code uses import and export, which allows the bundler to map the dependency tree statically. Older libraries often distribute code in CommonJS or UMD formats. Because these formats allow dynamic requires and exports, the bundler cannot be 100% sure that a piece of code is unused, so it includes the entire library to avoid breaking the app.

What is "Cherry-picking" in the context of bundle optimization?

Answer: Cherry-picking is the practice of importing a specific function directly from its file path rather than the library's main entry point—for example, import trim from 'lodash/trim' instead of import { trim } from 'lodash'. This bypasses the potentially non-tree-shakeable main index file and ensures only the code for that specific utility is included in the bundle.

If npx is-esm returns "No" for a package, what does that tell you about its impact on your bundle?

Answer: It tells me that the package does not provide a standard ES Module entry point. Consequently, standard named imports (import { x } from 'pkg') will likely fail to tree-shake, and the entire library will be bundled. In this case, I would either look for an ESM-native alternative, search the documentation for sub-path "cherry-picking" imports, or evaluate if I can replace the functionality with native JavaScript.

How do you decide between using a utility library (like Lodash) and writing native JavaScript code?

Answer: I look at Browser Support and Bundle Cost. If I only need simple functions like trim() or toLowerCase(), I use native JavaScript because it costs 0 bytes and is highly optimized by the browser engine. I only reach for a library if I need complex, battle-tested logic (like deepClone or debounce) that would be error-prone to write manually, and even then, I ensure I'm importing only the specific functions needed.

What is the difference between import { Star } from '@mui/icons-material' and import Star from '@mui/icons-material/Star'?

Answer: The first is a Named Import from the main index. If the library is properly configured for ESM, this should tree-shake. The second is a Default Import from a specific file path. The second approach is "safer"—it guarantees that only the Star icon is pulled in, regardless of how complex the library's internal tree-shaking configuration is. Many developers prefer the second one for icons because it prevents "accidental" bloat from configuration errors.

What would you do if you found three different date-manipulation libraries in a single project’s bundle?

Answer: I would perform a Unification Audit. First, I’d use a search tool to see how many times each library is used. If a heavy library like moment is only used in a few places, I’d refactor those instances to use a more modern, tree-shakeable alternative like date-fns or native Intl APIs. The goal is to standardize on the single most efficient library and then uninstall the others to shrink the vendor chunk significantly.

How do you identify why a specific package is being included in your bundle if you haven't explicitly imported it?

Answer: I would use a dependency tracing tool like npm-why or yarn why. These tools show the dependency chain. For example, if I see @emotion in my bundle but I only use Tailwind, npm-why might reveal that it’s being pulled in as a sub-dependency of @mui/material. To get rid of it, I’d have to either replace the parent library (MUI) or find a version that doesn't rely on that transitive dependency.

Why did replacing one @emotion component with a Tailwind class not immediately remove Emotion from the bundle?

Answer: This is a classic case of Transitive Dependencies. Even if you stop using a library directly in your code, it will remain in the bundle if another library you are still using (like Material UI) depends on it. Removing a library from a bundle often requires a "recursive" cleanup of all packages that reference it.

What is the trade-off between using a UI library like Material UI vs. a headless primitive library like Radix UI?

Answer: Bundle size vs. Development speed. Material UI comes with pre-defined styles and heavy internal dependencies (like Emotion), which can bloat the bundle to several megabytes. Radix UI provides "headless" primitives (accessible logic without styles), which are much smaller and allow you to use your own lightweight CSS-in-JS or Tailwind. In performance-critical apps, switching from MUI to Radix can often save hundreds of kilobytes.

In a "Bundle Size Initiative," how do you prioritize which libraries to refactor first?

Answer: I use the "Impact vs. Effort" matrix. I start by looking at the Bundle Analyzer. Large, non-tree-shakeable blocks that are only used in a few places are "Low Effort, High Impact" wins. Redundant libraries (like having two different icon sets) are also top priorities. I save large-scale migrations—like moving an entire themed app away from MUI—for last, as they require significant regression testing.

Others

How do you debug issues?

There are a few effective strategies I used to resolve the most complex issues and help me save time and energy:

Firstly, I try to reproduce the error consistently. We can’t fix the error when we can’t see it. Once I know how to reproduce the bug, then I will try to make it fast for able to jump straight into the problem area. After that, before digging into the problem, I will try to collect as much context as possible (confirming with the QC, checking records, logs) to make sure it’s a bug and avoid missing information.
The next part is isolating the problem. Finding bugs in a large codebase is really hard. I apply the binary search approach that divides the code into working and non-working parts by commenting out the suspicious code. Repeat that process until I find exactly the problematic area. Additionally, I usually use console.log to find issues in most cases. Besides, I also use some debugger tools like VSCode Debugger, Chrome Dev Tools, and React Developer Tools if needed.
After I found the part of the code that causes the issue, I adopted a more scientific, methodological approach instead of making random changes. I start with forming a hypothesis about the root cause, add logging and breakpoints to verify it, observe the results, fix the code based on what I learn, verify the fix, and repeat the cycle again with a new hypothesis. Finding issues and fixing them depends on how much you understand the system, the flow, and how things work under the hood. Once you have a clearly knowledege how things work, you can find the issues quickly.
When I am stuck because the bug is particularly hard, I write down what I have tried. This way helps me to prevent doing the same thing twice and expecting different results. It also makes it easier for others to help me. When I feel like my brain is being shut down after hours trying to fix a bug, but couldn’t, I will step away from my laptop to take a 15 minutes walk to refresh my mind. Sometimes, I feel like it is the fastest way to solve a bug.
AI coding tools are really powerful these days, especially if we give them the right information. The right context is the key. I mostly let AI fix bugs after I found the issue and provided the solution to AI. For some simple issues, I just let the AI do all things and only review the final code.

List of the Behaviour Questions

Can you tell me about yourself?

Hi, I'm Tuan. I am a Senior Front-End Engineer with over five years of experience. I have a degree in Computer Science, which gave me a very strong foundation in programming and problem-solving.

Throughout my career, I have specialized in React, Next.js, and TypeScript. I care a lot about the 'fundamentals'—like making sure my code is clean, SEO-friendly, and accessible for all users.

In my most recent role, I worked for a large international digital consultancy. For more than four years, I was the Senior Front-End Lead for a major e-commerce platform in the Australia and New Zealand region (ANZ). I was responsible for building and designing key features that helped the business grow.

Something that defines me is my habit of learning. For the last five years, I have read technical articles every single day. I believe a senior engineer doesn't need to know everything, but they must know how to find the right solution quickly.

I also have a blog where I share what I learn. I think my blog is the best way to see how I think and solve technical problems.

Can you tell me about your work in your recent project?

In my last project, I spent four years contributing to the front-end development for a large e-commerce website in the ANZ region.

As a senior engineer, I was responsible for the most complex parts of the project. This included things like a new login flow, color discovery features, and product detail pages. I always make sure I fully understand the requirements before I start writing any code.

My process is simple but effective:

First, I analyze the task. If it's complex, I discuss it with my team and the lead to make sure we have a good plan.
Second, I focus on 'Clean Code' principles. I want my code to be easy to read and easy to maintain.
Third, I always write unit tests. This helps me find bugs early and deliver high-quality work on time.

Because of my impact on the project, I was promoted twice during my four years there.

What do you do to enhance your technical knowledge apart from your project work?

I have a very disciplined approach to learning. My first priority is always to deliver my project tasks on time and with high quality. However, I believe that staying updated is part of a senior engineer's job.

For over five years, I have maintained a daily habit of reading technical literature. I use tools like daily.dev, and I follow industry experts on Medium and Substack. This helps me stay ahead of the latest trends in the JavaScript and React ecosystem.

When I find a truly deep or useful article, I don't just read it—I save it into my personal knowledge base. Over time, this has built a massive library of resources that help me solve complex problems quickly.

To solidify my knowledge, I also run a technical blog. I believe that 'to teach is to learn twice.' Writing about advanced topics and architectural patterns helps me understand them deeply. This habit ensures that I never fall behind and that I am always ready to adopt new technologies when the project needs them.

Tell me about a time you had a disagreement with your manager.

In my experience as a Senior Engineer, I believe that a disagreement is actually an opportunity for collaboration. I generally have a very good relationship with my leads, but when we have different opinions on a technical solution, I follow a professional process.

For example, if my manager proposes a solution that I think could be more optimized, I don't just say 'no.' Instead, I prepare a clear technical proposal. I show the pros and cons of my idea compared to the original one.

My goal is never to 'win' the argument, but to find the best solution for the project. I believe in 'Strong Opinions, Weakly Held.' This means I will advocate for the best technical path, but once a final decision is made by the lead or the team, I fully support it and work hard to make it successful.

This approach has helped me maintain high technical standards while keeping a very positive and professional environment in the team.

Tell me about a situation when you had a conflict with a teammate.

I focus on maintaining a positive team environment, so I rarely have personal conflicts. However, I once had a technical disagreement during a code review.

A teammate was trying to improve performance by using Math.random() to generate React keys everywhere on the site. I knew this would cause major performance problems because React keys must be both 'unique and stable' for the reconciliation process to work correctly.

At first, he didn't realize why this was a problem. Instead of pointing out the mistake in the public group chat, I reached out to him privately. I explained how React works 'under the hood' and why stable keys are necessary. I also suggested better solutions, like using unique IDs from our data.

He understood the explanation, updated the Pull Request, and the task was completed successfully. By handling it privately and technically, I helped my teammate grow while keeping our professional relationship very strong.

Tell me about a time you failed. How did you deal with this situation?

Early in my career, I made a mistake by focusing too much on speed and not enough on quality. I wanted to prove I was fast, so I jumped straight into coding before fully understanding the requirements. I skipped unit tests and didn't confirm unclear details with the Business Analyst.

As a result, the feature was full of bugs and didn't meet the client's needs. This delayed the release and was a very tough lesson for me. I learned that 'being fast' is useless if the work is incorrect.

Since that day, I have followed a disciplined process that ensures high quality:

First, I analyze requirements deeply and ask questions early.
Second, I break big tasks into smaller, manageable parts.
Third, I always write unit tests and perform thorough 'smoke tests' before delivery.

This failure helped me become the reliable Senior Engineer I am today. I now complete my tasks on time, with a very low bug rate and high-quality code.

Describe a time when you led a team. What was the outcome?

While I haven't held a formal 'Team Lead' title yet, I have naturally taken on informal leadership responsibilities in my senior roles.

For example, I am the primary person for code reviews on my team, and I mentor junior developers to help them follow best practices. I also take the lead on technical documentation and architectural proposals for new features.

I am very interested in moving into a formal leadership role. I have been studying management principles from industry experts to understand how to motivate a team and manage project risks. I believe my strong technical foundation and my ability to communicate clearly make me ready for this next step in my career.

Tell me about a time that you worked well under pressure

I remember a critical issue that appeared right on a major release day. A navigation feature that was working perfectly in testing suddenly started 'flickering' in the production environment. This was a high-pressure situation because the client needed a fix immediately to avoid delaying the launch.

Even though the pressure was high, I stayed calm and followed a logical debugging process:

First, I reproduced the bug in a local environment to understand the root cause.
Second, I used a 'divide and conquer' approach by isolation—commenting out sections of code to find the exact source of the flicker.
Third, once I found the issue, I analyzed the logic and implemented a stable fix.

I was able to resolve the bug within two hours. The client was very pleased with the prompt and professional response. This experience taught me that staying calm and following a methodical process is the best way to handle high-pressure situations.

How do you handle a situation when you don’t know the answer to a question?

Answer:
"In my experience, especially during client demos, it's very important to handle unknown questions professionally to maintain trust. I remember a time when a client asked me about a specific technology I hadn't used before. Instead of pretending to know the answer, I stayed honest and professional. I told the client: 'That's a great question. I want to give you the most accurate information, so I need to do a quick research before I confirm the details. I will get back to you by the next meeting.' I then researched the topic and consulted with my team. At the next meeting, I provided a confident and correct answer. I believe being honest is the best way to build long-term trust with stakeholders."

Describe a time when you received tough or critical feedback.

Answer:
"Early in my career, my Technical Lead told me that while my delivery speed was excellent, my code quality needed more focus and I needed to be more open to teammates' opinions. At first, it was hard to hear, but I realized his feedback was a gift to help me grow. I decided to change my approach immediately by taking more time for self-reviews, performing strict 'smoke tests' before delivery, and being more open-minded during discussions. My lead was very satisfied with my improvement, and this feedback actually helped me transition into a Senior role. It taught me that a great engineer must be humble and focus on quality above all else."

Describe a time when you had to give someone critical feedback. How did you handle it?

Answer:
"In my senior role, I often mentor junior developers. I once worked with a talented developer who was misusing React memoization hooks like useMemo and useCallback everywhere. I arranged a private one-on-one meeting to provide constructive feedback. Instead of just highlighting the mistake, I explained how React works under the hood and why over-memoization can actually hurt performance. I also shared deep-dive resources to help him learn. He responded well, updated his code correctly, and thanked me for the guidance. For me, giving feedback is about helping the team grow together."

Describe a time when you anticipated potential problems and developed preventive measures

Answer:
"During a major performance refactoring phase, I noticed a significant risk in our codebase. Our team had agreed to refactor React keys to improve rendering, but a teammate incorrectly implemented a utility using Math.random() to generate keys globally. I recognized immediately that this would cause React to re-mount every component on every render, leading to a performance disaster. I rejected the Pull Request and organized a meeting to explain the reconciliation process and why keys must be both unique and stable. By catching this early and mentoring my teammate on React internals, I prevented a critical production issue and helped the team adopt a more robust implementation strategy."

Describe a situation when you had to deal with a difficult customer

Answer:
"In my role as a Senior Engineer, I primarily interface with project stakeholders and onsite partners rather than direct retail customers. I’ve found that the best way to prevent 'difficult' situations with any stakeholder is through consistent transparency and high-quality delivery. For example, by providing clear technical demos during bi-weekly standups and maintaining open communication on JIRA, I’ve built a high level of trust with our international partners. Because our team consistently hits milestones and maintains a low bug rate, my interactions with stakeholders have remained very positive and collaborative."

Tell me a time when you missed a deadline. What happened, and how did you handle it?

Answer:
"I am very disciplined with planning, so I rarely miss deadlines. However, I once encountered a situation where a critical requirement was missing from a ticket late in the sprint. Instead of rushing to code a partial solution, I immediately raised the risk to my Project Manager and Business Analyst. I worked closely with them to clarify the missing logic and provided a new, realistic estimate for the update. Even though the original internal target shifted, I committed to a new delivery time and worked diligently—including extra hours—to ensure the final feature was shipped with zero bugs for the main release. This taught me that early communication is the most important tool when facing a deadline risk."

Describe when your workload was heavy and how you handled it

Answer:
"During the implementation of a new authentication flow using Azure B2C, my workload suddenly doubled when my Lead was pulled into another urgent release. I was assigned the entire authentication UI suite—including login, sign-up, and password recovery—with a very tight deadline. These tasks required a deep dive into native HTML, CSS, and JavaScript within a complex specialized platform. I handled this by first performing a risk assessment and communicating the new effort requirements to my PM. Once the stakeholders were aligned, I focused on a methodical execution. I successfully shipped all forms on time, receiving high praise from the client for delivering a complex feature smoothly under pressure."

Describe a time you had to deal with a significant change at work. How did you adapt?

Answer:
"In my experience, significant changes are best handled through a structured technical investigation. While our project requirements are usually well-defined, I am always prepared for shifts in scope. If a major change occurs, my first step is to perform a deep-dive analysis into the existing codebase to identify similar patterns. I then research the official documentation and best practices for the new requirements. Before starting any implementation, I break the solution down into technical tasks with realistic estimations. I then proactively communicate the impact and the timeline to my Project Manager and Business Analyst. This structured approach ensures that the change is integrated smoothly without risking the stability of the overall release."

Describe a situation where you saw a problem and took an initiative to correct it

Answer:
"While working on a new feature, I noticed a critical bug in a common utility function that was being used across the entire site. A teammate had implemented an asynchronous operation inside a forEach loop, which was causing intermittent race conditions and mysterious bugs. Even though this wasn't part of my assigned ticket, I took the initiative to address it. I reached out to my teammate privately and explained why forEach doesn't wait for promises and how to correctly use for...of or Promise.all. I helped him refactor the utility and verify the fix. By taking this initiative, I not only fixed a major hidden bug but also shared important technical knowledge with the team."

Describe a time when there was a conflict with your team. How did you help resolve it?

Answer:
"Early in my career, I was sometimes too protective of my own technical choices, which occasionally led to friction during code reviews. I realized that being a great engineer isn't just about writing code; it's about collaboration. I made a conscious decision to change my mindset. Now, I view every comment as an opportunity to improve the project. When a conflict arises, I stay calm, take a breath, and evaluate the feedback objectively. If I disagree with a bug report or a review comment, I don't argue; instead, I arrange a quick call to explain my logic clearly. If we still don't agree, I involve a third party like a Tech Lead or BA to provide a neutral perspective. This transition from being 'stubborn' to being 'collaborative' has significantly boosted my productivity and strengthened my relationship with my team."

Describe a time when you went out of your comfort zone. What lessons did you learn?

Answer:
"The most significant time I stepped out of my comfort zone was when I moved from a local project to an international one with English-speaking clients in the ANZ region. Initially, I was very nervous about demoing my features in English during bi-weekly standups. I even tried to avoid them at first. However, I soon realized that to grow as a Senior Engineer, I needed to master technical communication. I started preparing for my demos much more thoroughly—writing scripts and practicing my speaking. I stopped hiding and began actively presenting my weekly achievements. This experience taught me that growth happens when you face your fears. My confidence improved, my PM noticed a huge difference, and I am now very comfortable presenting complex technical flows to international stakeholders."

Describe a time when you took a big risk, and it failed

Answer:
"I am generally a risk-averse engineer who prefers careful planning, but there was a situation where I had to step up during an emergency. A teammate went on leave right before a production release, leaving a complex GraphQL change unfinished. Even though I am primarily a Front-End expert, I volunteered to handle the backend integration. I worked extra hours to learn the new GraphQL patterns and coordinated across teams to meet the deadline. In the end, I only completed about 80% of the task on my own and needed a lead's help for the final integration. While I didn't finish everything 100% independently, it was a valuable experience. I learned how to manage high-pressure cross-stack tasks, and the client was very impressed with my willingness to take on a difficult challenge to ensure the release was a success."

Describe a time you had to explain a complex technical concept to someone non-technical

Answer:
"Early in my career, I struggled to explain technical details to non-developers like BAs or QCs. I eventually realized that effective communication is a core senior skill. My approach changed from focusing on how a feature works to why it matters for the business. Now, when I explain a technical concept, I use analogies and focus on the user impact rather than the implementation detail. For example, instead of discussing 'asynchronous state synchronization,' I talk about how the system ensures the user's data remains consistent across the whole site. This shift in perspective has made my collaborations with the QA and Product teams much smoother and more productive."

Tell me a time you disagreed with your colleague. How did you handle this situation?

Answer:
"I believe that healthy technical debate is essential for a high-quality project. When I have a disagreement with a colleague, I focus on staying objective and professional. I avoid personal tension and instead move the discussion to a dedicated technical meeting where we can look at the facts. During these sessions, I practice active listening to understand their reasoning before sharing my own perspective. If we reach a stalemate, I proactively involve our Technical Lead to provide a neutral 'third party' decision. My priority is always the best interest of the project, not 'winning' the argument. This approach ensures that we remain effective teammates even after a tough technical decision."

Tell me about a complex task you have worked on recently

Answer:
"Recently, I led the front-end implementation for a major authentication migration to Azure B2C. This was a high-stakes project delivered at the end of the year. The challenge was that I had to build a modern, high-fidelity UI using native HTML, CSS, and JavaScript, as the platform did not support modern frameworks like React. The documentation was also quite limited. I handled this by performing deep-dive research into the Azure B2C Custom Policy framework and breaking the large project into modular vanilla JavaScript classes. Despite the technical constraints and tight deadlines, I delivered the full suite of Login, Sign-up, and Password Recovery flows on time with zero critical bugs. It was a great example of using core web fundamentals to solve a complex architectural problem."

How do you stay up-to-date with the latest technological advancements?

Answer:
"I view continuous learning as a daily discipline rather than an occasional task. For over five years, I have dedicated at least two hours a day to staying updated with the JavaScript and React ecosystem. I rely on a curated library of resources, including daily.dev, Medium, and various expert newsletters. To ensure my knowledge is practical and stays with me, I maintain a technical blog where I document advanced concepts and 'lessons learned' from my projects. I believe a senior engineer's value comes from their ability to bring these new, optimized solutions into their team's workflow to prevent the project from falling behind technologically."

Give me an example of a time you had to debug a challenging technical issue.

Answer:
"I recently handled a challenging cross-device issue where a production bug only appeared on mobile Safari. Because our environment was behind a strict VPN, I couldn't use standard remote debugging tools easily. To solve this, I followed a methodical 'isolation' process. I first verified the requirement to ensure it wasn't a misunderstanding, then I used logging and targeted code removal to 'scope down' the bug locally. Once I identified the root cause—a specific CSS legacy behavior in Safari—I coordinated with the team to implement a stable fix that wouldn't impact other browsers. I find that a calm, step-by-step reproduction process is the most effective way to resolve even the most difficult technical issues."

References

https://github.com/ashishps1/awesome-behavioral-interviews

https://javascript.plainenglish.io/93-of-frontend-developers-cant-explain-react-profiler-vs-lighthouse-here-s-what-actually-2bdf07b0f253

https://javascript.plainenglish.io/the-one-frontend-interview-question-that-humbled-me-after-100-interviews-42935d92496c

https://medium.com/@jaganjvvn/real-world-frontend-interview-answers-javascript-react-typescript-b531f8298a8f

https://javascript.plainenglish.io/15-react-interview-questions-every-mid-level-developer-should-be-ready-for-in-2025-38ee70bc114c

https://javascript.plainenglish.io/mastering-the-senior-react-developer-interview-real-world-questions-you-must-prepare-for-46cda3df1c82

https://www.developerway.com/posts/server-actions-for-data-fetching

https://javascript.plainenglish.io/mastering-the-senior-react-developer-interview-real-world-questions-you-must-prepare-for-46cda3df1c82

https://thetshaped.dev/p/conscious-debugging-10-effective-debugging-strategies-debug-like-pro

https://www.developerway.com/posts/debugging-with-ai

https://medium.com/@kanishks772/every-bug-i-ever-fixed-made-sense-only-after-i-understood-these-7-layers-ebcae423399b

All The New Features In Next.js

Tuan Tran Van — Sun, 03 Aug 2025 11:14:23 GMT

Next 16

Next.js 16.0.1 is live, and it is not just a point release. It tightens the App Router story, clarifies caching with Cache Components, promotes Turbopack to the default, and ships practical breaking changes that you should address before merging that upgrade pull request. The official docs header shows 16.0.1 as the latest version, so let’s treat this as the new baseline.

Cache Components — The Star of Next.js 16

One of the most significant changes is the introduction of Cache Components, a new opt-in caching model powered by the 'use cache' directive.

It’s built on top of the Partial Pre-Rendering (PPR) work started in 2023 — but now, it’s simpler and more powerful.

Instead of implicit caching rules, developers can now explicitly define what gets cached and what executes dynamically at runtime.

// next.config.ts
const nextConfig = {
  cacheComponents: true,
};
export default nextConfig;

💡 Why it matters:
Before, you had to choose between fully static or fully dynamic rendering.
Now, with Cache Components, you can mix both — static shells with dynamic data chunks.
This gives you the speed of SSG with the freshness of SSR, all within a unified architecture.

Turbopack — Now the Default Bundler

After nearly two years of testing, Turbopack is finally stable and is now the default bundler for all new Next.js projects.

Built in Rust, Turbopack delivers jaw-dropping performance gains:

🚀 2–5× faster production builds
🔁 Up to 10× faster Fast Refresh during local development

You can still fall back to Webpack if you need to:

next dev --webpack
next build --webpack

💡 Why it matters:
Shorter feedback loops mean faster iteration, smaller CI/CD times, and a smoother dev experience — especially for teams working on massive codebases or micro-frontends.

Next.js DevTools MCP — AI-Assisted Debugging

This release debuts Next.js DevTools MCP (Model Context Protocol) — bringing AI-powered insights right into your dev workflow.

What it does:

Understands your app’s routing, caching, and rendering logic
Combines browser + server logs into one view
Let’s AI agents (like Codex or Copilot) explain, debug, and suggest fixes contextually

💡 Why it matters:
This bridges the gap between AI assistance and real-world debugging.
You can finally ask “why is this route slow?” and get contextual answers — not just generic suggestions.

proxy.ts — Replacing middleware.ts

middleware.ts has officially been replaced by proxy.ts to make your network boundary explicit.

This runs only on the Node.js runtime and provides clearer semantics for request interception.

// proxy.ts
import { NextRequest, NextResponse } from 'next/server';
export default function proxy(request: NextRequest) {
  return NextResponse.redirect(new URL('/home', request.url));
}

💡 Why it matters:
It simplifies your app’s network layer and prevents confusion about where middleware logic runs.
If you were previously using middleware for redirects or auth, simply rename your file and function — you’re done.

Next.js 16 completely re-engineers routing and navigation for leaner page transitions.

Key highlights:

Layout Deduplication: Shared layouts load once, even when prefetching multiple URLs.
Incremental Prefetching: Only fetches parts not already cached.
Smart Re-Prefetching: Automatically re-fetches invalidated data when links re-enter the viewport.

💡 Why it matters:
Large apps (think dashboards, analytics, HR portals) benefit massively — lower transfer sizes, faster navigation, and near-instant reloads between sections.

New and Improved Caching APIs

Next.js 16 refines how developers manage cache invalidation and freshness.

✅ revalidateTag() (Updated)

import { revalidateTag } from 'next/cache';
// Using built-in cacheLife profile
revalidateTag('blog-posts', 'max');
// Custom revalidation
revalidateTag('products', { revalidate: 3600 });

🆕 updateTag() (New)

For immediate “read-your-writes” consistency inside Server Actions:

'use server';
import { updateTag } from 'next/cache';
export async function updateUserProfile(userId, profile) {
  await db.users.update(userId, profile);
  updateTag(`user-${userId}`);
}

🆕 refresh() (New)

For refreshing uncached data without touching cached content.

💡 Why it matters:
You now have total control over cache lifecycle — perfect for user dashboards, analytics panels, or anything requiring instant feedback after an update.

React 19.2 Support and Compiler Integration

Next.js 16 ships with React 19.2 and full support for the React Compiler (automatic memoization).

Highlights include:

View Transitions for smooth animations between pages
useEffectEvent() for better effect logic isolation
for managing background UI states

To enable the compiler:

const nextConfig = {
  reactCompiler: true,
};
export default nextConfig;

And install the plugin:

npm install babel-plugin-react-compiler@latest

💡 Why it matters:
Automatic memoization means fewer unnecessary re-renders and smoother UIs — no manual useMemo or useCallback needed.

Next.js 15

Next.js 15 Release Candidate (RC) introduces a range of new features & improvements aimed at enhancing the development experience and performance of web applications. This release builds on the strengths of the previous version while at the same time introducing innovative capabilities that promise to streamline workflows and optimize application performance. Below is a detailed overview of the key updates in Next.js 15 RC.

`create-react-app` upgrades: cleaner UI, 700x faster build

Reformed design

❌From this:

✅To this:

Webpack → Turbopack

Turbopack: The fastest module builder in the world.

700x faster than Webpack
10x faster than Vite

And now with v15, adding it to your Next.js project is easier than ever before:

Typescript configs - next.config.ts

With Next.js 15, you can finally create the config file in TypeScript directly.

The NextConfig type enables editor IntelliSense for every possible option.

React Compiler, React 19 Support, and User-Friendly Errors

React Compiler

React Compiler is a React Compiler (who would have thought)

A modern compiler that understands your React code at a deep level

Bringing optimizations like automatic memoization, destroying the need for useCallback and useMemo in the vast majority of cases.

Saving time, preventing errors, and speeding things up.

And it’s really easy to set up: You just install babel-plugin-react-compiler:

And add this to next.config.js

React Server Actions (Stable with React 19)

Say goodbye to complex API routes.

Next.js 15 supports React Server Actions, allowing you to handle server logic directly inside your component files.

You declare them using a special "use server" directive.

"use server";

export async function submitContactForm(data) {
  await db.contact.insert(data);
}

Then call them from a


  "email" />
  "message"</span> />
  <button <span class="hljs-keyword">type</span>=<span class="hljs-string">"submit"</span>>Send</button>
</form>
</code></pre>
<p><strong>✅ Benefits:</strong></p>
<ul>
<li><p>Eliminates boilerplate API files</p>
</li>
<li><p>Fully type-safe and colocated</p>
</li>
<li><p>Keeps data handling strictly server-side</p>
</li>
<li><p>No need for fetch(), Axios, or client mutation libraries</p>
</li>
</ul>
<blockquote>
<p><em>💡 Server Actions unlock a more intuitive, secure, and maintainable full-stack pattern.</em></p>
</blockquote>
<h3 id="heading-react-server-components-rsc-less-javascript-more-speed">React Server Components (RSC): Less JavaScript, More Speed</h3>
<p>React Server Components allow you to fetch data and render UI on the server without sending any unnecessary JavaScript code to the client. They are server-only by default, which improves performance dramatically:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Server Component (default in `app/`)</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ProductList</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> products = <span class="hljs-keyword">await</span> fetchProducts();
  <span class="hljs-keyword">return</span> <ul>{products.map(<span class="hljs-function"><span class="hljs-params">p</span> =></span> <li key={p.id}>{p.name}<<span class="hljs-regexp">/li>)}</u</span>l>;
}
</code></pre>
<p><strong>✅ Benefits:</strong></p>
<ul>
<li><p>30–50% smaller JS bundles</p>
</li>
<li><p>No hydration costs</p>
</li>
<li><p>Co-locates data fetching with UI</p>
</li>
<li><p>Boosts Core Web Vitals (LCP, FID, etc.)</p>
</li>
</ul>
<blockquote>
<p><em>RSCs make your apps faster, more secure, and easier to scale.</em></p>
</blockquote>
<h3 id="heading-better-hydration-errors">Better hydration errors</h3>
<p>Dev quality of life means a lot, and error messages’ usefulness plays a big part in that.</p>
<p>Next.js sets the bar higher: now making intelligent suggestions on possible ways to fix the error:</p>
<p>Before v15:</p>
<p></p>
<p>Now:</p>
<p></p>
<p>You know I have had a tough time in the past from these hydration errors, so this will certainly be an invaluable one for me.</p>
<h2 id="heading-new-caching-behavior">New Caching Behavior</h2>
<p>No more automatic caching</p>
<p>For all:</p>
<ul>
<li><p><code>fetch()</code> requests</p>
</li>
<li><p>Route handlers: <code>GET</code>, <code>POST</code>, etc.</p>
</li>
<li><p><code><Link></code> client-side navigation.</p>
</li>
</ul>
<p>This change ensures that the data served is always fresh, reducing the chances of displaying outdated information to users. Next.js development company now has more control over caching behaviors, allowing for more precise optimization of application performance.</p>
<p>But if you still want to cache <code>fetch()</code>:</p>
<p></p>
<p>Then you can cache the others with some <code>next.config.js</code> options.</p>
<h2 id="heading-partial-prerendering-ppr">Partial Prerendering (PPR)</h2>
<p>PPR combines static and dynamic rendering on the same page</p>
<p>With PPR, you can wrap dynamic UI components in a Suspend boundary and opt in specific Layouts and Pages for partial prerendering. When a request comes in, Next.js will immediately serve a static HTML shell and then render and stream the dynamic parts in the same HTTP request.</p>
<p></p>
<p>All you need is this in <code>next.config.js</code>:</p>
<p></p>
<h2 id="heading-after">after</h2>
<p>Next.js 15 gives you a clean way to separate essential from non-essential tasks from every server request:</p>
<ul>
<li><p>Essential: Auth checks, DB updates, etc.</p>
</li>
<li><p>Non-essential: Logging, analytics, etc.</p>
</li>
</ul>
<p></p>
<p>Start using it now with <code>experimental.after</code>:</p>
<p></p>
<h2 id="heading-stable-app-router-with-layouts-and-nested-routing">Stable App Router with Layouts and Nested Routing</h2>
<p>Introduced in v13 and now fully stable, the /app directory in Next.js 15 gives you modular routing with nested layouts, co-located data fetching, and component-based architecture.</p>
<p><strong>📁 Folder structure:</strong></p>
<pre><code class="lang-typescript">app/
  layout.tsx
  page.tsx
  dashboard/
    layout.tsx
    page.tsx
</code></pre>
<p><strong>🎯 Why it matters:</strong></p>
<ul>
<li><p>Improved scalability for large apps</p>
</li>
<li><p>Built-in support for error boundaries and loading states</p>
</li>
<li><p>Cleaner structure that mirrors component trees</p>
</li>
</ul>
<p><strong>Ideal for</strong>: scalable dashboard, admin panels, and modular websites.</p>
<h2 id="heading-smarter-ltimage-gt-component">Smarter <Image /> Component</h2>
<p>The <code><Image /></code> component in Next.js 15 is now:</p>
<ul>
<li><p>Faster</p>
</li>
<li><p>Lighter</p>
</li>
<li><p>Easier to use</p>
</li>
</ul>
<p><strong>Enhancements:</strong></p>
<ul>
<li><p>Native <code>loading="lazy"</code></p>
</li>
<li><p>Blur/SVG placeholders</p>
</li>
<li><p>Better AVIF/WebP support</p>
</li>
</ul>
<pre><code class="lang-typescript"><Image
  src=<span class="hljs-string">"/banner.jpg"</span>
  alt=<span class="hljs-string">"Banner"</span>
  width={<span class="hljs-number">800</span>}
  height={<span class="hljs-number">400</span>}
  placeholder=<span class="hljs-string">"blur"</span>
/>
</code></pre>
<p><strong>✅ Benefits:</strong></p>
<ul>
<li><p>Improves LCP and CLS</p>
</li>
<li><p>No need for 3rd-party CDNs</p>
</li>
<li><p>Works out of the box</p>
</li>
</ul>
<h2 id="heading-edge-middleware-fast-personalized-routing">Edge Middleware: Fast, Personalized Routing</h2>
<p>Edge Middleware runs <strong>before</strong> a page is rendered and allows you to:</p>
<ul>
<li><p>Redirect by location or cookies</p>
</li>
<li><p>Block bots</p>
</li>
<li><p>Inject A/B testing logic</p>
</li>
</ul>
<pre><code class="lang-typescript"><span class="hljs-comment">// middleware.ts</span>
<span class="hljs-keyword">import</span> { NextResponse } <span class="hljs-keyword">from</span> <span class="hljs-string">'next/server'</span>;

<span class="hljs-keyword">export</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">middleware</span>(<span class="hljs-params">req</span>) </span>{
  <span class="hljs-keyword">const</span> country = req.geo?.country;
  <span class="hljs-keyword">if</span> (country === <span class="hljs-string">'FR'</span>) {
    <span class="hljs-keyword">return</span> NextResponse.redirect(<span class="hljs-keyword">new</span> URL(<span class="hljs-string">'/fr'</span>, req.url));
  }
  <span class="hljs-keyword">return</span> NextResponse.next();
}
</code></pre>
<p><strong>✅ Benefits:</strong></p>
<ul>
<li><p>Personalization without latency</p>
</li>
<li><p>Logic at the CDN edge</p>
</li>
<li><p>Great for internationalization and auth flows</p>
</li>
</ul>
<h2 id="heading-uselinkstatus">useLinkStatus</h2>
<p>The <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/use-link-status">useLinkStatus hook</a> was introduced in Next.js v15.3.0. It tracks the pending state in the Next.js Link component.</p>
<p>You can use it to provide inline visual feedback to the user, such as displaying spinners or text effects, while navigating to the new route.</p>
<p></p>
<p><strong>Key Features:</strong></p>
<ul>
<li><p>You can only use the useLinkStatus hook inside the Next.js Link Component.</p>
</li>
<li><p>Make sure to set the <code>prefetch={false}</code> in the Next.js Link component to use the useLinkStatus hook in your project.</p>
</li>
<li><p><code>useLinkStatus</code> hook is used to show the loading state during the navigation transitions.</p>
</li>
<li><p>The useLinkStatus must be used within a descendant of a Link component.</p>
</li>
<li><p>The useLinkStatus hook returns a pending boolean value</p>
</li>
<li><p>The useLinkStatus helps improve the user experience on slow networks</p>
</li>
</ul>
<p><strong>We use the useLinkStatus hook for:</strong></p>
<ul>
<li><p>The useLinkStatus hook is useful when prefetching (prefetch=false) is disabled in the Next.js Link component.</p>
</li>
<li><p>With the useLinkStatus hook, you want to show inline visual feedback during navigation</p>
</li>
</ul>
<h3 id="heading-how-does-the-uselinkstatus-hook-work">How does the useLinkStatus hook work?</h3>
<p>First, we create a loading indicator when we click on the link (navigation element) component. You can see the loading indicator in the link component.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// components/loading-indicator.tsx</span>

<span class="hljs-string">"use client"</span>;

<span class="hljs-keyword">import</span> { Loader2Icon } <span class="hljs-keyword">from</span> <span class="hljs-string">"lucide-react"</span>;
<span class="hljs-keyword">import</span> { useLinkStatus } <span class="hljs-keyword">from</span> <span class="hljs-string">"next/link"</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">LoadingIndicator</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> { pending } = useLinkStatus();
  <span class="hljs-keyword">return</span> pending ? <Loader2Icon className=<span class="hljs-string">"animate-spin"</span> /> : <span class="hljs-literal">null</span>;
}
</code></pre>
<p>Use the LoadingIndicator component inside the Link component. When the user clicks on the navigation, you will see the loading indicator.</p>
<pre><code class="lang-typescript"><Link
  href=<span class="hljs-string">"/"</span>
  className=<span class="hljs-string">"hover:underline hover:underline-offset-2"</span>
  prefetch={<span class="hljs-literal">false</span>}
>
  <Button className=<span class="hljs-string">"rounded"</span> size=<span class="hljs-string">"lg"</span>> 
    <HomeIcon className=<span class="hljs-string">"mr-2 h-4 w-4"</span> /> {<span class="hljs-comment">/* show icon */</span>}
    <LoadingIndicator /> {<span class="hljs-comment">/* Show the indicator */</span>}
    Home
  </Button>
</Link>
</code></pre>
<p>After combining the LoadingIndicator and Link components, your header component code looks like this.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// components/Header.tsx</span>

<span class="hljs-string">"use client"</span>;

<span class="hljs-keyword">import</span> Link <span class="hljs-keyword">from</span> <span class="hljs-string">"next/link"</span>;
<span class="hljs-keyword">import</span> LoadingIndicator <span class="hljs-keyword">from</span> <span class="hljs-string">"./loading-indicator"</span>;
<span class="hljs-keyword">import</span> { CircleUserRound, HomeIcon, NotebookPen } <span class="hljs-keyword">from</span> <span class="hljs-string">"lucide-react"</span>;
<span class="hljs-keyword">import</span> { Button } <span class="hljs-keyword">from</span> <span class="hljs-string">"@/components/ui/button"</span>;

<span class="hljs-keyword">export</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Header</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <header className=<span class="hljs-string">"container flex justify-center items-center p-4"</span>>
      <div className=<span class="hljs-string">"max-w-2xl flex gap-5 mx-auto"</span>>
        <Link
          href=<span class="hljs-string">"/"</span>
          className=<span class="hljs-string">"hover:underline hover:underline-offset-2"</span>
          prefetch={<span class="hljs-literal">false</span>}
        >
          <Button className=<span class="hljs-string">"rounded"</span> size=<span class="hljs-string">"lg"</span>>
            <HomeIcon className=<span class="hljs-string">"mr-2 h-4 w-4"</span> />
            <LoadingIndicator />
            Home
          </Button>
        </Link>
        <Link
          href=<span class="hljs-string">"/posts"</span>
          className=<span class="hljs-string">"hover:underline hover:underline-offset-2"</span>
          prefetch={<span class="hljs-literal">false</span>}
        >
          <Button className=<span class="hljs-string">"rounded"</span> size=<span class="hljs-string">"lg"</span>>
            <NotebookPen className=<span class="hljs-string">"mr-2 h-4 w-4"</span> />
            <LoadingIndicator />
            Posts
          </Button>
        </Link>
        <Link
          href=<span class="hljs-string">"/about"</span>
          className=<span class="hljs-string">"hover:underline hover:underline-offset-2"</span>
          prefetch={<span class="hljs-literal">false</span>}
        >
          <Button className=<span class="hljs-string">"rounded"</span> size=<span class="hljs-string">"lg"</span>>
            <CircleUserRound className=<span class="hljs-string">"mr-2 h-4 w-4"</span> />
            <LoadingIndicator />
            About
          </Button>
        </Link>
      </div>
    </header>
  );
}
</code></pre>
<p>Finally, use the header component in the <code>layout.tsx</code> file.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/layout.tsx </span>

<span class="hljs-keyword">import</span> <span class="hljs-string">"./globals.css"</span>;
<span class="hljs-keyword">import</span> { Header } <span class="hljs-keyword">from</span> <span class="hljs-string">"@/components/Header"</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">RootLayout</span>(<span class="hljs-params">{
  children,
}: Readonly<{
  children: React.ReactNode;
}></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <html suppressHydrationWarning={<span class="hljs-literal">true</span>} lang=<span class="hljs-string">"en"</span>>
      <body>
        <Header />
        {children}
      </body>
    </html>
  );
}
</code></pre>
<h1 id="heading-next-14">Next 14</h1>
<p>Next 14 was released on October 26, 2023, and during the <a target="_blank" href="https://www.youtube.com/watch?v=8q2q_820Sx4&t=1387s&ab_channel=Vercel">Next.js Conf</a>, Guillermo Rauch, the CEO, talked about the new features. One of the new features, termed “Partial Prerendering“, was introduced in the preview with the goal of providing both quick initial and dynamic visuals without sacrificing the developer experience.</p>
<p>Next.js 14 brings notable improvements to its TuporPack, the engine responsible for efficient compilation, now it is now faster. Furthermore, the stabilization of Server Actions and partial prerendering results in a better experience and better websites.</p>
<h2 id="heading-partial-pre-rendering">Partial Pre-rendering</h2>
<p>Partial prerendering is a technique that enhances the performance and user experience of dynamic web pages by extracting the static elements, such as logos, icons, page navigation, and fallbacks of dynamic slots. These elements are used to create a static shell, which can be delivered to users without delay. Meanwhile, the server continues to load the dynamic content in the background and displays it progressively when ready. With the ongoing debate between SSR and SSG, Next.js has decided to bring you the benefits of both worlds.</p>
<p>Here is the <code>app/CatFacts.tsx</code> file, which includes a component that interacts with a public API and showcases captivating cat facts from its response:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">await</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Promise</span>(<span class="hljs-function"><span class="hljs-params">resolve</span> =></span> <span class="hljs-built_in">setTimeout</span>(resolve, <span class="hljs-number">1000</span>));

  <span class="hljs-comment">// call public API to retrieve cat facts and ensure cache is disabled</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'https://cat-fact.herokuapp.com/facts/'</span>, { cache: <span class="hljs-string">'no-store'</span> });

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">CatFacts</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();

  <span class="hljs-keyword">return</span> (
    <ul className=<span class="hljs-string">"list-disc"</span>>
      {data.map(<span class="hljs-function">(<span class="hljs-params">{ text, _id }: { text: <span class="hljs-built_in">string</span>; _id: <span class="hljs-built_in">string</span> }</span>) =></span> (
        <li key={_id}>{text}</li>
      ))}
    </ul>
  );
}
</code></pre>
<p>Here is the fallback display of the <code>CatFacts</code> component before the page is rendered, available in the <code>app/CatFactsSkeleton.tsx</code> file.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">CatFactsSkeleton</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> <p>Loading Cat Facts...</p>
}
</code></pre>
<p>Here is the modified <code>app/page.tsx</code> file, which displays the <code>CatFacts</code> component, along with its fallback UI.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">import</span> { Suspense } <span class="hljs-keyword">from</span> <span class="hljs-string">'react'</span>;
<span class="hljs-keyword">import</span> CatFacts <span class="hljs-keyword">from</span> <span class="hljs-string">'./CatFacts'</span>;
<span class="hljs-keyword">import</span> CatFactsSkeleton <span class="hljs-keyword">from</span> <span class="hljs-string">'./CatFactsSkeleton'</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <Suspense fallback={<CatFactsSkeleton />}>
        <CatFacts />
      </Suspense>
    </main>
  );
}
</code></pre>
<p>Build the production version of the app:</p>
<pre><code class="lang-typescript">% yarn build
yarn run v1<span class="hljs-number">.22</span><span class="hljs-number">.10</span>
warning ../package.json: No license field
$ next build
   ▲ Next.js <span class="hljs-number">14.1</span><span class="hljs-number">.1</span>-canary<span class="hljs-number">.17</span>

   Creating an optimized production build ...
 ✓ Compiled successfully
 ✓ Linting and checking validity <span class="hljs-keyword">of</span> types    
 ✓ Collecting page data    
 ✓ Generating <span class="hljs-keyword">static</span> pages (<span class="hljs-number">5</span>/<span class="hljs-number">5</span>) 
 ✓ Collecting build traces    
 ✓ Finalizing page optimization    

Route (app)                              Size     First Load JS
┌ λ /                                    <span class="hljs-number">136</span> B          <span class="hljs-number">85.1</span> kB
└ ○ /_not-found                          <span class="hljs-number">885</span> B          <span class="hljs-number">85.9</span> kB
+ First Load JS shared by all            <span class="hljs-number">85</span> kB
  ├ chunks/<span class="hljs-number">54</span><span class="hljs-number">-42</span>de27d3a1832522.js        <span class="hljs-number">29.8</span> kB
  ├ chunks/fd9d1056<span class="hljs-number">-9e0</span>d44545602dadc.js  <span class="hljs-number">53.4</span> kB
  └ other shared chunks (total)          <span class="hljs-number">1.86</span> kB


○  (Static)   prerendered <span class="hljs-keyword">as</span> <span class="hljs-keyword">static</span> content
λ  (Dynamic)  server-rendered on demand using Node.js

✨  Done <span class="hljs-keyword">in</span> <span class="hljs-number">13.16</span>s.
jenniferfu<span class="hljs-meta">@jenniferfu</span> my-next-app % yarn start
yarn run v1<span class="hljs-number">.22</span><span class="hljs-number">.10</span>
warning ../package.json: No license field
$ next start
   ▲ Next.js <span class="hljs-number">14.1</span><span class="hljs-number">.1</span>-canary<span class="hljs-number">.17</span>
   - Local:        http:<span class="hljs-comment">//localhost:3000</span>

 ✓ Ready <span class="hljs-keyword">in</span> <span class="hljs-number">394</span>ms
</code></pre>
<p>Execute the command <code>yarn start</code> to start the production server. Instantly, the fallback UI appears, followed by the <code>CatFacts</code> component once it is rendered.</p>
<p></p>
<p>Generate a Lighthouse report to analyze and audit the web page,and it shows a flawless performance score:</p>
<p></p>
<h2 id="heading-turbo-mode">Turbo Mode</h2>
<p><a target="_blank" href="https://turbo.build/pack">Turbopack</a> is an innovative bundler specifically designed for JavaScript and TypeScript, developed in Rust by the creators of Webpack and Next.js. It serves as a compelling alternative to Webpack, offering substantial improvements in cold start and Hot Module Replacement (HMR) performance.</p>
<p>The exceptional performance of Turbopack can be attributed to two primary factors. First, it leverages highly optimized machine code to ensure efficient execution. Second, it incorporates a sophisticated low-level incremental computation engine that enables caching at the granularity of individual functions. As a result, once Turbopack completes a task, it never needs to repeat it. With Turbopack, we can significantly enhance the speed of an application’s startup and seamlessly handle module updates during development.</p>
<p>The following execution demonstrates that a cold start of the out-of-box application typically takes <code>1886</code> milliseconds without Turbopack:</p>
<pre><code class="lang-typescript">% yarn dev  
yarn run v1<span class="hljs-number">.22</span><span class="hljs-number">.10</span>
warning ../package.json: No license field
$ next dev
   ▲ Next.js <span class="hljs-number">14.1</span><span class="hljs-number">.0</span>
   - Local:        http:<span class="hljs-comment">//localhost:3000</span>

 ✓ Ready <span class="hljs-keyword">in</span> <span class="hljs-number">1886</span>ms
</code></pre>
<p>The following execution shows that the cold start can be reduced to <code>915ms</code> with Turbopack:</p>
<pre><code class="lang-typescript">% yarn dev --turbo
yarn run v1<span class="hljs-number">.22</span><span class="hljs-number">.10</span>
warning ../package.json: No license field
$ next dev --turbo
   ▲ Next.js <span class="hljs-number">14.1</span><span class="hljs-number">.0</span> (turbo)
   - Local:        http:<span class="hljs-comment">//localhost:3000</span>

 ✓ Ready <span class="hljs-keyword">in</span> <span class="hljs-number">915</span>ms
</code></pre>
<p>The performance enhancement reaches a significant 51.5%, nearly matching the official benchmark achieved with Turbopack:</p>
<ul>
<li><p>Up to 53.3% faster local server startup</p>
</li>
<li><p>Up to 94.7% faster code updates with Fast Refresh</p>
</li>
</ul>
<p>Turpoback has successfully completed over 5000 integration tests for App and Pages Router, accounting for <a target="_blank" href="https://areweturboyet.com/">92.6% of the total tests</a>. Once it achieves 100% pass rates, Turpopack will be considered stable and will be released in an upcoming minor release.</p>
<h2 id="heading-stable-server-actions">Stable Server Actions</h2>
<p>Server Actions, also known as Server Side Rendering (SSR) functions, were introduced in Next.js 13 but they had some bugs and stability issues. In Next.js 14, Server Actions have reached production stability.</p>
<p>Developers can now define reusable server-side logic directly in their React components. This provides a seamless way to handle data fetching, API requests, and other server-side tasks without having to create separate API route files. It’s a game-changer for the developer experience. The stability improvements in Next.js 14 make it ready for production use cases. Error handling is also improved with consistent error messages.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/page.tsx</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">create</span>(<span class="hljs-params">formData: FormData</span>) </span>{
    <span class="hljs-string">'use server'</span>;
    <span class="hljs-keyword">await</span> db.form.insertOne({ formData });
  }
  <span class="hljs-keyword">return</span> (
    <form action={create}>
      <input <span class="hljs-keyword">type</span>=<span class="hljs-string">"text"</span> name=<span class="hljs-string">"name"</span> />
      <button <span class="hljs-keyword">type</span>=<span class="hljs-string">"submit"</span>>Submit</button>
    </form>
  );
}
</code></pre>
<h2 id="heading-app-router-data-fetching-amp-streaming">App Router, Data Fetching & Streaming</h2>
<p>Next.js, powered by <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/rendering/server-components">React Server Components</a>, revolutionizes web development by providing unparalleled features such as shared layouts, nested routing, loading states, error handling, and a plethora of other capabilities. To bring this visionary concept to life, Next.js relies on three essential parts:</p>
<ul>
<li><p>The App Router</p>
</li>
<li><p>Data Fetching System</p>
</li>
<li><p>Streaming Architecture</p>
</li>
</ul>
<h3 id="heading-the-app-router">The App Router</h3>
<p>The App Router is a built-in router system that defines and handles routes in a Next.js application. It is responsible for mapping URLs to specific pages or components in the application. The App Router enhances the overall user experience. Its introduction in Next.js 13.4 firmly established its credibility, earning it recommendations ever since.</p>
<p>The App Router, located in the <code>app</code> directory, utilizes a folder structure that mirrors the segments of a URL path for seamless routing. It accommodates nested routes by organizing folders within one another. Furthermore, apart from designated files, we can conveniently place our own files (such as components, styles, tests, etc.) within the <code>app</code> directory’s folders.</p>
<p><a target="_blank" href="https://medium.com/render-beyond/mastering-next-js-c7cba322a103">https://medium.com/render-beyond/mastering-next-js-c7cba322a103</a></p>
<h3 id="heading-streaming-architecture">Streaming Architecture</h3>
<p>Streaming architecture allows for incremental rendering and delivering components to the client as soon as they are ready. It provides faster page loading times by breaking down the rendering process into smaller chunks and streaming them to the client progressively. With streaming architecture, Next.js takes advantage of the streaming capabilities of Node.js and the HTTP/2 protocol to send the rendered content to the client in chunks, allowing the user to see and interact with the page while it is fetching data.</p>
<h3 id="heading-data-fetching-system">Data Fetching System</h3>
<p>Next.js 14 introduces an improved data fetching system, aimed at enhancing the developer experience when working with data mutations. This system eliminates the need for manually creating an API route. Rather than creating an additional file, developers can simply define a server-side function in the component file and call it directly from a React component. This update effectively simplifies the data fetching workflow and allows for more efficient development.</p>
<p>Below is the modified <code>app/page.tsx</code> file that defines the server-side function <code>getData</code>, which fetches cat facts from a public API <a target="_blank" href="https://cat-fact.herokuapp.com/facts/"><code>https://cat-fact.herokuapp.com/facts/</code></a>. The <code>Home</code> component calls <code>getData</code> directly without writing an extra API route.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to fetch cat facts</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'https://cat-fact.herokuapp.com/facts/'</span>);

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {data.map(<span class="hljs-function">(<span class="hljs-params">{ text, _id }: { text: <span class="hljs-built_in">string</span>; _id: <span class="hljs-built_in">string</span> }</span>) =></span> (
          <li key={_id}>{text}</li>
        ))}
      </ul>
    </main>
  );
}
</code></pre>
<p>Execute the command <code>yarn dev --turbo</code>, and we see cat facts at <a target="_blank" href="http://localhost:3000"><code>http://localhost:3000</code></a>.</p>
<p></p>
<p>What if there is an error in retrieving data?</p>
<p>Change the fetch URL to <a target="_blank" href="https://cat-fact.herokuapp_error.com/facts/"><code>https://cat-fact.herokuapp_error.com/facts/</code></a>, and we see the following error in the browser:</p>
<pre><code class="lang-typescript">Unhandled Runtime <span class="hljs-built_in">Error</span>
<span class="hljs-built_in">Error</span>: Failed to fetch data

Call Stack
getData
/Users/jenniferfu/my-next-app/.next/server/chunks/[root <span class="hljs-keyword">of</span> the server]__9d686c._.js (<span class="hljs-number">87</span>:<span class="hljs-number">15</span>)
process.processTicksAndRejections
node:internal/process/task_queues (<span class="hljs-number">95</span>:<span class="hljs-number">5</span>)
<span class="hljs-keyword">async</span> Home
/Users/jenniferfu/my-next-app/.next/server/chunks/[root <span class="hljs-keyword">of</span> the server]__9d686c._.js (<span class="hljs-number">92</span>:<span class="hljs-number">18</span>)
</code></pre>
<p>The data fetching system not only retrieves data but also incorporates caching and invalidation capabilities. Let’s provide examples illustrating the functioning of data caching.</p>
<ol>
<li><strong>Caches by default</strong></li>
</ol>
<p>Next.js includes a convenient built-in data cache that stores the results of data fetched from incoming server requests and deployments. By default, a fetch result is stored in the data cache on the server to improve performance and prevent unnecessary re-fetching of data.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// 'force-cache' is the default, and can be omitted</span>
fetch(<span class="hljs-string">'https://...'</span>, { cache: <span class="hljs-string">'force-cache'</span> })
</code></pre>
<p>In the following <code>app/page.tsx</code> file, we have used the public API <a target="_blank" href="http://www.randomnumberapi.com/api/v1.0/random"><code>http://www.randomnumberapi.com/api/v1.0/random</code></a> to generate a unique random number each time it is called. In addition, we have implemented a component to combine the results of two API calls.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to fetch a random number</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>);

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API twice inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();
  <span class="hljs-keyword">const</span> data2 = <span class="hljs-keyword">await</span> getData();

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {[...data, ...data2].map((<span class="hljs-function">(<span class="hljs-params">value: <span class="hljs-built_in">number</span>, id: <span class="hljs-built_in">number</span></span>) =></span> (
          <li key={id}>{value}</li>
        )))}
      </ul>
    </main>
  );
}
</code></pre>
<p>When executing the command <code>yarn dev --turbo</code>, it appears that the random number generated remains the same with each call. Additionally, the data persists even when the browser is refreshed, which may not be the desired behavior.</p>
<p></p>
<ol start="2">
<li><strong>Disabling caching</strong></li>
</ol>
<p>We have the option of <code>'no-store'</code> to disable caching.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Opt out of caching for an individual fetch request</span>
fetch(<span class="hljs-string">'https://...'</span>, { cache: <span class="hljs-string">'no-store'</span> })
</code></pre>
<p>Here is the modified <code>app/page.tsx</code> file:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to retrieve a random number and ensure cache is disabled</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>, { cache: <span class="hljs-string">'no-store'</span> });

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API twice inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();
  <span class="hljs-keyword">const</span> data2 = <span class="hljs-keyword">await</span> getData();

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {[...data, ...data2].map((<span class="hljs-function">(<span class="hljs-params">value: <span class="hljs-built_in">number</span>, id: <span class="hljs-built_in">number</span></span>) =></span> (
          <li key={id}>{value}</li>
        )))}
      </ul>
    </main>
  );
}
</code></pre>
<p>When executing the command <code>yarn dev --turbo</code>, we observe that the random number changes with each call.</p>
<p></p>
<p>Alternatively, we can opt out of caching for a specific route segment, using the route segment config options.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> dynamic = <span class="hljs-string">'force-dynamic'</span>; <span class="hljs-comment">// disable caching</span>

<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call public API to fetch a random number</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>);

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}
</code></pre>
<ol start="3">
<li><strong>Time-based revalidation</strong></li>
</ol>
<p>We can also implement time-based revalidation to automatically fetch data after a specified interval. This approach proves beneficial for data that undergoes infrequent changes, where maintaining absolute real-time freshness is not as crucial.</p>
<p>Here is the modified <code>app/page.tsx</code> file:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to fetch a random number, and ensure its revalidation after one second</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>, { next: { revalidate: <span class="hljs-number">1</span> } });

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API twice inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();
  <span class="hljs-keyword">const</span> data2 = <span class="hljs-keyword">await</span> getData();

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {[...data, ...data2].map((<span class="hljs-function">(<span class="hljs-params">value: <span class="hljs-built_in">number</span>, id: <span class="hljs-built_in">number</span></span>) =></span> (
          <li key={id}>{value}</li>
        )))}
      </ul>
    </main>
  );
}
</code></pre>
<p>To confirm, run the command <code>yarn dev --turbo</code> and observe that the random number remains constant for sequential calls made within a 1-second timeframe.</p>
<p></p>
<p>However, the random numbers will change after a second by simply refreshing the browser.</p>
<p></p>
<ol start="4">
<li><strong>Revalidating tags</strong></li>
</ol>
<p>The <code>revalidateTag</code> API provides a convenient way to instantly invalidate cached data for a specific cache tag. Its tag parameter is expected to be a string that consists of 256 characters or less.</p>
<pre><code class="lang-typescript">revalidateTag(tag: <span class="hljs-built_in">string</span>): <span class="hljs-built_in">void</span>;
</code></pre>
<p>Tags is an array of strings defined in the fetch request:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// define a list of tags</span>
fetch(url, { next: { tags: [<span class="hljs-string">'tag1'</span>, <span class="hljs-string">'tag2'</span>, ...] } });
</code></pre>
<p>Below is the modified <code>app/page.tsx</code> file, where the fetch request is tagged as <code>'number'</code>, and the cache is cleared after each fetch.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">import</span> { revalidateTag } <span class="hljs-keyword">from</span> <span class="hljs-string">'next/cache'</span>;

<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to fetch a random number, and label the response with the tag 'number'</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>, { next: { tags: [<span class="hljs-string">'number'</span>] } });

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call API inside the React component</span>
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();
  revalidateTag(<span class="hljs-string">'number'</span>); <span class="hljs-comment">// revalidate the data cache</span>
  <span class="hljs-keyword">const</span> data2 = <span class="hljs-keyword">await</span> getData();
  revalidateTag(<span class="hljs-string">'number'</span>); <span class="hljs-comment">// revalidate the data cache</span>

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {[...data, ...data2].map((<span class="hljs-function">(<span class="hljs-params">value: <span class="hljs-built_in">number</span>, id: <span class="hljs-built_in">number</span></span>) =></span> (
          <li key={id}>{value}</li>
        )))}
      </ul>
    </main>
  );
}
</code></pre>
<p>When executing the command <code>yarn dev --turbo</code>, we observe that the random number changes with every call.</p>
<p></p>
<ol start="5">
<li><strong>Revalidating path</strong></li>
</ol>
<p>Alternatively, the <code>revalidatePath</code> function can also be utilized to manually refresh cached data for a specific path.</p>
<pre><code class="lang-typescript">revalidatePath(path: <span class="hljs-built_in">string</span>, <span class="hljs-keyword">type</span>?: <span class="hljs-string">'page'</span> | <span class="hljs-string">'layout'</span>): <span class="hljs-built_in">void</span>;
</code></pre>
<ul>
<li><p><code>path</code>: It is either a string representing the filesystem path associated with the data to revalidate (for example, <code>/product/[slug]/page</code>), or the literal route segment (for example, <code>/product/123</code>). It must be less than 1024 characters.</p>
</li>
<li><p><code>type</code> (optional): It is a string of <code>'page'</code> or <code>'layout'</code> to specify the type of path to revalidate. If <code>path</code> contains a dynamic segment (for example, <code>/product/[slug]/page</code>), this parameter is required.</p>
</li>
</ul>
<p>Below is the modified <code>app/page.tsx</code> file, where the cache of the data path <code>/</code> is cleared after each fetch.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">import</span> { revalidatePath } <span class="hljs-keyword">from</span> <span class="hljs-string">'next/cache'</span>;

<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">getData</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-comment">// call the public API to fetch a random number</span>
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'http://www.randomnumberapi.com/api/v1.0/random'</span>);

  <span class="hljs-keyword">if</span> (!res.ok) {
    <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Failed to fetch data'</span>);
  }

  <span class="hljs-keyword">return</span> res.json();
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> getData();
  revalidatePath(<span class="hljs-string">'/'</span>); <span class="hljs-comment">// revalidate the data path /</span>
  <span class="hljs-keyword">const</span> data2 = <span class="hljs-keyword">await</span> getData();
  revalidatePath(<span class="hljs-string">'/'</span>); <span class="hljs-comment">// revalidate the data path /</span>

  <span class="hljs-keyword">return</span> (
    <main className=<span class="hljs-string">"flex items-center p-24"</span>>
      <ul className=<span class="hljs-string">"list-disc"</span>>
        {[...data, ...data2].map((<span class="hljs-function">(<span class="hljs-params">value: <span class="hljs-built_in">number</span>, id: <span class="hljs-built_in">number</span></span>) =></span> (
          <li key={id}>{value}</li>
        )))}
      </ul>
    </main>
  );
}
</code></pre>
<p>When executing the command <code>yarn dev --turbo</code>, we observe that the random number changes with every call.</p>
<p></p>
<ol start="6">
<li><strong>Stable APIs</strong></li>
</ol>
<p>Server actions are deeply integrated into the entire App Router model. Here is the summary of the server API calls:</p>
<ul>
<li><p>Revalidate cached data with <code>revalidatePath()</code> or <code>revalidateTag()</code></p>
</li>
<li><p>Redirect to different routes through <code>redirect()</code></p>
</li>
<li><p>Set and read cookies through <code>cookies()</code></p>
</li>
<li><p>Handle optimistic UI updates with <code>useOptimistic()</code></p>
</li>
<li><p>Catch and display errors from the server with <code>useFormState()</code></p>
</li>
<li><p>Display loading states on the client with <code>useFormStatus()</code></p>
</li>
</ul>
<h2 id="heading-metadata-improvements">Metadata Improvements</h2>
<p>Before your page content can be streamed from the server, there is important metadata about the viewport, color scheme, and theme that needs to be sent to the browser first.</p>
<p>Ensuring these meta tags are sent with the initial page content helps a smooth experience, preventing the page from flickering by changing the theme color or shifting layout due to viewport changes.</p>
<p>In Next.js 14, decoupled blocking and non-blocking metadata. Only a small subset of metadata options are blocking, and Next.js wants to make sure non-blocking metadata will not prevent a partially pre-rendered page from serving the static shell.</p>
<p>The following metadata options are now deprecated and will be removed from metadata in a future major version:</p>
<ul>
<li><p><code>viewport</code>: Sets the initial zoom and other properties of the viewport</p>
</li>
<li><p><code>colorScheme</code>: Sets the support modes (light/dark) for the viewport</p>
</li>
<li><p><code>themeColor</code>: Sets the color the chrome around the viewport should render with</p>
</li>
</ul>
<h2 id="heading-image-optimization-and-image-component">Image Optimization and Image Component</h2>
<p>Next.js 14 introduces an enhanced and flexible image optimization feature, streamlining the process of optimizing images automatically. Here’s a brief overview of how Next.js facilitates image optimization:</p>
<ol>
<li><strong>Prioritizing Image Loading</strong></li>
</ol>
<p>Next.js intelligently prioritizes image loading. Images within the viewport are loaded first, providing a faster initial page load, and images below are loaded asynchronously as the user scrolls down.</p>
<ol start="2">
<li><strong>Dynamic Sizing and Format Selection</strong></li>
</ol>
<p>The Image component in Next.js dynamically selects the right size and format based on the user’s bandwidth and device resources. This ensures that users receive appropriately sized and optimized images.</p>
<ol start="3">
<li><strong>Responsive Image Resizing</strong></li>
</ol>
<p>Next.js simplifies responsive image handling by automatically resizing images as needed. This responsive design approach ensures that images adapt to various screen sizes, further enhancing the overall user experience.</p>
<ol start="4">
<li><strong>Support for Next-Gen Formats (WebP):</strong></li>
</ol>
<p>The image optimization in Next.js extends to supporting next-generation image formats like WebP. This format, known for its superior compression and quality, is automatically utilized by the Image component when applicable.</p>
<ol start="5">
<li><strong>Preventing Cumulative Layout Shifts:</strong></li>
</ol>
<p>To enhance visual stability and prevent layout shifts, Next.js incorporates placeholders for images. These placeholders serve as temporary elements until the actual images are fully loaded, avoiding disruptions in the layout.</p>
<p>Additionally, Next.js 14 enhances performance by efficiently handling font downloads. The framework optimizes the download process for fonts from sources such as Next/font/google.</p>
<h2 id="heading-automatic-code-splitting">Automatic code splitting</h2>
<p>Automatic code splitting in Next.js 14 is a powerful technique that significantly contributes to optimizing web performance. As discussed in the <a target="_blank" href="https://calibreapp.com/blog/nextjs-performance#dynamically-load-client-side-code-to-reduce-first-load-javascript">Calibre blog post</a>, dynamic imports, also known as code-splitting, play a key role in this process.</p>
<p>Code-splitting results in breaking JS bundles into smaller, more manageable chunks. Users only download what’s necessary, leading to a more efficient use of bandwidth. With less JS, the performance on slower devices sees a notable improvement.</p>
<p>Another insightful article on <a target="_blank" href="https://www.builder.io/blog/fast-to-faster-what-you-need-to-do-to-improve-performance-in-nextjs">Builder.io</a> expands on the two methods of code-splitting in Next.js:</p>
<p><strong>Route-based splitting</strong>: By default, Next.js splits JavaScript into manageable chunks for each route. As users interact with different UI elements, the associated code chunks are sent, reducing the amount of code to be parsed and compiled at once.</p>
<p><strong>Component-based splitting:</strong> Developers can optimize even further on a component level. Large components can be split into separate chunks, allowing non-critical components or those rendering only on specific UI interactions to be lazily loaded as needed.</p>
<p>These approaches collectively contribute to a more efficient, faster, and user-friendly web application experience, aligning with the continuous efforts to enhance performance in Next.js 14.</p>
<p><a target="_blank" href="https://medium.com/render-beyond/mastering-next-js-c7cba322a103">https://medium.com/render-beyond/mastering-next-js-c7cba322a103</a></p>
<p><a target="_blank" href="https://medium.com/@sassenthusiast/my-epiphany-with-next-js-14s-server-components-08f69a2c1414">https://medium.com/@sassenthusiast/my-epiphany-with-next-js-14s-server-components-08f69a2c1414</a></p>
<h1 id="heading-nextjs-13">Next.js 13</h1>
<p>The Vercel team posted a major announcement on their blog about the release of Next.js 13.4. To provide more context about why this is such an important release, we need to understand how the Vercel team handles releases to the public. Next.js 13 introduced so many new features, but most of them have remained in the alpha & beta versions, even though they were included in the major release.</p>
<p>So despite the fact that Next.js dropped some major new upgrades in Version 13 last October, the features have not quite been ready for prime time. Those changes in Next.js 13.4! The new 13.4 release finally provides a stable release of one of the most important new features: the App Router.</p>
<p>In this section, we will dive into some of the new features and improvements that come with this release. From the first stable release of the new app directory and app router to the latest advancements in Turpoback, there is a lot to be excited about. Let’s get started.</p>
<h2 id="heading-the-new-app-router">The New App Router</h2>
<p>As mentioned, Next.js 13.4 is the first release that takes the new app directory and app router features out of beta!</p>
<p>As someone who has been playing with these features in sample projects, I can tell you that I have been getting antsy waiting to use them in production because they make the development experience in Next that much better.</p>
<p>Also, perhaps symbolic of the importance of this release, the Next.js <a target="_blank" href="https://nextjs.org/docs">document site</a> has a major update to make the App Router the default! You can now toggle the docs between the new app Router and the previous Page Router.</p>
<p></p>
<p>Below, we will do a quick recap of the app router by diving into some of the main features.</p>
<h3 id="heading-routing-in-the-app-directory">Routing in the app directory</h3>
<p></p>
<p>Routing in the new app directory is as simple as adding the <code>page.tsx</code> file that exports a React function component. The routing of the application is defined by the hierarchy of your folders within the app directory. For example, creating a page at the / route is as easy as adding a file page.tsx file at the root of the app directory.</p>
<pre><code class="lang-typescript">.
└── app/
    └── page.tsx
</code></pre>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> <SomeJsx />
}
</code></pre>
<p>Next, let’s show how we can create more complex application routes using the new app router:</p>
<pre><code class="lang-typescript">.
└── app/
    ├── page.tsx
    ├── about/
    │   ├── page.tsx
    │   └── layout.tsx
    └── articles/
        └── article/
            └── [id]/
                ├── page.tsx
                ├── layout.tsx
                └── components/
                    ├── BlogArticle.tsx
                    └── Author.tsx
</code></pre>
<p>As you can see above, we are able to create a simple route such as <code>/about</code>, as well as create more complex routes like <code>/articles/article/12345</code> using Next.js’ <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/routing/dynamic-routes">dynamic routes</a>.</p>
<p>With the new App Router, our pages can make use of <a target="_blank" href="https://react.dev/blog/2023/03/22/react-labs-what-we-have-been-working-on-march-2023#react-server-components">React Server Components</a>, which allows us to simplify data fetching using the familiar async/await syntax.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> res = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">'https://api.example.com/...'</span>);
  <span class="hljs-keyword">const</span> data = res.json();
  <span class="hljs-keyword">return</span> <span class="hljs-string">'...'</span>;
}
</code></pre>
<p>In Next.js 13, files are server components by default. You can opt into client components by including the <code>'use client'</code> directive at the top of your module.</p>
<pre><code class="lang-typescript"><span class="hljs-string">'use client'</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ClientComponent</span>(<span class="hljs-params">{ id }: ArticleProps</span>) </span>{
  useEffect(<span class="hljs-function">() =></span> { <span class="hljs-comment">//... }, [])</span>
  <span class="hljs-keyword">return</span> <span class="hljs-comment">//...</span>
}
</code></pre>
<p>Also, notice in our sample file tree above, we added components to our blog article folder. This was difficult in previous versions of Next.js because all files within the page directory were considered pages. Next.js 13 makes this a nicer experience by enforcing special file names for <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/routing/pages-and-layouts">layout, page, template</a>, etc.</p>
<h3 id="heading-route-segment-configuration">Route segment configuration</h3>
<p>Our pages can also export route segments that allow us to control how the pages render. One common practice in Next.js is to statically generate pages. We run into an issue when we use dynamic params, though. How would Next.js know what pages to statically generate? We can make use of <code>generateStaticParams</code> to solve this.</p>
<p>In the example below, we export an async function called <code>generateStaticParams</code> that loads all of our blog articles and returns an array of objects with a property that matches the name of our dynamic route segment, in this case <code>id</code>. Next.js will use this to statically generate pages for each of our blog articles.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/articles/article/[id]/page.tsx</span>
<span class="hljs-keyword">type</span> ArticleProps = Pick<Article, <span class="hljs-string">'id'</span>>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params">{ id }: ArticleProps</span>) </span>{
  <span class="hljs-keyword">const</span> article = <span class="hljs-keyword">await</span>(<span class="hljs-keyword">await</span> fetchArticleById(id)).json();
  <span class="hljs-keyword">return</span> <BlogArticle article={article} />
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">generateStaticParams</span>(<span class="hljs-params"></span>): <span class="hljs-title">ArticleProps</span>[] </span>{
  <span class="hljs-keyword">const</span> articles = <span class="hljs-keyword">await</span>(<span class="hljs-keyword">await</span> fetchArticles()).json();
  <span class="hljs-keyword">return</span> articles.map(<span class="hljs-function"><span class="hljs-params">article</span> =></span> ({ id: article.id }))
}
</code></pre>
<p>Next.js 13 gives us several route <a target="_blank" href="https://nextjs.org/docs/app/api-reference/file-conventions/route-segment-config">segment configuration</a> options to control how Next.js renders the page. Aside from <code>generateStaticParams</code>, the most commonly used route segment configuration that I’ve been using is <code>revalidate</code>. When combined with Static Site Generation (SSG), revalidate allows you to control how of the page will get regenerated.</p>
<p>Building on our previous example, we can set revalidate to 60 seconds to rebuild the page every 60 seconds. Note that it’s a bit more nuanced than that, so make sure to read up on ISR on the Next.js documentation site.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/articles/article/page.tsx</span>
<span class="hljs-keyword">type</span> ArticleProps = Pick<Article, <span class="hljs-string">'id'</span>>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params">{ id }: ArticleProps</span>) </span>{
  <span class="hljs-keyword">const</span> article = <span class="hljs-keyword">await</span>(<span class="hljs-keyword">await</span> fetchArticleById(id)).json();
  <span class="hljs-keyword">return</span> <BlogArticle article={article} />
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">generateStaticParams</span>(<span class="hljs-params"></span>): <span class="hljs-title">ArticleProps</span>[] </span>{
  <span class="hljs-keyword">const</span> articles = <span class="hljs-keyword">await</span>(<span class="hljs-keyword">await</span> fetchArticles()).json();
  <span class="hljs-keyword">return</span> articles.map(<span class="hljs-function"><span class="hljs-params">article</span> =></span> ({ id: article.id }))
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> revalidate = <span class="hljs-number">60</span>
</code></pre>
<p>We can tell Next.js not to render pages for IDs that are not returned in generateStaticParams by making use of the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/file-conventions/route-segment-config#dynamicparams">dynamicParams route segment configuration</a>.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">export</span> dynamicParams = <span class="hljs-literal">false</span>
</code></pre>
<p>Finally, we can force the page to generate statically or dynamically, depending on our use case. For example, if we have a page that is making use of query params, we may want it to be dynamically server rendered when the page is requested using the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/file-conventions/route-segment-config#dynamic">dynamic route segment</a>.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">export</span> dynamic = <span class="hljs-string">'force-dynamic'</span>
<span class="hljs-comment">// or: 'auto' | 'force-dynamic' | 'error' | 'force-static'</span>
</code></pre>
<h3 id="heading-layouts-and-templates">Layouts and Templates</h3>
<p>Along with pages, Next.js 13 also introduced special files for layouts and templates. In the example above, you may have noticed that we include several <code>layout.tsx</code> files at the various levels of the folder hierarchy. We created a root-level <code>layout.tsx</code>, which is a typical practice in Next.js 13.</p>
<p>Within the root layout, we can create the HTML document, add scripts and other content to the head, provide semantic structure, and wrap the app in providers. We no longer have to make use of the special <code><Head /></code> and <code><Script /></code> components from previous versions of Next. We can also add metadata here, but Next.js 13.2 introduced a new dynamic <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/optimizing/metadata#dynamic-metadata">Metadata API</a> for this that we will cover in another article.</p>
<p>Note that layouts and pages should typically be server components, so you should avoid forcing them to be client components by adding hooks or other client-only functionality.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/layout.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">RootLayout</span>(<span class="hljs-params">{ children }</span>) </span>{
  <span class="hljs-keyword">return</span> (
    <html lang=<span class="hljs-string">"en"</span>>
      <head>
        <script><span class="hljs-comment">//...</script></span>
      </head>
      <body>
        <main>
           <AppProvider>{children}</AppProvider>
        </main>      
      </body>
    </html>
  );
}

<span class="hljs-comment">// app/page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> <span class="hljs-comment">//...;</span>
}
</code></pre>
<p>Layout files can be added at each level of the app directory’s hierarchy to apply more specific layouts to different parts of the application. For example, let’s say that we want to add a specific AppWrapper surrounding our blog articles. We can add a new <code>layout.tsx</code> file to the <code>/app/articles/article/[id]</code> directory next to the <code>page.tsx</code> file.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/articles/article/[id]/layout.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">RootLayout</span>(<span class="hljs-params">{ children }</span>) </span>{
  <span class="hljs-keyword">return</span> (
    <AppWrapper>{children}</AppWrapper>
  );
}
</code></pre>
<p>Similar to layouts, templates allow you to create a shared structure. We will not go into them deeply here, so I suggest you read up on them on the <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/routing/pages-and-layouts#templates">Next.js documentation website</a>.</p>
<h3 id="heading-automatic-code-splitting-1">Automatic Code Splitting</h3>
<p>Next.js 13.4 also makes it easier than ever to code split and dynamically load content. In previous versions of Next.js, you had to make sense of <code>next/dynamic</code>. With Next.js 13, the entire application can opt into code splitting and dynamic loading by making use of <code>Suspense</code>. In fact, you can code split with a simple conditional within a client component. Check out the example below from the <a target="_blank" href="https://nextjs.org/blog/next-13-4#automatic-server-rendering-and-code-splitting">Next.js blog</a>, which returns completely different bundles depending on whether the user is logged in or not.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// app/layout.tsx</span>
<span class="hljs-keyword">import</span> { getUser } <span class="hljs-keyword">from</span> <span class="hljs-string">'./auth'</span>;
<span class="hljs-keyword">import</span> { Dashboard, Landing } <span class="hljs-keyword">from</span> <span class="hljs-string">'./components'</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Layout</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> isLoggedIn = <span class="hljs-keyword">await</span> getUser();
  <span class="hljs-keyword">return</span> isLoggedIn ? <Dashboard /> : <Landing />;
}
</code></pre>
<h3 id="heading-route-groups">Route Groups</h3>
<p><a target="_blank" href="https://nextjs.org/docs/app/building-your-application/routing/route-groups">Route Groups</a> are a nifty feature introduced in Next.js 13, especially when your app requires multiple root layouts. Next.js 13.3 removed the deprecated <code>head.js</code> special file and replaced it with the <code>generateMetadata</code> API. One downside of this approach is that it made it difficult to add scripts and other things to the <code><head /></code> when you had pages that had different content.</p>
<p>For example, let’s say part of your app has navigation that is loaded from an API. The API returns its content for its script dependencies. Route Groups give a solution to this problem by allowing you to split parts of your apps into different folders that have their own root layouts.</p>
<pre><code class="lang-typescript">.
├── (navigation)/
│   ├── dashboard/
│   │   └── page.tsx
│   └── layout.tsx
└── (navless)/
    ├── auth/
    │   └── page.tsx
    └── layout.tsx
</code></pre>
<p>In the example above, the dashboard page has its own root layout that can include the additional head content loaded from your API:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">import</span> { PropsWithChildren } <span class="hljs-keyword">from</span> <span class="hljs-string">'react'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Layout</span>(<span class="hljs-params">{ children }: PropsWithChildren</span>) </span>{
  <span class="hljs-keyword">const</span> { head, header, footer } = <span class="hljs-keyword">await</span> fetchNavigationMarkup()

  <span class="hljs-keyword">return</span> (
    <html>
      <head>
        {head}
      </head>
      <body>
        {header}
        {children}
        {footer}
      </body>
    </html>
  )
}
</code></pre>
<h2 id="heading-react-server-components-rsc">React Server Components (RSC)</h2>
<p>The new Next.js 13 App Router was built in close partnership with React 18. One of the major new features of React 18 is React Server Components (RSC). In order to start working in Next.js 13, you need to wrap your head around this new paradigm.</p>
<p>In the past, React was primarily a client-side UI rendering library. With the addition of RSCs, the intention is to render as much of your application as possible on the server at build time (we will go into the different rendering modes more below)</p>
<blockquote>
<p>When a route is loaded with Next.js, the initial HTML is rendered on the server. This HTML is the progressively enhanced in the browser, allowing the client to take over the application and add interactivity, by asynchronously loading the Next.js and React client-side runtime.</p>
<p>From the <a target="_blank" href="https://nextjs.org/docs/getting-started/react-essentials">React Essentials Section</a> on the Next.js documentation site.</p>
</blockquote>
<p>In React 18, two new directives, “use client“ and “use server“ were added in order to control where components are rendered at the file level. These new directives are used in Next.js 13 to control whether the bundle code is included in the client-side bundle or not.</p>
<p>With the “use server“ directive, we can indicate that a component does not need to be included in the bundle that the client loads. The component will be rendered on the server at build or run time.</p>
<p>As you can see in the code above, we can also make use of <code>async await</code> in Server Components, which makes them great for loading data.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// ServerComponent.ts</span>
<span class="hljs-string">"use server"</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ServerComponent</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> data = <span class="hljs-keyword">await</span> fetchData()

  <span class="hljs-keyword">return</span> <span class="hljs-comment">//...</span>
}
</code></pre>
<p>If a component needs to make use of React Hooks, such as <code>useEffect</code>, or it needs to access browser APIs, we can use the “use client“ directive in order to indicate that the component should be included in the client bundle.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// ClientComponent.tsx</span>
<span class="hljs-comment">// use client is needed here since we are using React hooks and accessing</span>
<span class="hljs-comment">// the localStorage browser API</span>
<span class="hljs-string">"use client"</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ClientComponent</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> [todos, setTodos] = useState([])
  useEffect(<span class="hljs-function">() =></span> {
    <span class="hljs-keyword">const</span> cachedTodos = <span class="hljs-built_in">localStorage</span>.get(<span class="hljs-string">'todos'</span>)
    setTodos(todos)
  })

  <span class="hljs-keyword">return</span> (
    <>
      {todos.map(<span class="hljs-function"><span class="hljs-params">todo</span> =></span> <Todo {...todo} />)}
    </>
  )
}
</code></pre>
<p>See the original React RFC where these directives were proposed for more information: <a target="_blank" href="https://github.com/reactjs/rfcs/pull/227">https://github.com/reactjs/rfcs/pull/227</a></p>
<p><a target="_blank" href="https://tushar-tmpatel.medium.com/what-is-server-components-vs-client-components-in-next-js-13-24a5e0113105">https://tushar-tmpatel.medium.com/what-is-server-components-vs-client-components-in-next-js-13-24a5e0113105</a></p>
<h3 id="heading-server-components-are-the-default-in-nextjs">Server Components are the default in Next.js</h3>
<p>In the world of Next.js 13, server components are now the default, which means that most of your components should not need a “use server“ or “use client“ directive.</p>
<p>The only time you need to use these directives is when you are creating a boundary component.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// page.tsx</span>
<span class="hljs-comment">// React Server Component, will not be included in the client </span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{

  <span class="hljs-keyword">return</span> (
    <Provider>
      <TodoList />
    </Provider>
  )
}

<span class="hljs-comment">// TodoList.tsx</span>
<span class="hljs-comment">// use client is needed here since we are using React hooks</span>
<span class="hljs-string">"use client"</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">TodoList</span>(<span class="hljs-params"></span>) </span>{
  useEffect(<span class="hljs-function">() =></span> {})

  <span class="hljs-keyword">return</span> (
    <>
      {todos.map(<span class="hljs-function"><span class="hljs-params">todo</span> =></span> <Todo {...todo} />)}
    </>
  )
}

<span class="hljs-comment">// TodoList.tsx</span>
<span class="hljs-comment">// No "use client" needed here, even though we are using hooks</span>
<span class="hljs-comment">// because this component is only ever rendered within another client component</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Todo</span>(<span class="hljs-params"></span>) </span>{
  useEffect(<span class="hljs-function">() =></span> {})

  <span class="hljs-keyword">return</span> (
    <>
      {todos.map(<span class="hljs-function"><span class="hljs-params">todo</span> =></span> <Todo {...todo} />)}
    </>
  )
}
</code></pre>
<h3 id="heading-client-components-are-rendered-on-the-server-too">Client Components are rendered on the server, too</h3>
<p>When you use a “use client“ directive to make a client component, it doesn’t means that it only renders on the client side. In fact, most client components are rendered on the server when doing server-side rendering (SSR) or static site generation (SSG).</p>
<p>The only time a client component will not be rendered on the server is when you specifically instruct it not to. One way to do this is by making use of <code>next/dynamic</code> with the <code>ssr: false</code> option (note: <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/optimizing/lazy-loading">Vercel recommends</a> using <code>React.lazy</code> and <code>Suspense</code> directly instead of <code>next/dynamic</code>:)</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">import</span> dynamic <span class="hljs-keyword">from</span> <span class="hljs-string">'next/dynamic'</span>;

<span class="hljs-keyword">const</span> DynamicHeader = dynamic(<span class="hljs-function">() =></span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'../components/header'</span>), {
  ssr: <span class="hljs-literal">false</span>,
});
</code></pre>
<p>This enables Next.js to be a truly hybrid framework and it promotes the goal of Next, which is to statically render as much content as possible and only include what’s needed by the client.</p>
<p>What this means is that you need to think about how a client component will be rendered on the server. A way to test this is to disable JavaScript in your browser and see how the page renders. What you should see is that the page renders in its entirety, but interactive elements are disabled.</p>
<p>You will want to make sure that no layout shift is introduced when the element becomes interactive, so make sure the component renders well before JavaScript is enabled, either by rendering the content by default or by making use of skeletons.</p>
<h3 id="heading-choosing-rendering-at-component-level">Choosing Rendering at Component Level</h3>
<p>What is cool about this new approach is that you can you can interleave Server and Client Components in your application, and behind the scenes, React will seamlessly merge the work of both environments.</p>
<blockquote>
<p><em>React can render on the client and the server, and you can choose the rendering environment at the component level!</em></p>
</blockquote>
<p>In Next.js 13, all the components within the /app folder are server components by default. You will use the <code>"use client"</code> directive if you want to render Client Components.</p>
<p>In the example below, Counter is a Client Component, because it preserves local state and has event handlers for a button click. This component will have a <code>"use client"</code> directive placed on top of the component file, above the imports, to indicate that it is a Client Component.</p>
<blockquote>
<p>Once <code>"use client"</code> is defined in a file, all other modules imported into it, including child components, are considered part of the client bundle.</p>
</blockquote>
<p><em>Note</em>: This additional step could be confusing for developers and is part of the learning curve that comes with Next.js 13.</p>
<pre><code class="lang-typescript"><span class="hljs-string">'use client'</span>

<span class="hljs-comment">// Client Component, because it stores state and has the use client directive.</span>

<span class="hljs-keyword">import</span> { useState } <span class="hljs-keyword">from</span> <span class="hljs-string">'react'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Counter</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">const</span> [count, setCount] = useState(<span class="hljs-number">0</span>)

  <span class="hljs-keyword">return</span> (
    <div>
      <p>You clicked {count} times</p>
      <button onClick={<span class="hljs-function">() =></span> setCount(count + <span class="hljs-number">1</span>)}>Click me</button>
    </div>
  )
}
</code></pre>
<h3 id="heading-composing-client-and-server-components">Composing client and server components</h3>
<p>Next.js 13 offers an enhanced level of flexibility when it comes to composing your components. Server components can also render other server components and client components. On the other hand, client components can render other client components and can only render server components if they are passed in as a prop. This layered composition model allows for a high degree of interoperability and code reusability.</p>
<p>For instance, the following is not allowed in React:</p>
<pre><code class="lang-typescript"><span class="hljs-string">'use client'</span>;

<span class="hljs-comment">// ❌ You cannot import a Server Component into a Client Component</span>
<span class="hljs-keyword">import</span> MyServerComponent <span class="hljs-keyword">from</span> <span class="hljs-string">'./MyServerComponent'</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ClientComponent</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <>
      <MyServerComponent />
    </>
  );
}
</code></pre>
<p>Instead, you can pass a Server Component as a child or a prop to a Client Component as a workaround, as shown below.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// ✅ You can pass a Server Component as a child or prop of a Client Component.</span>
<span class="hljs-keyword">import</span> ClientComponent <span class="hljs-keyword">from</span> <span class="hljs-string">"./ClientComponent"</span>;
<span class="hljs-keyword">import</span> ServerComponent <span class="hljs-keyword">from</span> <span class="hljs-string">"./ServerComponent"</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <ClientComponent>
      <ServerComponent />
    </ClientComponent>
  );
}
</code></pre>
<pre><code class="lang-typescript"><span class="hljs-string">'use client'</span>;

<span class="hljs-comment">// ✅ You can pass a Server Component as a child or prop of a Client Component.</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">ClientComponent</span>(<span class="hljs-params">{children}</span>) </span>{
  <span class="hljs-keyword">return</span> (
    <>
      {children}
    </>
  );
}
</code></pre>
<p>I get that the paragraph above is kind of mind-numbing. Here’s a nice diagram that Vercel folks created to help you visualize this concept better.</p>
<p></p>
<h3 id="heading-nextjs-13-rendering-modes">Next.js 13 Rendering Modes</h3>
<p>Next.js 13 introduces different render environments and modes, allowing you to choose the optimal rendering strategy for your app on a component-by-component basis.</p>
<p>Content is rendered in two distinct environments:</p>
<ul>
<li><p>Client side — Client Components are pre-rendered and cached on the server. JSON is generated for data used on client components and passed to React during Hydration.</p>
</li>
<li><p>Server side —Content is rendered on the server by React, and static HTML is generated. React uses static HTML to hydrate in the browser, requiring no additional JavaScript on the client.</p>
</li>
</ul>
<p>On the server, there are two different rendering modes that are used:</p>
<ul>
<li><p>Static — both client and server components are rendered as static HTML at build time. Static content can be <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/data-fetching/revalidating">revalidated</a>, allowing it to be updated on a page-by-page basis in order to keep dynamic data up-to-date with its sources. Statically generated content is easily cacheable and leads to improved performance, user experience, and search engine optimization.</p>
</li>
<li><p>Dynamic — both client and server components are rendered on the server when a request is made. The content is not cached.</p>
</li>
</ul>
<p>Previous versions of Next.js had different terminology that it used for these concepts. I’m including them below and showing how they relate to the new Next.js 13 terminology.</p>
<ul>
<li><p><strong>Static-site generation (SSG)</strong>: Static rendering mode</p>
</li>
<li><p><strong>Incremental Static Regeneration (ISR)</strong>: Static rendering mode with revalidation</p>
</li>
<li><p><strong>Server-side Rendering (SSR)</strong>: Dynamic rendering mode</p>
</li>
<li><p><strong>Client-side Rendering (CSR)</strong>: Client components</p>
</li>
</ul>
<p>Make sure to check out the Next.js documentation site on the <a target="_blank" href="https://nextjs.org/docs/app/building-your-application/rendering#rendering-environments">topic</a>.</p>
<h3 id="heading-when-to-use-client-vs-server-components">When to Use Client vs. Server Components?</h3>
<p>You only need to mark components as “use client“ when they use client hooks such as <em>useState</em> or <em>useEffect</em>.</p>
<p>It’s best to leave components that do not depend on client hooks without the directive so that they can automatically be rendered as a Server Component when they aren’t imported by another Client Component.</p>
<p>This helps ensure the smallest amount of client-side JavaScript.</p>
<blockquote>
<p>The goal is to ship the smallest amount of client-side JavaScript.</p>
</blockquote>
<p><strong>Use Client Components when:</strong></p>
<ul>
<li><p>You use React hooks such as <em>useState</em>, <em>useEffect</em>, <em>useReducer,</em> etc*..*</p>
</li>
<li><p>There is interactivity within the component, with event listeners such as <em>onClick()</em>.</p>
</li>
<li><p>There are custom hooks that depend on state or effects.</p>
</li>
<li><p>Using React Class Components.</p>
</li>
</ul>
<p><strong>Use Server Components when:</strong></p>
<ul>
<li><p>You fetch data from the server API.</p>
</li>
<li><p>Sensitive information needs to be stored (tokens, API keys, etc.).</p>
</li>
<li><p>You need to access backend resources directly.</p>
</li>
<li><p>There are large dependencies.</p>
</li>
</ul>
<h3 id="heading-server-components-vs-ssr-whats-the-difference">Server Components Vs. SSR: What’s the Difference?</h3>
<p>The main difference between Server Components and SSR lies in the ‘when’ and ‘what.</p>
<p>SSR happens at the time of each page request. The server fetches data, generates the HTML, and then sends this HTML to the client. This process repeats with every request. SSR is great for pages with data that changes frequently, and it’s a fantastic boon for SEO.</p>
<blockquote>
<p><em>SSR is the rendering of an entire page (which is composed of several components) on the server; Server Component is executing an individual component on the server, generate a static HTML response, and send it to the client.</em></p>
</blockquote>
<p>On the other hand, Server Components run once at build time. They execute on the server, generate a static HTML response, and send this to the client. This process doesn’t repeat with every request. As such, Server Components are best for parts of your application that don’t change frequently, and they help in significantly reducing the amount of JavaScript shipped to the client.</p>
<h2 id="heading-streaming">Streaming</h2>
<p>Previously, the user might have had to wait for the complete page to generate. Now the server will transmit to the client small pieces of the UI as it is generated. It implies that the bigger piece won’t get in the way of the smaller ones. Of course, as of right now, just the app directory is supported for this feature, and it doesn’t seem that this will change.</p>
<p>This new feature won’t benefit individuals with a strong internet connection or speedy wifi as much as those with a weaker connection. There are more of them than you would have thought, in fact. It’s great that a faster site loading time will improve user experience.</p>
<h2 id="heading-server-actions-alpha">Server Actions (Alpha)</h2>
<p>Next.js 13.4 introduces Server Actions (currently in alpha), which brings a whole level of flexibility and power to your applications. Server Actions allow you to handle server-side logic, such as fetching data or interacting with APIs, directly in your application. This feature not only simplifies your application architecture but also enables you to create faster and more efficient applications.</p>
<p>For an in-depth look at Server Actions and how they are transforming the way we build applications, check out this article: <a target="_blank" href="https://medium.com/front-end-weekly/why-next-js-server-actions-are-game-changing-20025c9a3551">Why Next.js Server Actions are Game-Changing</a>.</p>
<h2 id="heading-turbopack-now-in-beta-and-more-feature-complete">Turbopack: Now in Beta and More Feature Complete</h2>
<p></p>
<p>With the release of Next.js 13.4, Turbopack has moved into the beta phase, offering a more feature-complete and stable experience. Turbopack is Next.js’s new Rust-based bundle designed to speed up local iterations in development, and soon, production builds. Thanks to the community’s support in testing and reporting bugs, Turbopack has grown in adoption, paving the way for a significantly faster and more efficient development experience in the future.</p>
<h1 id="heading-nextjs-12">Next.js 12</h1>
<p>Next.js has announced at their Next.js conference that Next.js 12 is going to be one of the biggest releases ever. So in this section, let’s quickly look into what the new amazing features are that Next.js 12 has provided us with:</p>
<p>There are roughly 6 new features that Next.js 12 has brought out. Let’s look into all of them.</p>
<h2 id="heading-faster-builds">Faster Builds</h2>
<p>The new Next.js 12 ships with a new Rust compiler. This compiler takes advantage of native compilation. This translates into a much faster build and faster refresh time.</p>
<p></p>
<p>How does that work? <mark>The compiler is built on top of SWC, which stands for </mark> <code>Speedy Web Compiler</code>. It does consume Typescript/JavaScript and emits JavaScript code that can be executed on old browsers. It’s a Babel replacement. It’s about 20x faster than Babel on a single thread and up to 70x on a four-core benchmark.</p>
<p>This Rust compiler is now enabled by default. The improvement of the Vercel.com build is about 50% faster. It went from 3 minutes 41 seconds down to 1 minute and 58 seconds.</p>
<p>It is still not perfect because it might lack some compatibility with popular libraries like <code>styled-components</code> or <code>emotion</code> but that support will happen soon.</p>
<p>You can also use it to minify files by simply enabling it in the config. Here’s the code:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  swcMinify: <span class="hljs-literal">true</span>
}
</code></pre>
<h2 id="heading-middleware">Middleware</h2>
<p>This is one of the most exciting features. At the moment, we have to choose between CDN or Server Side Rendering for building faster apps. When we build a dynamic page that we want to cache, we might use the latter.</p>
<p>Vercel’s new Edge functions feature makes this possible. It gives <mark>the benefits of static caching with the power of dynamic execution. </mark> Now we can run dynamic functions aka middleware, right before our CDN requests complete. All that with no cold start.</p>
<p>The Cloudflare and Amazon infrastructure have also implemented a similar feature not long ago. It is called <code>edge computing</code> or <code>Lamdba@Edge</code>. What is special about the Next.js version? It’s easy and integrates within the framework.</p>
<p>How to use it? By just creating a <code>_middleware</code> function in our pages directory and deploying it. There, we can do dynamic checks right at the CDN level. These middleware functions can be scoped and composed.</p>
<pre><code class="lang-typescript"># Execution order <span class="hljs-keyword">for</span> middleware composition
- /pages
  index.tsx
  - /profile
    _middleware.ts # will run first
    profile.tsx
    - /settings
      _middleware.ts # will run second
      _settings.tsx
</code></pre>
<p>What does a <code>_middleware.ts</code> file look like? Let’s see that through an example where we create a dummy authentication middleware.</p>
<p>In the code above, we can check if the request contains a valid JWT and otherwise return an error response.</p>
<p>What are the most common use cases for using middleware?</p>
<ul>
<li><p>User Authentication</p>
</li>
<li><p>Bot protection</p>
</li>
<li><p>Redirects and rewrites</p>
</li>
<li><p>Handling unsupported browsers</p>
</li>
<li><p>Service-side analytics</p>
</li>
<li><p>Advanced 18n routing</p>
</li>
<li><p>Logging</p>
</li>
</ul>
<h2 id="heading-url-imports">URL Imports</h2>
<p>The Next.js team has been working for a while to support ES modules. It was flagged as experimental in the previous version. In this new version, they are natively supported.</p>
<p>What does that mean? The URL imports can be built on top of those.</p>
<p>Why is this feature cool? We can now import directly tooling from the CDN without any extra builds or installs. We will be able to import those from the wire rather than having to build them locally.</p>
<p>You can now use cool CDN projects like Skypack in your Next.js app. It’s a package delivery network over CDN. It creates ready-for-production tools without the hassle of compiling and bundling them. It scans NPM and builds executable ES module packages that you can import from your browser.</p>
<p>How to enable this feature? The URL has to be specified in the <code>next.config.js</code> file. You need to only enable domains that you trust.</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  experimental: {
    urlImports: [<span class="hljs-string">'https://cdn.skypack.dev'</span>],
  },
}
</code></pre>
<p>As you can see from the config, this URL import feature is still in the experimental phase.</p>
<p>What does the Next.js workflow look like?</p>
<ul>
<li><p>on <code>next dev</code> the will amend the download and add the file in a <code>next.lock</code> file</p>
</li>
<li><p>on <code>next build</code> the engine will look up the generated <code>next.lock</code> file.</p>
</li>
</ul>
<p>Let’s see a bit of code in action:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  reactStrictMode: <span class="hljs-literal">true</span>,
  experimental: {
    urlImports: [<span class="hljs-string">'https://cdn.skypack.dev'</span>],
  },
}

<span class="hljs-comment">// pages/index.js</span>
<span class="hljs-keyword">import</span> styles <span class="hljs-keyword">from</span> <span class="hljs-string">'../styles/Home.module.css'</span>
<span class="hljs-keyword">import</span> confetti <span class="hljs-keyword">from</span> <span class="hljs-string">'https://cdn.skypack.dev/canvas-confetti'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Home</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">return</span> (
    <div className={styles.container}>
      <main className={styles.main}>
        <h1 className={styles.title}>
          Welcome to <a href=<span class="hljs-string">"https://nextjs.org"</span>>Next.js!</a>
        </h1>
        <button onClick={confetti}>
          Throw Confetti
        </button>
      </main>
    </div>
  )
}
</code></pre>
<h2 id="heading-support-for-react-18-on-the-server-side">Support for React 18 on the server-side</h2>
<p>The React 18 version is coming soon, and after a boring release of React 17, it’s mainly focused on concurrency.</p>
<p>The Next.js framework is jumping early and anticipating some of React’s most-awaited features. Naturally, all these new features will also be under an experimental config flag.</p>
<h3 id="heading-html-server-side-streaming">HTML Server Side Streaming</h3>
<p>One of the coolest React 18 features is the built-in support of server-side Suspend and streaming of HTML parts of your React application. You are no longer required to load all or nothing. You can progressively ship HTML to the browser.</p>
<p>The Next.js framework supports that and provides abstractions around all those mechanisms. For dynamically importing modules, you can use its <code>next/dynamic</code> utility.</p>
<h3 id="heading-react-server-side-components">React server-side components</h3>
<p>The new React Server Component feature does simplify the SSR development and logic. They are always rendered on the server and streamed to the client. This reduces the need for handling different rendering scenarios. The usage of <code>getServerSideProps</code> and <code>getStaticProps</code> is not needed anymore. The shift the computation from the client to the server.</p>
<p>Those are big improvements; however, they still have some limitations:</p>
<ul>
<li><p>They are stateless.</p>
</li>
<li><p>They can’t use lifecycle methods like <code>useState</code> or <code>useEffect</code>.</p>
</li>
<li><p>They can’t make usage of browser-only APIs.</p>
</li>
</ul>
<p><strong>Usage</strong></p>
<p>How do you opt in to all these new React 18 goodies?</p>
<p><strong>1.</strong> First, you need to install React 18 Alpha using the following code:</p>
<pre><code class="lang-typescript">npm install next<span class="hljs-meta">@latest</span> react<span class="hljs-meta">@alpha</span> react-dom<span class="hljs-meta">@alpha</span>
</code></pre>
<p><strong>2.</strong> Enable the experimental concurrent features in Next.js configuration, as shown below:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  experimental: {
    concurrentFeatures: <span class="hljs-literal">true</span>,
    serverComponents: <span class="hljs-literal">true</span>,
  },
}
</code></pre>
<p>With that, you are good to go.</p>
<h2 id="heading-on-demand-incremental-static-regeneration-stable">On-demand Incremental Static Regeneration (Stable)</h2>
<p>How many times can you redeploy in a workday? On-demand Incremental Static Regeneration (ISR) allows you to update content on your site without the need to redeploy. This makes it easy to update your site immediately when your site changes in your headless CMS or commerce platform. This is one of the most requested features from the community, and we are excited that it’s now stable.</p>
<p></p>
<p>Incremental Static Regeneration (ISR) works for any providers supporting the <a target="_blank" href="https://nextjs.org/docs/deployment#nextjs-build-api">Next.js Build API</a> (next build). When deployed to Vercel, on-demand revalidation propagates globally in ~300ms when pushing pages to the edge.</p>
<h2 id="heading-smaller-images-using-avif">Smaller Images Using Avif</h2>
<p>The Built-in Image Optimization API now supports AVIF images, enabling 20% smaller images compared to WebP.</p>
<p>AVIF images can take longer to optimize compared to WebP, so we're making this feature opt-in using the new <code>images.formats</code> property in <code>next.config.js</code>:</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {  images: {    formats: [<span class="hljs-string">'image/avif'</span>, <span class="hljs-string">'image/webp'</span>],  },};
</code></pre>
<p>This list of formats is used to determine the optimized image format on demand using the request’s Accept header:</p>
<p>Since AVIF is first, it will be served if the <a target="_blank" href="https://caniuse.com/avif">browser supports AVIF</a>. If not, WebP will be served if the <a target="_blank" href="https://caniuse.com/webp">browser supports WebP</a>. If neither format is supported, the original image format will be served.</p>
<h2 id="heading-output-file-tracing">Output File Tracing</h2>
<p>In Next.js 8, we introduced the <code>target</code> option. This allowed for outputting Next.js pages as standalone JavaScript bundles by bundling all dependencies using webpack during the build. We quickly realized this wasn't ideal and instead created <code>@vercel/nft</code>. <code>@vercel/nft</code> has been used for over 2 years on all deployments on the Vercel platform.</p>
<p>Now, we're bringing these improvements directly into the Next.js framework by default, <strong>for all deployment platforms</strong>, providing a significantly improved approach over the <code>target</code> option.</p>
<p>Next.js 12 automatically traces which files are needed by each page and API route using <code>@vercel/nft</code>, and outputs these trace results next to the <code>next build</code> output, allowing integrators to leverage the traces Next.js provides automatically.</p>
<p>These changes also optimize applications deployed using tools like Docker through <code>next start</code>. By leveraging <code>@vercel/nft</code>, we will be able to make the Next.js output standalone in the future. No dependencies will be required to be installed to run the application, massively reducing the Docker image size.</p>
<p>Bringing <code>@vercel/nft</code> into Next.js supersedes the <code>target</code> approach, making <code>target</code> deprecated in Next.js 12. <a target="_blank" href="https://nextjs.org/docs/pages/api-reference/next-config-js/output">Check out the documentation</a> for more info.</p>
<h2 id="heading-bot-aware-isr-fallback">Bot Aware ISR Fallback</h2>
<p>Currently, <a target="_blank" href="https://vercel.com/docs/concepts/incremental-static-regeneration/overview">Incremental Static Regeneration (ISR)</a> with fallback: true renders a fallback state before rendering the page content on the first request to a page that was not generated yet. To block the page from loading (server-rendering), you would need to use fallback: block.</p>
<p>In Next.js 12, <a target="_blank" href="https://nextjs.org/learn/seo/introduction-to-seo/webcrawlers">web crawlers</a> will automatically server-render ISR pages using fallback: true, while still serving the previous behavior of the fallback state to non-crawler User-Agent. This prevents crawlers from indexing loading states.</p>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://medium.com/coding-beauty/the-new-next-js-15-changes-everything-cec14aaa50b3">https://medium.com/coding-beauty/the-new-next-js-15-changes-everything-cec14aaa50b3</a></p>
<p><a target="_blank" href="https://medium.com/@mitali_shah/why-is-next-js-15-revolutionizing-web-app-development-8164875d6f0d">https://medium.com/@mitali_shah/why-is-next-js-15-revolutionizing-web-app-development-8164875d6f0d</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/top-7-features-in-next-js-15-that-will-supercharge-your-web-apps-0c02bce2b51c">https://javascript.plainenglish.io/top-7-features-in-next-js-15-that-will-supercharge-your-web-apps-0c02bce2b51c</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/server-actions-streaming-and-more-the-full-power-of-next-js-15-bbfbe16cbecb">https://javascript.plainenglish.io/server-actions-streaming-and-more-the-full-power-of-next-js-15-bbfbe16cbecb</a></p>
<p><a target="_blank" href="https://medium.com/@imvinojanv/next-js-14-arrives-turbocharging-react-development-with-new-features-and-enhanced-performance-e961ff122915">https://medium.com/@imvinojanv/next-js-14-arrives-turbocharging-react-development-with-new-features-and-enhanced-performance-e961ff122915</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/4-major-features-in-next-js-14-3e897f391068">https://javascript.plainenglish.io/4-major-features-in-next-js-14-3e897f391068</a></p>
<p><a target="_blank" href="https://focusreactive.com/breaking-down-next-js-14/">https://focusreactive.com/breaking-down-next-js-14/</a></p>
<p><a target="_blank" href="https://medium.com/@Apiumhub/whats-new-in-next-js-14-and-how-does-it-achieve-to-be-so-fast-apiumhub-faa6b512c153">https://medium.com/@Apiumhub/whats-new-in-next-js-14-and-how-does-it-achieve-to-be-so-fast-apiumhub-faa6b512c153</a></p>
<p><a target="_blank" href="https://github.com/reactjs/rfcs/pull/227">http</a><a target="_blank" href="https://blog.bitsrc.io/next-js-13-4-is-finally-here-and-its-awesome-e9f5b27bccda">s://blog.bitsrc.io/next-js-13-4-is-finally-here-and-its-awesome-e9f5b27bccda</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/a-complete-guide-to-the-routing-system-in-next-js-13-with-simple-explanations-and-code-examples-74dce5042f83">https://levelup.gitconnected.com/a-complete-guide-to-the-routing-system-in-next-js-13-with-simple-explanations-and-code-examples-74dce5042f83</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/8-things-you-should-know-about-next-js-13-969291f168ec">https://medium.com/better-programming/8-things-you-should-know-about-next-js-13-969291f168ec</a></p>
<p><a target="_blank" href="https://adhithiravi.medium.com/the-yin-and-yang-of-next-js-13-understanding-server-components-and-server-side-rendering-6a9b774c3b06">https://adhithiravi.medium.com/the-yin-and-yang-of-next-js-13-understanding-server-components-and-server-side-rendering-6a9b774c3b06</a></p>
<p><a target="_blank" href="https://adhithiravi.medium.com/what-are-server-components-and-client-components-in-react-18-and-next-js-13-6f869c0c66b0">https://adhithiravi.medium.com/what-are-server-components-and-client-components-in-react-18-and-next-js-13-6f869c0c66b0</a></p>
<p><a target="_blank" href="https://medium.com/frontendweb/how-to-understand-and-use-the-uselinkstatus-hook-in-next-js-applications-7ddd5aad6924">https://medium.com/frontendweb/how-to-understand-and-use-the-uselinkstatus-hook-in-next-js-applications-7ddd5aad6924</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/5-new-killer-features-of-next-js-12-dfd1d766b539">https://medium.com/better-programming/5-new-killer-features-of-next-js-12-dfd1d766b539</a></p>
<p><a target="_blank" href="https://medium.com/@badcaptain0001/next-js-16-is-here-a-major-step-forward-for-performance-dx-full-stack-architecture-77aa0bcb91f7">https://medium.com/@badcaptain0001/next-js-16-is-here-a-major-step-forward-for-performance-dx-full-stack-architecture-77aa0bcb91f7</a></p>

</article>
<article>
<h1>Bundlers Handbook</h1>
<p>Tuan Tran Van — Mon, 16 Jun 2025 10:36:02 GMT</p>
<h1 id="heading-bundlers">Bundlers</h1>
<p><strong>What is the JavaScript bundler anyway?</strong></p>
<p>A tool that people struggle with for hours just to get a basic web app set up. A thing that you use when you want to bootstrap your React project? Something that your company uses, or that your colleagues/seniors have configured already? Which is apparently supposed to optimize your final JS build.</p>
<p>Whether you are starting your web development journey or have already used a bunch of bundlers before, you may have these questions at some point in time. I certainly did.</p>
<p>To answer the above question, <mark>a module bundler provides a method for arranging and merging multiple JavaScript files into a unified single file. Using a JavaScript bundler becomes necessary when your project outgrows a single file or when dealing with libraries with numerous dependencies. As a result, the end-user’s browser and client don’t have to fetch numerous files individually.</mark></p>
<h2 id="heading-why-do-we-need-a-javascript-bundler">Why do we need a JavaScript bundler?</h2>
<p>JavaScript bundlers are a tool that helps in optimizing the delivery of JavaScript files in web applications. The following are the key benefits of using a bundler.</p>
<ul>
<li><p><strong>Merging, Splitting, and Post-processing on Modules</strong>: While working with vanilla JavaScript or any corresponding modern JavaScript framework, it’s better to split the code into multiple files for the development journey. The concept of JavaScript bundlers is a decade old now. A decade ago, for browsers to access a single file through HTTP1 protocol was a heavy operation. So, it’s better to combine all the code into one file and then make a single HTTP request. But most browsers have improved a lot since then and are now using the HTTP2 protocol for sending network requests that show no bottleneck in sending multiple requests to access files. Instead, we have started to first compile and then split the codebase to load the minimum required sources on the requested route through bundlers. We have also started to remove the unused code (<a target="_blank" href="https://developer.mozilla.org/en-US/docs/Glossary/Tree_shaking">tree sharking</a>) and blank/while spaces among the combined files to minimize the requested resources (<a target="_blank" href="https://developer.mozilla.org/en-US/docs/Glossary/minification">modification</a>)</p>
</li>
<li><p><strong>Solving the problem of cyclic dependencies:</strong> Without bundlers, one needs to take care of the import order of the JavaScript files to avoid the “not defined“ errors. Check out this <a target="_blank" href="https://github.com/mozilla/releases-comm-central/blob/master/mail/components/addrbook/content/abSearchDialog.xhtml#L34">file</a>. Developers need to take care of the import order of script tags by themselves, which is error-prone. Bundlers can traverse through all the required files and decide the loading order.</p>
</li>
<li><p><strong>Anchoring transpilation and pre-processing on modules</strong>: Nowadays, JavaScript has added some modern rules to improve the development journey. But modern browsers do not support these features yet, so one needs translators (which are generally called transpilers) to convert the modern JavaScript into the JavaScript that the browser can understand. Bundlers help in this process, where it first takes the help of the transpiler module to translate the files and then combine them for the browser to load directly.</p>
</li>
</ul>
<p>Modern JavaScript bundlers can be imagined as <strong>compilers</strong> that convert all the <strong>development-friendly code</strong> into an <strong>optimized browser-readable format</strong>.</p>
<h2 id="heading-behind-the-scenes-of-crafted-front-end-code-rendering-in-your-user-browser">Behind the Scenes of Crafted Front-end Code Rendering in your User Browser</h2>
<p>Ever wondered what happens behind the scenes when your code goes from your machine to the user’s browser? Well, let’s dive into it.</p>
<p>Meet our unsung hero: the bundler. It’s like the backstage manager, taking all your project files, doing some magic to optimize them, and then packing them up for a smooth delivery to web browsers. The result? A snappier and more responsive web app.</p>
<p>So, grab your coding beverage of choice, let’s break it down this journey step by step. We are about to uncover the nitty-gritty details of how your frontend code turns into that awesome experience</p>
<ol>
<li><strong>Input Files:</strong></li>
</ol>
<p></p>
<p>A bundler starts with a set of input files, which are typically your project’s source code and assets, such as JavaScript files, CSS files, images, and more.</p>
<ol start="2">
<li><strong>Dependency Resolution:</strong></li>
</ol>
<p></p>
<p>The bundler analyzes your source code to identify dependencies. Dependencies are other files or modules that your code relies on, like importing JavaScript modules or CSS files.</p>
<ol start="3">
<li><strong>Code Transformation</strong></li>
</ol>
<p>Before bundling, the bundler may apply transformations to your code. For example, it might transpile modern JavaScript (ES6+) into older versions for broader browser compatibility, or it might process CSS preprocessor syntax like SASS or LESS into standard CSS.</p>
<ol start="4">
<li><strong>Bundling</strong></li>
</ol>
<p>The bundler combines all the input files, including their dependencies, into one or more modules. Each bundle is a single, optimized file containing the code and assets for your application.</p>
<ol start="5">
<li><strong>Optimization</strong></li>
</ol>
<p>During bundling, the bundler performs various optimizations, such as removing whitespace and comments, minifying code (reducing variable names to shorter forms), and eliminating dead code (code that’s never used). Some bundlers support code splitting, which means breaking the bundled code into smaller parts or chunks. These chunks can be loaded on demand when needed, reducing initial loading times. Bundlers can also handle assets like images and fonts, optimizing and providing them as part of the bundle or as separate files.</p>
<ol start="6">
<li><strong>Development Server (optional)</strong></li>
</ol>
<p>During development, bundlers often include a development server. This server serves your project locally, automatically rebuilds the bundle when you make a change, and may offer features like hot module replacement (HMR) for instant code updates without a full page refresh.</p>
<ol start="7">
<li><strong>Output Files</strong></li>
</ol>
<p>The result of bundling is one or more output files, typically named something like “bundle.js“ for JavaScript or “bundle.css “ for CSS. These files are optimized and ready for deployment. <a target="_blank" href="https://www.youtube.com/watch?v=MxBCPc7bQvM">Here’s a useful link to have hands-on knowledge of how to analyze your JavaScript bundle</a>.</p>
<ol start="8">
<li><strong>Deployment</strong></li>
</ol>
<p>The final bundled files, along with your HTML and other assets, are deployed to a web server or a hosting service to make your application accessible to everyone</p>
<ol start="9">
<li><strong>Loading in the Browser</strong></li>
</ol>
<p>In the user’s browser, when they access your web application, the bundled JavaScript and CSS files are loaded, and the code is executed.</p>
<ol start="10">
<li><strong>Rendering the Web Page</strong></li>
</ol>
<p>The bundled JavaScript code initializes your application, interacts with the DOM, and renders a web page according to your application’s logic and structure.</p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/javascript-es-modules-and-module-bundlers/">https://www.freecodecamp.org/news/javascript-es-modules-and-module-bundlers/</a></p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=MUSoj2JcD4A">https://www.youtube.com/watch?v=MUSoj2JcD4A</a></p>
<p><a target="_blank" href="https://www.youtube.com/watch?v=5IG4UmULyoA">https://www.youtube.com/watch?v=5IG4UmULyoA</a></p>
<h2 id="heading-popular-react-bundle-tools">Popular React Bundle Tools</h2>
<h3 id="heading-rollup-vs-parcel-vs-webpack-which-is-the-best-bundle">Rollup vs. Parcel vs. Webpack: Which is the best bundle?</h3>
<p>Recently, I was publishing a library to npm, and I thought of experimenting with the bundler. I was going to package my code. While <a target="_blank" href="https://webpack.js.org/">Webpack</a> has always been my standard choice, I decided to put it up against two other popular bundlers — <a target="_blank" href="https://rollupjs.org/guide/en/">Rollup</a> and <a target="_blank" href="https://parceljs.org/">Parcel</a>.</p>
<p>From those coming from a non-JavaScript background, a bundler is a tool that recursively follows all imports from the entry point of your app and bundles them up into a single file. Bundlers can also minify your files by removing unnecessary white spaces, new lines, comments, and block delimiters without affecting their functionality.</p>
<p>Let’s try to understand this through a simple code snippet:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">var</span> test = [];
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">var</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">100</span>; i++) {
  test[i] = i;
}
</code></pre>
<p>We just created an array called test and initialised its members up to 100. The minified version of this code will look somewhat like this:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">for</span>(<span class="hljs-keyword">var</span> a=[i=<span class="hljs-number">0</span>];++i<<span class="hljs-number">20</span>;a[i]=i);
</code></pre>
<p>Fewer characters and lines. You might say the code isn’t readable, but who cares? You bundle your code once it’s ready, and minified code is easy to fetch and interpret for the browser.</p>
<p>It must be now easy for you to guess the importance of a bundler, right?</p>
<p>Suppose your code is not bundled and hosted as a package multiple times on a server. For the import of each of these files to make your code run, the browser has to send a separate HTTP request to the server. The efficiency of this transmission is directly proportional to the number and the size of the files being requested. In the case of large apps such as Facebook, this can lead to disastrous performance and UX.</p>
<p>However, the performance of the app substantially improves with a bundler on board, as now the browser only has to request a single file to display your app to the user. Moreover, fetching a minified file weighing a few KBs is faster than the actual file, which might run into MBs, resulting in improved load time in the app.</p>
<p><strong>Why install bundlers when we can do it on our own?</strong></p>
<p>Sure, you can, but when working with huge codebases, minifying an app manually isn’t a scalable solution. Let the bundler do it for you.</p>
<p>Making the right choice of a bundler from the many available can be life-changing for your app, depending on the use case. Coming back to the experiment I was talking about in the beginning. I thought of sharing with you my findings on how Webpack, Rollup, and Parcel fared on some important requirements a developer would have.</p>
<ol>
<li><strong>Configuration of the bundler</strong></li>
</ol>
<p>Parcel wins here because it doesn’t require a config file at all. Just install Parcel and run parcel build, and it will do everything for you out of the box.</p>
<p>Webpack and Rollup both require a config file specifying entry, output, loaders, plugins, transformations, etc. However, there’s a slight difference.</p>
<ul>
<li><p>Rollup has node polyfills for import/export, but Webpack doesn’t.</p>
</li>
<li><p>Rollup has support for relative paths in config, but webpack doesn’t — which is why you use <code>path.resolve</code> or <code>path.join</code></p>
</li>
</ul>
<p>Webpack config can get complex, but it provides extensive support for third-party imports, images, CSS preprocessor, and whatnot.</p>
<p>I had a hard time using Rollup for bundling my app that used axios, a very commonly used library for making HTTP requests — not just axios, but for other third-party integrations too. I had to research a lot and try installing many Rollup plugins before attaining victory, at the cost of dropping some imports.</p>
<ol start="2">
<li><strong>Dead code elimination</strong></li>
</ol>
<p><mark>Dead code elimination, or </mark> <em><mark>Tree shaking</mark></em><mark>, as it’s often called, is very important to achieve the optimum bundle size and hence app performance.</mark></p>
<p><strong>Parcel emerged as the winner</strong> here. Parcel supports tree shaking for both ES6 and CommonJS modules. This is revolutionary since most of the code in libraries on npm still uses <a target="_blank" href="https://www.npmjs.com/search?q=commonjs">CommonJS</a>.</p>
<p>Most of the work Parcel does when tree shaking is also done in parallel through multicore processing using numerous worker processes, and is also cached on the file system. This means that it builds are still fast, and rebuilds are like blazing fast.</p>
<p><strong>Roll comes second in the race</strong>. Right out of the box, it statically analyzes the code you are importing and will exclude anything that isn’t actually used. This saves you from writing more lines in your config file, adding extra dependencies, and bloating the size of your app.</p>
<p>Webpack requires some manual effort to enable tree-shaking:</p>
<ul>
<li><p>Use ES6 syntax (i.e. <code>import</code> and <code>export</code>).</p>
</li>
<li><p>Set the <code>SideEffects</code> flag in your <code>package.json</code>.</p>
</li>
<li><p>Include a minifier that supports dead code removal (eg: <code>UglifyJSPlugin</code>).</p>
</li>
</ul>
<p>Rollup and Webpack have focused more on tree shaking for ES6 since it is much easier to statically analyze, but in order to truly make a big impact, we need to analyze CommonJS dependencies as well, for which they both require plugins to be imported.</p>
<p>However, given the fact that JavaScript is dynamic, almost every construct in the language can be altered at runtime in impossible to predict ways.</p>
<p>Practically, this means that an entity such as a class, which is imported as one reference, can be statically analyzed to remove members (both static and instance) that are not used. So, rather than relying on the bundler to do it for you, it will be a good practice to visualize your components before your code and analyze them afterwards to get the best results.</p>
<ol start="3">
<li><strong>Code splitting</strong></li>
</ol>
<p>As your app grows, your bundle size will grow too, more so with third-party imports. The load time of your app is directly proportional to its bundle size.</p>
<p>Code splitting helps the browser lazy-load just the things that are needed to get the app running, dramatically improving the performance and UX.</p>
<p><strong>Webpack emerges as the winner in this aspect</strong>, with minimal work and faster load time. It provides three approaches to enable code splitting available in Webpack.</p>
<ul>
<li><p><strong>Define entry point</strong>s - Manually split code using <a target="_blank" href="https://webpack.js.org/configuration/entry-context"><code>entry</code></a> configuration.</p>
</li>
<li><p><strong>Use the</strong> <a target="_blank" href="https://webpack.js.org/plugins/commons-chunk-plugin">commonsChunkPlugin</a> to de-dupe and split chunks</p>
</li>
<li><p><strong>Dynamic imports</strong> - use inline function calls within modules</p>
</li>
</ul>
<p>During code splitting by Rollup, your code splitting chunks themselves are standard ES modules that use the browser’s built-in loader without any additional overhead, while still getting the full benefit of Rollup’s tree-shaking feature.</p>
<p>Parcel supports zero-configuration code splitting. Here, code splitting is controlled by the use of the dynamic <code>import()</code> <a target="_blank" href="https://github.com/tc39/proposal-dynamic-import">function syntax proposal</a>, which works like a normal <code>import</code> statement or <code>require</code> function, but returns a <code>Promise</code>. This means that the module is loaded asynchronously.</p>
<p>It was tempting to favour Rollup and Parcel over Webpack for code splitting, but both of them have only recently introduced this feature, and some issues have also been reported. So, it’s safe to stick with the good old webpack.</p>
<p>One compelling fact I noticed was that for the same code with code splitting enabled, the build time was the least with webpack, followed by Rollup, and lastly, Parcel.</p>
<ol start="4">
<li><strong>Live reload</strong></li>
</ol>
<p>During development, it’s great if your app gets updated with the fresh code that you write, instead of manually refreshing it to see the changes. A bundler with live reload capability does that refreshing for you.</p>
<p>Bundlers provide you with a runtime environment in addition to other utilities essential for debugging and development, in the form of a development server.</p>
<p>Parcel has been very thoughtful by having a development server built in, which will automatically rebuild your app as you change files. But there are issues associated with it when using HTTP logging, Hooks, and middleware.</p>
<p>When using Rollup, we need to install and configure<code>rollup-plugin-serve</code>, which will provide us with live reload functionality. However, it needs another plugin, <code>rollup-plugin-livereload</code>, to work. That means it’s not an independent plugin and comes with an extra dependency to run.</p>
<p>With Webpack, you just need to add one plugin, <code>called webpack-dev-server</code>, which provides a simple development server with live reload functionality turned on by default. What’s better? You can use Hooks to do something after the dev server is up and running, add middleware, and also specify the file to serve when we run the dev server. <strong>The customisability of Webpack trumps Rollup and Parcel</strong>.</p>
<ol start="5">
<li><strong>Hot module replacement</strong></li>
</ol>
<p>Hot module replacement (HRM) improves the development experience by automatically updating modules in the browser at runtime without needing a whole page refresh. You can retain the application state as you make small changes in your code.</p>
<p>You might ask how HRM is different from live reload.</p>
<p>Well, live reloading reloads the entire app when a file changes. For example, if you were five levels deep into your app navigation and saved a change, live reloading would restart the app altogether and load it back to the landing/initial route.</p>
<p>Hot reloading, on the other hand, only refreshes the files that were changed while still maintaining the state of the app. For example, if you were 5 levels deep into your app navigation and saved a CSS change, the state would not change: You would still be on the same page, but the new styles would be visible.</p>
<p>Webpack has its own web server, called the <code>webpack-dev-server</code>, through which it supports HMR. It can be used in development as a live reload replacement.</p>
<p>Rollup released a plugin <code>rollup-plugin-hotreload</code> last month to support hot reload.</p>
<p>As this capability is fairly new in bundlers like Rollup and Parcel, I still choose Webpack as the safe bet for I don’t want to run into avoidable issues during development.</p>
<ol start="6">
<li><strong>Module transformers.</strong></li>
</ol>
<p>Bundlers generally know only how to read JS files. Transformers are essentially teachers who teach the bundler how to process files other than JS and add them to your app’s dependency graph and module.</p>
<p></p>
<p>For example, in the image above, you can see a webpack config having an instruction on how to read CSS between lines 13 to 15. It basically says, “Hey Webpack, whenever you encounter a file that is resolved as <code>.css</code>, use <code>css-loader</code> imported above to read it and export it as a string“. Similarly, an HTML loader will tell Webpack how to read the <code>.HTML</code> files it encounters in your app and export them as strings in your bundler.</p>
<p>Parcel handles the transformation process very smartly. Unlike Rollup and Webpack, which need you to specify file types to transform, install, and configure, and plugins to transform them, Parcel provides built-in support for many common transforms and transpilers.</p>
<p>Parcel automatically runs the appropriate transformer when it finds a configuration file such as<code>.babelrc</code>, <code>.postcssrc</code>, <code>.posthtml</code>, etc., in a module. In addition to any transforms specified in .babelrc, Parcel always uses Babel on all modules to compile modern JavaScript into a form supported by browsers.</p>
<p><strong>✅ In a nutshell</strong></p>
<ul>
<li><p>Building a library with minimal third-party imports? Use Rollup</p>
</li>
<li><p>Building a basic app and want to get it up and running quickly? Use Parcel.</p>
</li>
<li><p>Building a complex app with lots of third-party integrations? Need good code splitting, use of static assets, and CommonJS dependencies? Use Webpack.</p>
</li>
</ul>
<p>Personally, I will continue to prefer Webpack for my projects. One might argue that Parcel, in many cases, offers built-in configurations that might provide ease of development, but it’s difficult to overlook the extensive support and customizability that Webpack provides.</p>
<h1 id="heading-webpack">Webpack</h1>
<p><a target="_blank" href="https://webpack.js.org/">Webpack</a> is a commonly used library among modern frontend-based applications. It is one of the popular JavaScript bundlers. It’s now a decade-old and battle-tested library. Many of full full-fledged frontend frameworks like <a target="_blank" href="https://nextjs.org/">NextJs</a> and <a target="_blank" href="https://www.gatsbyjs.com/">Gatsby</a> use Webpack for bundling and compilation purposes by default. If you ask someone what Webpack is, they will answer that it’s a JavaScript bundler. If you go a bit more and ask why we need a JavaScript bundler and how it works, only the curious might be able to answer satisfactorily. It isn’t anyone's fault, modern frontend libraries are packed in a way that you don’t need to worry about what happens under the hood. If we take an example of a ReactJS application configured through the <a target="_blank" href="https://reactjs.org/docs/create-a-new-react-app.html">create-react-app</a> library, it takes care of the configuration of bundlers and transpilers. Developers can immediately start building an application with the knowledge of <a target="_blank" href="https://reactjs.org/">ReactJS</a>. If one wants to master the art of building fast and performant frontend applications, one needs to have a clear mental model of the functioning of all these libraries.</p>
<h2 id="heading-how-does-webpack-work">How does Webpack work?</h2>
<p>Webpack is an event-driven, plugin-based compiler. That means Webpack has a life cycle for bundling the files, and each life-cycle step can be imagined as an event. We can add a plugin that will listen to these different events and act accordingly. The default functionalities can also be inserted through plugins, i.e., there will be some default plugins handling some core functionalities.</p>
<p>Let’s say the life cycle has these 5 methods:</p>
<blockquote>
<p><em>compilation-start → resolve → parse → bundle → compilation-end</em></p>
</blockquote>
<p>The plugin can be integrated to listen to these events and perform the operation on the source code files. There will be some default plugins integrated to perform the core functionality.</p>
<p>Any plugin-based architecture can be designed similarly; it has a life cycle for any particular feature, and custom event handlers (which can be imagined as plugins) can be added to act upon at different steps of the life cycle.</p>
<p>Let’s not go through the Webpack life cycle:</p>
<h2 id="heading-what-happens-under-the-hood-in-webpack">What happens under the hood in Webpack?</h2>
<p>Let’s understand some keywords and then connect them to form a whole story.</p>
<ul>
<li><p><strong>Compiler</strong>: Just like a normal compiler, it will be a starting and stopping point in the webpack life cycle. It can be imagined as a central dispatcher of events.</p>
</li>
<li><p><strong>Compilation AKA The Dependency Graph</strong>: It’s like the brain. Through this, Webpack understands which sources you are using in your codebase. It contains the dependency graph traversal algorithm. It is created by the compiler.</p>
</li>
<li><p><strong>Resolver</strong>: It converts the partial path into the absolute path. This will be used to check if some files exist, and if it does, give us some information.</p>
</li>
<li><p><strong>Module Factory</strong>: Takes successfully resolved requests by the resolver and creates a module object with source files and some information received by the resolver.</p>
</li>
<li><p><strong>Parser</strong>: Takes a module object and turns it into an AST (a tree representation of the source code) to parse. Find all queries and imports and make a tree to parse for bundling.</p>
</li>
<li><p><strong>Templates</strong>: It is used for data binding for the dependency graph. It binds the tree object into the actual code in the module.</p>
</li>
</ul>
<p>Now, let’s connect these dots:</p>
<p></p>
<p>First of all, Webpack will look at the configuration file and look for the entry point mentioned. The <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/Compiler.js">compiler</a> will start the <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/Compilation.js">compilation</a> from that file. A relative path will be sent to the <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/ResolverFactory.js">resolver</a>. The resolver will convert the relative path to the absolute path. The request will go to the module factory. <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/ModuleFactory.js">The module factory</a> will create a module object with some more information like the type of the file, size, absolute path, assigned id, etc.</p>
<p>Now, according to the file type mentioned in the module object, the compiler will look for the transpilers to convert the code into a browser-readable format. After converting the code, the <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/Parser.js">parser</a> will parse the file and look for the ‘require‘ or ‘imports‘ statements and update the object with the dependency information like below:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// example module object</span>
{
  id: <span class="hljs-number">0</span>,
  absolutePath: <span class="hljs-string">'/path'</span>,
  fileType: <span class="hljs-string">'.jsx'</span>,
  dependency: [{ id1, relativePath }, { id2, relativePath }]
  <span class="hljs-comment">// some more information</span>
}
</code></pre>
<p>The compiler will parse the file recursively in this manner to finally form a complete <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/Dependency.js">dependency graph</a> of module objects. Hash-map will also be maintained between the file ID, the absolute path, and the parsed file.</p>
<p>After building the dependency graph, the compiler will topologically sort all dependencies.</p>
<p><strong><em>Topological sorting</em></strong>*: Topological sorting for a Directed Acyclic Graph (DAG) is a linear ordering of vertices such that for every directed edge u v, vertex u comes before v in the ordering.*</p>
<p>The Webpack <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/Template.js">merges</a> all these topologically sorted dependencies with the help of a <a target="_blank" href="https://github.com/webpack/webpack/blob/main/lib/ChunkGraph.js">maintained hash map</a> to make a bundle file. <strong>Minification</strong> or <strong>tree-shaking</strong> can be done on these bundle files now as <strong>post-processing</strong> measures through an event listener, which is also called a plugin. That’s it! Bundler has done his job in these simple steps :)</p>
<p>Let’s dry run the above bundling process for <a target="_blank" href="https://github.com/KhushilMistry/webpack-testing">the following code</a>:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// cat.js ES Module</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-string">"cat"</span>;

<span class="hljs-comment">// bar.js CommonJS</span>
<span class="hljs-keyword">const</span> cat = <span class="hljs-built_in">require</span>(<span class="hljs-string">"./cat"</span>);
<span class="hljs-keyword">const</span> bar = <span class="hljs-string">"bar"</span> + cat;
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = bar;

<span class="hljs-comment">// foo.js ES Module</span>
<span class="hljs-keyword">import</span> catString <span class="hljs-keyword">from</span> <span class="hljs-string">'./cat'</span>;
<span class="hljs-keyword">const</span> fooString = catString + <span class="hljs-string">"foo"</span>;
<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> fooString;

<span class="hljs-comment">// index.js - entry point</span>
<span class="hljs-keyword">import</span> fooString <span class="hljs-keyword">from</span> <span class="hljs-string">'./foo'</span>;
<span class="hljs-keyword">import</span> barString <span class="hljs-keyword">from</span> <span class="hljs-string">'./bar'</span>;
<span class="hljs-keyword">import</span> <span class="hljs-string">'./tree.jpeg'</span>;
<span class="hljs-built_in">console</span>.log(fooString, barString);
</code></pre>
<p>index.js is an entry for the bundler. The compiler will start the process with this information. It will convert the relative path into the absolute path and make a module object. We don’t need any transpiler here as it’s a simple JavaScript file. Now the parser will start parsing the index file. It contains 3 import statements, so the final object module created for index.js will look like this.</p>
<pre><code class="lang-typescript">{
  <span class="hljs-string">"id"</span>:<span class="hljs-number">0</span>,
  <span class="hljs-string">"absolutePath"</span>:<span class="hljs-string">"$home/index.js"</span>,
  <span class="hljs-string">"bundledFile"</span>: <span class="hljs-string">"bundledFile0.js"</span>,
  <span class="hljs-string">"fileType"</span>:<span class="hljs-string">".js"</span>,
  <span class="hljs-string">"dependency"</span>:[
    { <span class="hljs-string">"id"</span>: <span class="hljs-number">1</span>, <span class="hljs-string">"path"</span>: <span class="hljs-string">"./foo"</span> },
    { <span class="hljs-string">"id"</span>: <span class="hljs-number">2</span>, <span class="hljs-string">"path"</span>: <span class="hljs-string">"./bar"</span> },
    { <span class="hljs-string">"id"</span>: <span class="hljs-number">3</span>, <span class="hljs-string">"path"</span>: <span class="hljs-string">"./tree.jpeg"</span>}
  ]
}
</code></pre>
<p>Webpack will now start compiling the dependencies of <em>index.js</em>. Webpack will recursively compile all the files until there are no dependencies left for any file and form the following dependency graph. Here, <em>tree.jpeg</em> will require a file loader/transpiler as <em>NodeJS</em> can’t understand it.</p>
<p></p>
<p>It will sort all the module objects in topological order and merge their converted chunks to form a <a target="_blank" href="https://github.com/KhushilMistry/webpack-testing/blob/master/build/bundle.js">bundle file</a> for the browser to run directly.</p>
<p></p>
<h2 id="heading-the-core-concepts-of-webpack">The core concepts of Webpack</h2>
<p></p>
<h2 id="heading-the-core-concepts-of-webpack-1">The Core Concepts of Webpack</h2>
<p>The core concepts in Webpack:</p>
<ul>
<li><p>Entry</p>
</li>
<li><p>Output</p>
</li>
<li><p>Loaders</p>
</li>
<li><p>Plugins</p>
</li>
<li><p>Mode</p>
</li>
<li><p>Development Server</p>
</li>
</ul>
<h3 id="heading-entry">Entry</h3>
<p><code>entry</code> is the entry point of your application. This is the place where Webpack starts its journey. We know that our React applications are like a tree. All the components span out from <code>App.js</code>.</p>
<p></p>
<p>But where do our <code>App.js</code> live? It lives inside the <code>index.js</code> file, and that’s why webpack enters the application via <code>index.js</code> and creates a dependency graph to determine which files need to be loaded first.</p>
<h3 id="heading-output">Output</h3>
<p>This is another easy concept to understand. After all the work is done, Webpack creates a bundle file. In <code>output</code>, we can specify the name and the location of the output file.</p>
<p>It also has other uses. If you want to generate bundle names for the production system for version management, you can do that here.</p>
<p>Let’s take this a step further and try to understand how our <code>.jsx</code> or <code>.css</code> files are handled.</p>
<h3 id="heading-loader">Loader</h3>
<p>Loaders are a very important concept in Webpack. They are like compilers, Webpack checks for a certain type of file and uses appropriate loaders to handle them.</p>
<p>A typical configuration of the <code>loader</code> can be like the following:</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
    entry: { ... <span class="hljs-keyword">as</span> before}
    output: { ... <span class="hljs-keyword">as</span> before },

    <span class="hljs-keyword">module</span>: {
        rules: [
            {
                test: <span class="hljs-regexp">/\.[jt]sx?$/</span>, <span class="hljs-comment">// matches .js, .ts, .jsx and .tsx files</span>
                use: [<span class="hljs-string">'babel-loader'</span>],, <span class="hljs-comment">// uses babel-loader for the specified file types</span>
                include: path.resolve(__dirname, <span class="hljs-string">'src'</span>),
                exclude: <span class="hljs-regexp">/node_modules/</span>,
            }
        ],
    }
}
</code></pre>
<p>Now, look at the <code>module</code> part. It takes an array of rules. Each rule has several parts:</p>
<ul>
<li><p><code>test</code> -> It checks for a certain file type. It uses a regular expression.</p>
</li>
<li><p><code>use</code> -> It specifies the list of loaders used for this particular file type.</p>
</li>
<li><p><code>include</code> -> Which files should be processed?</p>
</li>
<li><p><code>exclude</code> -> Which should not be processed.</p>
</li>
</ul>
<p>Sometimes we need more than one type of loader for a specific file. A good example is loading <code>CSS</code> files. The rule for that is:</p>
<pre><code class="lang-typescript">{
    test: <span class="hljs-regexp">/\.css$/</span>, <span class="hljs-comment">// matches .css files only</span>
    use: [<span class="hljs-string">'style-loader'</span>, <span class="hljs-string">'css-loader'</span>],
},
</code></pre>
<p>Here, both <code>css-loader</code> and <code>style-loader</code> are used to process the file. One important thing to note here is that these loaders are loaded in the reverse order.</p>
<p>That means first the <code>css-loader</code> will work and then <code>style-loader</code> will work on the output produced by <code>css-loader</code>.</p>
<p>Similarly, for our <code>.scss</code> files:</p>
<pre><code class="lang-typescript">{
  test: <span class="hljs-regexp">/\.scss$/</span>,
  use: [<span class="hljs-string">'style-loader'</span>, <span class="hljs-string">'css-loader'</span>, <span class="hljs-string">'sass-loader'</span>]
},
</code></pre>
<h3 id="heading-plugins">Plugins</h3>
<p>Almost 80% of Webpack runs on plugins.</p>
<p>Plugins are another very important aspect of Webpack. Plugins are the main reason why Webpack is so powerful.</p>
<p>Plugins are like libraries. They can tap into any stage of the compilation process and do whatever they wish.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> {CleanWebpackPlugin} = <span class="hljs-built_in">require</span>(<span class="hljs-string">'clean-webpack-plugin'</span>)

<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = merge(common ,{
    entry:  {...},
    output: {...},
    <span class="hljs-keyword">module</span>: {...}

    plugins: [ <span class="hljs-keyword">new</span> CleanWebpackPlugin() ]
})
</code></pre>
<p>In the example above, we used a plugin named <code>clean-webpack-plugin</code>. What this plugin does is clean the output folder each time we run our build command.</p>
<p>There are lots of plugins that you can take advantage of. You can refer to <a target="_blank" href="https://webpack.js.org/plugins/">WebPack’s official website</a> if you are interested.</p>
<h3 id="heading-mode">Mode</h3>
<p>This is the simple concept to understand. You would want to use a different setup for your development and production. For this, you can use <code>mode</code>.</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = merge(common ,{
    entry:  {...},
    output: {...},
    <span class="hljs-keyword">module</span>: {...},
    plugins:{...},

    mode : <span class="hljs-string">'development'</span> or <span class="hljs-string">'production'</span>
})
</code></pre>
<p>If you set the mode to <code>production</code>, then your output bundle will be minified and optimized.</p>
<h3 id="heading-development-server">Development Server</h3>
<p>This is the final setup for your application. While developing the application, you will not want to compile it every time you change something. That’s why you need a <code>devServer</code> setup for your application.</p>
<pre><code class="lang-typescript">
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = merge(common ,{
    entry:  {...},
    output: {...},
    <span class="hljs-keyword">module</span>: {...},
    plugins:{...},
    mode :  {...},

    devServer: {
        contentBase: path.join(__dirname, <span class="hljs-string">'public/'</span>),
        port: <span class="hljs-number">3000</span>,
        publicPath: <span class="hljs-string">'http://localhost:3000/dist/'</span>,
        hotOnly: <span class="hljs-literal">true</span>,
    },
})
</code></pre>
<p>Now, this setup will serve your application from the <code>dist</code> that you set up earlier as your <code>output</code>.</p>
<h2 id="heading-why-frontend-engineers-need-to-be-webpack-experts">Why Frontend Engineers Need to be WebPack experts</h2>
<p>Modern web applications are not just about core functionalities. We also pay attention to factors like application performance, development productivity, and efficiency to get the maximum out of our effort.</p>
<blockquote>
<p>But, are you aware that you could use WebPack to address some of these challenges?</p>
</blockquote>
<p>However, just knowing how WebPack works won’t be enough to get the maximum from it. So, let’s see what you can achieve by being an expert in Webpack.</p>
<h3 id="heading-improve-development-productivity">Improve Development Productivity</h3>
<p>As developers, we always like to see faster feedback while we carry out modifications to the code. Besides, there are various methods we follow.</p>
<p>If you know WebPack well, you can easily enable its Hot Module Replacement feature to improve the development process.</p>
<p>Hot Module Replacement (HMR) allows us to modify modules while it is in the running state. Since HMR prevents full reload of the application, it will remain in the same state and will only be updated with what has changed.</p>
<p>All you need is to update the <a target="_blank" href="https://github.com/webpack/webpack-dev-server">weppack-dev-server</a> configuration and use its built-in <a target="_blank" href="https://webpack.js.org/plugins/hot-module-replacement-plugin/">HMR plugin</a>.</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  entry: {
    app: <span class="hljs-string">'./src/index.js'</span>,
  },
  ...
  devServer: {
    contentBase: <span class="hljs-string">'./dist'</span>,
    hot: <span class="hljs-literal">true</span>,  <span class="hljs-comment">// <--- Add this line</span>
  },
  plugins: [
    ...
    <span class="hljs-keyword">new</span> HtmlWebpackPlugin({
      title: <span class="hljs-string">'Hot Module Replacement'</span>,
    }),
  ],
  output: {
      ...
  },
};
</code></pre>
<blockquote>
<p>Pro tip: HMR becomes very handly in situations where you develop applications for multiple devices form factors. E.g., you can access the development server URL on both desktop and mobile and instantly see how it looks in both.</p>
</blockquote>
<h3 id="heading-get-better-at-tree-sharking">Get Better at Tree-Sharking</h3>
<p>If your project has a significant amount of dead code or a large number of <a target="_blank" href="https://blog.bitsrc.io/building-a-react-component-library-d92a2da8eab9">shared libraries</a>, it’s common to experience a long application loading time. It’s common to see tree-shaking in such situations to avoid dead or unwanted code from bundling.</p>
<pre><code class="lang-typescript">....
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  entry: {
    app: <span class="hljs-string">'./src/index.js'</span>,
  },
  output: {
      ...
  },
  <span class="hljs-comment">//add below line </span>
  mode: <span class="hljs-string">'development'</span>,
  optimization: {
    usedExports: <span class="hljs-literal">true</span>,
  },
};
</code></pre>
<p><strong>But, how can we guarantee that WebPack makes a correct decision about unused code in the project?</strong></p>
<p>For example, it’s common to have global-level stylesheets imported into the project, and usually, those files aren’t used anywhere. But removing such files can affect the whole project.</p>
<p>Webpack uses a special configuration in the <code>package.json file</code> named <code>sideEffects</code>. By default, all the files in your project are considered files with side effects, and tree-shaking won’t be performed.</p>
<p><strong>However, we can manually change this behavior by changing</strong> <code>sideEffects</code> <strong>value to false, true, or providing an array with file names.</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// All files have side effects </span>
<span class="hljs-string">"sideEffects"</span>: <span class="hljs-literal">true</span>
<span class="hljs-comment">// No files have side effects</span>
<span class="hljs-string">"sideEffects"</span>: <span class="hljs-literal">false</span>
<span class="hljs-comment">//Only these files have side effects,</span>
 <span class="hljs-string">"sideEffects"</span>: [
  <span class="hljs-string">"./src/file1.js"</span>,
  <span class="hljs-string">"./src/file2.js"</span>
 ]
}
</code></pre>
<p>If you enable tree-shaking in Webpack configuration, ensure to include files that don’t have side effects in <code>package.json</code> file settings.</p>
<h3 id="heading-using-code-splitting-to-optimize-app-loading-time">Using Code Splitting to Optimize App Loading Time</h3>
<p>If you monitor the number of unused bytes in a single bundle using Chrome DevTools, you will be amazed to see how often it happens.</p>
<p>Webpack provides the perfect situation by allowing you to split your code into different bundles and load them on-demand or in parallel.</p>
<blockquote>
<p>Webpack provides 3 approaches for code splitting, and you will need to decide which mechanism is the most suited one for your project. For that, you should have a good understanding of Webpack.</p>
</blockquote>
<p>The <strong>entry point</strong> approach is considered the most straightforward and most used code-splitting approach with Webpack. You just need to update all the separate modules in the Webpack config file manually.</p>
<pre><code class="lang-typescript">....
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'development'</span>,
  entry: {
    index: <span class="hljs-string">'./src/index.js'</span>,
    second: <span class="hljs-string">'./src/second-module.js'</span>,
  },
  output: {
   filename: <span class="hljs-string">'[name].bundle.js'</span>,
   path: path.resolve(__dirname, <span class="hljs-string">'dist'</span>),
   },
};
</code></pre>
<p>However, this approach is not very flexible, and there is a risk of having duplicate modules between chunks. If you don’t see any improvements with this approach, you can go deeper with the <strong>Prevent Duplication</strong> approach**.**</p>
<p><strong>Prevent Duplication</strong> approach allows specifying the shared modules between chunks using <code>dependOn</code> the option. You can easily convert the entry point approach to prevent duplication with a few modifications.</p>
<pre><code class="lang-typescript">....
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'development'</span>,
  entry: {
    index: {
      <span class="hljs-keyword">import</span>: <span class="hljs-string">'./src/index.js'</span>,
      dependOn: <span class="hljs-string">'shared'</span>,
    }, 
    second: {
      <span class="hljs-keyword">import</span>: <span class="hljs-string">'./src/second.js'</span>,
      dependOn: <span class="hljs-string">'shared'</span>,
    }, 
    shared: <span class="hljs-string">'shared-module'</span>,
  },
 ...
};
</code></pre>
<p>But the above configuration alone will not give you the desired output. You also need to enable <code>runtimeChunk</code> in the <code>optimization</code> section to prevent Webpack from copying module code between entry points.</p>
<pre><code class="lang-typescript">optimization: {
  splitChunks: {
    chunks: <span class="hljs-string">'all'</span>,
  },
},
</code></pre>
<p>If you are not satisfied with the Prevent Duplication approach, you can shift to the <a target="_blank" href="https://webpack.js.org/guides/code-splitting/#dynamic-imports">Dynamic Imports</a> approach.</p>
<p>I think you already understand the power of Webpack code splitting and the amount of knowledge you need to configure that. So, I won’t be going into details of the <a target="_blank" href="https://webpack.js.org/guides/code-splitting/#dynamic-imports">Dynamic Imports</a> approach here, and you will be able to understand it easily if you understood the previous two.</p>
<h3 id="heading-supports-micro-frontends-with-module-federation">Supports Micro Frontends with Module Federation</h3>
<blockquote>
<p>Module federation is an exciting JavaScript architecture that allows importing code from another application dynamically at runtime.</p>
</blockquote>
<p>Webpack facilitates the support you need to integrate the module federation architecture to your project through a plugin called Module <strong>Federation Plugin.</strong></p>
<p>All you need to do is follow the 4 simple steps:</p>
<ol>
<li><p>Import the plugin to both applications.</p>
</li>
<li><p>Make necessary modifications in the Webpack configuration for the first application and expose the components that need to be shared.</p>
</li>
<li><p>Import the shared component in the Webpack configurations of the second application.</p>
</li>
</ol>
<p>However, this might not be that simple when you start the implementation. You should be very careful about Webpack configurations and only necessary changes.</p>
<p>For example, in the first application, you won’t need to change anything other than the plugins section.</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> { ModuleFederationPlugin } = <span class="hljs-built_in">require</span>(“webpack”).container;
...
plugins: [
  <span class="hljs-keyword">new</span> ModuleFederationPlugin({
    name: <span class="hljs-string">"application1"</span>,
    library: { <span class="hljs-keyword">type</span>: <span class="hljs-string">"var"</span>, name: <span class="hljs-string">"app1"</span> },
    filename: <span class="hljs-string">"remoteEntry.js"</span>,
    exposes: {
      <span class="hljs-comment">// expose each component</span>
      <span class="hljs-string">"./Component1"</span>: <span class="hljs-string">"./src/components/Component1"</span>,
    },
      shared: [<span class="hljs-string">"react"</span>, <span class="hljs-string">"react-dom"</span>],
    }),
    ...
  ],
...
</code></pre>
<p>Besides, if you have a good understanding of these concepts, you can refer to the relevant <a target="_blank" href="https://webpack.js.org/concepts/module-federation/">documentation</a> and easily carry out the required configurations.</p>
<p>With this approach, you will be able to move away from the traditional way of sharing reusable components between micro frontends, and I think that would be a huge win for your development team.</p>
<h2 id="heading-how-to-set-up-your-react-app-from-scratch-using-webpack">How to set up your React app from scratch using Webpack</h2>
<p>So, you have been using Create React App, aka CRA, for a while now. It’s great, and you can get straight to coding. But when do you need to eject from create-react-app and start configuring your own React application? There will be a time when we have to let go of the safety check and start venturing out of our own.</p>
<p>Let’s check out these articles:</p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/an-intro-to-webpack-what-it-is-and-how-to-use-it-8304ecdc3c60/">https://www.freecodecamp.org/news/an-intro-to-webpack-what-it-is-and-how-to-use-it-8304ecdc3c60/</a></p>
<p><a target="_blank" href="https://raphael-leger.medium.com/react-webpack-chunkloaderror-loading-chunk-x-failed-ac385bd110e0">https://raphael-leger.medium.com/react-webpack-chunkloaderror-loading-chunk-x-failed-ac385bd110e0</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/learn-webpack-in-under-10-minutes-efe2b2b10b61">https://medium.com/better-programming/learn-webpack-in-under-10-minutes-efe2b2b10b61</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/webpack-in-2021-typescript-jest-sass-eslint-7b4640842e27">https://javascript.plainenglish.io/webpack-in-2021-typescript-jest-sass-eslint-7b4640842e27</a></p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/how-to-set-up-deploy-your-react-app-from-scratch-using-webpack-and-babel-a669891033d4/">https://www.freecodecamp.org/news/how-to-set-up-deploy-your-react-app-from-scratch-using-webpack-and-babel-a669891033d4/</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/a-complete-guide-to-use-typescript-in-web-development-with-without-react-3ab58ab4f03c">https://javascript.plainenglish.io/a-complete-guide-to-use-typescript-in-web-development-with-without-react-3ab58ab4f03c</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/micro-frontends-using-webpack-5-module-federation-3b97ffb22a0d">https://medium.com/better-programming/micro-frontends-using-webpack-5-module-federation-3b97ffb22a0d</a></p>
<p><a target="_blank" href="https://medium.com/swlh/webpack-5-module-federation-a-game-changer-to-javascript-architecture-bcdd30e02669">https://medium.com/swlh/webpack-5-module-federation-a-game-changer-to-javascript-architecture-bcdd30e02669</a></p>
<h1 id="heading-bundler-best-practices">Bundler Best Practices</h1>
<h2 id="heading-webpack-and-yarn-magic-against-duplicates-in-bundles">Webpack and yarn magic against duplicates in bundles</h2>
<h3 id="heading-setting-up-the-scene">Setting up the scene</h3>
<p>I will assume that you have some understanding of what tools like yarn, npm, and webpack are used in modern frontend projects and want to dig deeper into the magic behind the scenes.</p>
<p>Some terminology used in this article:</p>
<p><strong>Direct dependencies</strong>: packages on which your project relies explicitly. Typically installed via yarn add package-name. The full list of those can be found in the dependencies field in package.json at the root of the project.</p>
<p><strong>Transitive dependencies</strong>: packages on which your project relies implicitly. Those are the dependencies on which your direct dependencies rely. Typically, you won’t see them in the <code>package.json</code> file, but they can be seen, for example, in <code>yarn.lock</code> file</p>
<p><strong>Duplicated Dependencies:</strong> transitive dependencies with mismatched versions. If one of the project dependencies has a button package version 4.0.0 as a transitive dependency and another has the same button version 3.0.0, both of those versions will be installed, and the button dependency will be duplicated.</p>
<p><strong>De-duplication</strong>: the process of elimination of duplicated dependencies according to their <a target="_blank" href="https://semver.org/">SemVer</a> versions (x.x.x - major, minor, patch). Typically, a range of versions within the same major version will contain no breaking changes, and only the latest version within this range can be installed. For example, a button version 4.0.0 and 4.5.6 can be “de-duplicated, “ and only version 4.5.6 will be installed.</p>
<p><code>yarn.lock</code> <strong>file</strong>: an auto-generated file that contains the exact and full list of all direct and transitive dependencies and their exact versions in yarn-based projects.</p>
<h3 id="heading-the-problem-of-duplicated-dependencies">The problem of duplicated dependencies</h3>
<p>“Duplicated“ dependencies in any of the middle — or large-scale projects that rely on npm packages are inevitable. When a project has dozens of “direct“ dependencies, and every one of those has its own dependencies, the final number of all packages (direct and transitive) installed in a project can be close to hundreds. In this situation, it’s more likely than not that some of the dependencies will be duplicated.</p>
<p>Considering that those are bundled together and served to the customers, in order to reduce the final JavaScript size it’s important to reduce the number of duplicates to a minimum. This is where the deduplication process comes into play.</p>
<h3 id="heading-deduplication-in-yarn">Deduplication in yarn</h3>
<p>Consider, for example, a project that among its direct dependencies has <em>modal-dialog@3.0.0</em> and <em>button@2.5.0</em>, and modal-dialog brings <em>button@2.4.1</em> as a transitive dependency. If left unduplicated, both buttons will exist in the project</p>
<p></p>
<p>and in <code>yarn.lock</code> , we will see something like this:</p>
<pre><code class="lang-typescript">modal-dialog@^<span class="hljs-number">3.0</span><span class="hljs-number">.0</span>:
  version <span class="hljs-string">"3.0.0"</span>
  resolved <span class="hljs-string">"exact-link-to-where-download-modal-dialog-3.0.0-from"</span>
  dependencies:
    button@^<span class="hljs-number">2.4</span><span class="hljs-number">.1</span>

button@^<span class="hljs-number">2.5</span><span class="hljs-number">.0</span>:
  version <span class="hljs-string">"2.5.0"</span>
  resolved <span class="hljs-string">"exact-link-to-where-download-2.5.0-version-from"</span>

button@^<span class="hljs-number">2.4</span><span class="hljs-number">.1</span>:
  version <span class="hljs-string">"2.4.1"</span>
  resolved <span class="hljs-string">"exact-link-to-where-download-2.4.1-version-from"</span>
</code></pre>
<p>Now, we know that according to semver, button@2.4.1 and button@2.5.0 are compatible, and therefore we can tell yarn to grab the same button@2.5.0 version for both of them — “deduplicate” them. From the project perspective, it will look like this:</p>
<p></p>
<p>and in yarn.lock file, we’ll see this:</p>
<pre><code class="lang-typescript">modal-dialog@^<span class="hljs-number">3.0</span><span class="hljs-number">.0</span>:
  version <span class="hljs-string">"3.0.0"</span>
  resolved <span class="hljs-string">"exact-link-to-where-download-modal-dialog-3.0.0-from"</span>
  dependencies:
    button@^<span class="hljs-number">2.4</span><span class="hljs-number">.1</span>

button@^<span class="hljs-number">2.4</span><span class="hljs-number">.1</span>, button@^<span class="hljs-number">2.5</span><span class="hljs-number">.0</span>:
  version <span class="hljs-string">"2.5.0"</span>
  resolved <span class="hljs-string">"exact-link-to-where-download-2.5.0-version-from"</span>
</code></pre>
<h3 id="heading-deduplication-in-yarn-not-compatible-version">Deduplication in yarn - not compatible version</h3>
<p>The above duplication technique is the only thing that we usually have in the fight against duplicates, and usually, it works quite well. But what will happen if a project has non-semver-dedupable transitive dependencies? If, for example, our project has <code>modal-dialog@3.0.0</code>, <code>button@2.5.0</code>, and <code>editor@5000.0.0</code> as direct dependencies, and those bring <code>button@1.3.0</code> and <code>button@1.0.0</code> as transitive dependencies?</p>
<p>Using the same technique, we can de-duplicate buttons from <code>1.x.x</code> version, and from the project perspective, it will look like this:</p>
<p></p>
<p>Two versions of the button are unavoidable, and in this case, usually, there is nothing we can do other than upgrade the version of model-dialog and editor to the versions when they both have button from 2.x.x range and it can be de-duplicated properly. Typically, in this case, we stop, say that our project has “2 versions of buttons,” and move on with our lives.</p>
<p>But what if we dig a little bit further and check out how exactly 2 buttons are installed on the disk and bundled together?</p>
<h3 id="heading-duplicated-dependencies-installed">Duplicated dependencies installed</h3>
<p>When we install our dependencies via classic yarn or npm (pnpm or yarn 2.0 changes the situation and are not considered here), npm hoists everything that is possible up to the root node_modules. If, for example, in our project above, both the editor and the modal dialog have the dependency on the same “deduped“ version of the tooltip, but our project does not, npm will install it at the root of the project.</p>
<p></p>
<p>And inside the node_modules folder, we’ll see this structure:</p>
<pre><code class="lang-typescript">/node_modules
  /editor
  /modal-dialog
  /tooltip
</code></pre>
<p>And because of that, we can be sure that we only have one version of the tooltip in the project, or even if two completely different dependencies depend on slightly different versions of it.</p>
<p>Unless…</p>
<p>Unless those versions are not semver compatible and can not be deduplicated that easily. Basically, the situation in the project with buttons from above will look like this:</p>
<p></p>
<p>Even if dependencies are “deduped” on yarn.lock level, and we “officially” have only 2 versions of buttons in <code>yarn.lock,</code> every single package, with <code>button@1.3.0</code> as the dependency that will install its own copy of it.</p>
<h3 id="heading-deduplicated-dependencies-and-webpack">Deduplicated Dependencies and Webpack</h3>
<p>So, if a project is bundled with Webpack, how exactly does it handle the situation from above? It doesn’t actually (there was a webpack dedup plugin in the long past, but it was removed after Webpack 2.0)</p>
<p>Webpack, behind the scenes, just builds the graph of all your files and their dependencies based on what’s installed and required in your node_modules via the <a target="_blank" href="https://nodejs.org/api/modules.html">normal code resolution algorithm</a>. TL;DR: Every time a file in the editor does “import Button from ‘button’;”, the node will try to find this button in the closest node_modules starting from the parent folder of the file where the request appeared. The same story with the modal-dialog. And then, from a Webpack perspective, the very final ask for the button will be:</p>
<ul>
<li><p><em>project/node_modules/editor/node_modules/button/index.js</em> — when it’s requested from within editor</p>
</li>
<li><p><em>project/node_modules/modal-dialog/node_modules/button/index.js</em> — when it’s requested from within modal-dialog</p>
</li>
</ul>
<p>Webpack is not going to check whether they are exactly the same; it will treat them as unique files and bundle both of them in the same bundle. Our “duplicated” button just got double-duplicated.</p>
<h3 id="heading-deduplication-in-webpack-first-attempt">Deduplication in Webpack - first attempt</h3>
<p>Since those buttons are exactly the same, the very first question that comes to mind is: is it possible to take advantage of that and “trick“ Webpack into recognizing it? And indeed, it is possible, and it is ridiculously simple.</p>
<p>Webpack is incredibly flexible; it provides rich plugin interfaces with access to almost everything you can imagine (and to some things that you can not), and its core, most of its features are built with plugins as well. It <a target="_blank" href="https://webpack.js.org/plugins/">exports a lot of them</a> for others to use.</p>
<p>One of those plugins is <a target="_blank" href="https://webpack.js.org/plugins/normal-module-replacement-plugin/">NormalModuleReplacementPlugin</a> — it gives the ability to replace one file with another file during a build time with a regular expression. Which is exactly what we need; the rest is just a master of coding.</p>
<p>First, detected all “duplicated“ dependencies by grabbing a list of all packages <code>node_modules</code> and filtering those that have node_modules in their install path more than once (basically all the “nested” packages from the yarn install chapter above), and grouping them by their version from package.json.</p>
<p></p>
<p>Second, replace all encounters of the “same” package with the very first one from the list</p>
<p></p>
<p>And 💥, there is no “third”, the solution works, it’s safe, and reduces bundle sizes in Jira by ~10%.</p>
<p></p>
<p>The full implementation was literally just 100 lines. Be mindful with celebrating and copying the approach, though, this is not the end of the article 😉</p>
<p>Check out <a target="_blank" href="https://www.developerway.com/posts/webpack-and-yarn-magic-against-duplicates-in-bundles">this article</a> for more details.</p>
<h2 id="heading-learning-by-fixing-nodejs-modules-and-packages">Learning by fixing: Node.js, Modules, and Packages</h2>
<p>The project I was working on has a pretty standard frontend code setup: React, Next.js, CSS in JS, UI components from an external library to build the interface. One day I added a new component, and although everything works locally, my CI, while attempting to build the website, greeted me with this:</p>
<p></p>
<p>After a bit of “errr, wat?”, scratching my head furiously, meddling with UI configuration and doing usual clean-the-cache, nuke-node-modules, cargo-culting activities, I managed to reproduce the problem locally. Turned out that:</p>
<ul>
<li><p>It only happens with the Logengy component, which uses Compiled - a new CSS-in-JS library.</p>
</li>
<li><p>It was working locally because the version of Node in the CI was newer than my local machine.</p>
</li>
</ul>
<p>So clearly, the problem was either with Lozenge or with the compiled library itself, and clearly, there was something in their code that prevented it from working with the latest Node. So the solution to the problem seemed simple: downgrade the version of Node in the CI to unblock my build and raise an issue with the <a target="_blank" href="https://github.com/atlassian-labs/compiled/issues/501">library</a> in the hope that maintainers, who know their source code, can figure it out.</p>
<p>Only…</p>
<p>What can <em>possibly</em> a Lozenge component, that just renders a few divs, or a css-in-js library, that converts js-written styles into <code>style</code> tags can have, that depends on a version of Node? Especially on an <em>old</em> version of Node? It’s usually the other way around…</p>
<p>It’s a proper mystery! Time to put my Sherlock hat on and solve it.</p>
<p>Check out <a target="_blank" href="https://www.developerway.com/posts/learning-by-fixing-node-js-modules-and-packages">this article</a> to explore the reason.</p>
<h2 id="heading-three-simple-tricks-to-speed-up-yarn-install">Three simple tricks to speed up yarn install</h2>
<p>Dev productivity and quality of life improvements are a passion of mine. And speeding up working with code is not only fun, but also essential for building products fast. Happier and faster developers equal happier customers, who get their features and bug fixes sooner!</p>
<p>When dealing with an npm-based ecosystem and its myriad of packages, install dependencies time, especially in large projects, can be unreasonably long. Below are three simple tricks that can help you shave off a minute or two, or sometimes even reduce your <code>yarn install</code> time by half 😋</p>
<p></p>
<p>Not anymore!</p>
<h2 id="heading-bloated-yarnlock-problem"><strong>Bloated yarn.lock problem</strong></h2>
<p>If your project runs on yarn, then more likely than not, some of your dependencies will be duplicated, even if they satisfy semver conditions. Although <a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">yarn</a> <a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">promises tha</a>t deduplication isn’t necessary, this is not exactly the truth.</p>
<p>Imagine the situation: you’re adding <code>@awesome/tools</code> library to your dependencies, which also depends on <code>utils@^1.0.0</code>library, which is its latest version. After installing <code>@awesome/tools</code> you’ll s<a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">ee in your <code>ya</code></a><code>rn.lock</code> file:</p>
<p></p>
<p>After a few months, you want to add another library that depends on those utils, let’s say <code>@simple/button</code>.The Utils library released a few bug fixes and features in the meantime, and its latest version is now <code>1.5.1</code>, and <code>@simple/button</code>depends on it. If you just <a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">run <code>yarn add</code></a> <code>@</code><a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/"><code>simple/button</code></a>, then in the <a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/"><code>yarn.lock</code> you</a> will see this picture:</p>
<p></p>
<p>Even though <code>1.5.1</code> and <code>1.0.0</code> versions are semver-compatible, yarn will not merge them into one as you’d expect, and you’ll end up with 2 versions of the same <code>utils</code> in the repo.</p>
<p>It gets worse tha<a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">n that. If yo</a>u have a few different libraries that depend on version <code>1.0.0</code> and a few that depend on <code>1.5.1</code>, yarn will hoist one of those versions to the root of <code>node_modules</code> folder, but another one would have no place to go <a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">(only one ver</a>sion can sit at the root), and they will be installed as <strong><em>copies</em></strong> in <code>node_modules</code> folders of the libraries that use them. You’ll end up with this folder structure:</p>
<p></p>
<p>And although it <em>seems</em> like you only have 2 versions of <code>utils</code> library, in reality, it can be 5–6-infinite-number of its copies living in your project, all of whi<a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">ch need to be</a> copied into their place, and all of which will steal your <code>yarn install</code> time.</p>
<p>Check out <a target="_blank" href="https://www.developerway.com/posts/three-simple-tricks-to-speed-up-yarn-install">this article</a> to explore the solution🔥</p>
<h2 id="heading-how-did-we-cut-bundle-size-by-70-overnight">How did we cut bundle size by 70% overnight?</h2>
<p>An analysis of modern JavaScript projec<a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">ts reveals a</a> concerning trend: many production applications include hundreds of transitive dependencies. According to Sonatype’s 2023 research, the average JavaScript contains 42 direct dependencies and 683 transitive dependencies, with 65% of projects containing known vulnerable dependencies.</p>
<p>The real cost goes so far beyond the megabytes:</p>
<ul>
<li><p><strong>Security Vulnerabilities</strong>: Each dependency is a potential attack vect<a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/">or.</a></p>
</li>
<li><p><a target="_blank" href="https://classic.yarnpkg.com/en/docs/cli/dedupe/"><strong>Maint</strong></a><strong>enance overhead</strong>: Keeping dependencies updated consumes developer time.</p>
</li>
<li><p><strong>Version conflicts</strong>: Incompatible sub-dependencies create debugging nightmares.</p>
</li>
<li><p><strong>Bundle bloated</strong>: Libraries often bring more code than you actually use.</p>
</li>
</ul>
<p>Most concerning is the exponential nature of transitive dependencies. Adding a “single“ package can sometimes pull in dozens of sub-dependencies you never intended to include.</p>
<p>A client of ours recently added a simple date formatting library that seemed lightweight (12KB) — but it silently pulls in 267KB of additional dependencies. That’s a 22X multiplier!</p>
<p>That matters because every 100kB of JavaScript takes approximately 100ms to parse and compile on an average mobile device.</p>
<p>For users on slower devices or connections, this directly translates to frustration and abandonment.</p>
<h3 id="heading-our-dependency-audit-process">Our dependency audit process</h3>
<ol>
<li><strong>Analyzing the current state</strong></li>
</ol>
<p>Before making any changes, we needed visibility into our dependency mess. These tools proved invaluable:</p>
<p><strong>webpack-bundle-analyzer</strong></p>
<p>Gives you a visual treemap of your bundle components.</p>
<pre><code class="lang-typescript"># Installation
npm install --save-dev webpack-bundle-analyzer
</code></pre>
<pre><code class="lang-typescript"><span class="hljs-comment">// # In your webpack.config.js</span>
<span class="hljs-keyword">const</span> { BundleAnalyzerPlugin } = <span class="hljs-built_in">require</span>(<span class="hljs-string">'webpack-bundle-analyzer'</span>);
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  plugins: [
    <span class="hljs-keyword">new</span> BundleAnalyzerPlugin()
  ]
}
<span class="hljs-comment">// # Run your build to see the analysis</span>
npm run build
</code></pre>
<p><strong>npm is</strong></p>
<p>Shows your dependency tree directly in the terminal:</p>
<pre><code class="lang-typescript"># Show top-level dependencies
npm ls --depth=<span class="hljs-number">0</span>

# Show all dependencies including their dependencies
npm ls

# Find specific packages
npm ls react

# Show only production dependencies
npm ls --prod
</code></pre>
<p><strong>dep check</strong></p>
<p>Identifies unused dependencies in your projects</p>
<pre><code class="lang-typescript"># Installation
npm install -g depcheck

# Run <span class="hljs-keyword">in</span> your project root
depcheck

# With custom options
depcheck --ignores=<span class="hljs-string">"eslint,babel-*"</span>
</code></pre>
<p><strong>import-cost</strong></p>
<pre><code class="lang-typescript"># Installation steps:
<span class="hljs-number">1.</span> Open VS Code
<span class="hljs-number">2.</span> Press Ctrl+P (Cmd+P on Mac)
<span class="hljs-number">3.</span> Type: ext install wix.vscode-<span class="hljs-keyword">import</span>-cost
<span class="hljs-number">4.</span> Press Enter

# The extension will show size information directly <span class="hljs-keyword">in</span> your editor
# whenever you <span class="hljs-keyword">import</span> packages
</code></pre>
<p>Running webpack-bundle-analyzer was eye-opening. We immediately spotted several massive libraries dominating your bundle:</p>
<ul>
<li><p>A full-featured charting library (1.2MB), when we only used two simple chart types</p>
</li>
<li><p>Three different date manipulation libraries (Moment.js, date-fns, and Day.js)</p>
</li>
<li><p>Lodash is imported in its entirety rather than individual functions.</p>
</li>
<li><p>A massive UI component library where we used just four components.</p>
</li>
</ul>
<ol start="2">
<li><strong>Setting Measurable Goals</strong></li>
</ol>
<p>We established clear metrics to track our progress:</p>
<ul>
<li><p>Primary: Total bundle size (initial and chunked)</p>
</li>
<li><p>Secondary: Time to interact on mid-tier mobile devices.</p>
</li>
<li><p>Supporting: JavaScript parse/compile time</p>
</li>
<li><p>Business: Conversion rates and bounce rates</p>
</li>
</ul>
<p>We set an ambitious goal of reducing bundle size by 50% within one sprint, with a stretch goal of 60%. We ultimately achieved 70%.</p>
<h3 id="heading-6-techniques-that-delivered-results-our-step-by-step-process">6 Techniques that delivered results: Our Step-by-Step Process</h3>
<ol>
<li><strong>Ruless Package Evaluation</strong></li>
</ol>
<p>We applied a simple but effective framework to every dependency:</p>
<ul>
<li><p>Do we absolutely need this functionality?</p>
</li>
<li><p>Can we implement it ourselves in < 100 lines of code?</p>
</li>
<li><p>Is there a more lightweight alternative?</p>
</li>
<li><p>If we must use it, can we only use the needed parts?</p>
</li>
</ul>
<p>This led to some major wins:</p>
<p><strong>Example 1: Replacing Moment.js (329KB) with date-fns (85KB)</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Before: Moment.js (329KB)</span>
<span class="hljs-keyword">import</span> moment <span class="hljs-keyword">from</span> <span class="hljs-string">'moment'</span>;
<span class="hljs-keyword">const</span> formattedDate = moment(date).format(<span class="hljs-string">'YYYY-MM-DD'</span>);
</code></pre>
<pre><code class="lang-typescript"><span class="hljs-comment">// After: date-fns (only importing what we need)</span>
<span class="hljs-keyword">import</span> { parseISO, format } <span class="hljs-keyword">from</span> <span class="hljs-string">'date-fns'</span>;
<span class="hljs-keyword">const</span> formattedDate = format(parseISO(dateString), <span class="hljs-string">'yyyy-MM-dd'</span>);
</code></pre>
<p><strong>Example 2: Replacing a full chart library with a targeted solution</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Before: Importing massive chart library (1.2MB)</span>
<span class="hljs-keyword">import</span> { LineChart } <span class="hljs-keyword">from</span> <span class="hljs-string">'massive-chart-lib'</span>;

<span class="hljs-comment">// After: Using a lightweight alternative (87KB)</span>
<span class="hljs-keyword">import</span> { Line } <span class="hljs-keyword">from</span> <span class="hljs-string">'lightweight-charts'</span>;
</code></pre>
<p>In total, we eliminated 18 dependencies and replaced 7 others with lighter alternatives.</p>
<ol start="2">
<li><strong>Implementing Proper Tree-Shaking</strong></li>
</ol>
<p>Tree-shaking (eliminating unused code) sounds simple, but many projects don’t fully benefit from it due to configuration issues.</p>
<p>Common pitfalls we fixed:</p>
<ul>
<li><p>Using CommonJS modules that can’t be properly tree-shaken.</p>
</li>
<li><p>Side effects preventing dead code elimination</p>
</li>
<li><p>Incorrect Webpack/bundler configuration</p>
</li>
</ul>
<p><strong>Our webpack optimization:</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// webpack.config.js improvements</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'production'</span>,
  optimization: {
    usedExports: <span class="hljs-literal">true</span>,
    sideEffects: <span class="hljs-literal">true</span>,
    minimize: <span class="hljs-literal">true</span>,
    concatenateModules: <span class="hljs-literal">true</span>,
  },
}
</code></pre>
<p><strong>Ensuring proper imports:</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Before: No tree-shaking (entire library included)</span>
<span class="hljs-keyword">import</span> _ <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash'</span>;

<span class="hljs-comment">// After: Tree-shakeable imports</span>

<span class="hljs-comment">// Option 1: Individual imports</span>
<span class="hljs-keyword">import</span> map <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash/map'</span>;
<span class="hljs-keyword">import</span> filter <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash/filter'</span>;


<span class="hljs-comment">// Option 2: Using lodash-es for ESM modules</span>
<span class="hljs-keyword">import</span> { map, filter } <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash-es'</span>;
</code></pre>
<p>This alone shaved off 347KB from our bundle.</p>
<ol start="3">
<li><strong>Dynamic Imports & Code Splitting</strong></li>
</ol>
<p>Rather than loading our entire application upfront, we implemented aggressive code splitting:</p>
<p><strong>Route-based splitting:</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Before: All routes imported eagerly</span>
<span class="hljs-keyword">import</span> UserProfile <span class="hljs-keyword">from</span> <span class="hljs-string">'./UserProfile'</span>;
<span class="hljs-keyword">import</span> Dashboard <span class="hljs-keyword">from</span> <span class="hljs-string">'./Dashboard'</span>;
<span class="hljs-keyword">import</span> Settings <span class="hljs-keyword">from</span> <span class="hljs-string">'./Settings'</span>;


<span class="hljs-comment">// After: Routes loaded dynamically</span>
<span class="hljs-keyword">const</span> UserProfile = React.lazy(<span class="hljs-function">() =></span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'./UserProfile'</span>));
<span class="hljs-keyword">const</span> Dashboard = React.lazy(<span class="hljs-function">() =></span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'./Dashboard'</span>));
<span class="hljs-keyword">const</span> Settings = React.lazy(<span class="hljs-function">() =></span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'./Settings'</span>));
</code></pre>
<p><strong>Feature-based splitting:</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Before: Advanced features loaded upfront</span>
<span class="hljs-keyword">import</span> { DataExport } <span class="hljs-keyword">from</span> <span class="hljs-string">'./features/export'</span>;

<span class="hljs-comment">// After: Load on demand</span>
<span class="hljs-keyword">const</span> handleExport = <span class="hljs-keyword">async</span> () => {
  <span class="hljs-keyword">const</span> { DataExport } = <span class="hljs-keyword">await</span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'./features/export'</span>);
  DataExport.run(currentData);
};
</code></pre>
<p>We used <code>React.Suspense</code> to handle loading states gracefully:</p>
<pre><code class="lang-typescript"><Suspense fallback={<Spinner />}>
  <Route path=<span class="hljs-string">"/profile"</span> component={UserProfile} />
</Suspense>
</code></pre>
<p>This approach reduced our initial bundle size by 35% by deferring non-critical features.</p>
<ol start="4">
<li><strong>Micro-frontends for Targeted Loading</strong></li>
</ol>
<p>For our most complex product area — the analytics dashboard — we implemented module federation using Webpack 5’s features to load different sections independently. While this approach took us around three weeks to fully implement (longer than our initial one-week estimate), the performance benefits justified the investment.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// webpack.config.js (simplified)</span>
<span class="hljs-keyword">const</span> { ModuleFederationPlugin } = <span class="hljs-built_in">require</span>(<span class="hljs-string">'webpack'</span>).container;

<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  plugins: [
    <span class="hljs-keyword">new</span> ModuleFederationPlugin({
      name: <span class="hljs-string">'dashboard'</span>,
      filename: <span class="hljs-string">'remoteEntry.js'</span>,
      exposes: {
        <span class="hljs-string">'./ReportingModule'</span>: <span class="hljs-string">'./src/components/Reporting'</span>,
        <span class="hljs-string">'./VisualizationModule'</span>: <span class="hljs-string">'./src/components/Visualization'</span>,
      },
      shared: {
        react: { singleton: <span class="hljs-literal">true</span> },
        <span class="hljs-string">'react-dom'</span>: { singleton: <span class="hljs-literal">true</span> },
        <span class="hljs-comment">// other shared dependencies</span>
      },
    }),
  ],
};
</code></pre>
<p>This approach allowed us to:</p>
<ul>
<li><p>Load only the dashboard components that the user actually views</p>
</li>
<li><p>Share common dependencies between micro-frontends</p>
</li>
<li><p>Update individual modules independently</p>
</li>
</ul>
<p><strong>When Not to Use Micro-frontends</strong></p>
<p>While powerful, this approach isn’t for everyone:</p>
<ul>
<li><p><strong>Small teams with limited DevOps resources</strong> may find the operational complexity overwhelming</p>
</li>
<li><p><strong>Applications with heavy cross-module communication</strong> might face performance penalties</p>
</li>
<li><p><strong>Projects requiring SSR/SSG optimization</strong> may need different architectural approaches</p>
</li>
</ul>
<blockquote>
<p><em>⚠️ Not for everyone — Micro-frontends introduce DevOps and architectural complexity. Avoid them for small apps or SSR-focused builds.</em></p>
</blockquote>
<p>For our use case — a large dashboard with distinct functional areas — the benefits far outweighed the complexities.</p>
<ol start="5">
<li><strong>Building Dependencies Approval Process</strong></li>
</ol>
<p>To prevent future bloat, we implemented a dependency approval workflow:</p>
<ol>
<li><p><strong>Proposed dependency form</strong>: Developers must justify new packages</p>
</li>
<li><p><strong>Bundle impact analysis</strong>: Automated testing of bundle size impact</p>
</li>
<li><p><strong>Alternatives checklist</strong>: Documented consideration of lighter options</p>
</li>
<li><p><strong>Regular audits</strong>: Monthly dependency reviews</p>
</li>
</ol>
<p>We added bundle size budgets to our CI pipeline:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// package.json</span>
{
  <span class="hljs-string">"bundlesize"</span>: [
    {
      <span class="hljs-string">"path"</span>: <span class="hljs-string">"./dist/main.*.js"</span>,
      <span class="hljs-string">"maxSize"</span>: <span class="hljs-string">"250 kB"</span>
    },
    {
      <span class="hljs-string">"path"</span>: <span class="hljs-string">"./dist/vendors.*.js"</span>,
      <span class="hljs-string">"maxSize"</span>: <span class="hljs-string">"700 kB"</span>
    }
  ]
}
</code></pre>
<p>This process has prevented at least seven unnecessary dependencies from entering our codebase in the three months since implementation.</p>
<ol start="6">
<li><strong>Compression & Caching Strategies</strong></li>
</ol>
<p>Beyond dependency optimization, we implemented several network-level optimizations:</p>
<ul>
<li><p><strong>Brotli compression</strong>: We replaced gzip with Brotli, which provides ~11% better compression</p>
</li>
<li><p><strong>Long-term caching</strong>: Set far-future cache headers (1 year) with content-based hashing</p>
</li>
<li><p><strong>CDN-hosted dependencies</strong>: Used public CDNs for common libraries when appropriate</p>
</li>
<li><p><strong>Preloading critical assets</strong>: Implemented <code><link rel="preload"></code> for essential resources</p>
</li>
</ul>
<p>These changes further reduced perceived load times by optimizing how resources were delivered to users, complementing our bundle size reductions.</p>
<h3 id="heading-the-results-before-and-after-analysis">The results: Before and After Analysis</h3>
<p>The final results, measured using Lighthouse, WebPageTest, and our internal analytics platform, exceeded even our stretch goals:</p>
<p></p>
<p>Beyond the performance metrics, we saw several unexpected benefits:</p>
<ul>
<li><p><strong>Faster build times</strong>: CI builds went from 8 minutes to under 4 minutes</p>
</li>
<li><p><strong>Fewer bugs</strong>: Removing complex dependencies eliminated subtle integration issues</p>
</li>
<li><p><strong>Improved developer experience</strong>: The codebase became more understandable and maintainable</p>
</li>
</ul>
<h2 id="heading-13-webpack-optimization-tips-you-should-know">13 Webpack Optimization Tips You Should Know</h2>
<p>I will share some of my commonly used techniques from these aspects:</p>
<ul>
<li><p>Improving the building speed</p>
</li>
<li><p>Reducing the size of the packaged files</p>
</li>
<li><p>Improving the user experience.</p>
</li>
</ul>
<h3 id="heading-improving-the-building-speed">Improving the Building Speed</h3>
<ol>
<li><strong>thread-loader</strong></li>
</ol>
<p>Multithreading can improve the efficiency of the program; we can also use it in Webpack. And <code>thread-loader</code> is a loader that can enable multi-threading in Webpack.</p>
<p>Installation of the loader:</p>
<pre><code class="lang-typescript">npm i thread-loader -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript">{
        test: <span class="hljs-regexp">/\.js$/</span>,
        use: [
          <span class="hljs-string">'thread-loader'</span>,
          <span class="hljs-string">'babel-loader'</span>
        ],
}
</code></pre>
<ol start="2">
<li><strong>cache-loader</strong></li>
</ol>
<p>In the process of deploying our project, Webpack needs to build the project several times. To speed up subsequent builds, we can use caching. The cache-related loader is cache-loader.</p>
<p>Installation:</p>
<pre><code class="lang-typescript">npm i cache-loader -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript">{
        test: <span class="hljs-regexp">/\.js$/</span>,
        use: [
          <span class="hljs-string">'cache-loader'</span>,
          <span class="hljs-string">'thread-loader'</span>,
          <span class="hljs-string">'babel-loader'</span>
        ],
}
</code></pre>
<ol start="3">
<li><strong>Hot update</strong></li>
</ol>
<p>When we modify a file in a project, Webpack will rebuild the entire project by default, but this is not necessary. We only need to recompile this file, which is more efficient; this strategy is called a hot update.</p>
<p>Webpack has a built-in hot update plugin; we just need to enable hot update in the configuration.</p>
<p>Configuration:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// import webpack</span>
<span class="hljs-keyword">const</span> webpack = <span class="hljs-built_in">require</span>(<span class="hljs-string">'webpack'</span>);
</code></pre>
<p>then:</p>
<pre><code class="lang-typescript">{
  plugins: [
      <span class="hljs-keyword">new</span> webpack.HotModuleReplacementPlugin()
  ],

  devServer: {
      hot: <span class="hljs-literal">true</span>
  }
}
</code></pre>
<ol start="4">
<li><strong>exclude & include</strong></li>
</ol>
<p>In our project, some files and folders never need to participate in the build. So we can specify these files in the configuration file to prevent Webpack from retrieving them, thereby improving compilation efficiency.</p>
<p>Of course, we can also specify that some files need to be compiled.</p>
<ul>
<li><p><code>exclude</code> : files that don’t need to be compiled</p>
</li>
<li><p><code>include</code> : files that need to be compiled</p>
</li>
</ul>
<p>Configuration:</p>
<pre><code class="lang-typescript">{
    test: <span class="hljs-regexp">/\.js$/</span>,

    include: path.resolve(__dirname, <span class="hljs-string">'../src'</span>),

    exclude: <span class="hljs-regexp">/node_modules/</span>,    use: [
        <span class="hljs-string">'babel-loader'</span>
    ]
}
</code></pre>
<h3 id="heading-reducing-the-size-of-the-packaged-files">Reducing the size of the packaged files</h3>
<ol start="5">
<li><strong>Minify CSS code</strong></li>
</ol>
<p><code>css-minimizer-webpack-plugin</code> can compress and deduplicate CSS code.</p>
<p>Installation:</p>
<pre><code class="lang-typescript">npm i css-minimizer-webpack-plugin -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> CssMinimizerPlugin = <span class="hljs-built_in">require</span>(<span class="hljs-string">'css-minimizer-webpack-plugin'</span>)
</code></pre>
<p>and:</p>
<pre><code class="lang-typescript">optimization: {
    minimizer: [
      <span class="hljs-keyword">new</span> CssMinimizerPlugin(),
    ],
  }
</code></pre>
<ol start="6">
<li><strong>Minify JavaScript code</strong></li>
</ol>
<p><code>terser-webpack-plugin</code> can compress and deduplicate JavaScript code.</p>
<p>Installation:</p>
<pre><code class="lang-typescript">npm i terser-webpack-plugin -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> TerserPlugin = <span class="hljs-built_in">require</span>(<span class="hljs-string">'terser-webpack-plugin'</span>)optimization: {
    minimizer: [
      <span class="hljs-keyword">new</span> CssMinimizerPlugin(), 
      <span class="hljs-keyword">new</span> TerserPlugin({
        terserOptions: {
          compress: {
            drop_console: <span class="hljs-literal">true</span>, <span class="hljs-comment">// remove console statement</span>
          },
        },
      }),
    ],
  }
</code></pre>
<ol start="7">
<li><strong>tree-sharking</strong></li>
</ol>
<p>Tree-sharking is: to compile only that code that is actually used, not the code that is not used in the project.</p>
<p>In Webpack 5, tree-shaking is enabled by default. You just need to make sure to use production mode when final compiling.</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'production'</span>
}
</code></pre>
<ol start="8">
<li><strong>source-map</strong></li>
</ol>
<p>When there is a bug in our code, source-map can help us quickly locate the location in our source code. But this file is huge.</p>
<p>In order to balance performance and accuracy, we should: generate a more accurate (but larger) source map in development mode; generate a smaller (but not as accurate) source map in production mode.</p>
<p>Development mode:</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'development'</span>,
  devtool: <span class="hljs-string">'eval-cheap-module-source-map'</span>
}
</code></pre>
<p>Production mode:</p>
<pre><code class="lang-typescript"><span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  mode: <span class="hljs-string">'production'</span>,
  devtool: <span class="hljs-string">'nosources-source-map'</span>
}
</code></pre>
<ol start="9">
<li><strong>Bundle Analyzer</strong></li>
</ol>
<p>We can use <code>webpack-bundle-analyzer</code> to review the column of the bundle file after packaging, and then perform corresponding volume optimization.</p>
<p>Installation:</p>
<pre><code class="lang-typescript">npm i webpack-bundle-analyzer -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> {
  BundleAnalyzerPlugin
} = <span class="hljs-built_in">require</span>(<span class="hljs-string">'webpack-bundle-analyzer'</span>)<span class="hljs-comment">// config</span>
plugins: [
    <span class="hljs-keyword">new</span> BundleAnalyzerPlugin(),
]
</code></pre>
<h3 id="heading-improving-the-user-experience">Improving the user experience</h3>
<ol start="10">
<li><strong>Module Lazy Loading</strong></li>
</ol>
<p>If the module is not lazy-loaded, the code of the entire project will be packaged into one JS file, resulting in a very large size of a single JS file. Then, when the user requests the webpage, the loading time of the first screen will be longer.</p>
<p>After module lazy loading, the large JS file will be divided into multiple small JS files, and the webpage will be loaded on demand when loading, which greatly improves the loading speed of the first screen.</p>
<p>To enable lazy loading, we just need to write code like this:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// src/router/index.jsconst routes = [</span>
  {
    path: <span class="hljs-string">'/login'</span>,
    name: <span class="hljs-string">'login'</span>,
    component: login
  },
  {
    path: <span class="hljs-string">'/home'</span>,
    name: <span class="hljs-string">'home'</span>,    <span class="hljs-comment">// lazy-load</span>
    component: <span class="hljs-function">() =></span> <span class="hljs-keyword">import</span>(<span class="hljs-string">'../views/home/home.vue'</span>),
  },
]
</code></pre>
<ol start="11">
<li><strong>Gzip</strong></li>
</ol>
<p>Gzip is a common algorithm for compressing files, which can improve transmission efficiency. However, this function requires back-end cooperation.</p>
<p>Installation:</p>
<pre><code class="lang-typescript">npm i compression-webpack-plugin -D
</code></pre>
<p>Configuration:</p>
<pre><code class="lang-typescript">
<span class="hljs-keyword">const</span> CompressionPlugin = <span class="hljs-built_in">require</span>(<span class="hljs-string">'compression-webpack-plugin'</span>)
<span class="hljs-comment">// config</span>
plugins: [

    <span class="hljs-comment">// gzip</span>
    <span class="hljs-keyword">new</span> CompressionPlugin({
      algorithm: <span class="hljs-string">'gzip'</span>,
      threshold: <span class="hljs-number">10240</span>,
      minRatio: <span class="hljs-number">0.8</span>
    })
  ]
</code></pre>
<ol start="12">
<li><strong>base64</strong></li>
</ol>
<p>For some small pictures, they can be converted into base64 encoding, which can reduce the number of HTTP requests for users and improve the user experience. <code>url-loader</code> has been deprecated in webpack5, we can use <code>asset-module</code> instead.</p>
<p>Configuration:</p>
<pre><code class="lang-typescript">{
   test: <span class="hljs-regexp">/\.(png|jpe?g|gif|svg|webp)$/</span>,
   <span class="hljs-keyword">type</span>: <span class="hljs-string">'asset'</span>,
   parser: {      <span class="hljs-comment">// Conditions for converting to base64</span>
      dataUrlCondition: {
         maxSize: <span class="hljs-number">25</span> * <span class="hljs-number">1024</span>, <span class="hljs-comment">// 25kb</span>
      }
   },
   generator: {
    filename: <span class="hljs-string">'images/[contenthash][ext][query]'</span>,
   },
},
</code></pre>
<ol start="13">
<li><strong>Properly configure the hash</strong></li>
</ol>
<p>We can add a hash to the bundle file, which makes it easier to handle caching.</p>
<pre><code class="lang-typescript">output: {
    path: path.resolve(__dirname, <span class="hljs-string">'../dist'</span>),
    filename: <span class="hljs-string">'js/chunk-[contenthash].js'</span>,
    clean: <span class="hljs-literal">true</span>,
  },
</code></pre>
<p></p>
<h2 id="heading-how-to-fully-optimize-webpack-4-tree-shaking">How to Fully Optimize Webpack 4 Tree Shaking</h2>
<p>Before going into technical details, let me summarize the benefits. Different applications will see different levels of benefits with this exercise. The main deciding factor is the amount of dead, tree-sharkable code in your application. If you don’t have much, then you won’t see much of a benefit from tree-sharking. We had a lot of dead code in ours.</p>
<p>In our department, the biggest problem was a number of shared libraries. These ranged from simple homegrown component libraries to corporate standard component libraries to giant blobs of code shoved together into a library for no rhyme or reason. A lot of it is tech debt, but a big problem was that all of our applications were importing all of these libraries, when in reality each one only needed small pieces of them.</p>
<p>Overall, once tree-shaking was implemented, our applications shrank from between 25% to 75%, depending on the application. The average reduction across all of them was 52%, primarily driven by these bloated shared libraries being the majority of the code in small applications.</p>
<h3 id="heading-what-is-considered-dead-code">What is considered Dead Code?</h3>
<p>This is the simple: It’s code that Webpack can’t see you using. Webpack follows the trail of import/export statements throughout the application, so if it sees something being imported but ultimately not being used, it considers that to be “dead code“ and will tree-shake it.</p>
<p>Dead code isn’t always clear, though. Below will be a few examples of dead code vs “live” code, which I hope will make this more clear. Keep in mind that there will be cases where Webpack will see something as dead code even though it really isn’t. Please see the section on Side Effects to learn how to handle this.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Importing, assigning to a JavaScript object, and using it in the code below</span>
<span class="hljs-comment">// This is considered "live" code and will NOT be tree-shaken</span>
<span class="hljs-keyword">import</span> Stuff <span class="hljs-keyword">from</span> <span class="hljs-string">'./stuff'</span>;
doSomething(Stuff);
<span class="hljs-comment">// Importing, assigning to a JavaScript object, but NOT using it in the code below</span>
<span class="hljs-comment">// This is considered "dead" code and will be tree shaken</span>
<span class="hljs-keyword">import</span> Stuff <span class="hljs-keyword">from</span> <span class="hljs-string">'./stuff'</span>;
doSomething();
<span class="hljs-comment">// Importing but not assigning to a JavaScript object and not using it in the code</span>
<span class="hljs-comment">// This is considered to be "dead" code and will be tree shaken</span>
<span class="hljs-keyword">import</span> <span class="hljs-string">'./stuff'</span>;
doSomething();
<span class="hljs-comment">// Importing an entire library, but not assigning to a JavaScript object and not using it in the code</span>
<span class="hljs-comment">// Oddly enough, this is considered to be "live" code, as Webpack treats library imports differently from local code imports</span>
<span class="hljs-keyword">import</span> <span class="hljs-string">'my-lib'</span>;
doSomething();
</code></pre>
<h3 id="heading-writing-tree-shakable-imports">Writing Tree-Shakable Imports</h3>
<p>When writing tree-shakable code, your imports are important. You should avoid importing entire libraries into a single JavaScript object. When you do so, you are telling Webpack that you need the whole library, and Webpack will not tree-shake it.</p>
<p>Take this example from the popular library Lodash. Importing the entire library at once is a big NO, but importing individual pieces is much better. Of course, Lodash specifically needs other steps to be tree-shaken, but this is a good first step.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// Import everything (NOT TREE-SHAKABLE)</span>
<span class="hljs-keyword">import</span> _ <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash'</span>;
<span class="hljs-comment">// Import named export (CAN BE TREE SHAKEN)</span>
<span class="hljs-keyword">import</span> { debounce } <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash'</span>;
<span class="hljs-comment">// Import the item directly (CAN BE TREE SHAKEN)</span>
<span class="hljs-keyword">import</span> debounce <span class="hljs-keyword">from</span> <span class="hljs-string">'lodash/lib/debounce'</span>;
</code></pre>
<p>Check out <a target="_blank" href="https://medium.com/@craigmiller160/how-to-fully-optimize-webpack-4-tree-shaking-405e1c76038">this article</a> to figure out more techniques about tree shaking.</p>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://sayanmondal342.medium.com/the-what-why-and-how-of-javascript-bundlers-f617f82aa09a">https://sayanmondal342.medium.com/the-what-why-and-how-of-javascript-bundlers-f617f82aa09a</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/bundler-behind-the-scenes-of-your-crafted-frontend-code-rendering-in-users-browser-411d7b7d5e29">https://levelup.gitconnected.com/bundler-behind-the-scenes-of-your-crafted-frontend-code-rendering-in-users-browser-411d7b7d5e29</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/the-battle-of-bundlers-6333a4e3eda9">https://medium.com/better-programming/the-battle-of-bundlers-6333a4e3eda9</a></p>
<p><a target="_blank" href="https://blog.lyearn.com/how-webpack-works-236f8cc43ae7">https://blog.lyearn.com/how-webpack-works-236f8cc43ae7</a></p>
<p><a target="_blank" href="https://mvskiran.medium.com/the-core-concepts-of-webpack-customing-webpack-414483a86fb7">https://mvskiran.medium.com/the-core-concepts-of-webpack-customing-webpack-414483a86fb7</a></p>
<p><a target="_blank" href="https://medium.com/ekino-france/beyond-webpack-esbuild-vite-rollup-swc-and-snowpack-97911a7175cf">https://medium.com/ekino-france/beyond-webpack-esbuild-vite-rollup-swc-and-snowpack-97911a7175cf</a></p>
<p><a target="_blank" href="https://rahuulmiishra.medium.com/exploring-four-core-concepts-every-frontend-developer-should-know-b51f6e0e1cd2">https://rahuulmiishra.medium.com/exploring-four-core-concepts-every-frontend-developer-should-know-b51f6e0e1cd2</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/6-webpack-concepts-for-advanced-react-developers-d016da2cad52">https://medium.com/better-programming/6-webpack-concepts-for-advanced-react-developers-d016da2cad52</a></p>
<p><a target="_blank" href="https://blog.bitsrc.io/why-frontend-developers-need-to-be-webpack-experts-32e734b6f04a">https://blog.bitsrc.io/why-frontend-developers-need-to-be-webpack-experts-32e734b6f04a</a></p>
<p><a target="_blank" href="https://www.developerway.com/posts/webpack-and-yarn-magic-against-duplicates-in-bundles">https://www.developerway.com/posts/webpack-and-yarn-magic-against-duplicates-in-bundles</a></p>
<p><a target="_blank" href="https://medium.com/the-syntax-diaries/the-hidden-cost-of-npm-dependencies-how-we-cut-bundle-size-by-70-overnight-4d913fcf9dde">https://medium.com/the-syntax-diaries/the-hidden-cost-of-npm-dependencies-how-we-cut-bundle-size-by-70-overnight-4d913fcf9dde</a></p>
<p><a target="_blank" href="https://medium.com/frontend-canteen/13-webpack-optimization-tips-you-should-know-668666f8c020">https://medium.com/frontend-canteen/13-webpack-optimization-tips-you-should-know-668666f8c020</a></p>

</article>
<article>
<h1>Git Handbook</h1>
<p>Tuan Tran Van — Tue, 13 May 2025 10:55:28 GMT</p>
<p>When developing software, we find ourselves with the need to manage the changes that are being made in the code, and when working as a team, all team members always have a copy of this code in which they can work and, later, integrate these changes. To facilitate this work, we have version control systems, which allow us to track and manage changes that occur in the code over time: for this, we are going to see the use of and the workflow with GitFlow.</p>
<p>Git is a version control software developed by Linus Torvalds (the creator of Linux), in order to coordinate the work with his collaborators.</p>
<p>Keep in mind that Git has a distributed architecture, so instead of the code being in a single place, when a developer makes a working copy of this code, it generates a repository that can contain the full history of changes that have been made in that code.</p>
<h1 id="heading-repository-revision-commit-some-vocabulary">Repository, revision, commit… Some vocabulary</h1>
<p>When working with Git and version control, we come across a series of terms that it is necessary to know what they are.</p>
<ul>
<li><p><strong>Branch:</strong> A branch is a separate line of development in your project. It allows you to work on new features or fixes without affecting the main codebase.</p>
</li>
<li><p><strong>Checkout:</strong> The <code>git checkout</code> command is used to switch between branches or restore files to a previous state.</p>
</li>
<li><p><strong>Clone:</strong> <code>git clone</code> creates a full local copy of a remote repository, including its history, branches, and files.</p>
</li>
<li><p><strong>Commit:</strong> A commit is a snapshot of your changes. It includes a message describing what was done, along with metadata like author and date.</p>
</li>
<li><p><strong>Conflict:</strong> A conflict happens when Git cannot automatically merge changes from different sources. You'll need to manually resolve these.</p>
</li>
<li><p><strong>Diff (Difference):</strong> A diff shows what has changed between two versions of a file or set of files — additions, deletions, or modifications.</p>
</li>
<li><p><strong>HEAD:</strong> <code>HEAD</code> refers to the latest commit on the current branch you're working on.</p>
</li>
<li><p><strong>Merge:</strong> <code>git merge</code> integrates changes from one branch into another. Often used to bring feature branches into the main branch.</p>
</li>
<li><p><strong>Pull:</strong> <code>git pull</code> fetches and merges updates from a remote repository into your local branch.</p>
</li>
<li><p><strong>Pull Request (PR):</strong> A request to merge your changes into another branch, often reviewed before approval. Commonly used in collaborative workflows.</p>
</li>
<li><p><strong>Push:</strong> <code>git push</code> uploads your local commits to a remote repository to share with others.</p>
</li>
<li><p><strong>Repository (Repo):</strong> A storage location for your project code and history. Can be local or remote (e.g., GitHub).</p>
</li>
<li><p><strong>Tag:</strong> A tag marks a specific point in your project’s history, often used for releases (e.g., <code>v1.0.0</code>).</p>
</li>
<li><p><strong>Staging Area (Index):</strong> The place where files go when you run <code>git add</code>. Only staged files are included in the next commit.</p>
</li>
<li><p><strong>Fork:</strong> A personal copy of someone else's repository, typically used to propose changes or contribute to the original project.</p>
</li>
<li><p><strong>Rebase:</strong> <code>git rebase</code> moves or combines commits to a new base commit. Helps keep a clean, linear project history.</p>
</li>
<li><p><strong>Revert:</strong> <code>git revert</code> creates a new commit that undoes the effects of a previous commit.</p>
</li>
<li><p><strong>Reset:</strong> <code>git reset</code> changes your current branch’s history. It can remove commits or unstage files depending on the flags used.</p>
</li>
<li><p><strong>Stash:</strong> <code>git stash</code> temporarily saves uncommitted changes so you can work on something else, then come back to them later.</p>
</li>
<li><p><strong>Origin:</strong> The default name for the remote repository you cloned from. Used to refer to it in Git commands (e.g., <code>git push origin main</code>).</p>
</li>
<li><p><strong>Blame:</strong> <code>git blame</code> shows which commit and author last modified each line of a file. Useful for tracking down when and why a line was changed.</p>
</li>
<li><p><strong>Cherry-pick:</strong> <code>git cherry-pick</code> allows you to apply a specific commit from one branch onto another. Helpful when you want to copy just one change instead of merging everything.</p>
</li>
<li><p><strong>Hook:</strong> Git hooks are scripts that run automatically before or after certain events (like committing or pushing). Used for tasks like code formatting, testing, or enforcing rules.</p>
</li>
<li><p><strong>Submodule:</strong> A Git repository inside another Git repository. Useful for managing dependencies or separate components in a project.</p>
</li>
<li><p><strong>Upstream:</strong> Refers to the remote branch that your local branch is tracking. For example, if you're working on a feature branch that is based on <code>origin/main</code>, then <code>origin/main</code> is the upstream.</p>
</li>
<li><p><strong>Detached HEAD:</strong> A state where your <code>HEAD</code> points to a specific commit instead of a branch. You're not on any branch, so commits won’t be saved to any branch unless you explicitly create one.</p>
</li>
<li><p><strong>Fast-forward Merge:</strong> A type of merge that doesn’t require a merge commit. Git just moves the pointer forward because there were no divergent changes.</p>
</li>
<li><p><strong>Squash:</strong> The process of combining multiple commits into one. Often used before merging to keep history clean.</p>
</li>
<li><p><strong>Tracking Branch:</strong> A local branch that is set to track a remote branch. This allows you to easily pull/push without specifying the remote and branch name every time.</p>
</li>
<li><p><strong>Worktree:</strong> A working tree (or worktree) is a directory with a checkout of a branch. Git allows multiple worktrees linked to one repository—useful for working on multiple branches at once.</p>
</li>
</ul>
<h1 id="heading-git-advanced-concepts">Git Advanced Concepts</h1>
<p><a target="_blank" href="https://github.com/mike-rambil/Advanced-Git">https://github.com/mike-rambil/Advanced-Git</a></p>
<h2 id="heading-what-is-inside-git-folder">What is inside <code>.Git</code> Folder?</h2>
<h3 id="heading-the-moment-of-truth-opening-git"><strong>The Moment of Truth: Opening .git</strong></h3>
<p>Here's what most developers think <code>.git</code> contains: "Uh... git stuff?"</p>
<p>Let me show you what's actually in there. Open any git repository and run:</p>
<pre><code class="lang-javascript">ls -la .git/
</code></pre>
<p>You'll see something like this:</p>
<pre><code class="lang-javascript">.git/
├── HEAD
├── config
├── description
├── hooks/
├── index
├── info/
├── objects/
├── refs/
└── logs/
</code></pre>
<p>Each piece has a purpose. Each file tells a story. Let's decode them one by one.</p>
<p><strong>The Directory Structure</strong></p>
<p>Before we dive deep, here's the map:</p>
<div class="hn-table">
<table>
<thead>
<tr>
<td>Path</td><td>What It Does</td></tr>
</thead>
<tbody>
<tr>
<td><code>HEAD</code></td><td>Points to your current branch</td></tr>
<tr>
<td><code>config</code></td><td>Repository-specific settings</td></tr>
<tr>
<td><code>description</code></td><td>Used by GitWeb (rarely used)</td></tr>
<tr>
<td><code>hooks/</code></td><td>Scripts that run on git events</td></tr>
<tr>
<td><code>index</code></td><td>Your staging area (binary file)</td></tr>
<tr>
<td><code>info/</code></td><td>Global exclude patterns</td></tr>
<tr>
<td><code>objects/</code></td><td><strong>All your data lives here</strong></td></tr>
<tr>
<td><code>refs/</code></td><td>Pointers to commits (branches, tags)</td></tr>
<tr>
<td><code>logs/</code></td><td>History of ref changes (reflog)</td></tr>
</tbody>
</table>
</div><p>The two most important directories? <strong>objects/</strong> and <strong>refs/</strong>. Everything else is supporting infrastructure.</p>
<h3 id="heading-head-your-location-marker">HEAD: Your Location Marker</h3>
<p>Let's start simple. Check what's in <code>HEAD</code>:</p>
<pre><code class="lang-javascript">cat .git/HEAD
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript">ref: refs/heads/main
</code></pre>
<p>That's it. That's the file. <strong>HEAD is just a pointer</strong> telling Git which branch you're on. When you run <code>git checkout feature-branch</code>, Git rewrites this file:</p>
<pre><code class="lang-javascript">ref: refs/heads/feature-branch
</code></pre>
<p>When you check out a specific commit (detached HEAD state), it changes to:</p>
<pre><code class="lang-javascript">a3f2d8b9c1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8
</code></pre>
<p><strong>Mind-blowing realization #1:</strong> Your "current branch" is just a text file containing a reference.</p>
<h3 id="heading-refs-where-branches-live">refs/: Where Branches Live</h3>
<p>Look inside the <code>refs</code> directory:</p>
<pre><code class="lang-javascript">tree .git/refs/
</code></pre>
<pre><code class="lang-javascript">.git/refs/
├── heads/
│   ├── main
│   ├── feature-auth
│   └── bugfix-login
├── remotes/
│   └── origin/
│       ├── main
│       └── develop
└── tags/
    └── v1<span class="hljs-number">.0</span><span class="hljs-number">.0</span>
</code></pre>
<p>Each branch is <strong>just a file</strong> containing a commit hash. Let's prove it:</p>
<pre><code class="lang-javascript">cat .git/refs/heads/main
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript">f3e4d5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
</code></pre>
<p>That's your latest commit on <code>main</code>. That's literally what a branch is—a 40-character hash pointing to a commit.</p>
<p><strong>When you create a new branch:</strong></p>
<pre><code class="lang-javascript">git branch feature-<span class="hljs-keyword">new</span>
</code></pre>
<p>Git creates <code>.git/refs/heads/feature-new</code> and copies the current commit hash into it. That's it. No magic.</p>
<p><strong>Mind-blowing realization #2:</strong> Branches are just files with commit hashes. Creating a branch is almost free because it's just writing 40 bytes to a file.</p>
<h3 id="heading-objects-gits-time-machine">objects/: Git's Time Machine</h3>
<p>This is where the real magic happens. The <code>objects/</code> directory is Git's database—every commit, every file, every version you've ever created lives here.</p>
<pre><code class="lang-javascript">ls .git/objects/
</code></pre>
<pre><code class="lang-javascript"><span class="hljs-number">00</span>/  <span class="hljs-number">0</span>f/  <span class="hljs-number">1</span>a/  <span class="hljs-number">2</span>b/  <span class="hljs-number">3</span>c/  <span class="hljs-number">4</span>d/  <span class="hljs-number">5</span>e/  <span class="hljs-number">6</span>f/  <span class="hljs-number">7</span>a/  <span class="hljs-number">8</span>b/  <span class="hljs-number">9</span>c/  ...
info/  pack/
</code></pre>
<p>Those two-character directories? They're organizing objects by their hash prefix (for performance). Let's look deeper:</p>
<pre><code class="lang-javascript">ls .git/objects/a3/
</code></pre>
<pre><code class="lang-javascript">f2d8b9c1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8
</code></pre>
<p>Combine the directory name with the filename: <code>a3f2d8b9c1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8</code></p>
<p>That's a complete SHA-1 hash. But what is it?</p>
<p><strong>What's a Git Object?</strong></p>
<p>Git stores everything as objects. There are only four types:</p>
<ol>
<li><p><strong>Blob</strong> - File contents</p>
</li>
<li><p><strong>Tree</strong> - Directory structure</p>
</li>
<li><p><strong>Commit</strong> - Snapshot in time</p>
</li>
<li><p><strong>Tag</strong> - Named reference (annotated tags)</p>
</li>
</ol>
<p>You can inspect any object:</p>
<pre><code class="lang-javascript">git cat-file -t a3f2d8b9  # Type
git cat-file -p a3f2d8b9  # Content
</code></pre>
<p><strong>The Three Types of Objects</strong></p>
<p>Let's see them in action. I'll create a simple file and commit it:</p>
<pre><code class="lang-javascript">echo <span class="hljs-string">"Hello Git"</span> > test.txt
git add test.txt
git commit -m <span class="hljs-string">"Add test file"</span>
</code></pre>
<p>Now let's follow the trail.</p>
<h4 id="heading-1-the-commit-object"><strong>1. The Commit Object</strong></h4>
<pre><code class="lang-javascript">git cat-file -p HEAD
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript">tree <span class="hljs-number">5e8</span>b9c0d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6
parent f3e4d5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
author John Doe <john@example.com> <span class="hljs-number">1733654400</span> +<span class="hljs-number">0000</span>
committer John Doe <john@example.com> <span class="hljs-number">1733654400</span> +<span class="hljs-number">0000</span>

Add test file
</code></pre>
<p>The commit points to a <strong>tree</strong> (the directory structure) and has metadata (author, timestamp, message).</p>
<h4 id="heading-2-the-tree-object"><strong>2. The Tree Object</strong></h4>
<pre><code class="lang-javascript">git cat-file -p <span class="hljs-number">5e8</span>b9c0d1a2b
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript"><span class="hljs-number">100644</span> blob a3f2d8b9c1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8    test.txt
<span class="hljs-number">100644</span> blob <span class="hljs-number">7</span>a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6    README.md
<span class="hljs-number">040000</span> tree b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7    src/
</code></pre>
<p>The tree lists files (blobs) and subdirectories (trees). It's like a snapshot of <code>ls -l</code>.</p>
<h4 id="heading-3-the-blob-object"><strong>3. The Blob Object</strong></h4>
<pre><code class="lang-javascript">git cat-file -p a3f2d8b9c1e4
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript">Hello Git
</code></pre>
<p>The blob is <strong>just the file contents</strong>. No filename, no metadata—pure content.</p>
<p><strong>Mind-blowing realization #3:</strong> Git doesn't store diffs. It stores complete snapshots. Every commit points to a full tree of all files.</p>
<p><strong>Following the Chain</strong></p>
<p>Here's how it connects:</p>
<pre><code class="lang-javascript">HEAD
  ↓
refs/heads/main (contains: f3e4d5c6...)
  ↓
Commit f3e4d5c6...
  ├── tree <span class="hljs-number">5e8</span>b9c0d...
  │     ├── blob a3f2d8b9... (test.txt)
  │     ├── blob <span class="hljs-number">7</span>a8b9c0d... (README.md)
  │     └── tree b9c0d1e2... (src/)
  └── parent e2f3a4b5... (previous commit)
</code></pre>
<p>When you run <code>git log</code>, Git walks this chain backwards through parent commits.</p>
<h3 id="heading-index-the-staging-area-revealed">index: The Staging Area Revealed</h3>
<p>The staging area isn't virtual—it's a binary file:</p>
<pre><code class="lang-javascript">file .git/index
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript">.git/index: Git index, version <span class="hljs-number">2</span>, <span class="hljs-number">3</span> entries
</code></pre>
<p>When you run <code>git add</code>, Git:</p>
<ol>
<li><p>Creates a blob object for the file</p>
</li>
<li><p>Updates the index to point to that blob</p>
</li>
<li><p>Doesn't create a commit yet</p>
</li>
</ol>
<p>You can peek inside (it's binary, but git can read it):</p>
<pre><code class="lang-javascript">git ls-files --stage
</code></pre>
<p>Output:</p>
<pre><code class="lang-javascript"><span class="hljs-number">100644</span> a3f2d8b9c1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 <span class="hljs-number">0</span>   test.txt
<span class="hljs-number">100644</span> <span class="hljs-number">7</span>a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6 <span class="hljs-number">0</span>    README.md
</code></pre>
<p>Each entry shows: permissions, blob hash, stage number, and filename.</p>
<p><strong>Mind-blowing realization #4:</strong> <code>git add</code> creates the object immediately. The staging area is just a list of "these blobs should be in the next commit."</p>
<h3 id="heading-config-your-repository-settings">config: Your Repository Settings</h3>
<p>Open <code>.git/config</code>:</p>
<pre><code class="lang-javascript">cat .git/config
</code></pre>
<pre><code class="lang-javascript">[core]
    repositoryformatversion = <span class="hljs-number">0</span>
    filemode = <span class="hljs-literal">true</span>
    bare = <span class="hljs-literal">false</span>
    logallrefupdates = <span class="hljs-literal">true</span>

[remote <span class="hljs-string">"origin"</span>]
    url = git@github.com:username/repo.git
    fetch = +refs/heads<span class="hljs-comment">/*:refs/remotes/origin/*

[branch "main"]
    remote = origin
    merge = refs/heads/main

[user]
    name = John Doe
    email = john@example.com</span>
</code></pre>
<p>This is where <code>git config --local</code> writes settings. Global settings live in <code>~/.gitconfig</code>, but repository-specific overrides live here.</p>
<p>Want to change your email for just this project?</p>
<pre><code class="lang-javascript">git config user.email <span class="hljs-string">"work@company.com"</span>
</code></pre>
<p>Check the file—it's been updated.</p>
<h3 id="heading-hooks-automation-paradise">hooks/: Automation Paradise</h3>
<p>The <code>hooks/</code> directory contains scripts that run automatically on git events:</p>
<pre><code class="lang-javascript">ls .git/hooks/
</code></pre>
<pre><code class="lang-javascript">applypatch-msg.sample
pre-commit.sample
pre-push.sample
prepare-commit-msg.sample
post-commit.sample
...
</code></pre>
<p>Remove the <code>.sample</code> extension to activate a hook. For example, create <code>.git/hooks/pre-commit</code>:</p>
<pre><code class="lang-javascript">#!<span class="hljs-regexp">/bin/</span>bash
# Run tests before every commit

npm test
<span class="hljs-keyword">if</span> [ $? -ne <span class="hljs-number">0</span> ]; then
    echo <span class="hljs-string">"Tests failed! Commit aborted."</span>
    exit <span class="hljs-number">1</span>
fi
</code></pre>
<p>Make it executable:</p>
<pre><code class="lang-javascript">chmod +x .git/hooks/pre-commit
</code></pre>
<p>Now every <code>git commit</code> runs your tests first. If they fail, the commit is blocked.</p>
<p><strong>Popular hooks:</strong></p>
<ul>
<li><p><code>pre-commit</code> - Lint code, run tests</p>
</li>
<li><p><code>commit-msg</code> - Enforce commit message format</p>
</li>
<li><p><code>pre-push</code> - Run full test suite before pushing</p>
</li>
<li><p><code>post-merge</code> - Install dependencies after pulling</p>
</li>
</ul>
<p><strong>Mind-blowing realization #5:</strong> Git is programmable. You can automate almost anything.</p>
<h3 id="heading-logs-gits-diary">logs/: Git's Diary</h3>
<p>The <code>logs/</code> directory tracks every change to refs:</p>
<pre><code class="lang-javascript">cat .git/logs/HEAD
</code></pre>
<pre><code class="lang-javascript"><span class="hljs-number">0000000</span> a3f2d8b John Doe <john@example.com> <span class="hljs-number">1733654400</span> +<span class="hljs-number">0000</span>    commit (initial): Initial commit
a3f2d8b f3e4d5c John Doe <john@example.com> <span class="hljs-number">1733654500</span> +<span class="hljs-number">0000</span>    commit: Add test file
f3e4d5c e2f3a4b John Doe <john@example.com> <span class="hljs-number">1733654600</span> +<span class="hljs-number">0000</span>    commit: Update README
</code></pre>
<p>This is what powers <code>git reflog</code>—a safety net that remembers where you've been, even if you've deleted branches or reset commits.</p>
<p><strong>Accidentally deleted a branch?</strong></p>
<pre><code class="lang-javascript">git reflog
# Find the commit hash before you deleted it
git checkout -b recovered-branch a3f2d8b
</code></pre>
<p>The reflog saved you.</p>
<h3 id="heading-a-real-world-scenario-following-a-commit"><strong>A Real-World Scenario: Following a Commit</strong></h3>
<p>Let's put it all together. You run:</p>
<pre><code class="lang-javascript">git commit -m <span class="hljs-string">"Fix login bug"</span>
</code></pre>
<p>Here's what Git does behind the scenes:</p>
<ol>
<li><p><strong>Creates blob objects</strong> for each file in the index</p>
</li>
<li><p><strong>Creates a tree object</strong> representing the directory structure</p>
</li>
<li><p><strong>Creates a commit object</strong> pointing to:</p>
<ul>
<li><p>The tree</p>
</li>
<li><p>The parent commit</p>
</li>
<li><p>Author metadata</p>
</li>
<li><p>Commit message</p>
</li>
</ul>
</li>
<li><p><strong>Updates the branch ref</strong> (<code>.git/refs/heads/main</code>) to point to the new commit</p>
</li>
<li><p><strong>Updates HEAD</strong> (if needed)</p>
</li>
<li><p><strong>Logs the change</strong> in <code>.git/logs/refs/heads/main</code></p>
</li>
</ol>
<p>All of this happens in milliseconds. And it's just file operations—no database, no network calls.</p>
<p><strong>Why This Matters</strong></p>
<p>Understanding <code>.git</code> changes how you use Git:</p>
<p><strong>Before:</strong> "I'll just run these commands and hope it works."</p>
<p><strong>After:</strong></p>
<ul>
<li><p>"I need to recover a deleted branch—I'll check reflog."</p>
</li>
<li><p>"I want to automate linting—I'll use pre-commit hooks."</p>
</li>
<li><p>"This merge conflict makes sense—Git is comparing tree objects."</p>
</li>
<li><p>"Branches are cheap—they're literally just pointers."</p>
</li>
</ul>
<p>You stop fearing Git and start leveraging it.</p>
<h3 id="heading-key-takeaways"><strong>Key Takeaways</strong></h3>
<ol>
<li><p><strong>Git is just files and directories</strong> - No magic, no mystery</p>
</li>
<li><p><strong>Branches are pointers</strong> - Creating them is nearly free</p>
</li>
<li><p><strong>Objects are immutable</strong> - Once created, they never change</p>
</li>
<li><p><strong>The staging area is real</strong> - It's <code>.git/index</code></p>
</li>
<li><p><strong>Everything is recoverable</strong> - Thanks to reflog and objects</p>
</li>
<li><p><strong>Git is hackable</strong> - Hooks let you automate workflows</p>
</li>
<li><p><strong>Commits store snapshots</strong> - Not diffs</p>
</li>
</ol>
<p>The next time you run <code>git init</code>, remember: you're not just initializing a repository. You're creating a time machine, a database, and an automation system—all stored in plain files.</p>
<h2 id="heading-git-flow">Git Flow</h2>
<p>Git Flow was created by Vincent Driessen in 2010. It is tailor-made for projects that thrive on structure, such as those with strict release cycles or large teams juggling multiple features. It provides a clear roadmap, guiding teams through development, testing, and production with ease. This structure helps everyone stay aligned and focused, avoiding confusion along the way.</p>
<p>What makes Git Flow truly special is its use of <strong>different types of branches</strong>, each with a unique role in the development journey. Think of it like roles in a movie: some branches are the stars, others work behind the scenes, but together, they create a masterpiece.</p>
<h3 id="heading-why-use-git-flow">Why Use Git Flow?</h3>
<p>Git Flow offers a high level of organization for managing software projects. Here are some reasons why teams might adopt Git Flow:</p>
<ul>
<li><p><strong>Clear Branching Model</strong>: It separates different types of work (features, releases, hotfixes), making it easier for teams to collaborate and understand what’s happening at each stage of the development process.</p>
</li>
<li><p><strong>Easy to Scale</strong>: Git Flow works well for large teams and projects where multiple developers need to work on features independently while maintaining a stable main branch.</p>
</li>
<li><p><strong>Release Management</strong>: It integrates well with release cycles and provides a clear path for creating and managing releases, from development to production.</p>
</li>
<li><p><strong>Supports Hotfixes</strong>: The hotfix strategy provides that urgent bugs can be addressed without disrupting the ongoing work in development.</p>
</li>
</ul>
<h3 id="heading-core-branches-in-git-flow">Core Branches in Git Flow</h3>
<p>Git Flow revolves around two primary branches that serve as the foundation of the repository. These branches represent the stable, ongoing development process and the production-ready codebase.</p>
<ol>
<li><strong>Main (or Master) Branch</strong></li>
</ol>
<p>This branch contains the stable production-ready code. It’s where the latest production releases are tagged, and it should always reflect the state of the project that is live in production. You should only merge into the <code>main</code> branch when you’re deploying to production. All releases are tagged with version numbers here (e.g., <code>v1.0.0</code>, <code>v1.1.0</code>). Typically, it’s named <code>main</code> or <code>master</code>, depending on your preference or the Git provider’s default.</p>
<ol start="2">
<li><strong>Develop Branch</strong></li>
</ol>
<p>This branch serves as the integration branch for ongoing development. It holds all the code that’s been merged and tested and is considered the most up-to-date version of the next release. Developers commit their changes to feature branches, and once they are finished, they merge them into <code>develop</code>. When the code in <code>develop</code> is stable and ready for release, it will be merged into the <code>main</code> branch. By default, this branch is named <code>develop</code>.</p>
<p></p>
<h3 id="heading-supporting-branches-in-git-flow">Supporting Branches in Git Flow</h3>
<p>Git Flow also uses supporting branches to manage specific tasks like new features, releases, and hotfixes. These are where most of the action happens during the development cycle.</p>
<ol>
<li><strong>Feature Branches</strong></li>
</ol>
<p>These branches are used to develop new features or changes. Feature branches are typically created off the <code>develop</code> branch and are merged back into <code>develop</code> once the feature is complete. Feature branches are named according to the feature being developed, e.g., <code>feature/user-authentication</code> or <code>feature/payment-gateway</code>. This helps easily identify the purpose of each branch.</p>
<ul>
<li><p>When starting a new feature, create a branch from <code>develop</code>.</p>
</li>
<li><p>Work on the feature and commit changes regularly.</p>
</li>
<li><p>Once complete, merge the feature back into the <code>develop</code> branch.</p>
</li>
</ul>
<p>After a feature is merged, it is important to rebase the feature branch with <code>develop</code> to guarantee there are no conflicts.</p>
<ol start="2">
<li><strong>Release Branches</strong></li>
</ol>
<p>When a certain set of features is ready for release, but additional testing, bug fixes, or preparation for deployment is needed, a release branch is created. This branch helps isolate the final stages of development from ongoing feature work in <code>develop</code>. Typically named <code>release/1.0.0</code>, <code>release/2.0.0</code>, etc., based on the version number of the release.</p>
<ul>
<li><p>When <code>develop</code> is stable and ready for release, a release branch is created.</p>
</li>
<li><p>The release branch is used for last-minute fixes, preparing documentation, and adjusting configuration files.</p>
</li>
<li><p>After testing, the release branch is merged into both <code>main</code> (for deployment) and <code>develop</code> (to ensure any final changes are reflected in future development).</p>
</li>
</ul>
<p>Once the release is completed and merged into <code>main</code>, it’s tagged with the release version (e.g., <code>v1.0.0</code>). It is then merged back into <code>develop</code> to provide any changes made during the release process are incorporated into the ongoing development.</p>
<ol start="3">
<li><strong>Hotfix Branches</strong></li>
</ol>
<p>Hotfixes are used to quickly patch bugs in production. When critical issues are discovered in the <code>main</code> branch (e.g., security vulnerabilities or bugs affecting users), a hotfix branch is created from <code>main</code> to address the issue immediately. Typically named <code>hotfix/bug-fix</code>, e.g., <code>hotfix/security-patch</code>.</p>
<ul>
<li><p>A hotfix is created directly from the <code>main</code> branch.</p>
</li>
<li><p>The necessary changes have been made and committed to the hotfix branch.</p>
</li>
<li><p>Once the fix is complete, the hotfix branch is merged back into both <code>main</code> (for deployment) and <code>develop</code> (to secure future development, includes the fix.)</p>
</li>
</ul>
<p>Hotfixies are typically fast, providing a quick fix without disturbing ongoing feature development. Once merged, the hotfix branch is deleted.</p>
<h3 id="heading-git-flow-workflow-in-action">Git Flow Workflow in Action</h3>
<p>Here is an example of how a typical Git Flow workflow would unfold:</p>
<ol>
<li><p><strong>Start with a</strong> <code>develop</code> <strong>branch</strong>: This is the main development branch. All work begins here, with new features being developed in their own branches.</p>
</li>
<li><p><strong>Create a feature branch</strong> from <code>develop</code> for each new feature: Developers work on isolated branches for individual features or changes. Each branch is frequently merged back into <code>develop</code> after completing a feature.</p>
</li>
<li><p><strong>Create a release branch</strong> when <code>develop</code> is stable and ready for release. This branch prepares the code for production. It is used for final testing, bug fixes, and release-related tasks.</p>
</li>
<li><p><strong>Merge the release branch into</strong> <code>main</code> <strong>and tag it</strong>: Once the release branch is stable, it is merged into <code>main</code>, tagged with a version, and deployed.</p>
</li>
<li><p><strong>Create hotfixes</strong> if needed: If bugs are found in production, a hotfix branch is created directly from <code>main</code> to fix them.</p>
</li>
</ol>
<p>Git Flow provides clear guidelines for how to work on different types of changes and helps to ensure that the master branch always contains stable, tested code.</p>
<p>It’s important to note that Git Flow is one of the many branching models that can be used with Git, and it may not be the best fit for every team or project. It’s a great starting point for teams new to Git, but as the team and the project grow, it’s important to re-evaluate and see if it still fits the team’s needs.</p>
<h2 id="heading-comparing-git-branching-strategies"><strong>Comparing Git Branching Strategies</strong></h2>
<p>Picture this: You are leading a development team, and everyone is pushing code simultaneously. Without a clear branching strategy, your codebase becomes a tangled mess of conflicts, broken builds, and frustrated developers. Sound familiar? If you have ever found yourself in this situation, you are not alone.</p>
<p>A branching strategy is your team’s roadmap for managing code changes, collaborating effectively, and shipping quality software. It’s essentially a set of rules that guide how developers interact with a shared codebase, determining when to create branches, how to merge changes, and how to maintain code stability throughout the development process.</p>
<p>But it’s more than just rules. A good branching strategy aligns with how your team works your release cycles, QA workflows, CI/CD pipelines, and even how often you hotfix to production. Without one, you will likely end up firefighting merge conflicts during crunch time or accidentally pushing half-baked code to production.</p>
<p>In this section, we will break down the most popular branching strategies, when to use them, and how to pick the right one based on your team size, workflow, or development style. Whether you are building solo or working with a fast-moving squad, having a solid branching strategy will make collaboration smoother and releases far less painful.</p>
<h3 id="heading-why-your-team-needs-a-branching-strategy">Why Your Team Needs a Branching Strategy</h3>
<p>Think of branching strategies as traffic rules for your codebase. Without them, you are asking for chaos on the digital highway when your developers ship code every day.</p>
<p>Here’s why a solid branch strategy matters:</p>
<ul>
<li><p><strong>Enhanced Collaboration</strong>: Branching allows multiple developers to work simultaneously without stepping on each other’s toes. Each developer can create their own isolated workspace while staying connected to the main project. No more waiting for someone to finish a task before you can start yours.</p>
</li>
<li><p><strong>Risk Mitigation</strong>: By isolating new features, bug fixes, or experimental code in separate branches, you protect your main codebase from instability. Your production branch stays clean and deployable, while innovation continues safely in parallel.</p>
</li>
<li><p><strong>Organised Workflow</strong>: A well-defined branching model prevents the dreaded merge-hell, those nightmare situations where code conflicts pile up and break the build. It brings structure to how changes are integrated and released.</p>
</li>
<li><p><strong>Quality Control</strong>: Most branching strategies incorporate pull requests, reviews, and CI pipelines, making sure every change is reviewed and tested before being deployed to production. This leads to cleaner code, fewer bugs, and more confidence in every deploy.</p>
</li>
</ul>
<p>Let’s dive into the most popular branching strategies and see which one might be the perfect fit for your team.</p>
<h3 id="heading-gitflow">GitFlow</h3>
<p>Originally introduced by Vincent Driessen in 2010, <strong>GitFlow</strong> is one of the most structured and widely adopted branching strategies for managing complex projects. It’s designed around formal release cycles, making it a strong choice for teams that value process, stability, and long-term maintenance.</p>
<p><strong>How GitFlow Works</strong></p>
<p>GitFlow defines <strong>five core branches</strong>, each with a specific purpose:</p>
<ul>
<li><p><code>main</code> — Contains production-ready code. Every commit here is a stable release.</p>
</li>
<li><p><code>develop</code> — The integration branch where new features are merged before they’re ready to go live.</p>
</li>
<li><p><code>feature/*</code> — For building out new functionality. Branches off from <code>develop</code> and merges back into it.</p>
</li>
<li><p><code>release/*</code> — Used to prep a new version for production. Created from <code>develop</code> and eventually merged into both <code>main</code> and <code>develop</code>.</p>
</li>
<li><p><code>hotfix/*</code> — For urgent fixes on production. Created from <code>main</code>, then merged back into both <code>main</code> and <code>develop</code>.</p>
</li>
</ul>
<p></p>
<p><strong>When To Use GitFlow</strong></p>
<p>GitFlow is a great fit if:</p>
<ul>
<li><p>Your team follows scheduled release cycles.</p>
</li>
<li><p>You need to maintain multiple versions (e.g., patch v1.x while working on v2.x).</p>
</li>
<li><p>You have formal QA or staging environments.</p>
</li>
<li><p>Your project has complex release management or compliance requirements.</p>
</li>
</ul>
<p><strong>Props of GitFlow</strong></p>
<ul>
<li><p>Clear separation of concerns across features, releases, and hotfixes</p>
</li>
<li><p>Ideal for parallel development across different product versions</p>
</li>
<li><p>Structured workflow enforces discipline and quality control</p>
</li>
<li><p>Predictable release cycles with designed staging periods</p>
</li>
</ul>
<p><strong>Cons of GitFlow</strong></p>
<ul>
<li><p>Adds complexity, not ideal for small teams or fast-moving startups</p>
</li>
<li><p>Not suited for continuous deployment: GitHub Flow or trunk-based is better for that.</p>
</li>
<li><p>Can result in long-lived branches, increasing the risk of merge conflicts</p>
</li>
<li><p>Slows down delivery due to multiple approval stages and manual coordination</p>
</li>
</ul>
<p>GitFlow is powerful, but it’s a heavyweight. If your team thrives on structure and you manage multiple release versions, GitFlow will serve you well. But, if speed and simplicity are your top priorities, consider something leaner.</p>
<h3 id="heading-github-flow">GitHub Flow</h3>
<p>If GitFlow is all about structure and process, GitHub Flow is its minimalist cousin. This strategy keeps things simple, just one main branch and short-lived feature branches. It is designed for teams that ship fast and often, especially those embracing continuous deployment.</p>
<p><strong>How GitHub Flow Works</strong></p>
<p>This workflow is refreshingly straightforward.</p>
<ol>
<li><p>Create a <strong>feature branch</strong> from <code>main</code></p>
</li>
<li><p>Push commits to the feature branch</p>
</li>
<li><p>Open a <strong>pull request</strong> for code review and automated tests</p>
</li>
<li><p>Once approved, <strong>merge back to</strong> <code>main</code></p>
</li>
<li><p>Deploy immediately (optional but encouraged)</p>
</li>
</ol>
<p>Everything in <code>main</code> should always be production-ready.</p>
<p></p>
<p><strong>When To Use GitHub Flow</strong></p>
<p>GitHub Flow is ideal if:</p>
<ul>
<li><p>Your team practices continuous deployment</p>
</li>
<li><p>You have strong automated testing in place</p>
</li>
<li><p>You ship frequently, small releases</p>
</li>
<li><p>You are working in a small to mid-sized team.</p>
</li>
</ul>
<p><strong>Props of Github Flow</strong></p>
<ul>
<li><p>Simple and intuitive to adapt, with no complex branching rules</p>
</li>
<li><p>Perfect for rapid iteration and a fast feedback loop.</p>
</li>
<li><p>Plays well with CI/CD pipelines</p>
</li>
<li><p>Encourages frequent integration, reducing big-bang mergers.</p>
</li>
</ul>
<p><strong>Cons of GitHub Flow</strong></p>
<ul>
<li><p>Not designed for multiple production versions or LTS support</p>
</li>
<li><p>In large teams, it can result in frequent merge conflicts</p>
</li>
<li><p>No formal release staging or QA branching</p>
</li>
<li><p>Requires strong test automation to avoid pushing bugs to production</p>
</li>
</ul>
<p>GitHub Flow is lean, fast, and DevOps-friendly. If your team values speed over ceremony and has good CI/CD hygiene, this model will feel like second nature.</p>
<h3 id="heading-gitlab-flow">GitLab Flow</h3>
<p>GitLab Flow is a hybrid strategy that builds on GitFlow and GitHub Flow but brings environments and development workflows into a mix. It was introduced by GitLab to better connect development branches with deployment environments, making it particularly useful in projects with a clear DevOps pipeline.</p>
<p><strong>How GitLab Flow works</strong></p>
<p><em>Production Branch Model</em></p>
<ul>
<li><p>Developers create feature branches from <code>main</code> or <code>develop</code></p>
</li>
<li><p>Merge back into the mainline when complete</p>
</li>
<li><p>Tag releases and deploy from <code>main</code> to environments</p>
</li>
</ul>
<p><em>Environment-Based Model</em></p>
<ul>
<li><p>Each environment (e.g. <code>pre-prod</code>, <code>staging</code>, <code>production</code>) has a dedicated branch</p>
</li>
<li><p>Merges promote changes from lower to higher environments</p>
</li>
</ul>
<p>You can also combine this with <strong>issue tracking</strong>, where branches directly map to issues or epics (<code>feature/123-login-page</code>).</p>
<p></p>
<p><strong>When to Use GitLab Flow</strong></p>
<ul>
<li><p>You want to map branches to environments or deployments</p>
</li>
<li><p>You use GitLab CI/CD pipelines and want to keep them tightly integrated</p>
</li>
<li><p>Your team needs flexibility, but also structure between releases</p>
</li>
</ul>
<p><strong>Pros of GitLab Flow</strong></p>
<ul>
<li><p>Tightly integrates with CI/CD and DevOps tooling</p>
</li>
<li><p>Supports both continuous delivery and versioned releases</p>
</li>
<li><p>Encourages better traceability (commits linked to issues, merges to environments)</p>
</li>
</ul>
<p><strong>Cons of GitLab Flow</strong></p>
<ul>
<li><p>It can be confusing for beginners due to multiple models</p>
</li>
<li><p>Needs strict discipline to avoid inconsistencies across the environment branches</p>
</li>
</ul>
<p>GitLab Flow is highly adaptable and DevOps-friendly. If you use GitLab and want your Git branching to reflect your deployment lifecycle, this is your go-to.</p>
<h3 id="heading-environment-branching">Environment Branching</h3>
<p><strong>Environment Branching</strong> is a strategy where each deployment environment (like <code>dev</code>, <code>qa</code>, <code>staging</code>, <code>prod</code>) has its branch. Teams using this model push code from one environment branch to the next as it progresses through the pipeline.</p>
<p><strong>How Environment Branching Works</strong></p>
<ul>
<li><p>Developers work on <code>dev</code>, test on <code>qa</code>, stabilise in <code>staging</code>, and deploy from <code>prod</code></p>
</li>
<li><p>Promotions happen via merging between branches:<br />  <code>dev</code> → <code>qa</code> → <code>staging</code> → <code>prod</code></p>
</li>
</ul>
<p></p>
<p><strong>When to Use Environment Branching</strong></p>
<ul>
<li><p>You’re working with legacy systems or manual promotion processes</p>
</li>
<li><p>Your CI/CD tooling is limited or non-existent</p>
</li>
<li><p>You want full control over what gets pushed to each environment</p>
</li>
</ul>
<p><strong>Pros of Environment Branching</strong></p>
<ul>
<li><p>Very explicit control over deployments</p>
</li>
<li><p>Simple to understand in legacy or manual release workflows</p>
</li>
</ul>
<p><strong>Cons of Environment Branching</strong></p>
<ul>
<li><p>High risk of divergence between environments</p>
</li>
<li><p>Code may behave differently in each branch if not carefully synchronised</p>
</li>
<li><p>Difficult to scale with modern CI/CD practices</p>
</li>
<li><p>Anti-pattern in most modern DevOps setups</p>
</li>
</ul>
<p>Environment Branching gives you control, but at a cost. It’s rarely recommended for modern teams and should generally be avoided unless necessary.</p>
<h3 id="heading-trunk-based-development">Trunk-Based Development</h3>
<p><strong>Trunk-Based Development (TBD)</strong> is the go-to strategy for high-performing engineering teams that deploy multiple times a day. It’s simple at the surface but demands real discipline underneath. The idea? Everyone works off a single branch, no long-lived branches, no complex release trees. Just fast commits and faster feedback.</p>
<p><strong>How Trunk-Based Development Works</strong></p>
<p>There’s one main branch, often called <code>main</code> or <code>trunk</code>. All development happens here.</p>
<ul>
<li><p>Developers commit directly to <code>main</code>, often <strong>multiple times per day</strong>.</p>
</li>
<li><p>Changes are small, incremental, and backed by <strong>automated tests</strong>.</p>
</li>
<li><p>Incomplete features are hidden behind <strong>feature flags</strong>, so code can ship without being user-visible.</p>
</li>
</ul>
<p></p>
<p><strong>When to Use Trunk-Based Development</strong></p>
<p>This strategy works best if:</p>
<ul>
<li><p>Your team follows continuous integration religiously.</p>
</li>
<li><p>You have a strong automated testing setup (unit + integration + end-to-end).</p>
</li>
<li><p>You’re building SaaS products or anything that updates frequently.</p>
</li>
<li><p>Your team is experienced with feature flagging and CI/CD tools.</p>
</li>
</ul>
<p><strong>Pros of Trunk-Based Development</strong></p>
<ul>
<li><p>No more painful merges, everyone works on the same code path.</p>
</li>
<li><p>Encourages true continuous integration and early bug discovery.</p>
</li>
<li><p>Delivers the fastest feedback loops from dev to prod.</p>
</li>
<li><p>Simplifies the workflow, no juggling of multiple active branches.</p>
</li>
</ul>
<p><strong>Cons of Trunk-Based Development</strong></p>
<ul>
<li><p>Requires robust testing to avoid breaking production.</p>
</li>
<li><p>Not ideal for large, monolithic features (unless they’re behind flags).</p>
</li>
<li><p>You’ll need to manage feature flags carefully to avoid technical debt.</p>
</li>
<li><p>Demands a high level of discipline across the team — sloppy commits will hurt.</p>
</li>
</ul>
<p>Trunk-Based Development is fast, clean, and CI/CD friendly, but it’s not for the faint of heart. If your team is mature, test-driven, and ships frequently, TBD can supercharge your workflow.</p>
<h3 id="heading-release-branching">Release Branching</h3>
<p>If your product has long-term users, multiple versions in the wild, and strict release schedules, <strong>Release Branching</strong> is your secret weapon. This strategy helps you isolate each major release so you can squash bugs, patch security issues, and ship updates without slowing down future development.</p>
<p><strong>How Release Branching Works</strong></p>
<p>The idea is simple:</p>
<ul>
<li><p>When you’re ready to stabilise a version for release, <strong>create a release branch</strong> from your mainline (<code>main</code> or <code>develop</code>).</p>
</li>
<li><p>All <strong>bug fixes and release-specific tweaks</strong> go into this branch.</p>
</li>
<li><p>Meanwhile, the <code>main</code> branch stays open for <strong>ongoing feature development</strong>.</p>
</li>
<li><p>Once the release is finalised, it gets <strong>tagged and deployed</strong>, and if needed, hotfixes can be applied directly to this release branch.</p>
</li>
</ul>
<p>Example branches might look like: <code>release/v2.0</code>, <code>release/v2.1.1</code>, etc.</p>
<p></p>
<p><strong>When to Use Release Branching</strong></p>
<p>You’ll benefit from this model if:</p>
<ul>
<li><p>You support multiple product versions simultaneously (e.g., v1.x, v2.x).</p>
</li>
<li><p>Your releases are tied to deadlines (quarterly, client-based, etc.).</p>
</li>
<li><p>You need to provide long-term support or hotfixes for older versions.</p>
</li>
<li><p>You have a formal stabilisation and QA process before every release.</p>
</li>
</ul>
<p><strong>Pros of Release Branching</strong></p>
<ul>
<li><p>Clean isolation between feature development and stabilisation work.</p>
</li>
<li><p>Supports parallel development and maintenance efforts.</p>
</li>
<li><p>Great for version tracking and rollback in production environments.</p>
</li>
<li><p>Ideal for products that require long-term support (LTS).</p>
</li>
</ul>
<p><strong>Cons of Release Branching</strong></p>
<ul>
<li><p>It can get complex with many active branches to maintain.</p>
</li>
<li><p>Requires disciplined merge practices to sync fixes back into <code>main</code>.</p>
</li>
<li><p>Easy to fall into branch proliferation, where every minor version lives forever.</p>
</li>
</ul>
<p>Release Branching gives you control and stability across versions. It’s not the fastest strategy, but for teams juggling support and innovation, it brings much-needed order.</p>
<h3 id="heading-feature-branching">Feature Branching</h3>
<p><strong>Feature Branching</strong> is probably the most widely used and easiest-to-understand strategy. It’s the default mental model for most developers — create a branch for each new piece of work, build in isolation, and merge back when you’re done. Simple, effective, and foundational to many modern Git workflows.</p>
<p><strong>How Feature Branching Works</strong></p>
<ul>
<li><p>Start by branching off from <code>main</code> (or <code>develop</code>) to work on a specific feature or bug fix.</p>
</li>
<li><p>You commit changes to this branch until the work is complete.</p>
</li>
<li><p>Once reviewed and tested, the branch is merged back — typically via a <strong>pull request</strong>.</p>
</li>
<li><p>Branches are usually named like <code>feature/login-form</code> or <code>bugfix/payment-error</code>.</p>
</li>
</ul>
<p></p>
<p><strong>When to Use Feature Branching</strong></p>
<p>Feature Branching is a solid choice when:</p>
<ul>
<li><p>Your team is new to Git workflows and needs a gentle learning curve.</p>
</li>
<li><p>You want to isolate features or experiments without risk to mainline stability.</p>
</li>
<li><p>You value clear ownership of features or fixes.</p>
</li>
<li><p>Your project has medium complexity, without too many parallel changes.</p>
</li>
</ul>
<p><strong>Pros of Feature Branching</strong></p>
<ul>
<li><p>Provides clear isolation between features, reducing the risk of accidental interference.</p>
</li>
<li><p>Super easy to adopt and understand, great for onboarding teams.</p>
</li>
<li><p>Encourages better code reviews through pull request workflows.</p>
</li>
<li><p>Offers a flexible foundation that can scale into more advanced strategies (like Git Flow or GitHub Flow).</p>
</li>
</ul>
<p><strong>Cons of Feature Branching</strong></p>
<ul>
<li><p>It can result in long-lived branches if not merged frequently.</p>
</li>
<li><p>Integration challenges arise when multiple feature branches are merged after diverging for too long.</p>
</li>
<li><p>Potential for merge conflicts, especially on fast-moving teams with overlapping work areas.</p>
</li>
</ul>
<p>Feature Branching is the go-to starting point for most teams. It offers clarity and control, but needs discipline to avoid merge headaches down the road.</p>
<h3 id="heading-forking-workflow">Forking Workflow</h3>
<p>When you’re running an open source project, letting just anyone push to the main repo isn’t an option. That’s where the <strong>Forking Workflow</strong> comes in. It’s built for scale, safety, and distributed collaboration, which is why it’s the default model used on GitHub for open source contributions.</p>
<p><strong>How Forking Workflow Works</strong></p>
<ul>
<li><p>A contributor <strong>forks</strong> the main repository, creating their copy on the server (usually GitHub).</p>
</li>
<li><p>They <strong>clone their fork locally</strong>, create a feature or fix branch, and commit changes.</p>
</li>
<li><p>Once ready, they <strong>open a pull request</strong> back to the original repository (commonly called <code>upstream</code>).</p>
</li>
<li><p>Maintainers review, request changes, and decide whether to merge.</p>
</li>
</ul>
<p>This model gives project maintainers <strong>full control</strong> while still allowing anyone to contribute.</p>
<p></p>
<p><strong>When to Use Forking Workflow</strong></p>
<p>Consider forking if:</p>
<ul>
<li><p>You’re running an open-source project with external contributors.</p>
</li>
<li><p>You want strict control over what enters the main codebase.</p>
</li>
<li><p>Your team is distributed or made up of untrusted/external developers.</p>
</li>
<li><p>You expect a high volume of pull requests from the community.</p>
</li>
</ul>
<p><strong>Pros of Forking Workflow</strong></p>
<ul>
<li><p>No write access required for contributors, keeps your main branch safe.</p>
</li>
<li><p>Full control stays with project maintainers.</p>
</li>
<li><p>Scales beautifully with large numbers of contributors.</p>
</li>
<li><p>The de facto standard for open source collaboration.</p>
</li>
</ul>
<p><strong>Cons of Forking Workflow</strong></p>
<ul>
<li><p>Slightly more complex setup for new contributors (fork, clone, sync, pull request).</p>
</li>
<li><p>Overkill for small, trusted internal teams adds unnecessary friction.</p>
</li>
<li><p>Requires understanding of <code>origin</code> vs <code>upstream</code> remotes, which can trip up beginners.</p>
</li>
</ul>
<p>Forking Workflow is purpose-built for open source. It trades simplicity for control and security, exactly what you need when anyone on the internet can submit code.</p>
<h3 id="heading-choosing-the-right-strategy-for-your-team">Choosing the Right Strategy for Your Team</h3>
<p>Picking the right branching strategy isn’t a one-size-fits-all decision. It depends on how your team works, what you’re building, and how often you ship.</p>
<p>Here are some key factors to guide your choice:</p>
<p><strong>Team Size</strong></p>
<ul>
<li><p><strong>Small teams (2–5 developers)</strong>: GitHub Flow or Trunk-Based Development tends to work best, fewer branches, faster iteration.</p>
</li>
<li><p><strong>Larger teams</strong>: GitFlow or Release Branching provides the structure needed for coordination, especially across multiple squads.</p>
</li>
</ul>
<p><strong>Release Frequency</strong></p>
<ul>
<li><p><strong>Deploying daily or multiple times per day?</strong> Go with GitHub Flow or Trunk-Based; they’re designed for speed.</p>
</li>
<li><p><strong>Shipping on a schedule (e.g., quarterly releases)?</strong> GitFlow or Release Branching gives you the stability and process control you need.</p>
</li>
</ul>
<p><strong>Product Complexity</strong></p>
<ul>
<li><p><strong>Simple apps or MVPs</strong>: Keep it lightweight with GitHub Flow.</p>
</li>
<li><p><strong>Complex, enterprise-grade systems</strong>: Benefit from GitFlow’s or Release Branching’s separation of concerns.</p>
</li>
</ul>
<p><strong>Team Experience</strong></p>
<ul>
<li><p><strong>New teams</strong>: Start with Feature Branching or GitHub Flow — simple and easy to grasp.</p>
</li>
<li><p><strong>Mature teams</strong>: Can evolve toward Trunk-Based or GitFlow as tooling and CI/CD processes mature.</p>
</li>
</ul>
<p><strong>Compliance Requirements</strong></p>
<ul>
<li>If you’re in a <strong>regulated industry</strong> (finance, healthcare, etc.), you’ll likely need the <strong>formal approval gates</strong> and documentation trail offered by GitFlow or Release Branching.</li>
</ul>
<p>For more detailed explanations about the difference between those branching strategies. Check out those articles: <a target="_blank" href="https://medium.com/thedevproject/comparing-git-branching-strategies-git-flow-vs-github-flow-vs-gitlab-flow-2e1dd28be103">Comparing Git Branching Strategies</a>, <a target="_blank" href="https://medium.com/@technicadil_001/collaborative-git-workflows-gitflow-github-flow-and-trunk-based-development-dc77da145e3e">Collaborative Git Workflows</a></p>
<h2 id="heading-the-only-git-branching-strategy-that-works-in-real-teams"><strong>The Only Git Branching Strategy That Works in Real Teams</strong></h2>
<p>After years of messy merges, broken main branches, and endless “quick fixes,” I’ve found one branching model that consistently works — not in theory, but in real-world engineering teams with deadlines, pressure, and humans.</p>
<h3 id="heading-introduction-every-team-thinks-they-have-a-git-strategy-until-they-dont">Introduction: Every Team Thinks They Have a Git Strategy — Until They Don’t</h3>
<p>If you’ve worked on even one engineering team in your life, you already know this:<br />Git chaos isn’t caused by Git.<br />It’s caused by people.</p>
<p>Developers forget to rebase.<br />Long-lived branches drift for weeks.<br />Hotfixes magically appear in production without making it to <code>main</code>.<br />Someone merges half-finished work because “the sprint was ending anyway.”</p>
<p>And yet, every team proudly claims they “follow GitFlow,” or they “do trunk-based development,” or they “use feature branches with pull requests.” In practice? Most teams follow a chaotic cocktail of all three — sprinkled with confusion, tribal knowledge, and Slack messages like:</p>
<blockquote>
<p><em>“Wait, which branch should I open the PR against?”</em></p>
</blockquote>
<p>After a decade of working across startups, agencies, enterprise teams, and open-source projects, I’ve seen one branching strategy succeed more consistently than anything else:</p>
<p>👉 <strong>Short-Lived Feature Branches + a Protected Main Branch + Continuous Integration</strong></p>
<p>It sounds almost… disappointingly simple.<br />But it works — because it respects developer habits, real-world constraints, and the natural messiness of software teams.</p>
<p>Let’s break it down.</p>
<h3 id="heading-why-complex-branching-models-fail-in-real-teams">Why Complex Branching Models Fail in Real Teams</h3>
<p>Before we talk about what works, we need to talk about what fails — because the “why” is what makes the “how” stick.</p>
<ol>
<li><strong>GitFlow is great on paper and miserable in reality</strong></li>
</ol>
<p>GitFlow gives you:</p>
<ul>
<li><p>A <code>develop</code> branch</p>
</li>
<li><p>A <code>main</code> branch</p>
</li>
<li><p>Feature branches</p>
</li>
<li><p>Release branches</p>
</li>
<li><p>Hotfix branches</p>
</li>
<li><p>Occasional existential crisis branches</p>
</li>
</ul>
<p>The idea is to isolate work and organize releases.<br />The reality? Teams struggle to keep everything in sync.</p>
<p>Most GitFlow projects slowly devolve into:</p>
<ul>
<li><p>“Where does this go again?”</p>
</li>
<li><p>“Did we merge this into <code>develop</code> or only into <code>main</code>?"</p>
</li>
<li><p>“Why is the release branch 45 commits behind?”</p>
</li>
</ul>
<p>The overhead is too high. The cognitive load is too high.<br />And when a branching model requires this much discipline, it collapses.</p>
<ol start="2">
<li><strong>Trunk-Based Development fails when teams don’t have instant CI</strong></li>
</ol>
<p>In true trunk-based development (TBD):</p>
<ul>
<li><p>Everyone commits to <code>main</code> daily</p>
</li>
<li><p>Very small batches</p>
</li>
<li><p>Strict CI gating</p>
</li>
<li><p>Feature flags everywhere</p>
</li>
</ul>
<p>This works if you’re Google.<br />Or Netflix.<br />Or any team with god-tier tooling.</p>
<p>But in normal teams?</p>
<ul>
<li><p>PR reviews take time</p>
</li>
<li><p>CI pipelines are slow</p>
</li>
<li><p>Partially complete work can’t be safely merged</p>
</li>
<li><p>Everyone fears “breaking main”</p>
</li>
</ul>
<p>So developers start creating temporary branches…<br />which become long-lived branches…<br />which breaks TBD.</p>
<ol start="3">
<li><strong>Long-lived branches kill velocity every single time</strong></li>
</ol>
<p>The longer a branch lives, the more painful it becomes:</p>
<ul>
<li><p>Bigger PRs</p>
</li>
<li><p>More merge conflicts</p>
</li>
<li><p>More forgotten context</p>
</li>
<li><p>More code that “looked fine last week”</p>
</li>
</ul>
<p>This is how you get The Merge From Hell™.</p>
<p>Nothing slows teams down more reliably.</p>
<h3 id="heading-the-branching-strategy-that-actually-works">The Branching Strategy That Actually Works</h3>
<p>Here it is — the model I’ve seen succeed across 30+ teams:</p>
<blockquote>
<p><strong><em>Short-lived feature branches → Pull Request → CI checks → Merge to a fully protected</em></strong> <code>main</code> <strong><em>→ Deploy automatically.</em></strong></p>
</blockquote>
<p>Some call it “Feature Branching.”<br />Some call it a “lightweight GitHub Flow.”<br />I call it “The Only Strategy Humans Can Follow.”</p>
<p>Let’s break it into parts.</p>
<ol>
<li><strong>A Single Source of Truth:</strong> <code>main</code></li>
</ol>
<p><code>main</code> isn't just another branch.<br />It’s <strong>The Branch No One Touches</strong>.</p>
<p>Rules:</p>
<ul>
<li><p>No direct pushes</p>
</li>
<li><p>Only merge via pull requests</p>
</li>
<li><p>All merges must pass CI</p>
</li>
<li><p>All merges must pass at least one code review</p>
</li>
<li><p><code>main</code> always deployable</p>
</li>
</ul>
<p>If <code>main</code> is always stable, everything else becomes simpler:</p>
<ul>
<li><p>Releases are predictable</p>
</li>
<li><p>Hotfixes are trivial</p>
</li>
<li><p>Rollbacks are instant</p>
</li>
<li><p>Developers trust the codebase</p>
</li>
</ul>
<p>A safe <code>main</code> creates a less anxious engineering culture.</p>
<ol start="2">
<li><strong>Short-Lived Feature Branches</strong></li>
</ol>
<p>Every task — big or small — gets a branch:</p>
<pre><code class="lang-javascript">feature/login-page
bugfix/payment-timeout
chore/refactor-header
experiment/<span class="hljs-keyword">new</span>-cache
</code></pre>
<p>The branch lives for <strong>days, not weeks</strong>.</p>
<p>Why this works:</p>
<ul>
<li><p>Easy PR reviews</p>
</li>
<li><p>Small changes minimize conflicts</p>
</li>
<li><p>Fast merges keep code fresh</p>
</li>
<li><p>Better psychological momentum (finishing things feels good)</p>
</li>
</ul>
<p>If a branch lives more than 5–7 days, it’s a smell.</p>
<ol start="3">
<li><strong>Frequent Sync with</strong> <code>main</code></li>
</ol>
<p>Don’t wait until the end to sync.</p>
<p>Developers should rebase or merge <code>main</code> frequently:</p>
<ul>
<li><p>Avoid huge conflicts</p>
</li>
<li><p>Stay up to date with teammate changes</p>
</li>
<li><p>Keep PRs small and clean</p>
</li>
</ul>
<p>Your pull request shouldn’t resurface 80 old commits from last month.</p>
<ol start="4">
<li><strong>Pull Requests with Real Discussions</strong></li>
</ol>
<p>PRs are where engineering culture happens.</p>
<p>A good PR is:</p>
<ul>
<li><p>Small</p>
</li>
<li><p>Focused</p>
</li>
<li><p>Contextual (what + why)</p>
</li>
<li><p>Easy to review in <10 minutes</p>
</li>
</ul>
<p>A bad PR is:</p>
<ul>
<li><p>900 lines</p>
</li>
<li><p>Multiple unrelated changes</p>
</li>
<li><p>Described with “minor fixes”</p>
</li>
<li><p>Reviewed only when someone gets tired of waiting</p>
</li>
</ul>
<p>PRs should be treated as collaborative conversations, not bureaucratic roadblocks.</p>
<ol start="5">
<li><strong>CI as the Uncompromising Gatekeeper</strong></li>
</ol>
<p>Humans are smart.<br />Git is smart.<br />Your CI pipeline is smarter.</p>
<p>Every PR must pass:</p>
<ul>
<li><p>Linting</p>
</li>
<li><p>Unit tests</p>
</li>
<li><p>Integration tests</p>
</li>
<li><p>Security checks</p>
</li>
<li><p>Build checks</p>
</li>
</ul>
<p>CI enforces discipline even when the team gets busy.</p>
<p>CI is the team member who never sleeps and never forgets.</p>
<ol start="6">
<li><strong>Automatic Deployment from</strong> <code>main</code></li>
</ol>
<p>This is the secret weapon.</p>
<p>Don’t create release branches.<br />Don’t manually cherry-pick fixes.<br />Don’t keep half-finished features hidden.</p>
<p>Just deploy <code>main</code>.</p>
<p>With this:</p>
<ul>
<li><p>Releases become boring (a good thing)</p>
</li>
<li><p>Hotfixes become trivial</p>
</li>
<li><p>Developers gain confidence</p>
</li>
</ul>
<p>If you want a release process:</p>
<ul>
<li><p>Tag versions (<code>v2.1.0</code>)</p>
</li>
<li><p>Maintain changelogs</p>
</li>
<li><p>Let automation handle the boring parts</p>
</li>
</ul>
<h3 id="heading-what-about-hotfixes">What About Hotfixes?</h3>
<p>Hotfixes are simple:</p>
<pre><code class="lang-javascript">hotfix/payment-crash
</code></pre>
<p>You branch from <code>main</code>, fix it, open a PR, merge, deploy.</p>
<p>Then — <strong>and this is the part most teams forget</strong> —<br />merge <code>main</code> back into any in-progress branches.</p>
<p>No more “the hotfix was never merged into develop.”</p>
<h3 id="heading-why-this-model-works-when-everything-else-fails">Why This Model Works When Everything Else Fails</h3>
<p>Simple:<br />It reduces cognitive load.</p>
<p>Most branching strategies fall apart because they assume developers will:</p>
<ul>
<li><p>Read long documentation</p>
</li>
<li><p>Follow complex rules</p>
</li>
<li><p>Remember obscure merge paths</p>
</li>
<li><p>Coordinate manually across teams</p>
</li>
</ul>
<p>This model succeeds because it works even when people are:</p>
<ul>
<li><p>Tired</p>
</li>
<li><p>Busy</p>
</li>
<li><p>Rushing a deadline</p>
</li>
<li><p>Switching between tasks</p>
</li>
<li><p>Joining mid-sprint</p>
</li>
<li><p>Working across time zones</p>
</li>
</ul>
<p>It’s the only model I’ve seen scale from 2-person startups to multi-team orgs without breaking.</p>
<h3 id="heading-how-to-transition-your-team-to-this-strategy">How to Transition Your Team to This Strategy</h3>
<p>Start with three simple rules:</p>
<p><strong>Rule 1: No one pushes to</strong> <code>main</code>. Ever.</p>
<p>Make it a protected branch.</p>
<p><strong>Rule 2: Every task gets a branch and a PR.</strong></p>
<p>Small, focused, easy to review.</p>
<p><strong>Rule 3: CI must pass before merging.</strong></p>
<p>Non-negotiable.</p>
<p>Then gradually introduce:</p>
<ul>
<li><p>Feature flags</p>
</li>
<li><p>Automatic deployments</p>
</li>
<li><p>Better test coverage</p>
</li>
<li><p>PR templates</p>
</li>
<li><p>Branch naming conventions</p>
</li>
</ul>
<p>Do it slowly.<br />Habits take time.</p>
<p>But the payoff is enormous.</p>
<h2 id="heading-automated-app-versioning">Automated App Versioning</h2>
<p>Imagine a software without versioning, any change to an application would be a chaotic leap into the unknown. Developers wouldn’t know if a new feature was added, a bug fixed, or if the application would ever run properly. Versioning provides clarity and structure, offering a roadmap for both developers and users.</p>
<p>In the intricate dance of versioning, each number tells a story, a story that extends beyond development and seamlessly interwines with the software testing cycle.</p>
<blockquote>
<p>Application versioning isn’t just a formality; it’s a strategic guide through the intricate phases of the software testing cycle. From alpha to release candidates (RC) and hotfixes, versioning ensures systematic testing and meticulous tracking of changes.</p>
</blockquote>
<h3 id="heading-why-does-versioning-matter">Why does versioning matter?</h3>
<p>Versioning serves as a critical foundation for a seamless and organized workflow. Here’s why it matters:</p>
<ol>
<li><p><strong>Traceability</strong>: Versioning provides a clear trail of changes, allowing teams to trace back and understand the evolution of the software.</p>
</li>
<li><p><strong>Communication</strong>: Clear version numbers act as a universal language, facilitating communication among developers, testers, and stakeholders.</p>
</li>
<li><p><strong>Coordination</strong>: Acts as a coordination mechanism, ensuring everyone involved is on the same page regarding the current state of the software.</p>
</li>
<li><p><strong>Testing Efficiency</strong>: In the testing lifecycle, versioning enables efficient testing by distinguishing between alpha, beta, and release candidates.</p>
</li>
<li><p><strong>Bug Tracking:</strong> Facilitates effective bug tracking, making it easier to identify when an issue was introduced and which changes are associated.</p>
</li>
<li><p><strong>Stability Assurance:</strong> Versioning helps ensure the stability of releases by clearly indicating backward-compatible and incompatible changes.</p>
</li>
</ol>
<p>Versioning, therefore, is not just a matter of differentiation between what is in the release and what is already deployed to production. It’s a strategic necessity in the ever-evolving realm of software development. It provides clarity, promotes collaboration, and enhances the overall efficiency of the development cycle.</p>
<p></p>
<h3 id="heading-semantic-versioning-semver-explained">Semantic Versioning (SemVer) Explained</h3>
<p>Semantic Versioning (SemVer) is a standardized versioning system that precisely communicates changes in the software release. The version number in SemVer comprises three segments: Major, Minor, and Patch.</p>
<ul>
<li><p><strong>Major Version (X.0.0):</strong> Significant, backward-incompatible changes. Incremented for breaking changes.</p>
</li>
<li><p><em>Example</em>: Current version: <strong>1.2.3</strong>, After breaking change: <strong>2.0.0</strong></p>
</li>
<li><p><strong>Minor Version (X.Y.0):</strong> Backward-compatible additions or enhancements. Incremented for new features.</p>
</li>
<li><p><em>Example</em>:Current version: <strong>1.2.3</strong>, After adding a feature: <strong>1.3.0</strong></p>
</li>
<li><p><strong>Patch Version (X.Y.Z):</strong> Backward-compatible bug fixes. Incremented for bug patches.</p>
</li>
<li><p><em>Example</em>:Current version: <strong>1.2.3,</strong> After fixing a bug: <strong>1.2.4</strong></p>
</li>
<li><p><strong>Pre-release Version:</strong> Identified by appending a hyphen and a series of dot-separated identifiers following the patch version. Denoted as “alpha,” “beta,” etc.</p>
</li>
<li><p><em>Example</em>: Alpha release: <strong>1.2.3-alpha.1,</strong> Beta release: <strong>1.2.3-beta.2</strong></p>
</li>
<li><p><strong>Numeric Metadata:</strong> Identified by appending a plus sign and a series of dot-separated numeric identifiers following the patch or pre-release version.Not considered for version precedence.</p>
</li>
<li><p><em>Example</em>: With numeric metadata: <strong>1.2.3-alpha.1+42</strong> . Basically used as a build number.</p>
</li>
</ul>
<p>Semantic Versioning enables clear communication about the nature of changes in the release, fostering predictability and ensuring compatibility across different versions of a software project.</p>
<p>Understanding Semantic Versioning aids in transparently conveying changes within a project. Now, check out <a target="_blank" href="https://levelup.gitconnected.com/automated-app-versioning-using-gitversion-gitflow-mandatory-practice-not-an-optional-2feb5c64c94f">this article</a> to explore how to seamlessly integrate SemVer into the Git Workflow using GitVersion.</p>
<p></p>
<h2 id="heading-squash-commits">Squash Commits</h2>
<p>When you squash commits, you combine 2 or multiple commits into a single commit. This is useful when you have multiple small commits that are related to the same feature or fix, and you want to simplify your commit history. Squashing commits also makes it easier to review your changes and to track down bugs.</p>
<h3 id="heading-how-to-squash-commits">How to Squash Commits</h3>
<p>Here are the steps to squash commits in a git repository using the git CLI:</p>
<ol>
<li><p>Determine how many commits you want to squash. You can use the <code>git log</code> command to see a list of your commits and their hashes.</p>
</li>
<li><p>Use the <code>git rebase -i HEAD~N</code> command to open the interactive rebase tool, where <code>N</code> is the number of commits you want to squash.</p>
</li>
<li><p>In the text editor that opens, replace “pick” with “squash” or “fixup” for each commit you want to squash. “Squash” will combine the commit with the one before it, while “fixup” will combine the commit and discard its commit message.</p>
</li>
<li><p>Save and exit the editor by pressing <code>Ctrl + X</code>, then <code>Y</code>, and finally <code>Enter</code>.</p>
</li>
<li><p>If you have conflicts, resolve them by editing the conflicted files, staging the changes with <code>git add</code>, and then running <code>git rebase --continue</code>.</p>
</li>
<li><p>Force push the changes to the remote branch with <code>git push -f</code>.</p>
</li>
</ol>
<h2 id="heading-modern-git-commands">Modern Git Commands</h2>
<p>Git, however, introduced many features since then, and using them can make your life so much easier, so let’s explore some of the recently added, modern git commands that you should know about.</p>
<h3 id="heading-switch">Switch</h3>
<p>New since 2019, or more precisely, introduced Git version 2.23, is <code>git switch</code> which we can use to switch branches:</p>
<pre><code class="lang-typescript">git <span class="hljs-keyword">switch</span> other-branch
git <span class="hljs-keyword">switch</span> -  # Switch back to previous branch, similar to <span class="hljs-string">"cd -"</span>
git <span class="hljs-keyword">switch</span> remote-branch  # Directly <span class="hljs-keyword">switch</span> to remote branch and start tracking it
</code></pre>
<p>Well, that’s cool, but we’ve been switching branches in Git since forever using <code>git checkout</code>, why the need for a separate command? <code>git checkout</code> is a very versatile command - it can (among other things) check out or restore specific files or even specific commits, while the new <code>git switch</code> <em>only</em> switches the branch. Additionally, <code>switch</code> performs extra sanity checks that <code>checkout</code> doesn't, for example, switch would abort operation if it would lead to loss of local changes.</p>
<h3 id="heading-restore">Restore</h3>
<p>Another new subcommand/feature added in Git version 2.23 is <code>git restore</code>, that we can use to restore a file to the last committed version:</p>
<pre><code class="lang-typescript"># Unstage changes made to a file, same <span class="hljs-keyword">as</span> <span class="hljs-string">"git reset some-file.py"</span>
git restore --staged some-file.py

# Unstage and discard changes made to a file, same <span class="hljs-keyword">as</span> <span class="hljs-string">"git checkout some-file.py"</span>
git restore --staged --worktree some-file.py

# Revert a file to some previous commit, same <span class="hljs-keyword">as</span> <span class="hljs-string">"git reset commit -- some-file.py"</span>
git restore --source HEAD~<span class="hljs-number">2</span> some-file.py
</code></pre>
<p>The comments in the above snippet explain the workings of various <code>git restore</code>. Generally speaking <code>git restore</code> replaces and simplifies some of the use cases of <code>git reset</code> and <code>git checkout</code> which are already overloaded features. See also <a target="_blank" href="https://git-scm.com/docs/git#_reset_restore_and_revert">this docs section</a> for comparison of <code>revert</code>, <code>restore</code> and <code>reset</code>.</p>
<h3 id="heading-sparse-checkout">Sparse Checkout</h3>
<p>The next one is <code>git sparse-checkout</code>, a little more obscure feature that was added in Git 2.25, which was released on January 13, 2020.</p>
<p>Let’s say you have a large monorepo, with microservices separated into individual directories, and commands such as <code>checkout</code> or <code>status</code> are super slow because of the repository size, but maybe you really just need to work with a single subtree/directory. Well, <code>git sparse-checkout</code> to the rescue:</p>
<pre><code class="lang-typescript">$ git clone --no-checkout https:<span class="hljs-comment">//github.com/derrickstolee/sparse-checkout-example</span>
$ cd sparse-checkout-example
$ git sparse-checkout init --cone  # Configure git to only match files <span class="hljs-keyword">in</span> root directory
$ git checkout main  # Checkout only files <span class="hljs-keyword">in</span> root directory
$ ls
bootstrap.sh  LICENSE.md  README.md

$ git sparse-checkout set service/common

$ ls
bootstrap.sh  LICENSE.md  README.md  service

$ tree .
.
├── bootstrap.sh
├── LICENSE.md
├── README.md
└── service
    ├── common
    │   ├── app.js
    │   ├── Dockerfile
    ... ...
</code></pre>
<p>In the above example, we first clone the repo without actually checking out all the files. We then use <code>git sparse-checkout init --cone</code> to configure <code>git</code> to only match files in the root of the repository. So, after running checkout, we only have 3 files rather than the whole tree. To then download/checkout a particular directory, we use <code>git sparse-checkout set ...</code>.</p>
<p>As already mentioned, this can be very handy when working locally with huge repos, but it’s equally useful in CI/CD for improving the performance of a pipeline, when you only want to build/deploy part of the monorepo and there’s no need to check out everything.</p>
<p>For a detailed write-up about <code>sparse-checkout</code> see <a target="_blank" href="https://github.blog/2020-01-17-bring-your-monorepo-down-to-size-with-sparse-checkout/">this article</a>.</p>
<h3 id="heading-worktree">Worktree</h3>
<h3 id="heading-git-worktree">Git Worktree</h3>
<ol>
<li><strong>What is a Git Worktree</strong></li>
</ol>
<p><a target="_blank" href="https://git-scm.com/docs/git-worktree">Git worktree</a> is a feature in Git. Before we see Git worktree, let us see the normal Git flow.</p>
<h4 id="heading-the-normal-git-flow"><strong>The normal Git flow</strong></h4>
<ul>
<li><p>You have one working folder.</p>
</li>
<li><p>You have one active branch.</p>
</li>
<li><p>Switching branches changes all files in that folder</p>
</li>
</ul>
<pre><code class="lang-javascript">my-app/
├── src/
├── README.md
└── .git/
</code></pre>
<p>When you run <code>git checkout “feature-abc”,</code> the whole folder switches to that branch.</p>
<h4 id="heading-the-git-work-tree-flow"><strong>The Git work tree flow</strong></h4>
<ul>
<li><p>Work trees let you have many working folders from the same repo.</p>
</li>
<li><p>Each folder can have its own branch.</p>
</li>
<li><p>You can work in all of them at the same time without switching anything.</p>
</li>
</ul>
<blockquote>
<p>In simple words, you can work in parallel without switching branches.</p>
</blockquote>
<pre><code class="lang-javascript">my-app/                    
├── src/
├── README.md
└── .git/

my-app-feature-a/          ← Worktree <span class="hljs-number">1</span> (feature-a branch)
├── src/
├── README.md
└── .git                   ← File points to main repo

my-app-feature-b/          ← Worktree <span class="hljs-number">2</span> (feature-b branch)
├── src/
├── README.md
└── .git                   ← File points to main repo
</code></pre>
<p></p>
<ol start="2">
<li><strong>Git Worktree with Git Clone</strong></li>
</ol>
<p></p>
<p>The points above explain the concept. But the commands make it crystal clear.</p>
<p>This is what we do in a normal clone and what we do when we use work trees.</p>
<p></p>
<ol start="3">
<li><strong>Git Worktree Commands</strong></li>
</ol>
<p>There are a few basic Git work tree commands you will use often.</p>
<p><strong>Create Worktree</strong></p>
<pre><code class="lang-javascript"># Create a work tree and a <span class="hljs-keyword">new</span> branch
git worktree add <worktree-path> -b <<span class="hljs-keyword">new</span>-branch-name>

# Example
git worktree add ../add-header -b feature/add-header


# Create a work tree <span class="hljs-keyword">from</span> an existing branch
git worktree add <worktree-path> <span class="xml"><span class="hljs-tag"><<span class="hljs-name">branch-name</span>></span>

# Example
git worktree add ../ui-changes feature/ui-changes</span>
</code></pre>
<p><strong>List worktree</strong></p>
<pre><code class="lang-javascript"># list all active work trees
git worktree list
</code></pre>
<p><strong>Remove Worktree</strong></p>
<pre><code class="lang-javascript"># remove a work tree
git worktree remove <worktree-path>

# Example
git worktree remove ../add-header
</code></pre>
<p><strong>One Branch Per Worktree Rule</strong></p>
<p>Git has a simple rule for work trees. One branch can live in only one work tree at a time.</p>
<p>If the branch is already used in a work tree, Git will block you from using it again. See the screenshot below.</p>
<p></p>
<h3 id="heading-bisect">Bisect</h3>
<p>Last but not least, <code>git bisect</code>, which isn't so new (Git 1.7.14, released on May 13, 2012), but most people are using only <code>git</code> features from around 2005, so I think it's worth showing anyway.</p>
<p>As the <a target="_blank" href="https://git-scm.com/docs/git-bisect">docs page</a> describes it: <code>git-bisect</code> <em>- Use binary search to find the commit that introduced a bug</em>:</p>
<pre><code class="lang-typescript">git bisect start
git bisect bad HEAD  # Provide the broken commit
git bisect good <span class="hljs-number">479420</span>e  # Provide a commit, that you know works
# Bisecting: <span class="hljs-number">2</span> revisions left to test after <span class="hljs-built_in">this</span> (roughly <span class="hljs-number">1</span> step)
# [<span class="hljs-number">3258487215718444</span>a6148439fa8476e8e7bd49c8] Refactoring.

# Test the current commit...
git bisect bad  # If the commit doesn<span class="hljs-string">'t work
git bisect good # If the commit works

# Git bisects left or right half of range based on the last command
# Continue testing until you find the culprit

git bisect reset  # Reset to original commit</span>
</code></pre>
<p>We start by explicitly starting the bisection session with <code>git bisect start</code>, after which we provide the commit that doesn't work (most likely the <code>HEAD</code>) and the last known working commit or tag. With that information, <code>git</code> will check out a commit halfway between the <em>"bad"</em> and <em>"good"</em> commit. At which point we need to test whether that version has the bug or not, we then use <code>git bisect good</code> to tell <code>git</code> that it works or <code>git bisect bad</code> that it doesn't. We keep repeating the process until no commits are left and <code>git</code> will tell us which commit is the one that introduced the issue.</p>
<p>I recommend checking out the <a target="_blank" href="https://git-scm.com/docs/git-bisect">docs page</a> that shows a couple more options for git bisect, including visualizing, replaying, or skipping a commit.</p>
<h2 id="heading-cherry-picking-commits">Cherry-Picking Commits</h2>
<p>Need a specific commit from another branch? Cherry-picking lets you apply it to your current branch without merging the entire branch.</p>
<p><strong>How to use it:</strong></p>
<pre><code class="lang-typescript">git cherry-pick <commit-hash>
</code></pre>
<p><strong>Why it’s cool:</strong><br />It gives you the flexibility to bring in individual features or fixes without merging all the other changes from the source branch.</p>
<p><strong>Pro tip:</strong><br />This is especially useful when you need to backport bug fixes or small features.</p>
<h2 id="heading-blame-a-line-of-code">Blame a Line of Code</h2>
<p>Want to know who wrote a specific line of code? <code>git blame</code> gives you a line-by-line history of who changed what in a file.</p>
<p><strong>How to use it:</strong></p>
<pre><code class="lang-typescript">git blame <filename>
</code></pre>
<p><strong>Why it’s cool:</strong><br />It’s an easy way to track down who made a change and when, especially when debugging issues.</p>
<p><strong>Pro tip:</strong><br />Combine this with <code>git log -- <file></code> to get a more detailed history of changes.</p>
<h2 id="heading-quick-commit-fix">Quick Commit Fix</h2>
<p>Forgot to add a file or made a typo in your commit message? <code>git commit --amend</code> lets you update the commit without creating a new one.</p>
<p><code>git commit --amend</code></p>
<p>You can fix mistakes instantly without cluttering your commit history.</p>
<p>This is great for squashing small mistakes without polluting your Git log with unnecessary commits.</p>
<h2 id="heading-tagging-a-commit">Tagging a Commit</h2>
<p>Tags are useful for marking specific points in your Git history, such as releases.</p>
<p><strong>How to use it:</strong></p>
<pre><code class="lang-typescript">git tag -a v1<span class="hljs-number">.0</span> -m <span class="hljs-string">"Version 1.0 release"</span>
</code></pre>
<p><strong>Why it’s cool:</strong><br />It helps in marking important milestones, making it easy to jump back to a particular version later.</p>
<p><strong>Pro tip:</strong><br />Use lightweight tags (<code>git tag <tagname></code>When you don’t need additional metadata.</p>
<h2 id="heading-view-all-git-operations-git-reflog">View All Git Operations (Git Reflog)</h2>
<h3 id="heading-the-real-reason-developers-fear-git">The Real Reason Developers Fear Git</h3>
<p>Before we dive into the reflog, let’s address an uncomfortable truth:</p>
<p><strong>Most developers don’t trust themselves with Git.</strong></p>
<p>They’ve all lived through at least one horror story:</p>
<ul>
<li><p>A branch was accidentally deleted</p>
</li>
<li><p>A rebase gone wrong</p>
</li>
<li><p>A force push that wiped someone’s work</p>
</li>
<li><p>A commit lost in the void, never to be seen again</p>
</li>
</ul>
<p>So people stick to “safe” operations.<br />They avoid rebasing.<br />They avoid rewriting history.<br />They avoid anything that looks like it might ruin the repo.</p>
<p>But here’s the secret senior developers know:</p>
<p><strong>Git is far less delicate than you think — because the reflog remembers everything.</strong></p>
<h3 id="heading-wait-what-exactly-is-the-reflog">Wait… What Exactly Is the Reflog?</h3>
<p>You’ve probably used Git logs:</p>
<pre><code class="lang-javascript">git log
</code></pre>
<p>…but the log only shows reachable commits — the ones still connected to branches or tags.</p>
<p>The <strong>reflog (reference log)</strong> is different. It records <em>every movement</em> of branch heads, even if commits become “lost” or detached.</p>
<p>Every checkout.<br />Every reset.<br />Every branch switch.<br />Every rebase rewrite.<br />Every commit that disappears from the log.</p>
<p>Git keeps it all.</p>
<p>Run this:</p>
<pre><code class="lang-javascript">git reflog
</code></pre>
<p>And suddenly you see the <em>real</em> history of your repo — not just the final, polished timeline.</p>
<h3 id="heading-why-senior-engineers-rely-on-the-reflog-daily">Why Senior Engineers Rely on the Reflog Daily</h3>
<p>Senior developers love the reflog because it unlocks something powerful:</p>
<p><strong>1. It makes “dangerous” commands safe</strong></p>
<p>Want to rebase aggressively?<br />Want to rewrite history?<br />Want to force-push after cleaning up commits?</p>
<p>Seniors do all of this — because they know they can undo anything.</p>
<p><strong>2. It makes mistakes reversible</strong></p>
<p>Accidentally deleted a branch?</p>
<pre><code class="lang-javascript">git branch -D feature/payment
</code></pre>
<p>No panic.<br />The reflog has the commit:</p>
<pre><code class="lang-javascript">git reflog
git checkout -b feature/payment <commit-id>
</code></pre>
<p>Fixed.</p>
<p><strong>3. It saves work that you thought you lost forever</strong></p>
<p>Ever reset the wrong branch?</p>
<p>Ever commit something and forget where it went?</p>
<p>Ever stash something and later realize it didn’t apply cleanly?</p>
<p>Reflog keeps all of that.</p>
<p><strong>4. It speeds up debugging</strong></p>
<p>Seniors often ask:<br />“What commit was I on 20 minutes ago?”</p>
<p>Reflog answers that instantly.</p>
<p><strong>5. It encourages experimentation</strong></p>
<p>When you stop worrying about losing work, something amazing happens:</p>
<p>You explore.<br />You take risks.<br />You try new workflows.<br />You get <em>better</em> at Git.</p>
<h2 id="heading-squash-commits-1">Squash Commits</h2>
<p>Want to clean up your commit history before pushing? Squashing commits lets you combine several into one for a neater history.</p>
<p><strong>How to use it:</strong></p>
<pre><code class="lang-typescript">git rebase -i HEAD~<<span class="hljs-built_in">number</span>-<span class="hljs-keyword">of</span>-commits>
</code></pre>
<p><strong>Why it’s cool:</strong><br />Squashing makes your commit history look polished and professional, especially when you’re sharing with a team.</p>
<p><strong>Pro tip:</strong><br />This is ideal for combining multiple small fixes into one clear commit before pushing.</p>
<h1 id="heading-git-best-practices">Git Best Practices</h1>
<p>The use of the Git tool is crucial for the development process of an application, whether working in a team or individually. However, it’s common to encounter messy repositories, commits with unclear messages that don’t convey useful information, and misuse of branches, among other issues. Knowing how to use Git correctly and following good practices is essential for those who want to excel in the job market.</p>
<h2 id="heading-stop-breaking-your-codebase-the-git-hooks-nobody-told-you-about">Stop Breaking Your Codebase: The Git Hooks Nobody Told You About</h2>
<p>Automated tests, block secrets, and enforce lean commits before disaster strikes.</p>
<p>When I first discovered Git Hooks, I felt like I had unlocked a hidden superpower in Git. Imagine automating small and repetitive tasks — without needing extra external tools or fancy CI/CD pipelines, right inside your local Git workflow. That’s exactly what Git Hooks let you do.</p>
<h3 id="heading-what-are-git-hooks">What Are Git Hooks?</h3>
<p>Git Hooks are scripts that Git automatically executes before or after certain events, like committing, pushing, or merging code.</p>
<p>Think of them as a little “guardians“ of your repository. For example:</p>
<ul>
<li><p>A pre-commit hook can check your code formatting before a commit is made.</p>
</li>
<li><p>A pre-push hook can run tests before code is pushed to the remote.</p>
</li>
<li><p>A commit-msg hook can enforce commit conventions</p>
</li>
</ul>
<p>Git already provides sample hooks in every repository inside the <code>.git/hooks/</code> folder. You just need to enable or customize them.</p>
<h3 id="heading-why-githooks-matter-in-the-real-world">Why GitHooks Matter in The Real World?</h3>
<p>In theory, you could ask your team to remember rules like:</p>
<ul>
<li><p>“Always format your code before committing.”</p>
</li>
<li><p>“Don’t push without running tests.”</p>
</li>
<li><p>“Follow our commit message convention.”</p>
</li>
</ul>
<p>But in reality, people forget. Deadline creep in, and rules get broken.</p>
<p>Hooks automate these rules, ensuring consistency and saving you from painful mistakes.</p>
<h3 id="heading-real-world-scenarios-amp-examples">Real-World Scenarios & Examples</h3>
<p><strong>1. Keeping Code Clean Before Commit</strong></p>
<p>Imagine you’re working on a Python project. The team agreed to use <code>black</code> for formatting, but developers sometimes forget.</p>
<p><strong>Solution:</strong> Add a <code>pre-commit</code> hook that auto-formats code before every commit.</p>
<pre><code class="lang-typescript"># .git/hooks/pre-commit
#!<span class="hljs-regexp">/bin/</span>sh
echo <span class="hljs-string">"Running Black formatter..."</span>
black .
git add .
</code></pre>
<p>✅ Result: Every commit is properly formatted — no arguments needed in code reviews.</p>
<p><strong>2. Enforcing Commit Message Convention</strong></p>
<p>Let’s say your team uses Conventional Commits. You want commit messages like:</p>
<pre><code class="lang-typescript">feat: add login API
fix: handle <span class="hljs-literal">null</span> pointer exception
docs: update README
</code></pre>
<p><strong>Solution:</strong> Use a <code>commit-msg</code> hook to reject invalid commit messages.</p>
<pre><code class="lang-typescript"># .git/hooks/commit-msg
#!<span class="hljs-regexp">/bin/</span>sh
commit_msg_file=$<span class="hljs-number">1</span>
commit_msg=$(cat <span class="hljs-string">"$commit_msg_file"</span>)
pattern=<span class="hljs-string">"^(feat|fix|docs|style|refactor|test|chore):"</span>
<span class="hljs-keyword">if</span> ! echo <span class="hljs-string">"$commit_msg"</span> | grep -qE <span class="hljs-string">"$pattern"</span>; then
  echo <span class="hljs-string">"❌ Commit message invalid! Must follow Conventional Commits."</span>
  exit <span class="hljs-number">1</span>
fi
</code></pre>
<p>✅ Result: Developers can’t commit unless they follow the convention.</p>
<p><strong>3. Running Tests Before Pushing</strong></p>
<p>Ever pushed broken code that failed the CI pipeline? Painful.</p>
<p><strong>Solution:</strong> Add a <code>pre-push</code> hook that runs tests locally before pushing.</p>
<pre><code class="lang-typescript"># .git/hooks/pre-push
#!<span class="hljs-regexp">/bin/</span>sh
echo <span class="hljs-string">"Running tests before push..."</span>
npm test
<span class="hljs-keyword">if</span> [ $? -ne <span class="hljs-number">0</span> ]; then
  echo <span class="hljs-string">"❌ Tests failed! Push aborted."</span>
  exit <span class="hljs-number">1</span>
fi
</code></pre>
<p>✅ Result: Only the tested code reaches the remote repository.</p>
<p><strong>4. Blocking Secrets from Being Committed</strong></p>
<p>A classic mistake: pushing an API key or password to GitHub.</p>
<p><strong>Solution:</strong> Add a <code>pre-commit</code> hook that scans for secrets.</p>
<pre><code class="lang-typescript"># .git/hooks/pre-commit
#!<span class="hljs-regexp">/bin/</span>sh
<span class="hljs-keyword">if</span> git diff --cached | grep -q <span class="hljs-string">"API_KEY"</span>; then
  echo <span class="hljs-string">"❌ Secret detected! Commit aborted."</span>
  exit <span class="hljs-number">1</span>
fi
</code></pre>
<p>✅ Result: Accidental leaks are caught before they leave your machine.</p>
<p><strong>Sharing Hooks with Your Team</strong></p>
<p>By default, hooks live in <code>.git/hooks/</code> and aren’t version-controlled. To share them with your team:</p>
<ol>
<li><p>Create a folder, e.g. <code>.githooks/</code></p>
</li>
<li><p>Store all hooks there</p>
</li>
<li><p>Set Git to use that directory:</p>
</li>
</ol>
<pre><code class="lang-typescript">git config core.hooksPath .githooks
</code></pre>
<p>Now, everyone using the repo gets the same hooks.</p>
<h3 id="heading-pro-tip-use-tools-to-manage-hooks">Pro Tip: Use Tools to Manage Hooks</h3>
<p>Instead of writing raw shell scripts, you can use tools like:</p>
<ul>
<li><p>Husky (for JavaScript projects)</p>
</li>
<li><p>pre-commit (multi-language support)</p>
</li>
</ul>
<p>These make it easier to manage and share hooks across projects. I am regularly using pre-commit tools on every public repository to ensure no .env files are mistakenly pushed, no secrets are shared, code is well formatted, etc. Here is a simplified pre-commit config from one of my repository <a target="_blank" href="https://github.com/imShakil/pacli"><strong>pacl</strong>i(personal access CLI tool**)**</a><strong>.</strong></p>
<pre><code class="lang-typescript">repos:
  - repo: https:<span class="hljs-comment">//github.com/psf/black</span>
    rev: <span class="hljs-number">25.1</span><span class="hljs-number">.0</span>
    hooks:
      - id: black
        args: [<span class="hljs-string">"--line-length=120"</span>]

  - repo: https:<span class="hljs-comment">//github.com/pycqa/flake8</span>
    rev: <span class="hljs-number">7.3</span><span class="hljs-number">.0</span>
    hooks:
      - id: flake8
        args: [<span class="hljs-string">"--max-line-length=120"</span>]

  - repo: https:<span class="hljs-comment">//github.com/pre-commit/pre-commit-hooks</span>
    rev: v6<span class="hljs-number">.0</span><span class="hljs-number">.0</span>
    hooks:
      - id: trailing-whitespace
      - id: end-<span class="hljs-keyword">of</span>-file-fixer
      - id: check-yaml

  - repo: https:<span class="hljs-comment">//github.com/pre-commit/mirrors-mypy</span>
    rev: v1<span class="hljs-number">.17</span><span class="hljs-number">.1</span>
    hooks:
      - id: mypy

  - repo: https:<span class="hljs-comment">//github.com/PyCQA/bandit</span>
    rev: <span class="hljs-number">1.8</span><span class="hljs-number">.6</span>
    hooks:
      - id: bandit
</code></pre>
<h2 id="heading-perfect-git-commit-messages">Perfect Git Commit Messages</h2>
<p>Commit serves as the tangible building blocks of a programmer’s craft. They act as the icing on the cake of code, and when written correctly, they bring substantial value. A well-written commit message becomes indispensable because it provides context; otherwise, a commit message wouldn’t be needed in the first place.</p>
<p><mark>A good commit shows whether a developer is a good collaborator.</mark></p>
<p>A common mistake among developers is treating the Git repository is a backup system. Randomly committing to capture the current state of code can impede your ability to comprehend past changes when checking out the codebase in the future. Commit messages like “WIP”, “Off for lunch”, “End of code for today”, “I am tired AF”, “Happy Weekend Team”, and “First to commit” will only clutter your Git log, making it too difficult to understand the essential commits you have made because none of these messages consists of any additional value.</p>
<h3 id="heading-8-standard-rules-for-writing-a-perfect-commit-message">8 Standard Rules for Writing a Perfect Commit Message</h3>
<p>These rules provide guidelines and best practices that ensure your commit messages are properly formatted and convey clear information. While the specific rules may vary based on different resources, the general aim is to enhance the readability and understandability of the commit message within the Git version control system.</p>
<ol>
<li><strong>Limit Subject to 50 Characters (Max)</strong></li>
</ol>
<p>When crafting the subject line of a commit message, it’s advisable to keep it concise and focused. The subject line serves as a quick summary of the commit’s purpose and should ideally be limited to a maximum of 50 characters.</p>
<p><mark>Struggling to fit within the 50-character limit can be indicative of a lack of clarity about the commit’s intent</mark>. Commit messages should be concise, clear, and easy to understand on their own. By adhering to this character limit, you are forced to prioritize the most critical information, making it easier for your team and your future self to understand the nature of the change at a glance.</p>
<ol start="2">
<li><strong>Capitalize only the first letter of the subject line</strong></li>
</ol>
<p>When composing a commit message, employ title case by capitalizing the first letter of the subject line, just like writing a concise sentence. Leave the rest of the message, including any additional details, in lowercase.</p>
<ol start="3">
<li><strong>Don’t put a period at the end of the subject line</strong></li>
</ol>
<p>The reason for not ending the subject line with a period is partly historical and partly to maintain a consistent style. The convention is to treat the subject line as the title or the command, which is why it’s written in the imperative mood (e.g., “Add feature” or “Fix bug” rather than “Added feature” or “Fixed bug”). Omitting the period at the end helps reinforce this convention and keeps subject lines concise.</p>
<p><code>git commit -v -m "Create the Cart Feature with a Nice Animation"</code></p>
<ol start="4">
<li><strong>Put a blank line between the Subject line and the body</strong></li>
</ol>
<p>While this guideline might appear unusual, it’s rooted in practicality. Many developers employ command-line interfaces for Git, which often lack automatic word wrapping. Consequently, intentional formatting rules have been introduced to ensure consistent and legible commit messages.</p>
<pre><code class="lang-typescript">git commit -v -m <span class="hljs-string">"Create the Cart Feature with a Nice Animation

Body...
"</span>
</code></pre>
<ol start="5">
<li><strong>Wrap Lines at 72 Characters for the Commit Body</strong></li>
</ol>
<p>It’s important to clarify that adhering to this guideline isn’t about traditional word wrapping, instead, this practice arises in the consideration that command-line users might experience truncated commit bodies beyond 72 characters.</p>
<p><code>Most of the time, your message will exceed 72 characters in length</code>. In such cases, it’s advisable to break the text and continue your sentence on the next line, as demonstrated in the commit message below:</p>
<pre><code class="lang-typescript">git commit -v -m <span class="hljs-string">"Create the Cart Feature with a Nice Animation

Enhanced the CSS layout of the cart section, addressing text
alignment issues and refining the layout for improved aesthetics
and readability."</span>
</code></pre>
<p>In conclusion, a standard practice for denoting bullet points involves using a hyphen or asterisk, followed by a single space. Additionally, it’s important to maintain a hanging indent to enhance organizational clarity.</p>
<ol start="6">
<li><strong>Use the imperative mood</strong></li>
</ol>
<p>A valuable practice involves crafting commit messages with the underlying understanding that the commit, when implemented, will achieve a precise action. Construct your commit message in a manner that logically completes the sentence <em>“If applied, this commit will…”.</em> For instance, rather than,<code>git commit -m "Fixed the bug on the layout page"</code> ❌, use this <code>git commit -m "Fix the bug on the layout page"</code> ✔</p>
<ol start="7">
<li><strong>Explain “What“ and “Why“, but not “How“</strong></li>
</ol>
<p><mark>Limiting commit messages to “what“ and “why“ creates concise yet informative explanations of each change. Developers seeking to understand how the code was implemented can refer directly to the codebase. Instead, highlight what was altered and the rationale for the change, including what component or area was affected</mark></p>
<ol start="8">
<li><strong>Angular’s Commit Message Practices</strong></li>
</ol>
<p>Angular stands as a prominent illustration of effective commit messaging practices. The Angular team advocates for the use of specific prefixes when crafting commit messages. These prefixes include “chore: ,” “docs: ,” “style: ,” “feat: ,” “fix: ,” “refactor: ,” and “test: .”. By incorporating these prefixes, the commit history becomes a valuable resource for understanding the nature of each commit.</p>
<h2 id="heading-naming-conventions-for-git-branches">Naming Conventions for Git Branches</h2>
<p>When you are working with code versioning, one of the main good practices that we should follow is using clear, descriptive names for branches, commits, and pull requests. Ensuring a concise workflow for all team members is essential. In addition to gaining productivity, documenting the development process of the project historically simplifies teamwork. By following these best practices, you will see benefits soon.</p>
<p>Based on it, the community created a branch naming convention that you can follow in your project. The use of the following items below is optional, but they can help to improve your development skills.</p>
<p><strong>1. Lowercase:</strong> Don't use uppercase letters in the branch name, stick to lowercase.</p>
<p><strong>2. Hyphen separated:</strong> If your branch name consists of more than one word, separate them with a hyphen. following the kebab-case convention. Avoid PascalCase, camelCase, or snake_case;</p>
<p><strong>3. (a-z, 0-9):</strong> Use only alphanumeric characters and hyphens in your branch name. Avoid any non-alphanumeric character;</p>
<p><strong>4. Please, don't use continuous hyphens (--).</strong> This practice can be confusing. For example, if you have branch types (such as a feature, bugfix, hotfix, etc.), use a slash (/) instead;</p>
<p><strong>5. Avoid ending your branch name with a hyphen</strong>. It does not make sense because a hyphen separates words, and there's no word to separate at the end.</p>
<p><strong>6. This practice is the most important:</strong> Use descriptive, concise, and clear names that explain what was done on the branch.</p>
<p><strong>Wrong branch names</strong></p>
<ul>
<li><p><code>fixSidebar</code></p>
</li>
<li><p><code>feature-new-sidebar-</code></p>
</li>
<li><p><code>FeatureNewSidebar</code></p>
</li>
<li><p><code>feat_add_sidebar</code></p>
</li>
</ul>
<p><strong>Good branch names</strong></p>
<ul>
<li><p>feature/new-sidebar</p>
</li>
<li><p>add-new-sidebar</p>
</li>
<li><p>hotfix/interval-query-param-on-get-historical-data</p>
</li>
</ul>
<h2 id="heading-always-git-pull-before-working-on-a-new-feature">Always git pull before working on a new feature</h2>
<p>Do this to avoid merge conflicts as much as possible.</p>
<p>Merge conflicts happen when:</p>
<ul>
<li><p>2 people are working on the same code in the same file</p>
</li>
<li><p>1 person pushes their code first</p>
</li>
<li><p>When the 2nd person tries to push their code, it conflicts with the code from the first person</p>
</li>
<li><p>In this case, git doesn’t know how to resolve this conflict in changes, and doesn’t want to for fear of causing either one developer to lose progress</p>
</li>
<li><p>As such, git causes a merge conflict — essentially asking the developers to handle the conflicting code themselves</p>
</li>
</ul>
<p>Advantages of running “git pull“ before working on a new feature:</p>
<ul>
<li><p>There might still be merge conflicts, but they are likely to contain smaller changes and be more manageable.</p>
</li>
<li><p>You ensure that your local codebase is up to date when you start working on something.</p>
</li>
</ul>
<h2 id="heading-remember-to-delete-branches-after-you-merge-them">Remember to delete branches after you merge them</h2>
<p>In a large project, chances are that devs are expected to create a new branch to work on a new feature. Which is good practice, as this acts as an additional layer of defence against devs accidently screwing up the master branch.</p>
<p><mark>But when you forget to delete their branches after merging, these branches pipe up more and more.</mark></p>
<p>Note — git stores your branches locally in the directory .git/refs/heads</p>
<p>So, what happens when we forget to delete 1000 branches? Git now has 1000 additional unused folders inside .git/refs/heads, which clogs things up and slows things down.</p>
<p>Verdict — remember to delete your branches after you merge them successfully</p>
<h2 id="heading-git-pruning-how-to-keep-your-repository-git-clean-and-efficient">Git Pruning: How to Keep Your Repository (.git) Clean and Efficient?</h2>
<p>As your project grows, your git repository can get cluttered with old, unreachable objects (commits, branches, trees) that no longer serve any purpose. If left unchecked, this clutter can slow things down, take up unnecessary disk space, and make the repo harder to manage.</p>
<p>Recently, in one of the projects I was working on, a <strong>2+ year-old codebase</strong> with contributions from many developers, I noticed something strange. Whenever I did a <strong>git fetch</strong> or <strong>git pull</strong>, it felt unusually slow. I deep dived into it and realized even after working on the project for just 3 months, my local repo was still holding onto stale branches and commits that were no longer relevant. These were <strong>taking up space and could lead to unnecessary conflict</strong>s or overhead later.</p>
<p>So, I started researching, and one of the simplest solutions I found was <strong>Git Pruning</strong>: <em>a clean and easy way to keep your repository tidy and efficient.</em></p>
<h3 id="heading-what-are-git-objects">What are Git Objects?</h3>
<p>Git stores everything, including commits, trees, and blobs, in the <strong><em>.git</em></strong>/objects folder. These objects are 3 types:</p>
<ul>
<li><p><strong>Commits</strong>: Representing snapshots of your project at different points in time.</p>
</li>
<li><p><strong>Trees</strong>: Representing directories and their structure.</p>
</li>
<li><p><strong>Blobs</strong>: Representing individual files.</p>
</li>
</ul>
<p>Over time, as you <strong>create, modify, and delete</strong> files and commits, Git’s internal database can accumulate objects that are no longer referenced by any branch or tag. They’re like files in your Downloads folder that you forgot about, just sitting there taking up space. These objects become <strong>“unreachable”</strong> and can consume unnecessary disk space.</p>
<p>Example :</p>
<ul>
<li><p>Delete branches,</p>
</li>
<li><p>Force-push changes,</p>
</li>
<li><p>Rewrite history with commands like git rebase.</p>
</li>
</ul>
<h3 id="heading-what-is-git-pruning">What is Git Pruning?</h3>
<p><strong>Git pruning is the cleanup process.</strong> It removes these unused objects and keeps your repository clean.</p>
<h3 id="heading-how-does-it-work">How does it work?</h3>
<p>Pruning is part of <a target="_blank" href="https://www.geeksforgeeks.org/git/git-gc-garbage-collection/"><strong><em>Git’s garbage collection</em></strong></a> (git gc). By default, Git waits 7 days before removing unreachable objects, in case you want to recover them. But you can prune right away using:</p>
<pre><code class="lang-xml">git gc --prune=now
</code></pre>
<ul>
<li><p><strong>Basic pruning</strong>: Deletes unreachable objects older than 7 days<a target="_blank" href="https://www.geeksforgeeks.org/git/git-gc-garbage-collection/">.</a></p>
</li>
<li><p><strong>Aggressive pruning</strong>: Deletes even more, including some objects still in the reflog.</p>
</li>
</ul>
<p>👉 <strong>Reflog? It</strong> is a git log that tracks all reference updates (like branch changes, HEAD movements) in your local repository. This means whenever you switch branches, reset a commit, or change the HEAD, Git records it in the reflog. It allows you to go back to previous states even if those commits are no longer visible in the current branch history. In simple words, reflog is like an "undo history" in Git; it gives you a way to go back in time.</p>
<h3 id="heading-why-and-when-to-use-pruning">Why and When to Use Pruning?</h3>
<p>Let’s say you’re working on a feature branch called feature/signup.</p>
<ol>
<li><p>You commit 10 changes while experimenting.</p>
</li>
<li><p>Later, you realize the history is messy, so you squash your commits and <strong>force push</strong> the branch.</p>
</li>
<li><p>From your perspective, everything looks fine. You only see the clean squashed commit on GitHub.</p>
</li>
</ol>
<p>But behind the scenes, your local <strong>.git/objects</strong> folder still contains those 10 old commits. They are unreachable, with no branch points to them, but they’re still taking up space.</p>
<p>Now imagine your teammate clones the repository or fetches/pulls the PR. The repo feels heavier than it should. <strong>Fetches take longer. Disk usage keeps growing.</strong></p>
<p>This is when pruning helps:</p>
<pre><code class="lang-xml">git gc --prune=now // Prune all objects now

git gc --prune="2025-01-01" //Prune objects older than a specific date

git gc --aggressive --prune=now // For a deeper clean: Aggressive Pruning

⚠️ Alert : It can delete objects you might still need.
</code></pre>
<p>After running it, Git clears out those unreachable commits. The <strong>.git/objects</strong> folder shrinks. Your repository is faster to clone, lighter to push around, and free of stale history.</p>
<p><strong><em>Before : (You can see how many files are in .git/objects)</em></strong></p>
<p></p>
<p><strong><em>Now: Let's run git pruning and clean unreachable objects</em></strong></p>
<p></p>
<p><strong><em>After: Just look at the difference, how much useless reference it cleared</em></strong></p>
<p></p>
<h3 id="heading-final-thoughts-amp-questions">Final Thoughts & Questions</h3>
<p><strong>1. Is git prune safe to use?</strong></p>
<p>Yes, git prune only removes truly unreachable objects. It won’t delete anything referenced by branches or tags.</p>
<p><strong>2. When should I run git prune?</strong></p>
<ul>
<li><p>Force-push and leave behind old commits,</p>
</li>
<li><p>Performing rebases on a repository is cluttered</p>
</li>
<li><p>Delete branches and want to clear their leftovers,</p>
</li>
<li><p>Notice your repo is bigger than it should be.</p>
</li>
<li><p>Repo fetching and pulling take longer than expected</p>
</li>
<li><p>When your project is going through development for a long time</p>
</li>
</ul>
<p><strong>3. What’s the difference between local and remote pruning?</strong></p>
<ul>
<li><p>Local pruning removes unreachable objects in your local repository.</p>
</li>
<li><p>Remote pruning removes references from deleted remote branches.</p>
</li>
</ul>
<p><strong>4. What are the commands to remember?</strong></p>
<ul>
<li><p>git gc --prune=now → Clean local repo immediately.</p>
</li>
<li><p>git fetch --prune origin → Remove stale remote branches.</p>
</li>
<li><p>git prune --dry-run → Preview before deleting.</p>
</li>
</ul>
<h2 id="heading-best-git-guis-compared">Best Git GUIs Compared</h2>
<p>Git is a version control system (VCS) that allows you to track the development of a project over time. At the time of Git’s inception in 2005, developers had to use the command line interface (CLI) to manage Git. Learning and using a command line is often extremely difficult task for many developers and in some cases represents a significant barrier of entry for those seeking to leverage the power of Git.</p>
<p>Enter the graphical user interface (GUI), also referred to as a Git Client. A <a target="_blank" href="https://www.gitkraken.com/git-client">Git GUI</a> is a tool that helps developers visualize their Git repositories and run Git actions with a few simple mouse clicks or keyboard shortcuts.</p>
<p>It’s common for new and seasoned developers to leverage Git UI in their regular workflow. As you learn more about Git and interact in related communities, you will likely notice that some people have very strong opinions about using a GUI vs the CLI. Both tools have significant benefits, and it’s important to remember that you should select the tools that help you write code you are proud of. Millions of developers around the world use Git GUIs to make their lives easier and level up their coding.</p>
<p>Check out <a target="_blank" href="https://www.gitkraken.com/blog/best-git-gui-client">this article</a> to figure out which is the best Git GUI.</p>
<h1 id="heading-git-tips">Git Tips</h1>
<p><a target="_blank" href="https://github.com/git-tips/tips">https://github.com/git-tips/tips</a></p>
<h2 id="heading-git-merge-vs-git-rebase">Git Merge vs Git Rebase</h2>
<p>When navigating the Git universe for version control, grasping the art of choosing between <code>git merge</code> and <code>git rebase</code> is pivotal for streamlining and organizing code management. Both wield considerable merging prowess, yet appropriateness and impact shimmer in distinct scenarios.</p>
<h3 id="heading-git-merge">Git Merge</h3>
<p><code>git-merge</code> is a non-destructive operation designed to weave changes from two branches into a harmonious tapestry. It forges a connection between the histories of these branches by crafting a brand new “merge commit“.</p>
<p><strong>Advantages</strong></p>
<ul>
<li><p>Preserve Historical Integrity: The merge operation reverently preserves the authentic history of both branches, leaving no tale untold.</p>
</li>
<li><p>Simple and Intuitive Merge: This approach is a friendly gateway for Git novices, offering simplicity and clarity in its operation.</p>
</li>
</ul>
<p><strong>Scenarios To Be Used</strong></p>
<p>git merge shines brightest in team collaborations, where safeguarding a comprehensive history and delineating clear merge points is deemed invaluable.</p>
<h3 id="heading-git-rebase">Git Rebase</h3>
<div class="embed-wrapper"><div class="embed-loading"><div class="loadingRow"></div><div class="loadingRow"></div></div><a class="embed-card" href="https://www.youtube.com/watch?v=yTFC_MvwJvQ">https://www.youtube.com/watch?v=yTFC_MvwJvQ</a></div>
<p> </p>
<p><code>git rebase</code>performs a graceful dance, placing changes from one branch atop the freshest alterations on another. This intricate process often involves a rhythmic rewriting of the commit history, sculpting it into a more linear narrative.</p>
<p><strong>Advantages</strong></p>
<ul>
<li><p>Clean Linear History 📜: Rebase choreographs a symphony of commits, resulting in a pristine and linear project history.</p>
</li>
<li><p>Avoid Redundant Merge Commits🚫🔄: It’s the maestro of minimizing unnecessary merge commits, keeping the melody of your project smooth.</p>
</li>
</ul>
<p><strong>Scenarios to be Used</strong></p>
<p><code>rebase</code> is the virtuoso when it comes to refining commits on a personal branch or updating a feature branch before unveiling changes to the entire team.</p>
<h3 id="heading-the-golden-rule-of-git-re-basing">The Golden Rule of Git Re-basing</h3>
<p>👑 <mark>“Never use </mark> <code>git rebase</code> <mark>on public branches.” This royal decree stands firm to prevent historical dissonance among team members, averting the cacophony of confusion that may arise from altered histories.</mark></p>
<h3 id="heading-choosing-between-git-merge-and-git-rebase">Choosing Between Git Merge and Git Rebase</h3>
<p>When faced with the decision of <code>git merge</code> versus <code>git rebase</code>, thought consideration of your work environment and the team’s workflow is key:</p>
<ul>
<li><p>For private or nascent feature branches, opting for <code>git rebase</code> can be akin to tidying up the stage before a grand performance. It helps maintain a clear and uncluttered history, especially when preparing for a pull request.</p>
</li>
<li><p>On the public branch in team collaborations, embracing <code>git merge</code> is like choosing the steady path. It’s a safer change, retaining a comprehensive historical record that’s effortlessly comprehensible and traceable for all team members.</p>
</li>
</ul>
<p><a target="_blank" href="https://www.atlassian.com/git/tutorials/merging-vs-rebasing">https://www.atlassian.com/git/tutorials/merging-vs-rebasing</a></p>
<h2 id="heading-undoing-commits-amp-changes">Undoing Commits & Changes</h2>
<h3 id="heading-git-revert-checkout-and-reset">Git Revert, Checkout, and Reset</h3>
<p>These three commands have entirely different purposes. They are not remotely similar.</p>
<p><strong>git revert</strong></p>
<p>This command creates a new commit that undoes the changes from a previous commit. This command adds a new history to the project (it doesn’t modify the existing history).</p>
<p><strong>git checkout</strong></p>
<p>This command checks out content from the repository and puts it in your worktree. It can also have other effects, depending on how the command was invoked. For instance, it can also change which branch you are currently working on. This command doesn’t make any changes to the history.</p>
<p><strong>git reset</strong></p>
<p>This command is a little more complicated. It actually does a couple of different things depending on how it is invoked. It modifies the index (the so-called "staging area"). Or it changes which commit a branch head is currently pointing at. This command may alter existing history (by changing the commit that a branch references).</p>
<h3 id="heading-using-these-commands">Using these commands</h3>
<p>If a commit has been made somewhere in the project’s history, and you later decide that the commit is wrong and should not have been done, then git revert is the tool for the job. It will undo the changes introduced in the bad commit, recording the “undo“ in the history.</p>
<p>If you have modified a file in your working tree, but haven't committed the change, then you can use <code>git checkout</code> to check out a fresh-from-repository copy of the file.</p>
<p>If you have made a commit, but haven't shared it with anyone else, and you decide you don't want it, then you can use <code>git reset</code> to rewrite the history so that it looks as though you never made that commit.</p>
<p>These are just some of the possible usage scenarios. There are other commands that can be useful in some situations, and the above three commands have other uses as well.</p>
<h2 id="heading-the-difference-between-git-pull-and-git-fetch">The difference between <code>git pull</code> and <code>git fetch</code></h2>
<p>In the simplest terms, <code>git pull</code> does a <code>git fetch</code> followed by a <code>git merge</code>.</p>
<p><code>git fetch</code> updates your remote-tracking branches under <code>refs/remotes/<remote>/</code>. This operation is safe to run at any time since it never changes any of your local branches under <code>refs/heads</code>.</p>
<p><code>git pull</code> brings a local branch up-to-date with its remote version, while also updating your other remote-tracking branches.</p>
<p>From the Git documentation for git pull:</p>
<blockquote>
<p><code>git pull</code> runs <code>git fetch</code> with the given parameters and then depending on configuration options or command line flags, will call either <code>git rebase</code> or <code>git merge</code> to reconcile diverging branches.</p>
</blockquote>
<h2 id="heading-the-difference-between-head-and-head-in-git">The difference between HEAD^ and HEAD~ in Git</h2>
<ul>
<li><p><code><rev>~<n></code> goes backward <em>n</em> parents from <em>rev</em>, selecting the first parent each time.</p>
</li>
<li><p>Use <code><rev>^<n></code> to select the <em>n</em>-th immediate parent of the merge commit <em>rev</em>.</p>
</li>
<li><p>Use <code>~</code> most of the time, to go back a number of generations and always choose the first parent of merge commits, commonly what you want.</p>
</li>
<li><p>Use <code>^</code> on merge commits — because they have two or more <em>immediate</em> parents.</p>
</li>
<li><p>In my experience, selecting a particular immediate parent of a merge commit by its index order, <em>e.g.</em>, <code>B^3</code>, is rare. It’s also error-prone. Just use a hash when you can.</p>
</li>
<li><p>NOTE: <code>HEAD~3</code> is equivalent to <code>HEAD~~~</code> and <code>HEAD~1~1~1</code> — but <code>HEAD^2</code> is <strong>not</strong> equivalent to <code>HEAD^^</code>.</p>
</li>
</ul>
<p>Mnemonics:</p>
<ul>
<li><p>Tilde <code>~</code> is almost linear in appearance and wants to go backward in a straight line.</p>
</li>
<li><p>Caret <code>^</code> suggests a merge commit: an interesting segment of a tree or a fork in the road.</p>
</li>
</ul>
<h2 id="heading-git-push-origin-head">git push origin HEAD</h2>
<p>We can use <em>“git push origin HEAD”</em> over <em>“git push origin longass_branch_name”</em></p>
<p>When we work on a feature, we usually work on a branch. This way, if we accidentally screw up, we screw up only our branch, and not the master branch.</p>
<p>Branch names can get pretty long in larger projects. For instance:</p>
<ul>
<li>JIRAPROJECT18001_refactor_this_certain_feature_for_reasons</li>
</ul>
<p>To push our changes to this branch, we can simply do:</p>
<p></p>
<p>Instead of:</p>
<p></p>
<p>This is just a pain to type out</p>
<h2 id="heading-see-a-graph-of-your-branches">See a Graph of Your Branches</h2>
<p>This command gives you a visual overview of your branch history, making it easier to see merges, branches, and commits.</p>
<p><strong>How to use it:</strong></p>
<pre><code class="lang-typescript">git log --graph --oneline --all
</code></pre>
<p><strong>Why it’s cool:</strong><br />It’s an at-a-glance view of your project’s structure, especially helpful for understanding complex branch setups.</p>
<h1 id="heading-conclusion">Conclusion</h1>
<p>In conclusion, by integrating these modern command-line tools and applying best practices of Git into your workflow, you can enhance your productivity and focus on crafting software that creates real business value.</p>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://levelup.gitconnected.com/git-and-workflow-with-gitflow-5f9f76530835">https://levelup.gitconnected.com/git-and-workflow-with-gitflow-5f9f76530835</a></p>
<p><a target="_blank" href="https://medium.com/@Adem_Korkmaz/git-flow-a-detailed-overview-24e0dfa28f7a">https://medium.com/@Adem_Korkmaz/git-flow-a-detailed-overview-24e0dfa28f7a</a></p>
<p><a target="_blank" href="https://medium.com/thecapital/understanding-git-workflows-and-why-git-flow-is-the-best-0e5f4c4f36c3">https://medium.com/thecapital/understanding-git-workflows-and-why-git-flow-is-the-best-0e5f4c4f36c3</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/good-commit-vs-your-commit-how-to-write-a-perfect-git-commit-message-6e96ab6357fa">https://levelup.gitconnected.com/good-commit-vs-your-commit-how-to-write-a-perfect-git-commit-message-6e96ab6357fa</a></p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/how-to-write-better-git-commit-messages/">https://www.freecodecamp.org/news/how-to-write-better-git-commit-messages/</a></p>
<p><a target="_blank" href="https://dev.to/basementdevs/be-a-better-developer-with-these-git-good-practices-2dim">https://dev.to/basementdevs/be-a-better-developer-with-these-git-good-practices-2dim</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/top-30-git-commands-you-should-know-to-master-git-cli-f04e041779bc">https://levelup.gitconnected.com/top-30-git-commands-you-should-know-to-master-git-cli-f04e041779bc</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/14-git-things-i-regret-not-knowing-earlier-20956c192b2b">https://levelup.gitconnected.com/14-git-things-i-regret-not-knowing-earlier-20956c192b2b</a></p>
<p><a target="_blank" href="https://blog.stackademic.com/20-git-command-line-tricks-every-developer-should-know-bf817e83d6b9">https://blog.stackademic.com/20-git-command-line-tricks-every-developer-should-know-bf817e83d6b9</a></p>
<p><a target="_blank" href="https://medium.com/@jake.page91/the-guide-to-git-i-never-had-a89048d4703a">https://medium.com/@jake.page91/the-guide-to-git-i-never-had-a89048d4703a</a></p>
<p><a target="_blank" href="https://medium.com/@Choco23/git-merge-vs-git-rebase-selecting-the-appropriate-merge-strategy-863fc02a455c">https://medium.com/@Choco23/git-merge-vs-git-rebase-selecting-the-appropriate-merge-strategy-863fc02a455c</a></p>
<p><a target="_blank" href="https://gist.github.com/eashish93/3eca6a90fef1ea6e586b7ec211ff72a5?ref=dailydev">https://gist.github.com/eashish93/3eca6a90fef1ea6e586b7ec211ff72a5?ref=dailydev</a></p>
<p><a target="_blank" href="https://blog.prateekjain.dev/the-ultimate-guide-to-git-branching-strategies-6324f1aceac2">https://blog.prateekjain.dev/the-ultimate-guide-to-git-branching-strategies-6324f1aceac2</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/stop-breaking-your-codebase-the-git-hooks-nobody-told-you-about-b972a5576277">https://javascript.plainenglish.io/stop-breaking-your-codebase-the-git-hooks-nobody-told-you-about-b972a5576277</a></p>
<p><a target="_blank" href="https://www.linkedin.com/pulse/git-pruning-how-keep-your-repository-clean-efficient-mridul-u33ac/">https://www.linkedin.com/pulse/git-pruning-how-keep-your-repository-clean-efficient-mridul-u33ac/</a></p>
<p><a target="_blank" href="https://www.devshorts.in/p/coding-with-parallel-agents-and-git?utm_source=substack&utm_medium=email">https://www.devshorts.in/p/coding-with-parallel-agents-and-git?utm_source=substack&utm_medium=email</a></p>
<p><a target="_blank" href="https://medium.com/the-software-journal/the-most-misunderstood-git-feature-and-why-seniors-love-it-f7bbf4538d97">https://medium.com/the-software-journal/the-most-misunderstood-git-feature-and-why-seniors-love-it-f7bbf4538d97</a></p>
<p><a target="_blank" href="https://medium.com/the-software-journal/the-only-git-branching-strategy-that-works-in-real-teams-188c1c4c540b">https://medium.com/the-software-journal/the-only-git-branching-strategy-that-works-in-real-teams-188c1c4c540b</a></p>
<p><a target="_blank" href="https://dev.to/agentic-jj/i-looked-inside-git-and-you-wont-believe-what-i-found-actually-you-willcos-its-fascinating-1dp0">https://dev.to/agentic-jj/i-looked-inside-git-and-you-wont-believe-what-i-found-actually-you-willcos-its-fascinating-1dp0</a>?</p>

</article>
<article>
<h1>Authentication and Authorization Handbook</h1>
<p>Tuan Tran Van — Tue, 22 Apr 2025 09:05:41 GMT</p>
<p><strong>Authentication and Authorization</strong>. In the context of access to APIs, authentication is the process of verifying the identity of a user who is making an API request (verifying who the user is), and authorization is the process of determining whether the user has the permission to access a particular API (verifying what a user is allowed to do).</p>
<p>In this blog, we will cover different types of authentication and authorization, best practices, and common mistakes.</p>
<h1 id="heading-comprehensive-explanation-of-session-cookie-and-jwt-on-the-entire-network">Comprehensive Explanation of Session, Cookie, and JWT on the Entire Network</h1>
<p>The HTTP protocol is a “<strong>stateless protocol”</strong>, that is, every time the server receives a request from the client, it is a completely new request, and the server does not know the historical request records of the client. The main purpose of a Session or Cookie is to make up for the stateless nature of HTTP.</p>
<h2 id="heading-what-is-the-session">What is the Session?</h2>
<p>When the client requests the server, the server will open up a “memory space” for this request. <mark>The memory space stores the Session object, and the storage structure is </mark> <code>ConcurrentHashMap</code>. The Session makes up for the nature of HTTP. The server can use a session to store the client's operation records during the same session.</p>
<h3 id="heading-how-do-we-determine-whether-it-is-the-same-session">How do we determine whether it is the same session?</h3>
<p>Because when the server receives the request for the first time, it opens up a session space (creates a Session object), and at the same time generates a sessionId, and sends the response to the client requesting to set a Cookie through the <code>Set-Cookie: JSESSIONID=XXX</code> command in the response header.</p>
<p>After the client receives the response, it sets a Cookie with information of <code>JSESSIONID=XXX</code> on the local client. The expiration time of this Cookie is the end of the browser session.</p>
<p></p>
<p>Next time, when the client sends the request to the same website each time, the request header will carry this Cookie information (including sessionId). Then, by reading the Cookie information in the request header, the server obtains the value named JSESSIONID and gets the sessionId of this request.</p>
<h3 id="heading-disadvantages-of-session">Disadvantages of Session</h3>
<p>However, the Session mechanism has a disadvantage. Suppose your server does load balancing and stores the Session on server A during the first request. Suppose the traffic to server A surges within a period of time, and requests will be forwarded to server B for access. However, server B does not store the session of server A, which will invalidate the session.</p>
<h2 id="heading-what-is-a-cookie">What is a Cookie</h2>
<p>You should have noticed that when introducing a Session, Cookie has already been mentioned. The session is implemented based on cookies. Session is stored on the server side, and the sessionId will be stored in the Cookie of the client.</p>
<p>Cookies in the HTTP protocol include Web Cookies and browser cookies. It is a small piece of data sent by the server to the web browser. The Cookie sent by the server to the browser will be stored in the browser and sent to the server together with the next request. Usually, it is used to determine whether two requests come from the same browser, such as when a user remains logged in.</p>
<p>Cookies are mainly used for the following three purposes:</p>
<p><strong><em>1. Session management</em></strong></p>
<ul>
<li>Cooperate with the server and identify user sessions by storing <code>sessionid</code>.</li>
</ul>
<p><strong><em>2. Store user information</em></strong></p>
<ul>
<li><p>Login status: Remember whether the user is logged in. No need to log in again on the next visit.</p>
</li>
<li><p>Preference settings: Such as language, theme, etc. Automatically apply on the next visit.</p>
</li>
</ul>
<p><strong><em>3. Track user behavior</em></strong></p>
<ul>
<li><p>Browsing history: Records visited pages for easy recommendation and navigation.</p>
</li>
<li><p>Analyze behavior: Understand user habits for optimization and precision marketing.</p>
</li>
</ul>
<h3 id="heading-creating-cookies">Creating Cookies</h3>
<p>When receiving an HTTP request from the client, the server can send a response with the Set-Cookie header. Cookies are usually stored by the browser, and then the Cookie is sent to the server along with the HTTP header.</p>
<h3 id="heading-set-cookie-and-cookie-headers">Set-Cookie and Cookie headers</h3>
<p>The <code>Set-Cookie</code> HTTP response header sends cookies from the server to the user agent. Here is an example of sending a Cookie.</p>
<p></p>
<p>This header tells the client to store cookies.</p>
<p>Now, with each new request to the server, the browser will send all previously stored cookies back to the server using the Cookie header.</p>
<p></p>
<p>There are two types of cookies. One is Session Cookies, and the other is Persistent Cookies. If a cookie does not contain an expiration date, it is regarded as a session cookie. Session cookies are stored in memory and are never written to disk. When the browser is closed, the cookie will be permanently lost thereafter. If a cookie contains an “expiration period“, it is regarded as a persistent cookie. At the specified expiration date, the cookie will be deleted from the disk.</p>
<h3 id="heading-session-cookie">Session Cookie</h3>
<p>The example above creates a session cookie. Session cookies have a characteristic that when the client closes, the cookie will be deleted because it does not specify the <code>Expires</code> or <code>Max-Age</code> directive.</p>
<p>However, web browsers may use session restoration, which will keep most session cookies in a permanent state as if the browser has never been closed.</p>
<h3 id="heading-permanent-cookies">Permanent Cookies</h3>
<p>Permanent cookies do not expire when the client is closed. Instead, they expire after a “specific date (Expires)” or a “specific length of time (Max-Age)”. For example.</p>
<p><code>Set-Cookie: id=a3fWa; Expires=Sat, 21 Sep 2024 11:28:00 GMT;</code></p>
<h3 id="heading-secure-and-httponly-flags-of-cookies">Secure and HttpOnly flags of cookies</h3>
<p>Secure cookies need to be sent to the server in an encrypted manner through the HTTPS protocol. Even if they are secure, sensitive information should not be stored in cookies because they are inherently insecure, and this flag does not provide real protection.</p>
<p>Function of HttpOnly</p>
<ul>
<li><p>The lack of the HttpOnly property in session cookies can lead to attackers being able to obtain users’ cookie information through programs (JS scripts, Applets, etc.), resulting in the leakage of users’ cookie information and increasing the threat of cross-site scripting attacks by attackers.</p>
</li>
<li><p>HttpOnly is an extension made by Microsoft for cookies. This value specifies whether cookies can be accessed through client scripts</p>
</li>
<li><p>If the HttpOnly property is not set to true in cookies, it may lead to cookie theft. Stolen cookies can contain sensitive information identifying site users, such as <a target="_blank" href="https://asp.net/">ASP.NET</a> session IDs or Forms authentication tickets. Attackers can replay stolen cookies to disguise themselves as users or obtain sensitive information and conduct cross-site scripting attacks.</p>
</li>
</ul>
<h3 id="heading-scope-of-cookies">Scope of cookies</h3>
<p>The <code>Domain</code> and <code>Path</code> identifiers define the scope of cookies: that is, which URLs cookies should be sent to.</p>
<p>The <code>Domain</code> identifier specifies which hosts can accept cookies. If not specified, the current host (excluding subdomains) is the default. If <code>Domain</code> is specified, subdomains are generally included.</p>
<p>For example, if <code>Domain=</code><a target="_blank" href="http://mozilla.org"><code>mozilla.org</code></a> is set, cookies are also included in subdomains (such as <a target="_blank" href="http://developer.mozilla.org"><code>developer.mozilla.org</code></a>).</p>
<p>For example, if <code>Path=/test</code> is set, the following addresses will all match:</p>
<ul>
<li><p><code>/test</code></p>
</li>
<li><p><code>/test/user/</code></p>
</li>
<li><p><code>/test/user/login</code></p>
</li>
</ul>
<h3 id="heading-why-do-we-need-a-token-when-we-have-already-had-a-session">Why do we need a token when we have already had a session?</h3>
<p>In modern web development, although sessions can realize user authentication and state management to a certain extent, they also have some limitations.</p>
<p>Suppose you are running a large online shopping mall. When users log in to your mall, the server will create a session to record the user’s login status. This Session is like an exclusive card prepared for users at the mall service desk, which records the user’s identity information.</p>
<p>However, when your mall’s business becomes busier and more users are shopping at the same time, the server needs to have this session information for each user, which will occupy a large amount of server memory resources. Moreover, if your mall uses multiple servers to share traffic (such as through a load balancer), then a complex mechanism is needed to ensure that when users switch between different servers, their Session information can be correctly transmitted and identified. Otherwise, users may be suddenly logged out or unable to shop normally.</p>
<p>In addition, suppose a user is shopping in your mall using a mobile phone and suddenly has an urgent matter and needs to go out. At this time, if the user uses another device (such as a tablet) to access your mall again outside, since the Session is usually bound to a specific device, the user may need to log in again, which will bring inconvenience to the user.</p>
<p><a target="_blank" href="https://javascript.plainenglish.io/10-cookie-facts-every-dev-should-know-8b4090e5fd6c">https://javascript.plainenglish.io/10-cookie-facts-every-dev-should-know-8b4090e5fd6c</a></p>
<h2 id="heading-what-is-a-token">What is a Token?</h2>
<p>Now, let’s introduce a token. The token is like a magic pass. After a user logs in successfully, the server will generate a token containing the user’s identity information and return this token to the user. The user can save this token on their own device.</p>
<p>When users browse products, add to the shopping cart, or check out in the mall, they only need to carry this token in each request. After the server receives the request, it can determine the user’s identity and permissions by verifying the validity of the Token, without having to look up and manage complex Session information.</p>
<p>For example, a user logs in to your mall on a mobile phone and obtains a Token. When the user goes out and uses a tablet to access the mall again, only this Token needs to be provided in the browser of the tablet, and the server can immediately identify the user’s identity without the user having to log in again. Moreover, no matter how many users are online at the same time in your mall, the server does not need to save a large amount of Session information for each user. It only needs to verify the Token for each request, greatly reducing the burden on the server.</p>
<p>In addition, Token can be easily integrated with third-party services. For example, if your mall wants to cooperate with an external payment service, only the Token needs to be passed to the payment service. The payment service can determine the user’s identity by verifying the Token without having to establish its own Session management mechanism.</p>
<h3 id="heading-access-token">Access Token</h3>
<p>Access Token is a resource credential required when accessing resource interfaces (APIs).</p>
<p>The composition of a token is not fixed. A simple token composition includes:</p>
<ul>
<li><p><code>uid</code> (user’s unique identity identifier);</p>
</li>
<li><p><code>time</code> (timestamp of the current time);</p>
</li>
<li><p><code>sign</code> (signature, a hexadecimal string of a certain length compressed by a hash algorithm from the first few digits of the token).</p>
</li>
</ul>
<pre><code class="lang-css"><span class="hljs-selector-tag">import</span> <span class="hljs-selector-tag">java</span><span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.MessageDigest</span>;
<span class="hljs-selector-tag">import</span> <span class="hljs-selector-tag">java</span><span class="hljs-selector-class">.util</span><span class="hljs-selector-class">.Base64</span>;
<span class="hljs-selector-tag">import</span> <span class="hljs-selector-tag">java</span><span class="hljs-selector-class">.util</span><span class="hljs-selector-class">.Date</span>;

<span class="hljs-selector-tag">public</span> <span class="hljs-selector-tag">class</span> <span class="hljs-selector-tag">TokenGenerator</span> {

    public static String generateToken(int uid) {
        long time = new Date().getTime();
        String tokenContent = uid + "-" + time;
        // Generate a sign for the token content.
        String sign = generateSign(tokenContent);
        return uid + "-" + time + "-" + sign;
    }

    // <span class="hljs-selector-tag">Generate</span> <span class="hljs-selector-tag">a</span> <span class="hljs-selector-tag">sign</span> <span class="hljs-selector-tag">for</span> <span class="hljs-selector-tag">the</span> <span class="hljs-selector-tag">given</span> <span class="hljs-selector-tag">content</span> <span class="hljs-selector-tag">using</span> <span class="hljs-selector-tag">SHA-256</span> <span class="hljs-selector-tag">hash</span> <span class="hljs-selector-tag">algorithm</span>.
    <span class="hljs-selector-tag">private</span> <span class="hljs-selector-tag">static</span> <span class="hljs-selector-tag">String</span> <span class="hljs-selector-tag">generateSign</span>(<span class="hljs-selector-tag">String</span> <span class="hljs-selector-tag">content</span>) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] hash = digest.digest(content.getBytes());
            StringBuilder hexString = new StringBuilder();
            for (byte <span class="hljs-attribute">b </span>: hash) {
                // Convert each byte to a two-digit hexadecimal string.
                String hex = Integer.<span class="hljs-built_in">toHexString</span>(<span class="hljs-number">0</span>xff & b);
                if (hex.length() == 1) hexString.append('0');
                hexString.append(hex);
            }
            <span class="hljs-selector-tag">return</span> <span class="hljs-selector-tag">hexString</span><span class="hljs-selector-class">.substring</span>(0, 8);
        } <span class="hljs-selector-tag">catch</span> (<span class="hljs-selector-tag">Exception</span> <span class="hljs-selector-tag">e</span>) {
            return null;
        }
    }

    <span class="hljs-selector-tag">public</span> <span class="hljs-selector-tag">static</span> <span class="hljs-selector-tag">void</span> <span class="hljs-selector-tag">main</span>(<span class="hljs-selector-tag">String</span><span class="hljs-selector-attr">[]</span> <span class="hljs-selector-tag">args</span>) {
        int uid = 1234;
        String token = generateToken(uid);
        System.out.println("Generated <span class="hljs-attribute">token</span>: <span class="hljs-string">" + token);
    }
}</span>
</code></pre>
<p>Output:</p>
<pre><code class="lang-css"><span class="hljs-selector-tag">Generated</span> <span class="hljs-selector-tag">token</span>: 1234<span class="hljs-selector-tag">-1729530432169-3638dd14</span>
</code></pre>
<p>It has the following characteristics:</p>
<ul>
<li><p>The server is stateless and has good scalability.</p>
</li>
<li><p>Supports mobile devices.</p>
</li>
<li><p>Sufficiently secure.</p>
</li>
<li><p>Supports cross-program invocations.</p>
</li>
</ul>
<p>The token authentication process:</p>
<p></p>
<p>From the above process, we can know that the token needs to be carried in every subsequent request, so the token needs to be placed in the HTTP Header. User authentication based on a token is a server-side, stateless authentication method, and the server does not need to store token data. The calculation time for parsing the token is exchanged for the storage space of the session, thereby reducing the pressure on the server and reducing frequent database query operations.</p>
<h3 id="heading-refresh-token">Refresh Token</h3>
<p>Refresh Token is another kind of token that is dedicated to refreshing the access token. If there is no refresh token, the access token can also be refreshed, but every time it’s refreshed, the user needs to enter the login username and password, which will be very troublesome. With the refresh token, this trouble can be reduced. The client directly uses the refresh token to update the access token without the user performing additional operations.</p>
<p>The validity period of the Access Token is usually relatively short. When the Access Token becomes invalid due to expiration, a new token can be obtained by using the Refresh Token. If the Refresh Token also expires, the user can only log in again.</p>
<p>In addition, the Refresh Token and expiration time are stored in the server’s database and are only verified when applying for a new Access Token. It will not affect the response time of business interfaces and does not need to be kept in memory all the time, like Session, to handle a large number of requests.</p>
<h1 id="heading-authentication">Authentication</h1>
<p>There are many ways to do API Authentication, such as basic auth, API Keys, JWT, OAuth, etc, and each has its benefits and trade-offs. There is no “one size fits all“ to the question “What is the best API authentication method?“, It has its own idea use cases. So, the best practice in deciding which authentication method to use is “it depends“, not simply “choose the best for everything“.</p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/how-to-implement-zero-trust-authentication-in-your-web-apps/?ref=dailydev">https://www.freecodecamp.org/news/how-to-implement-zero-trust-authentication-in-your-web-apps/?ref=dailydev</a></p>
<h2 id="heading-http-basic-authentication-basic-auth">HTTP Basic Authentication (Basic Auth)</h2>
<p>When we talk about authentication, we have to start with HTTP basic authentication, because, as the name suggests, it’s the most “basic” way to implement API authentication. We put base64-encoded <code>user:password</code> pairs in the <code>Authorization</code> header field and send it over the internet. Since base64 is encoding, not hashing or encryption, this method is insecure by default, unless it is used with HTTPS.</p>
<p>However, the insecure nature of basic auth doesn’t necessarily mean it’s useless:</p>
<ul>
<li><p>In highly controlled internal networks where no north-south internet traffic is allowed, external access is completely blocked, and network traffic is monitored, basic auth over HTTP might be used(however, even in such environments, one of the best practices is to use HTTPS for better security)</p>
</li>
<li><p>Basic authentication over HTTP might be used for simplicity in local development or for debugging and testing in a tightly controlled environment.</p>
</li>
<li><p>When some entry-level protection over non-sensitive data is needed, like if we are exposing some metrics of our app but we don’t want everybody to access it except for Prometheus to scrape it, we can use basic auth to protect the metrics endpoint, and configure basic auth in the <code>[scrape_config</code>](<a target="_blank" href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/?ref=blog.gitguardian.com#scrape_config">https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config</a>) of Prometheus.</p>
</li>
<li><p>When we don’t need to handle HTTPS on a per-service basis, and HTTPS is handled in general, like by a service mesh.</p>
</li>
</ul>
<h2 id="heading-api-keys">API Keys</h2>
<p>An API key is a unique identifier (like a user/password pair) issued by an API provider and linked to users for access control. Similar to basic auth, it’s not secure unless it’s transmitted over HTTPS.</p>
<p>Like basic auth, the API Key over HTTP could only be used in a controlled environment. But unlike basic auth, API key, as the name suggests, offers access to APIs, and APIs oftentimes need to be exposed to external networks. So, use HTTPS with API Key authentication whenever possible.</p>
<p>Since the API key is similar to a basic auth credential or user/password, one of the best practices is to treat it like a password: Rotate it regularly. Even if we do so, it’s still relatively long-term, so another best practice is to use temporary security credentials whenever possible: before creating some keys and start hacking, review alternatives to long-term access keys that are mentioned in the following sections.</p>
<p>If we choose to use an API key for authentication, there is one more best practice to follow: The API key must be used with every request.</p>
<p>But how?</p>
<p>Although we can set it in the query string, we shouldn’t: web servers and browser histories often log URLs, including query parameters. This means our API key could be stored in various log files, making it accessible to anyone with access to those logs. The best practice here is to transmit API keys in the <code>Authorization</code> header, typically using the <code>Bearer</code> scheme: <code>Authorization: Bearer YOUR_API_KEY</code>. Like passwords, API keys should not be stored in plaintext but securely hashed.</p>
<h2 id="heading-json-web-token-jwt">JSON Web Token (JWT)</h2>
<h3 id="heading-what-is-jwt">What is JWT?</h3>
<p>JSON Web Token (shortened to JWT) acts like a digital handshake between two participants, say you and a website. It’s a compact and secure method that ensures both parties can trust the exchanged information.</p>
<p>Here’s what the JWT looks like:</p>
<p><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJpYXQiOjE2OTg2ODg0OTksIm5hbWUiOiJEZXZ0cm92ZXJ0Iiwic3ViIjoidGhpcyBpcyBhIHN1YmplY3QifQ. NT2JhQ9oLc_HIZB6WW8yAaxSHcZ8QvNE1H0C5Adhmrg</code></p>
<p>You will notice it’s split into 3 sections, each separated by dots(.)</p>
<p></p>
<p>The JWT acts as proof of who you are online:</p>
<p>Because it’s made in a special way, it’s tough for others to fake it. Plus, only websites that have the “right“ key can understand it. This is great for times when you log into a website and use different parts of it without having to log in again and again.</p>
<h3 id="heading-structure-of-jwt">Structure of JWT</h3>
<p>A JWT technically consists of three parts separated by dots (.), which are:</p>
<p><strong>Header</strong></p>
<p>Starting with the first chunk before the dot, we have the Header. This is encoded using Base64 and reveals both the type of token and the algorithm behind the signature.</p>
<p>A quick look:</p>
<pre><code class="lang-typescript">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
=
{
  <span class="hljs-string">"alg"</span>: <span class="hljs-string">"HS256"</span>, <span class="hljs-comment">// the signature's algorithm</span>
  <span class="hljs-string">"typ"</span>: <span class="hljs-string">"JWT"</span>    <span class="hljs-comment">// the token type</span>
}
</code></pre>
<p><strong>Payload</strong></p>
<p>Moving to the middle, between those two dots, we encounter the Payload, which is also a Base64 encoded section.</p>
<p>Within the payload, you will find the “claims“, which are the tidbits of information, maybe the user’s ID or their email address.</p>
<p>Speaking of claims, they come in three flavors: registered, public, and private. Here is a brief look:</p>
<pre><code class="lang-typescript">eyJpYXQiOjE2OTg2ODg0OTksIm5hbWUiOiJEZXZ0cm92ZXJ0Iiwic3ViIjoidGhpcyBpcyBhIHN1YmplY3QifQ
=
{
  <span class="hljs-string">"iat"</span>: <span class="hljs-number">1698688499</span>,
  <span class="hljs-string">"name"</span>: <span class="hljs-string">"Devtrovert"</span>,
  <span class="hljs-string">"sub"</span>: <span class="hljs-string">"this is a subject"</span>
}
</code></pre>
<p>A word of caution: It’s best to avoid putting the sensitive info in the payload, even though the JWT ensures the data hasn’t been changed, it doesn’t hide the content.</p>
<p>Now let’s explore those other claims further.</p>
<p>**Registered<br />**Let’s kick things off with registered claims.</p>
<p>They’re a bunch of predefined bits of information that the JWT standard provides for our benefit, while you don’t have to use them, it’s a good practice to do so:</p>
<ul>
<li><p><strong>iss (issuer)</strong>: Think of this as the “author” of the JWT (e.g., “iss”: “<a target="_blank" href="http://auth.devtrovert.com">auth.devtrovert.com</a>”).</p>
</li>
<li><p><strong>sub (subject)</strong>: This is all about who the JWT is about, often pointing to a specific user (e.g. “sub”: “john-handsome”).</p>
</li>
<li><p><strong>aud (audience)</strong>: Who should be reading the JWT? It could be meant for one entity or many (e.g. “aud”: “example-app”).</p>
</li>
<li><p><strong>exp (expiration time):</strong> Simply put, when does this JWT expire? It counts seconds since the Epoch time (e.g., “exp”: 1583241600).</p>
</li>
<li><p><strong>nbf (not before time)</strong>: It tells when we can start using the JWT, using a similar time format as exp. (e.g. “nbf”: 1583241600).</p>
</li>
<li><p><strong>iat (issued at time)</strong>: This is just when the JWT was made, like a timestamp of its creation (e.g. “iat”: 1583241600).</p>
</li>
<li><p><strong>jti (JWT ID)</strong>: A special ID for the JWT, which can be handy for various purposes like keeping track or ensuring it’s used only once.(e.g. “jti”: “a1234567”).</p>
</li>
</ul>
<p>These are part of the JWT standard.</p>
<p>So, when you decide to use them, it’s wise to stick to the standard’s rules, even if they’re <strong>optional</strong>.</p>
<p>**Public<br />**Public claims are the ones you can set yourself.</p>
<p>But, because you don’t want to accidentally use the same claim name as someone else (or registered claims), it’s a neat idea to use a web address-like format.</p>
<p>Here’s what I mean:</p>
<pre><code class="lang-typescript"><span class="hljs-string">"http://example.com/roles"</span>: [<span class="hljs-string">"editor"</span>, <span class="hljs-string">"subscriber"</span>]
</code></pre>
<p>By using this structure, we make sure our “roles” claim is its own unique thing and doesn’t collide with any other “roles” claim out there.</p>
<p>**Private<br />**Private claims are claims that you make up to suit your app’s specific needs and they aren’t meant for the public, and there’s no official list of them anywhere.</p>
<blockquote>
<p><em>“Hold up… If they’re called ‘private’, why can everyone read them?”</em></p>
</blockquote>
<p>Good point, it’s a naming thing, despite the name, private claims aren’t secrets.</p>
<p>When we look inside a JWT, everything, both public and private claims, is out in the open because of how JWTs are encoded, so anyone with the right tools can see them.</p>
<p>The terms “public” and “private” in the context of JWT claims don’t refer to their visibility or their encryption status:</p>
<ul>
<li><p><strong>Public Claims</strong>: These are commonly understood claims, using a web URL format for naming helps keep things organized and avoids confusion.</p>
</li>
<li><p><strong>Private Claims</strong>: These are your special additions, tailored just for your app, and they get the “private” label because they’re all about your app’s unique needs</p>
</li>
</ul>
<p>For instance, having a claim like <code>“department”: “HR”</code> might mean the person associated with the JWT works in Human Resources.</p>
<p><strong>Signature</strong></p>
<p>This is the third part of our JWT, right after the last dot, we encounter the signature.</p>
<p>What is fascinating about this piece is that it’s constructed by joining the header and the payload, then encrypting this merged data using a secret key. This signature ensures that our data remains untouched and authentic during its… journey.</p>
<p>For a hands-on perspective, imagine the process like this:</p>
<pre><code class="lang-typescript">NT2JhQ9oLc_HIZB6WW8yAaxSHcZ8QvNE1H0C5Adhmrg
=
HMACSHA256(
base64UrlEncode(header) + <span class="hljs-string">"."</span> +
base64UrlEncode(payload),
secret)
</code></pre>
<p>When pieced together, our JWT presents itself as:</p>
<p><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJpYXQiOjE2OTg2ODg0OTksIm5hbWUiOiJEZXZ0cm92ZXJ0Iiwic3ViIjoidGhpcyBpcyBhIHN1YmplY3QifQ. NT2JhQ9oLc_HIZB6WW8yAaxSHcZ8QvNE1H0C5Adhmrg</code></p>
<p>Now, any server that verifies this token has the secret key, which is “my secret“ in this example. Unlike me, you better don’t share it with anyone.</p>
<p>This equips the server to decipher the signature and confirm the authenticity of the header and payload.</p>
<h3 id="heading-a-dip-into-algorithms">A Dip into Algorithms</h3>
<p>As we are on the topic of cryptographic algorithms, it might be a good moment to share some basics about two algorithm types.</p>
<ul>
<li><p><strong>Symmetric</strong>: A single key is used for both operations. For encryption, it means both encryption and decryption, or both creating a signature and verifying it. Both parties (sender and receiver) must process and protect this secret key. In the content of JWTs, typically, only the server retains this secret key.</p>
</li>
<li><p><strong>Asymmetric</strong>: This involves a key pair: a public key and a private key. For encryption, the public key encrypts, and its corresponding private key decrypts. For digital signatures, the private key is used to sign (create a signature), and the public key is used to verify the signature.</p>
</li>
</ul>
<p>Now, there are 3 common algorithms used to sign and verify the JWTs:</p>
<ul>
<li><p><strong>HMAC (Symmetric)</strong>: Uses a single secret key to create and check a signature for data; only the server holds this key to confirm the data hasn’t been changed in transit. For JWTs, HMAC combined with SHA-256 hashing is common, known as HS256.</p>
</li>
<li><p><strong>RSA (Asymmetric)</strong>: Works with two keys: a public key and a private key. While you might hear about encrypting data with the public key and decrypting it with the private one, for JWTs, it’s a bit different. Here, the private key signs the token, and the public key checks its authenticity.</p>
</li>
<li><p><strong>ECDSA (Asymmetric)</strong>: This is a newer method for making digital signatures. While RSA is widely used, ECDSA can offer the same safety but is faster and needs shorter keys, which makes it a good choice for systems where speed and saving space are important.</p>
</li>
</ul>
<h3 id="heading-how-jwts-are-used-in-authentication">How JWTs are used in Authentication</h3>
<p>Let’s break down how JWTs play a vital role in the authentication process step by step:</p>
<p></p>
<ol>
<li><p><strong>Logging In</strong>: A user enters their username and password, the server checks these details against its records.</p>
</li>
<li><p><strong>JWT creation</strong>: If the server confirms the user’s details are correct, it creates a JWT. This token contains the user’s details and other important information (but not sensitive). Then, the server signs this token with a secret key, ensuring its security.</p>
</li>
<li><p><strong>Sending the Token</strong>: The server sends the token back to the user, this usually happens in the HTTP header for easy retrieval and usage in subsequent requests.</p>
</li>
<li><p><strong>Token in Action</strong>: Whenever the user wants to access something on the server, they send this token back. They typically add it to their request headers, like a special access pass.</p>
</li>
<li><p><strong>Server verification</strong>: When the server receives a request with a token, it verifies the token’s authenticity. It checks if the signature matches and then gets the user’s details from the token to process the request.</p>
</li>
<li><p><strong>Response to the client</strong>: After validating the token and processing the request, the server sends the needed data back to the user.</p>
</li>
</ol>
<p>One of the great things about JWTs is that they allow stateless authentication. What does this mean?</p>
<p>Well, the server doesn’t need to remember or store every token. Each token is self-contained, carrying all the info the server need to identify the user.</p>
<h3 id="heading-how-the-jwt-token-is-checked">How the JWT token is checked?</h3>
<p>When the user sends a token to the server, how does the server know it’s valid? Let’s go through that process:</p>
<ol>
<li><p>Validate the Token structure: Our server looks at the token to see if it has the right format, it should have three parts: the Header, the Payload, and the Signature (structured like ‘xxxxx.yyyyy.zzzzz’).</p>
</li>
<li><p>Decoding: Our server then decodes the token, since in’s usually in Base64URL format, decoding it lets the server see the Header and the Payload’s details:</p>
</li>
<li><p>Figuring Out the Algorithm: By checking the token’s header, the sever can see which algorithm was used to sign the token.</p>
</li>
<li><p>Matching Signatures: The server then tries to recreate the token’s signature. If the new signature matches the one in the received token, it shows the token hasn’t been changed or tampered with.</p>
</li>
<li><p>Checking the Claims: Lastly, the server examines the JWT’s standard claim. It looks at timestamps and identifiers like when the token expires (‘exp’), when it starts being valid (‘nbf’), when it was made (‘iat’), who made it (‘iss’), who it’s for (‘aud’), and who it’s about (‘sub’).</p>
</li>
</ol>
<p></p>
<h3 id="heading-pitfalls-of-jwt">Pitfalls of JWT</h3>
<p>While JWT offers many advantages, it’s essential to be aware of potential pitfalls and security concerns that can arise if it’s not implemented properly.</p>
<p>Here are some key issues associated with JWT tokens:</p>
<ul>
<li><p>Security Risks from Improper Algorithm Choice: There are different ways to encrypt JWTs. If the encryption method isn’t properly chosen or implemented, it can be vulnerable to attack.</p>
</li>
<li><p>Key Management is an Issue: If the secret key used to create and verify JWTs is compromised, attackers could forge tokens and gain unauthorized access.</p>
</li>
<li><p>Revocation Challenges: It can be tricky to revoke a JWT once it’s been issued. This means that if a user’s credentials are compromised, their token might still be valid.</p>
</li>
<li><p>Bypassing Signature Verification: Vulnerabilities in certain JWT libraries and implementations allow for signature verification to be bypassed. These vulnerabilities could enable attackers to create forged tokens that appear legitimate to the application.</p>
</li>
</ul>
<h3 id="heading-5-common-mistakes-developers-make-with-jwt-authentication">5 Common Mistakes Developers Make with JWT Authentication</h3>
<p>Most developers think API authentication is simple:<br />User logs in → server issues JWT → client stores token → done.</p>
<p>That’s the story in every quick-start tutorial. But in the real world, things aren’t that clean.<br />Tokens leak. Sessions don’t expire. Refresh endpoints are abused.</p>
<p>And before you realize it, your “secure API” is quietly allowing anyone with the right token to impersonate users indefinitely.</p>
<p>Authentication isn’t about just verifying credentials; it’s about managing identity <em>safely</em> over time.<br />Here are the <strong>five most common mistakes</strong> developers make when handling API authentication and how to fix them the right way.</p>
<ol>
<li><strong>Storing Tokens in the Wrong Place</strong></li>
</ol>
<p>Let’s start with the classic.</p>
<p>Most developers do this after login:</p>
<pre><code class="lang-javascript"><span class="hljs-built_in">localStorage</span>.setItem(<span class="hljs-string">"token"</span>, accessToken);
</code></pre>
<p>It works, it’s convenient, and it’s insecure.</p>
<p><strong>Why It’s Dangerous</strong></p>
<p>Anything stored in <code>localStorage</code> or <code>sessionStorage</code> can be accessed by <strong>JavaScript running on your page</strong>.<br />If your app ever suffers from XSS (Cross-Site Scripting), an attacker can simply run:</p>
<pre><code class="lang-javascript"><span class="hljs-built_in">console</span>.log(<span class="hljs-built_in">localStorage</span>.getItem(<span class="hljs-string">"token"</span>));
</code></pre>
<p>Boom, your user’s session is gone.</p>
<p><strong>The Correct Way</strong></p>
<ul>
<li><p>Store <strong>short-lived access tokens in memory only</strong> (React context, Redux, or a variable).</p>
</li>
<li><p>Store <strong>refresh tokens in HTTP-only cookies,</strong> which can’t be read by JavaScript.</p>
</li>
<li><p>Use CSRF tokens to prevent cross-site attacks.</p>
</li>
</ul>
<p>Example (Express):</p>
<pre><code class="lang-javascript">res.cookie(<span class="hljs-string">"refreshToken"</span>, token, {
  <span class="hljs-attr">httpOnly</span>: <span class="hljs-literal">true</span>,
  <span class="hljs-attr">secure</span>: <span class="hljs-literal">true</span>,
  <span class="hljs-attr">sameSite</span>: <span class="hljs-string">"Strict"</span>,
});
</code></pre>
<p>This makes token theft via scripts nearly impossible.</p>
<ol start="2">
<li><strong>Using Long-Lived Tokens</strong></li>
</ol>
<p>Developers often set JWTs to expire in days or even weeks because re-authentication feels “inconvenient.”<br />But long-lived tokens are like giving out permanent keys; once leaked, they never expire.</p>
<p><strong>Real-World Risk</strong></p>
<p>A token valid for 30 days gives attackers a huge window to exploit it. Even if you patch the vulnerability tomorrow, the stolen token still works.</p>
<p><strong>The Fix</strong></p>
<p>Adopt <strong>short-lived access tokens</strong> (10–30 minutes) and <strong>long-lived refresh tokens</strong>.<br />When the access token expires, issue a new one via the refresh token.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">const</span> accessToken = jwt.sign({ <span class="hljs-attr">id</span>: user.id }, JWT_SECRET, { <span class="hljs-attr">expiresIn</span>: <span class="hljs-string">"15m"</span> });
<span class="hljs-keyword">const</span> refreshToken = jwt.sign({ <span class="hljs-attr">id</span>: user.id }, JWT_SECRET, { <span class="hljs-attr">expiresIn</span>: <span class="hljs-string">"7d"</span> });
</code></pre>
<p>Short expiration windows dramatically reduce the damage from token leaks.</p>
<ol start="4">
<li><strong>Treating JWTs as “Stateless Forever”</strong></li>
</ol>
<p>JWTs are stateless, that’s their beauty and their curse.<br />Developers love that they don’t have to check a database on every request. But that also means <strong>you can’t revoke them easily</strong>.</p>
<p><strong>Common Oversight</strong></p>
<p>If a user logs out or a token leaks, there’s often no way to invalidate it until it expires.<br />Attackers with old tokens can continue making valid requests for hours or days.</p>
<p><strong>The Right Way to Handle It</strong></p>
<p>Implement <strong>token rotation and revocation</strong>.</p>
<ul>
<li><p>Track issued refresh tokens in your database.</p>
</li>
<li><p>When a refresh token is used, mark it as “used” and generate new tokens.</p>
</li>
<li><p>If an old refresh token reappears, block the session immediately.</p>
</li>
</ul>
<p>Example:</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">if</span> (refreshToken.used) {
  <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">"Token reuse detected"</span>);
}
refreshToken.used = <span class="hljs-literal">true</span>;
<span class="hljs-keyword">await</span> save(refreshToken);
</code></pre>
<p>This ensures that each token can be used only once, a key defense against replay attacks.</p>
<ol start="5">
<li><strong>Ignoring Token Claims and Validation</strong></li>
</ol>
<p>A shocking number of APIs verify JWT signatures but ignore the claims inside them.<br />That’s like checking someone’s ID but not reading the name.</p>
<p><strong>Common Mistake</strong></p>
<pre><code class="lang-javascript"><span class="hljs-keyword">const</span> payload = jwt.verify(token, process.env.JWT_SECRET);
<span class="hljs-comment">// OK ✅ but missing claim validation!</span>
</code></pre>
<p>If you don’t verify the <strong>issuer (</strong><code>iss</code><strong>)</strong>, <strong>audience (</strong><code>aud</code><strong>)</strong>, or <strong>expiration (</strong><code>exp</code><strong>)</strong>, Any valid token signed with the same secret can be reused, even from another service.</p>
<p><strong>How to Fix It</strong></p>
<p>Always verify the token context:</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">const</span> payload = jwt.verify(token, process.env.JWT_SECRET, {
  <span class="hljs-attr">audience</span>: <span class="hljs-string">"myapi.com"</span>,
  <span class="hljs-attr">issuer</span>: <span class="hljs-string">"auth.myapi.com"</span>,
});
</code></pre>
<p>And double-check <code>exp</code> and <code>nbf</code> timestamps to ensure the token isn’t expired or not yet valid.</p>
<p><strong>Pro Tip:</strong> Rotate JWT secrets periodically. A leaked signing key can compromise your entire system.</p>
<ol start="5">
<li><strong>Forgetting About Revocation and Logout</strong></li>
</ol>
<p>One of the biggest myths in modern auth:</p>
<blockquote>
<p><em>“JWTs don’t need logout just let them expire.”</em></p>
</blockquote>
<p>That’s fine in theory, but in production, users log out, passwords change, and security incidents happen.</p>
<p>Without a proper revocation system, old tokens remain valid until expiry, and that’s dangerous.</p>
<p><strong>The Solution</strong></p>
<p>Maintain a <strong>revoked token store</strong> (a simple table or Redis cache) keyed by <code>jti</code> (JWT ID).</p>
<p>When a user logs out or resets their password:</p>
<ol>
<li><p>Add their tokens <code>jti</code> to the revoked list.</p>
</li>
<li><p>Check this list during every authentication step.</p>
</li>
</ol>
<p>Example:</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">if</span> (revokedTokens.has(payload.jti)) {
  <span class="hljs-keyword">return</span> res.status(<span class="hljs-number">401</span>).json({ <span class="hljs-attr">error</span>: <span class="hljs-string">"Token revoked"</span> });
}
</code></pre>
<p>This tiny step prevents reusing stolen or expired tokens.</p>
<h2 id="heading-openid-connect-oidc">OpenID Connect (OIDC)</h2>
<p>OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It extends the OAuth 2.0 standard to standardize a way for authentication.</p>
<p></p>
<p>The difference between the two is that OAuth 2.0 provides authorization, while OIDC provides authentication.</p>
<p>OpenID Connect enables an Internet identity ecosystem for easy and secure integration. For example, if a user wants to create an account at a new website, they may use Google to create their account rather than creating an account on the new website. The OpenID provider (Google, in this case) handles the authentication processes and obtains the user’s consent to provide specific information, such as a user profile, to the relying party (the new website, in this case).</p>
<p>OAuth does not provide the user identity right away, but rather it provides an access token for authorization. OpenID Connect enables the client to identify the user based on authentication performed by the authorization server. This is achieved by defining a scope named <code>openid</code> when requesting the authorization server for user login and consent. <code>openid</code> is a mandatory scope to tell the authorization server that OpenID Connect is required.</p>
<p>The URI for the OpenID Connect authentication request made by the client looks like this:</p>
<pre><code class="lang-typescript">https:<span class="hljs-comment">//accounts.google.com/o/oauth2/v2/auth?</span>
 response_type=code&
 client_id=your_client_id&
 scope=openid%<span class="hljs-number">20</span>contacts&
 redirect_uri=https%<span class="hljs-number">3</span>A<span class="hljs-comment">//oauth2.example.com/code</span>
</code></pre>
<p>The result of the request is an authorization code that the client can exchange for an access token and ID token. If the OAuth flow is implicit, then the authorization server responds with an access token and an ID token right away.</p>
<p>The ID token is a JWT or JSON Web Token. A JWT is an encoded token that consists of three parts: header, payload, and signature. After acquiring the ID token, the client can decode it to get the user info encoded in the payload part, like this:</p>
<pre><code class="lang-typescript">{
  <span class="hljs-string">"iss"</span>: <span class="hljs-string">"https://accounts.google.com"</span>,
  <span class="hljs-string">"sub"</span>: <span class="hljs-string">"10965150351106250715113082368"</span>,
  <span class="hljs-string">"email"</span>: <span class="hljs-string">"johndoe@example.com"</span>,
  <span class="hljs-string">"iat"</span>: <span class="hljs-number">1516239022</span>,
  <span class="hljs-string">"exp"</span>: <span class="hljs-number">1516242922</span>
}
</code></pre>
<h3 id="heading-claims"><strong>Claims</strong></h3>
<p>The payload of the ID token contains some fields known as claims. Basic claims are:</p>
<ul>
<li><p><code>iss</code> token issuer.</p>
</li>
<li><p><code>sub</code> unique identifier for the user.</p>
</li>
<li><p><code>email</code> user’s email.</p>
</li>
<li><p><code>iat</code> token issuing time is represented as Unix time.</p>
</li>
<li><p><code>exp</code> token expiration time represented as Unix time.</p>
</li>
</ul>
<p>However, claims are not limited to these fields. It’s up to the authorization server to encode claims. The client can use this information to authenticate the user.</p>
<p>If the client needs more user information, the client can specify standard OpenID Connect scopes to tell the authorization server to include the required information in the ID token’s payload. These scopes are <code>profile</code>, <code>email</code>, <code>address</code>, and <code>phone</code>.</p>
<h2 id="heading-multi-factor-authentication-mfa">Multi-Factor Authentication (MFA)</h2>
<p>MFA significantly enhances security by requiring “multiple factors.“ (hence the name, Multi-Factor) for authentication. In practice, this can be combined with other authentication methods for high-risk operations or sensitive data. It can be used to secure the authentication at the IDP level in OIDC.</p>
<h2 id="heading-single-sign-on">Single Sign-On</h2>
<p><a target="_blank" href="https://medium.com/@techworldwithmilan/how-does-single-sign-on-sso-work-31ffa1afcc63">https://medium.com/@techworldwithmilan/how-does-single-sign-on-sso-work-31ffa1afcc63</a></p>
<h3 id="heading-what-is-sso">What is SSO?</h3>
<p>Single Sign-On (SSO) is a technology that allows users to securely authenticate to multiple applications and sites at once using a single set of credentials and seamlessly move between them without re-authentication.</p>
<p>SSO authentication begins when a user logs in to one of the clients associated with SSO. Instead of entering the username and password for each service each time, the user does so once. The data creates a unique session that other services will recognize.</p>
<p>When a user attempts to access another service or application within SSO, the service asks the IdP to confirm the user’s authentication. Instead of asking for credentials again, the service accepts the token that proves that the user has already been authenticated.</p>
<p>SSO is a part of a more general Identity and Access Management (IAM) concept. This comprehensive system covers the processes used to manage the user identities and their access to various resources.</p>
<p>All aspects of an IAM system can be divided into three groups: user experience, security, and infrastructure.</p>
<p></p>
<p>SSO implementation is based on protocols such as OAuth, Open ID Connect, and SAML (Security Assertion Markup Language). SAML is also beyond the scope of this material since this standard is still more commonly used in corporate SSO solutions. Therefore, we will only focus on the definition to understand the difference.</p>
<p>SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider.</p>
<h3 id="heading-sso-implementation-scheme">SSO implementation scheme</h3>
<p>We have already become acquainted with the OAuth and OpenID protocols, so let’s immediately schematically consider one of the examples of SSO implementation in practice. Since we want to get end-to-end authentication both in web applications and on mobile clients, we default to auth code flow with PKCE as a basis, and get approximately the following picture: where to begin with, each client needs to be integrated with the IdP.</p>
<p></p>
<p>Schematically, the algorithm for SSO operation between services can be described as follows:</p>
<ol>
<li><p>The user wants to log in to one of the hosts using SSO</p>
</li>
<li><p>The standard OAuth 2.0 path occurs, in which the user is redirected to the authorization form on the IdP (Identity Provider) host when they enter their login data.</p>
</li>
<li><p>Then, the redirect to the target client occurs, where, according to the standard, the services exchange the received code for a set of tokens. At the same time, before the redirect, the IDP also saves the user’s session on its domain (for example, in cookies).</p>
</li>
<li><p>The user wants to log in to another service using this IDP.</p>
</li>
<li><p>The client redirects the user to the authorization page on the IdP. Still, the provider will immediately “catch” the previous session because it has been on the IdP host since the previous authorization in the user UA (browser).</p>
</li>
<li><p>Then, according to the PKCE flow, the user will be redirected back to the client with the code without entering a login/password.</p>
</li>
<li><p>The user will be authorized in the same way as on client 1</p>
</li>
</ol>
<p>That’s it. SSO, at minimum, is ready. Of course, provided that you have, for example, a microservice architecture and some services are located on one host, you can move part of the authorization and exchange of code for a set of tokens to a separate service and leave only refresh in the rest.</p>
<h1 id="heading-authorization">Authorization</h1>
<p>Authorization verifies that the user is allowed to do. Let’s start with one of the most common authorization methods in everyday use: OAuth.</p>
<h2 id="heading-oauth-20">OAuth 2.0</h2>
<p>OAuth (Open Authorization) is a token-based authorization mechanism that enables users to grant third-party apps access to their data without having to share their login credentials. With greater flexibility and scalability than OAuth 1.0, OAuth 2.0 replaced 1.0 in 2012 and is now the de facto standard for online authorization.</p>
<p>For example, I use my Garmin fitness app (resource server and authorization server) to track my daily workouts, and now I want to create a new app, “Nutriplan“ (the client), to monitor my nutrition and calorie intake and consumption. In this case:</p>
<ul>
<li><p>The Nutriplan app asks for access to resources on the Garmin app, which is granted by the user logging in to the Garmin app with their user/password, but the user/password is not shared with the Nutriplan.</p>
</li>
<li><p>An authorization code is created and shared with Nutriplan. However, the authorization code can’t be used to access user data in the Garmin app.</p>
</li>
<li><p>With the authorization code, the Nutriplan app requests an access token from the Garmin app’s authorization server endpoint.</p>
</li>
<li><p>The Nutriplan client uses the access token to access my resources on the Garmin app to recommend nutrition plans according to my fitness data in the Garmin app.</p>
</li>
</ul>
<p>During the whole process, my Garmin app login password isn’t shared with Nutriplan but my data in my Garmin app is shared securely with third-party apps, access delegation without sharing credentials.</p>
<h2 id="heading-scope-based-authorization">Scope-Based Authorization</h2>
<p>OAuth 2.0 uses a scope-based authorization, where specific permissions are defined in scopes as a way to limit the amount of access that is granted into an access token. For example, an access token issued to a client app may be granted READ and WRITE access to protected resources, or just READ access. The client requests a scope during the authorization process and the user can then grant or deny these permissions.</p>
<h2 id="heading-role-based-access-control-rbac">Role-Based Access Control (RBAC)</h2>
<p>Role-Based Access Control (RBAC) is a method of regulating access to resources based on the roles of individual users. By assigning users to roles (e.g, admin, editor, viewer) and defining different permissions for each role, RBAC simplifies permission management and improves security. There are some generally accepted good practices for using RBAC.</p>
<ul>
<li><p>Least Privilege: Minimal and only explicitly required permissions should be assigned to roles, and start with a default deny policy and explicitly grant permissions only where needed.</p>
</li>
<li><p>Clearly define roles: Create roles that represent specific job functions or responsibilities within the organization, and avoid creating roles that are too broad or too narrow. Keep the number of roles to a minimum; too many roles can lead to complexity and difficulty in managing permissions. Consider using role hierarchies to simplify management.</p>
</li>
<li><p>Periodic review, audit, and documentation: Conduct regular security audits to stay up-to-date and identify potential vulnerabilities; maintain clear and comprehensive documentation of our RBAC policies and procedures.</p>
</li>
</ul>
<h2 id="heading-attribute-based-access-control-abac">Attribute-Based Access Control (ABAC)</h2>
<p>ABAC provides finer-grained control by passing access decisions on not just the generic role, but detailed attributes of the user, resource, and environment. It is therefore more flexible than RBAC, but the tradeoff is that it’s more complex to implement.</p>
<p>For complex scenarios, we can consider integrating ABAC principles with RBAC to provide dynamic and context-aware access control.</p>
<h2 id="heading-policy-based-access-control-pbac">Policy-Based Access Control (PBAC)</h2>
<p>PBAC is a strategy for managing user access where the roles of users are combined with policies to determine what access privileges users of each role should have. PBAC can be used with RBAC/ABAC together. Cloud IAM users should already be familiar with roles and policies. PBAC offers several benefits over the traditional access control model, like RBAC.</p>
<ul>
<li><p>Finer-grained: Like ABAC, PBAC allows for highly granular control over access based on a wide range of attributes or conditions. We can define policies based on both user and resource attributes.</p>
</li>
<li><p>Attribute-Based Access Control (ABAC) Integration: PBAC is often used in conjunction with ABAC, allowing for even more flexible and expressive control.</p>
</li>
<li><p>Dynamic Access Control: PBAC enables dynamic access control decisions based on real-time conditions. Access can be granted or revoked automatically based on changes in user attributes, resource attributes, or environmental factors. This allows for more flexible and adaptive security policies.</p>
</li>
</ul>
<h1 id="heading-conclusion">Conclusion</h1>
<p>This material helped you learn something new and organize your existing knowledge. Please remember that specifications and standards, no matter how inconvenient and optimal they may seem, are written by professionals who have spent much time and effort searching for an optimal solution and closing security holes. Take your time with implementation immediately, and spend time studying the documentation and the subject matter.</p>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://levelup.gitconnected.com/the-http-protocol-is-a-stateless-protocol-that-is-every-time-the-server-receives-a-request-b9c4f31bfbb3">https://levelup.gitconnected.com/the-http-protocol-is-a-stateless-protocol-that-is-every-time-the-server-receives-a-request-b9c4f31bfbb3</a></p>
<p><a target="_blank" href="https://blog.gitguardian.com/authentication-and-authorization/">https://blog.gitguardian.com/authentication-and-authorization/</a></p>
<p><a target="_blank" href="https://medium.com/permify-tech-blog/jwt-vs-paseto-new-era-of-token-based-authentication-68b5ca6c3a32">https://medium.com/permify-tech-blog/jwt-vs-paseto-new-era-of-token-based-authentication-68b5ca6c3a32</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/jwt-dont-add-sensitive-information-into-json-webtoken-jwt-ac2c8e718dee">https://levelup.gitconnected.com/jwt-dont-add-sensitive-information-into-json-webtoken-jwt-ac2c8e718dee</a></p>
<p><a target="_blank" href="https://frontendinterviewquestions.medium.com/store-jwt-in-cookie-or-localstorage-7fa39fcc85b5">https://frontendinterviewquestions.medium.com/store-jwt-in-cookie-or-localstorage-7fa39fcc85b5</a></p>
<p><a target="_blank" href="https://medium.com/pharos-production/authentication-authorization-oauth-2-0-openid-connect-and-sso-part-2-b8eb8f51866b">https://medium.com/pharos-production/authentication-authorization-oauth-2-0-openid-connect-and-sso-part-2-b8eb8f51866b</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/the-complete-guide-to-oauth-2-0-and-openid-connect-protocols-35ebc1cbc11a">https://medium.com/better-programming/the-complete-guide-to-oauth-2-0-and-openid-connect-protocols-35ebc1cbc11a</a></p>
<p><a target="_blank" href="https://codebyumar.medium.com/5-common-mistakes-developers-make-with-api-authentication-38e9507d9389">https://codebyumar.medium.com/5-common-mistakes-developers-make-with-api-authentication-38e9507d9389</a></p>

</article>
<article>
<h1>Front-end Security Hanbook</h1>
<p>Tuan Tran Van — Mon, 07 Apr 2025 12:31:20 GMT</p>
<p>When it comes to <a target="_blank" href="https://www.griddynamics.com/solutions/enterprise-security">security</a>, front-end security is a crucial aspect of web development that is often overshadowed by its back-end counterpart. However, overlooking front-end security can leave your web applications vulnerable to a wide range of threats, including cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks, and other security vulnerabilities. This article will expose essential front-end security best practices to help you, the front-end developer, safeguard your web applications from malicious scripts and potential security risks.</p>
<h2 id="heading-understanding-the-front-end-security-landscape">Understanding the front-end security landscape</h2>
<p>Before delving into best practices, let’s establish a foundational understanding of front-end security and the associated terminology. Front-end security primarily deals with protecting the client-side of web applications, including the user interface and any Javascript code executed in the user’s browser. It focuses on mitigating security risks by implementing various security measures.</p>
<p>Maintaining a cybersecurity mindset in front-end development is crucial because it emphasizes the importance of proactive security measures. Front-end developers need to be vigilant in preventing common vulnerabilities like cross-site scripting (XSS) and ensuring data remains protected. It means following best practices, staying updated on threats, and thinking like a potential attacker to identify and fix vulnerabilities before they become problems. This mindset helps create secure web applications that prioritize user privacy and safety right from the start.</p>
<h2 id="heading-common-issues-with-front-end-security">Common Issues With Front-End Security</h2>
<p>There are countless issues that linked to Front-end security that could cause significant issues to the entire application. However, the following are some of the most prevalent problems that must be considered when considering Front-end security:</p>
<h3 id="heading-cross-site-scripting-xss">Cross-Site Scripting (XSS)</h3>
<p></p>
<p>As web development evolves, the risk associated with protecting web applications is also increasing. One of the most significant and growing threats today is Cross-Site Scripting (XSS). The short form of Cross-site scripting is css, but this naming will conflict with Cascading Style Sheets (CSS). So, we call cross-site scripting as XSS.</p>
<p>XSS is a type of security vulnerability where attackers inject malicious scripts into web pages viewed by users. Since the malicious code is injected on the client side, the victims unknowingly execute the code, allowing attackers to bypass access controls and gain unauthorized access to sensitive information.</p>
<p>Improving protection against XSS is crucial in maintaining the security and integrity of web applications. Developers must implement robust security measures, such as input validation, output encoding, and using security-focused libraries, to mitigate the risks associated with CSS attacks.</p>
<p><strong>Understanding the Risks of XSS</strong></p>
<p>XSS attacks can have several consequences, including:</p>
<ul>
<li><p><strong>User data being compromised</strong>: Sensitive user information such as personal details, passwords, and financial data can be exposed to attackers.</p>
</li>
<li><p><strong>Stealing of cookies</strong>: Cookies, which are small pieces of data sent from a server to a web browser containing user information, can be stolen by attackers. This can lead to session hijacking and unauthorized access to user accounts.</p>
</li>
<li><p><strong>Unauthorized actions performed on behalf of the user</strong>: Attackers can perform actions such as making transactions, changing account settings, or sending messages without the user’s consent.</p>
</li>
<li><p><strong>Capturing the keystrokes of the user</strong>: By injecting malicious scrips, attackers can monitor and record user keystrokes, leading to the theft of sensitive information like passwords and credit card numbers.</p>
</li>
</ul>
<p><strong>Decoding XSS Attack Mechanisms</strong></p>
<p>DOM-based XSS is a common type of vulnerability where an attacker exploits the Document Object Model (DOM) to execute malicious script into the user’s browser. This occurs when client-side scripts directly manipulate the DOM, leading <code>to</code> unexpected execution of the injected scripts.</p>
<p>Consider the following example, where a web page uses Javascript to read the URL hash fragment and display it on the screen.</p>
<pre><code class="lang-javascript"><!DOCTYPE html>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">html</span>></span>
<span class="hljs-tag"><<span class="hljs-name">head</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">title</span>></span>DOM XSS Example<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
<span class="hljs-tag"><<span class="hljs-name">body</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Welcome!<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">p</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"hashElement "</span>></span><span class="hljs-tag"></<span class="hljs-name">p</span>></span>

    <span class="hljs-tag"><<span class="hljs-name">script</span>></span><span class="javascript">
        <span class="hljs-comment">// Get the hash value from the URL</span>
        <span class="hljs-keyword">var</span> hash = <span class="hljs-built_in">window</span>.location.hash.substring(<span class="hljs-number">1</span>);

        <span class="hljs-comment">// Display the hash value in the " hashElement" </span>
        <span class="hljs-built_in">document</span>.getElementById(“hashElement”).innerHTML = <span class="hljs-string">"Hello, "</span> + hash + <span class="hljs-string">"!"</span>;
    </span><span class="hljs-tag"></<span class="hljs-name">script</span>></span>
<span class="hljs-tag"></<span class="hljs-name">body</span>></span>
<span class="hljs-tag"></<span class="hljs-name">html</span>></span></span>
</code></pre>
<p>In the above code snippet, the script retrieves the hash fragment from the URL and directly inserts it into the DOM. However, this approach is insecure. An attacker can exploit this by crafting a URL such as:</p>
<p><code>http://example.com/#<script>alert('XSS')</script></code></p>
<p>When a user visits a page with a URL containing a malicious hash fragment like the one above, the script executes immediately upon the page load. This vulnerability arises because the Javascript code uses innerHTML to insert the unsanitized hash fragment into the DOM.</p>
<p>If, instead, a simple alert, the injected script contains malicious code designed to steal sensitive information, the consequences could be severe. For example, an attacker could craft a URL like <code>http://example.com/#<script>stealCookies()</script></code>, where <code>stealCookies()</code> is a function that sends the user’s cookie to the attacker’s server, and then the user's sensitive information is compromised.</p>
<p><strong>Mitigation Strategy for XSS Vulnerabilities</strong></p>
<p>This kind of attack can be prevented if the user input is sanitized and validated before it’s inserted into the DOM.</p>
<ul>
<li>Prefer using APIs that inherently do not interpret HTML, such as <code>textContent</code>instead of <code>innerHtml</code>.</li>
</ul>
<p><code>document.getElementById('hashElement').textContent = "Hello, " + hash + "!"</code>;</p>
<ul>
<li>Sanitize Input: Use libraries like DOMPurify to clean user input before inserting it into the DOM.</li>
</ul>
<p><code>var cleanHash = DOMPurify.sanitize(hash);</code><br /><code>document.getElementById('hashElement').innerHTML = "Hello, " + cleanHash + "!";</code></p>
<p><strong>React’s Approach to Mitigating XSS Vulnerabilities</strong></p>
<p>React, a popular Javascript library for building user interfaces, has built-in mechanisms to help prevent DOM-based XSS attacks.</p>
<p>React will automatically escape all the content that is embedded inside the JSX, so that it will treat the content inside JSX as a plain instead of HTML thereby preventing the insertion of any external scripts.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">import</span> React <span class="hljs-keyword">from</span> <span class="hljs-string">'react'</span>;

<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">SampleComponent</span> <span class="hljs-keyword">extends</span> <span class="hljs-title">React</span>.<span class="hljs-title">Component</span> </span>{
  render() {
    <span class="hljs-comment">// Assume the hash value comes from the URL and is passed as a prop</span>
    <span class="hljs-keyword">const</span> { hash } = <span class="hljs-built_in">this</span>.props;

    <span class="hljs-keyword">return</span> (
      <span class="xml"><span class="hljs-tag"><<span class="hljs-name">div</span>></span>
        <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Welcome!<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
        <span class="hljs-tag"><<span class="hljs-name">p</span>></span>Hello, {hash}!<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
      <span class="hljs-tag"></<span class="hljs-name">div</span>></span></span>
    );
  }
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> SampleComponent;
</code></pre>
<p>In the above example, even if the hash variable contains the script tag, React will escape it and render it as a string and not as executable code.</p>
<p><strong>Using</strong> <code>dangerouslySetInnerHtml</code></p>
<p>React offers the <code>dangerouslySetInnerHtml</code> attribute as a method to directly inject HTML into the DOM. However, it should be used cautiously, and only you can guarantee the content is safe and thoroughly sanitized.</p>
<p>If you encounter unavoidable scenarios where using the <code>dangerouslySetInnerHtml</code> attribute is necessary, always ensure that the input is sanitized rigorously with a trusted library like DOMPurify. This step helps remove any potentially harmful code, thereby mitigating the risk of XSS vulnerabilities.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">import</span> DOMPurify <span class="hljs-keyword">from</span> <span class="hljs-string">'dompurify'</span>;

<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">XSSComponent</span> <span class="hljs-keyword">extends</span> <span class="hljs-title">React</span>.<span class="hljs-title">Component</span> </span>{
  render() {
    <span class="hljs-keyword">const</span> { hash } = <span class="hljs-built_in">this</span>.props;
    <span class="hljs-keyword">const</span> sanitizedHash = DOMPurify.sanitize(hash);

    <span class="hljs-keyword">return</span> (
      <span class="xml"><span class="hljs-tag"><<span class="hljs-name">div</span>></span>
        <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Welcome!<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
        <span class="hljs-tag"><<span class="hljs-name">p</span> <span class="hljs-attr">dangerouslySetInnerHTML</span>=<span class="hljs-string">{{</span> <span class="hljs-attr">__html:</span> `<span class="hljs-attr">Hello</span>, ${<span class="hljs-attr">sanitizedHash</span>}!` }} /></span>
      <span class="hljs-tag"></<span class="hljs-name">div</span>></span></span>
    );
  }
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> XSSComponent;
</code></pre>
<h3 id="heading-cross-site-request-forgery-csrf">Cross-Site Request Forgery (CSRF)</h3>
<p></p>
<p>Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to introduce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.</p>
<p>For example, Chris might be logged into his online banking while checking his email. In the meanwhile, he might click on a link in the phishing email with a transfer request (such as a deceptively short link) asking Chris’s bank to transfer money to the compromised bank account. Since Chris is logged into his bank account, the transfer request will be executed automatically because it is made through a browser authorised by Chris.</p>
<p>To prevent the CSRF in your web application, this is the step we should follow:</p>
<ol>
<li><strong>Store the token under HttpOnly with sam-site Cookie Attribute</strong></li>
</ol>
<p>Generally, we don’t save the user token inside local storage or redux. So far, the suggestion that I have found is to save the cookie inside HttpOnly cookies with strict same-site configuration. Well, the HttpOnly cookies mean that the token can not be loaded on the client-side; it is a tag added to the browser cookie that prevents client-side scripts from accessing data. It provides a gate that prevents the specialized cookie from being accessed by anything other than the server. Nextjs would be a good way to achieve this solution because it has an express backend server as a developer that is able to save tokens inside HttpOnly cookies. Besides that, the cookies should be set to <code>strict</code> because the browser will not include the cookie in any requests that originate from another site. This is the most defensive option, but it can impair the user experience because if a logged-in user follows a third-party link to a site, then they will appear not to be logged in and will need to log in again before interacting with the site in the normal way.</p>
<p>Reference link: <a target="_blank" href="https://portswigger.net/web-security/csrf/samesite-cookies">https://portswigger.net/web-security/csrf/samesite-cookies</a></p>
<ol start="2">
<li><strong>Follow REST principles</strong></li>
</ol>
<p>It is very dangerous if we use this <code>GET</code> method to change the state of the server. For example, If Chris is accessing the bank websites, and the bank website uses a GET request to transfer funds as example below - <code>GET <http://bank.com/transfer.do?name=Chris&amount=10> HTTP/1.1</code> This is very dangerous if the attacker tamper with the query strings and make a link into an image or a script and send it to the user via an unsolicited email with HTML content, then Chris’s bank account will automating executed that query while they are doing the online banking. The attackers can even put the script such as <code>" width="0" height="0" border="0"></code> . Other methods such as <code>Create</code> , <code>Update</code> , <code>Delete</code> have the same issue with <code>GET</code> method. So the best way to prevent as a developer is to follow REST principles as they are provided.</p>
<ol start="3">
<li><strong>Implement Anti-CSRF tokens</strong></li>
</ol>
<p>Anti-CSRF tokens are to provide the user browser with a piece of information and check if the web browser will send it back. The token must be unique and provided by the third party. After that, the back end of the web application will not proceed unless it verifies the <a target="_blank" href="http://token.so/">token</a>. In this way, only the user can send requests within an authenticated session. Below is an example:</p>
<pre><code class="lang-javascript"><Form>
  <span class="xml"><span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"name"</span> /></span></span>
  <span class="xml"><span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"hidden"</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"token"</span> <span class="hljs-attr">value</span>=<span class="hljs-string">"unique_value"</span> /></span></span>
</Form>
</code></pre>
<p>If the attacker performs a CSRF using a malicious site, it will be hard to know the current token that is set inside the cookies. The backend server won’t process the request without that token in order to make a protection from CSRF attacks. More references can read this:</p>
<p>Reference link: <a target="_blank" href="https://www.invicti.com/blog/web-security/protecting-website-using-anti-csrf-token/">Protect your website with anti-CSRF tokens | Invicti</a></p>
<h3 id="heading-injection-attack">Injection Attack</h3>
<p></p>
<p>As the name implies, injection attacks or vulnerabilities allow an attacker to inject malicious code or commands into the application’s input fields, exploiting vulnerabilities in data processing mechanisms.</p>
<p>This is one of the most common forms of vulnerability that can be present in an application and has also been added to the <a target="_blank" href="https://owasp.org/Top10/A03_2021-Injection/">OSWAP Top 10</a> list of vulnerabilities.</p>
<p>Even though there can be several injection attacks, such as SQL, Command, or even XPath injections, the principle behind the vulnerability remains the same.</p>
<p>Some of the most common causes for the injection vulnerabilities include:</p>
<ul>
<li><p>Lack of input validation: Failure to properly verify and sanitize user input before processing allows attackers to introduce harmful payloads into application input fields.</p>
</li>
<li><p>Dynamic Query Construction: Applications that dynamically generate SQL queries, shell commands, or XPath expressions from user inputs are particularly vulnerable to injection attacks.</p>
</li>
<li><p>Insufficient Escaping: Insecure handling of special characters or inability to escape the user input before combining it into queries or instructions opens programs to injection attacks.</p>
</li>
</ul>
<p><strong>How can you prevent Injection Attacks?</strong></p>
<p>Preventing an injection attack is a two-part strategy:</p>
<ol>
<li><p>First, you need to ensure that your Front-end input fields are rightfully validated and sanitized. You need to prevent users from inserting malicious code into your fields.</p>
</li>
<li><p>After you have validated your front end, it’s also important to sanitize the payloads you receive on your backend. Don’t trust your payloads that anyone can get your API endpoints and start sending malicious input. So, ensure that you sanitize your back-end payloads as well. Additionally, utilize tools like <a target="_blank" href="https://portswigger.net/burp/documentation/scanner">Burp Scanner</a>, <a target="_blank" href="https://sqlmap.org/">sqlmap</a>, <a target="_blank" href="https://github.com/ron190/jsql-injection">jSQL Injection,</a> and <a target="_blank" href="https://www.invicti.com/">Invicti</a> to detect potential SQL attacks and related vulnerabilities in your applications.</p>
</li>
</ol>
<h3 id="heading-man-in-the-middle-attack">Man-in-the-Middle Attack</h3>
<p></p>
<p>Man-in-the-middle (MitM) Attacks force an attacker to intercept and manipulate the information that is being transmitted between two parties.</p>
<p>For example, attackers can intercept your connection to Facbook.com and steal your credentials and forward you back to Facebook.</p>
<p>These attacks occur when an attacker exploits an insecure communication channel (often through public wifi). A victim of this attack doesn’t feel that they are being attacked as they assume they are holding a perfectly normal and secure conversation with the server when the information they are sharing is being spied upon or altered along the way.</p>
<p><strong>How can you prevent a Man-in-the-middle attack?</strong></p>
<ul>
<li><p>Use a secure internet connection and log out of apps you no longer use.</p>
</li>
<li><p>Don’t connect to networks you don’t know. For example, don’t connect to a free Wifi that is available in your coffee.</p>
</li>
<li><p>Use secure communication protocols such as HTTPS and TLS to encrypt all data in transit.</p>
</li>
</ul>
<h3 id="heading-clickjacking">Clickjacking</h3>
<p></p>
<p>Clickjacking, also known as UI redressing, is a type of attack where malicious actors tricks users into clicking on something different from what they perceive by embedding web pages within iframes. This can lead to unauthorized actions and compromise user security.</p>
<p>Clickjacking involves placing a transparent or opaque over a legitimate webpage element, causing users to unknowingly perform actions such as changing settings or transferring funds.</p>
<p>Consider a scenario where an attacker embeds a hidden iframe from a banking site into a trusted webpage. When a user clicks on a seemingly harmless button, they might actually be authorizing a bank transaction.</p>
<p>Here’s an example of a vulnerable page:</p>
<pre><code class="lang-xml"><span class="hljs-meta"><!DOCTYPE <span class="hljs-meta-keyword">html</span>></span>
<span class="hljs-tag"><<span class="hljs-name">html</span> <span class="hljs-attr">lang</span>=<span class="hljs-string">"en"</span>></span>
<span class="hljs-tag"><<span class="hljs-name">head</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">charset</span>=<span class="hljs-string">"UTF-8"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"viewport"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"width=device-width, initial-scale=1.0"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">title</span>></span>Clickjacking Example<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
<span class="hljs-tag"><<span class="hljs-name">body</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Welcome to Our Site<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">button</span> <span class="hljs-attr">onclick</span>=<span class="hljs-string">"alert('Clicked!')"</span>></span>Click Me<span class="hljs-tag"></<span class="hljs-name">button</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">iframe</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://example-bank.com/transfer"</span> <span class="hljs-attr">style</span>=<span class="hljs-string">"opacity:0; position:absolute; top:0; left:0; width:100%; height:100%;"</span>></span><span class="hljs-tag"></<span class="hljs-name">iframe</span>></span>
<span class="hljs-tag"></<span class="hljs-name">body</span>></span>
<span class="hljs-tag"></<span class="hljs-name">html</span>></span>
</code></pre>
<p><strong>Preventing Clickjacking with Javascript</strong></p>
<p>To prevent clickjacking attacks, you can use JavaScript to ensure that your website is not being framed. Here’s a step-by-step guide on how to implement this protection:</p>
<ol>
<li><strong>Javascript Fram Busting</strong></li>
</ol>
<p>Frame busting involves using JavaScript to detect if your website is loaded inside an iframe and breaking out of it.</p>
<pre><code class="lang-xml"><span class="hljs-meta"><!DOCTYPE <span class="hljs-meta-keyword">html</span>></span>
<span class="hljs-tag"><<span class="hljs-name">html</span> <span class="hljs-attr">lang</span>=<span class="hljs-string">"en"</span>></span>
<span class="hljs-tag"><<span class="hljs-name">head</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">charset</span>=<span class="hljs-string">"UTF-8"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"viewport"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"width=device-width, initial-scale=1.0"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">title</span>></span>Frame Busting Example<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">script</span>></span><span class="javascript">
        <span class="hljs-keyword">if</span> (<span class="hljs-built_in">window</span>.top !== <span class="hljs-built_in">window</span>.self) {
            <span class="hljs-built_in">window</span>.top.location = <span class="hljs-built_in">window</span>.self.location;
        }
    </span><span class="hljs-tag"></<span class="hljs-name">script</span>></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
<span class="hljs-tag"><<span class="hljs-name">body</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Secure Site<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">p</span>></span>This site is protected from clickjacking attacks.<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
<span class="hljs-tag"></<span class="hljs-name">body</span>></span>
<span class="hljs-tag"></<span class="hljs-name">html</span>></span>
</code></pre>
<p>In this example, the JavaScript checks if the current window (window.self) is not the topmost window (window.top). If it's not, it redirects the topmost window to the current window's URL, effectively breaking out of the iframe.</p>
<ol start="2">
<li><strong>Enhanced Frame Busting with Event Listeners</strong></li>
</ol>
<p>You can further enhance your frame-busting technique by using event listeners to continuously check if your page is framed.</p>
<pre><code class="lang-xml"><span class="hljs-meta"><!DOCTYPE <span class="hljs-meta-keyword">html</span>></span>
<span class="hljs-tag"><<span class="hljs-name">html</span> <span class="hljs-attr">lang</span>=<span class="hljs-string">"en"</span>></span>
<span class="hljs-tag"><<span class="hljs-name">head</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">charset</span>=<span class="hljs-string">"UTF-8"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"viewport"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"width=device-width, initial-scale=1.0"</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">title</span>></span>Enhanced Frame Busting<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">script</span>></span><span class="javascript">
        <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">preventClickjacking</span>(<span class="hljs-params"></span>) </span>{
            <span class="hljs-keyword">if</span> (<span class="hljs-built_in">window</span>.top !== <span class="hljs-built_in">window</span>.self) {
                <span class="hljs-built_in">window</span>.top.location = <span class="hljs-built_in">window</span>.self.location;
            }
        }

        <span class="hljs-built_in">window</span>.addEventListener(<span class="hljs-string">'DOMContentLoaded'</span>, preventClickjacking);
        <span class="hljs-built_in">window</span>.addEventListener(<span class="hljs-string">'load'</span>, preventClickjacking);
        <span class="hljs-built_in">window</span>.addEventListener(<span class="hljs-string">'resize'</span>, preventClickjacking);
    </span><span class="hljs-tag"></<span class="hljs-name">script</span>></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
<span class="hljs-tag"><<span class="hljs-name">body</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">h1</span>></span>Secure Site<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>
    <span class="hljs-tag"><<span class="hljs-name">p</span>></span>This site is protected from clickjacking attacks.<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
<span class="hljs-tag"></<span class="hljs-name">body</span>></span>
<span class="hljs-tag"></<span class="hljs-name">html</span>></span>
</code></pre>
<p>In this example, the preventClickjacking function is called on the DOMContentLoaded, load, and resize events to ensure continuous protection.</p>
<p><strong>Server-Side Protection</strong></p>
<p>While JavaScript methods are useful, implementing server-side protection provides an additional layer of security. Here’s how to set up HTTP headers in Apache and Nginx to prevent clickjacking:</p>
<ol>
<li><strong>X-Frame-Options Header</strong></li>
</ol>
<p>The X-Frame-Options header allows you to specify whether your site can be embedded in iframes. There are three options:</p>
<p>DENY: Prevents any domain from embedding your page.<br />SAMEORIGIN: Allows embedding only from the same origin.<br />ALLOW-FROM uri: Allows embedding from the specified URI.<br />Example:</p>
<pre><code class="lang-xml">X-Frame-Options: DENY
</code></pre>
<p>Apache Configuration<br />Add this header to your server configuration:</p>
<pre><code class="lang-xml"># Apache
Header always set X-Frame-Options "DENY"
</code></pre>
<p>Nginx Configuration<br />Add this header to your server configuration:</p>
<ol start="2">
<li><strong>Content-Security-Policy (CSP) Frame Ancestors</strong></li>
</ol>
<p>CSP provides a more flexible approach through the frame-ancestors directive, which specifies valid parents that may embed the page using iframes.</p>
<p>Example:</p>
<pre><code class="lang-xml">Content-Security-Policy: frame-ancestors 'self'
</code></pre>
<p>Apache Configuration<br />Add this header to your server configuration:</p>
<p>Example:</p>
<pre><code class="lang-xml"># Apache
Header always set Content-Security-Policy "frame-ancestors 'self'"
</code></pre>
<p>Nginx Configuration<br />Add this header to your server configuration:</p>
<pre><code class="lang-xml"># Nginx
add_header Content-Security-Policy "frame-ancestors 'self'";
</code></pre>
<h3 id="heading-insecure-direct-object-reference-idor">Insecure Direct Object Reference (IDOR)</h3>
<p></p>
<p>This type of vulnerability occurs when the application exposes the internal object references in a predictable or unauthenticated manner, allowing attackers to manipulate these references to gain unauthorized access to sensitive data or resources.</p>
<p>IDOR works when internal object references, such as database keys or file paths, are directly exposed to users without proper authorization checks. This way, attackers can access these resources by guessing or incrementing values to access these resources.</p>
<p>Common causes of IDOR vulnerability include:</p>
<ol>
<li><p><strong>Lack of Access Controls</strong>: Failure to implement sufficient access controls or permission procedures allows users to access internal object references without suitable validation directly.</p>
</li>
<li><p><strong>Predictable Object References</strong>: Applications with predictable or sequential object references, such as sequential database keys or predictable file paths, are more vulnerable to IDOR attacks.</p>
</li>
<li><p><strong>Insecure Direct Links</strong>: Direct links or URLs that expose internal object references without adequate authentication or authorization might result in IDOR vulnerabilities.</p>
</li>
</ol>
<h3 id="heading-insecure-authentication-and-session-management">Insecure Authentication and Session Management</h3>
<p></p>
<p>These vulnerabilities allow attacks to bypass or masquerade valid sessions and users into gaining unauthorized access to sensitive resources.</p>
<p>This type of vulnerability has been persistent for a long time and has also been mentioned within the <a target="_blank" href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 list</a> of vulnerabilities and on the <a target="_blank" href="https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/">OWASP Top 10 for APIs</a>.</p>
<p>Some common causes for these vulnerabilities include:</p>
<ul>
<li><p><strong>Session Fixation</strong>: Improper management of session IDs, such as failing to regenerate session tokens after authentication or utilizing predictable session identifiers, can expose the application to session fixation attacks. Attackers can take over user sessions by altering or guessing session tokens.</p>
</li>
<li><p><strong>Persistent Cookies</strong>: Persistent cookies without expiration dates or long periods raise the possibility of unauthorized access and account compromise. Attackers can steal the persistent session cookie saved on users’ devices and exploit it to get continued access to their accounts.</p>
</li>
<li><p><strong>Insufficient Account Lock Mechanisms</strong>: A lack of account logout methods and insufficient rate limits on login attempts might make user accounts vulnerable to brute-force assaults. Attackers can keep guessing passwords until they gain unauthorized access to user accounts.</p>
</li>
</ul>
<h3 id="heading-thrid-party-component-risks">Thrid-Party Component Risks</h3>
<p></p>
<p>Almost all modern-day applications use third-party components such as libraries, frameworks, plugins, and APIs to accelerate development and enhance functionality. Even though these components have their benefits, they can also introduce inherent security risks that could jeopardize the application’s security and integrity.</p>
<p>Some of the most common risks brought in by third-party components are:</p>
<ol>
<li><p><strong>Security Vulnerabilities:</strong> Third-party components may have security flaws or authentication bypasses that attackers might use to compromise your application.</p>
</li>
<li><p><strong>Outdated or Unsupported Versions</strong>: Using obsolete or unsupported versions of third-party components increases the risk of security vulnerabilities, as patches and updates that address known vulnerabilities may not be applied.</p>
</li>
<li><p><strong>Supply Chain Attacks</strong>: Attackers may compromise the software supply chain by injecting malicious code or backdoors into third-party components, resulting in widespread security breaches or data exfiltration.</p>
</li>
</ol>
<h3 id="heading-malicious-file-upload">Malicious File Upload</h3>
<p>File uploads could be risky when the developer doesn’t restrict the file upload. The attacks could be to the backend infrastructures and users. Let’s say the uploaded file contains malware, which can leverage the vulnerability on the server side. The file could be used to gain control of the server. Back-end developers should restrict and scan the file uploading. But in the front end, we could try to optimize it to prevent malicious file uploads. We are unable to scan the file on the server. However, we can run some validations from the recommendations below.</p>
<ul>
<li><p>only allows file extensions that your application requires</p>
</li>
<li><p>If the file extensions are valid, then check the type of the file. e.g, application/text, application/csv, etc.</p>
</li>
<li><p>Upload should be done over the secure channel (SSL)</p>
</li>
<li><p>You can get an antivirus/malware detector in your hosting services.</p>
</li>
<li><p>Proper permissions to the folder when you move new files.</p>
</li>
<li><p>Confirm that the file names are standard and without any special characters / Randomize upload file names.</p>
</li>
<li><p>Set a maximum name length and maximum file size.</p>
</li>
</ul>
<p>Reference Link: <a target="_blank" href="https://stackoverflow.com/questions/55591385/front-end-antivirus-scan-file-uploads">Front-end Untivirus Scan File Uploads</a></p>
<h3 id="heading-denial-of-service-dos">Denial of Service (DoS)</h3>
<p>Think of a busy road suddenly blocked by hundreds of cars, making it impossible for anyone to get through. That’s what a Denial of Service (DoS) attack does in the digital world. It clogs up websites or online services, so they become inaccessible to users.</p>
<p>In a DoS attack, cyber troublemakers flood a website or a service with an overwhelming amount of traffic or data. It’s like sending so many cars onto a road that it becomes jammed. When this happens, the website or service can’t handle all the requests, and it crashes or slows down significantly.</p>
<p>These attacks can be launched for several reasons. Sometimes, it’s to cause chaos and disrupt a service, but other times, it’s a distraction while cybercriminals carry out other attacks.</p>
<p>To protect against DoS attacks, website owners and service providers use specialized software and hardware to filter out malicious traffic. They also have backup systems to keep services running even if there is an attack.</p>
<p>As a user, you might experience a website's response slowly during a DoS attack, but there’s not much you can do to prevent it. Just like dealing with traffic jams on the road, patience is key when facing a DoS attack online.</p>
<h3 id="heading-distributed-denial-of-service-ddos">Distributed Denial of Service (DDoS)</h3>
<p>Imagine your favorite online game or a popular shopping website suddenly becoming so crowded that it crashes, and you can’t access it. That is what a Distributed Denial of Service (DDoS)attack does - it creates a digital stampede that overwhelms and paralyzes websites and online services.</p>
<p>In a DDoS attack, instead of one troublemaker, there are many. These cyber attackers gather a network of hijacked computers and devices, often called a “botnet“. It’s like an enemy of digital zombies that follows the hacker’s orders.</p>
<p>When the attack begins, the botnet floods the target website or service with a massive amount of fake traffic. It’s like thousands of people trying to get into a tiny shop at once. The target gets so swamped that it can’t handle all the requests, and it slows down or crashes.</p>
<p>DDoS attacks can be used for several reasons, from causing chaos and distracting from security teams while another cyber-attack is underway.</p>
<p>To protect against DDoS attacks, websites and service providers invest in strong cybersecurity infrastructure and monitoring systems to detect and mitigate the attack traffic.</p>
<p>As users, there is not much you can do to prevent a DDoS attack, but you can be patient and wait for the storm to pass. Just like waiting for a crowd event to calm down, staying calm during a DDoS attack is key to getting back online.</p>
<h2 id="heading-front-end-security-best-practices">Front-end security best practices</h2>
<p>Now that we have a clear picture of the threats, let’s explore some best practices to fortify your Front-end security.</p>
<h3 id="heading-cors-finally-explained">CORS Finally Explained</h3>
<p></p>
<p>Seen the above before? Probably… and probably quite a lot…</p>
<p>There are millions of articles explaining how to fix the error above, but what exactly is this “Cross-Origin Resource Sharing“ thing, and why does it even exist?</p>
<p>Imagine this: you log into <code>bank.com</code>, which is your banking service. After logging in, a “session cookie is stored in your browser“. (Session cookies basically tell the server behind <code>bank.com</code> that your browser is now logged into your account.) All feature requests to <code>bank.com</code> will now contain this cookie, and it can respond properly, knowing you are logged in. Ok, so now you decide to check your mailbox. You receive a suspicious email, and of course, you choose to click on the link inside, which sends you to <code>attack.com</code>. Next, this website sends a request to <code>bank.com</code> to get your banking details. Keep in mind that <code>bank.com</code> still thinks that you are still logged in because of that session cookie…that cookie is stored in your browser. For the server behinds <code>bank.com</code>, it just looks like you requested your banking details normally, so it sends them back. Now, <code>attack.com</code> has access to these and store them elsewhere maliciously.</p>
<p>People realized this was bad, so browsers adopted an SOP (Same-Origin Policy) where if your browser notices that you are trying to make requests to <code>bank.com</code> <em>from anywhere other than</em> <code>bank.com</code> they will be blocked. Now, this is a key thing to realize - <strong>this is a browser-based policy</strong>. <code>bank.com</code> really has no way to tell where a request comes from, so it can’t protect much against attacks like CSRF. The browser you are using steps in and basically says that if you seem to be trying to request details for an origin (scheme + domain name + port, https//foo.com:4000, http//bar.org:3000, etc… Basically the URL), it will only send those requests for same origins.</p>
<p>Now, this was great at all, but it was incredibly limiting. I mean, public APIs won’t work at all. You couldn’t request data from the unless you used some sort of proxy solution.</p>
<p><strong>CSRF</strong></p>
<p>Here’s a thing: a server can sorta tell where a request came from. There is an “Origin“ header, which requests should have, showcasing what origin made a request. For instance, in the above example, the request would look something like this:</p>
<pre><code class="lang-xml">Request to -----> bank.com
{
  Headers: { Origin: http://attack.com }
}
</code></pre>
<p><code>bank.com</code> in theory, should be checking this to make sure it only responds to requests where the origin makes sense. And it usually does, so SOP seems kinda limiting.</p>
<p>This is where CORS comes in.</p>
<p><strong>CORS</strong></p>
<p>When a web application from <code>example.com</code> attempts to request resources from <code>bank.com</code>, the browser automatically includes an <code>Origin</code> header in the request, indicating where the request originates from (<code>example.com</code>). Here's the crucial part: Instead of outright blocking such cross-origin requests under the SOP, <code>bank.com</code>'s server can inspect this <code>Origin</code> header and decide whether to allow or deny the request based on its own CORS policy.</p>
<p>If <code>bank.com</code> considers <code>example.com</code> trustworthy or the resource being requested is meant to be publicly accessible, it can respond with specific CORS headers, such as <code>Access-Control-Allow-Origin</code>, indicating which origins are permitted to access the resource. This header might be set to <code>http://example.com</code>, explicitly allowing this origin, or <code>*</code> for public resources that any origin can access.</p>
<p>Of course, the browser facilitates all this. If any of it is wrong, you will get that nasty error.</p>
<p>Now, what if the request doesn’t have the origin header? What if it has a bunch of other headers and doesn't use one of the basic HTTP methods?</p>
<p>In these situations, the handling of CORS becomes a bit more intricate as it is no longer a “simple request“. This is where the concept of “preflight” requests in CORS comes into play.</p>
<p><strong>Preflight</strong></p>
<p>For certain types of requests that could potentially modify data on the server — Those are use HTTP methods like PUT, DELETE, or use headers that are not automatically included in every requests — browsers will first send a “prefight“ request before making the actual request. This preflight request is an HTTP OPTIONS request, and its purpose is to check with the server whether the actual request is safe to send.</p>
<p>The preflight request includes headers that describe the HTTP method and headers of the actual request. Here’s what happens next:</p>
<ol>
<li><p>Server Response: If the server supports the CORS policy and the actual request, it responds to the preflight request with headers indicating what methods and headers are allowed. This might include headers like <code>ccess-Control-Allow-Methods</code> and <code>Access-Control-Allow-Headers</code>.</p>
</li>
<li><p>Browser Decision: Based on the server’s response to the preflight request, the browser decides whether to proceed with the actual request. If the server’s response indicates that the request is allowed, the browser sends it; if not, the browser blocks the request, and you will see an error related to CORS.</p>
</li>
</ol>
<h3 id="heading-content-security-policies">Content Security Policies</h3>
<p>Content Security Policy (<a target="_blank" href="https://developer.mozilla.org/en-US/docs/Glossary/CSP">CSP</a>) is an added layer of security that helps to reduce and mitigate certain types of attacks, including cross-site scripting (<a target="_blank" href="https://developer.mozilla.org/en-US/docs/Glossary/XSS">XSS</a>) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.</p>
<p>As the name suggests, CSP is a set of instructions you can send with your Javascript code to the browser to control its execution. For example, you can set up a CSP to restrict the execution of Javascript to a set of whitelisted domains and ignore any inline scripts and event handlers to protect from XSS attacks. In addition, you can specify that all the scripts should load via HTTPS to reduce the risk of packet sniffing attacks.</p>
<p>So how should I configure a CSP for web applications?</p>
<p>There are two ways to configure a CSP. One approach is to return a specific HTTP Header <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a>. The other is to specify the <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta"><meta></a> element in your HTML page.</p>
<p>Recommended to read this article:</p>
<p><a target="_blank" href="https://www.stackhawk.com/blog/react-content-security-policy-guide-what-it-is-and-how-to-enable-it/">https://www.stackhawk.com/blog/react-content-security-policy-guide-what-it-is-and-how-to-enable-it/</a></p>
<p>Other than that, NextJs is also able to improve security by setting the <code>headers</code> in <code>next.config.js</code> . More information - <a target="_blank" href="https://nextjs.org/docs/advanced-features/security-headers">Advanced Features: Security Headers | Next.js</a></p>
<p><strong>Let’s look at a Sample CSP</strong></p>
<p><a target="_blank" href="https://nextjs.org/docs/advanced-features/security-headers">Assume that you</a> <a target="_blank" href="https://www.stackhawk.com/blog/react-content-security-policy-guide-what-it-is-and-how-to-enable-it/#:~:text=You">set the following <code>Content-Security-Policy</code> for your we</a>b application:</p>
<pre><code class="lang-xml">Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com;
</code></pre>
<p>Then, this will allow loading Javascript like from <code>https://example.com/js/*</code> but will block <code>https://someotherexample.com/js/*</code> by the browser as specified in the CSP. Furthermore, any Inline Scripts are also blocked by default unless you use hashes and nonces to allow them to execute.</p>
<p>If you haven’t heard of hashes and nonces, I would highly recommend referring to <a target="_blank" href="https://content-security-policy.com/examples/allow-inline-script/">this example link</a> to realize its true potential.</p>
<p>In a nutshell, with the hash operation, you can specify the hash of the Javascript file as an attribute to the script block where the browser will first validate the hash before executing it.</p>
<p>The same goes for the nonce, where we can generate a random number and specify it at the CSP header while referring to the same nonce at the Script block.</p>
<p><strong>How do you know if there are any CSP Violations?</strong></p>
<p>The beauty of CSP is that it has covered the scenario of reporting the violations back to you. As a part of CSP, you can define a URL where the user’s browser will automatically send a violation report back to your server for further analysis.</p>
<p>For this, you need to set up an endpoint that handles the POST payloads sent as the CSP violation report by the browser. The following shows an example of specifying a <code>/csp-incident-reports</code> path to receive a violation report payload.</p>
<p><code>Content-Security-Policy: default-src 'self'; report-uri /csp-incident-reports</code></p>
<p>If we include a Javascript or Style outside the site’s own origin (e.g, otherdomain.com), let’s say by accident when we visit a site URL (e.g, example.com), the above policy will reject it from loading to the browser and submit the following violation report as the HTTP POST payload.</p>
<pre><code class="lang-xml">{
  "csp-report": {
    "document-uri": "http://example.com/index.html",
    "referrer": "",
    "blocked-uri": "http://otherdomain.com/css/style.css",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; report-uri /csp-incident-reports"
  }
}
</code></pre>
<p><strong>Browser Support and Tools</strong></p>
<p>As you can see, all the major browsers support the CSP feature. This is good news since the investment we put in creating the CSP addresses a larger user base.</p>
<p>Besides, browsers like Chrome have gone even further by providing tools to validate CSP attributes. For example, if you define the hash of the Javascript, the Chrome Developer Console will promote the correct hash for developers to rectify any errors.</p>
<p>In addition, if you use Webpack to bundle your Javascripts, you can find a webpack plugin named <a target="_blank" href="https://www.npmjs.com/package/csp-html-webpack-plugin">CSP HTML WebPack Plugin</a> to append the hash at build time and automate this process.</p>
<h3 id="heading-avoid-iframes-if-possible">Avoid Iframes if possible</h3>
<p>Iframe is a simple content embedding technique used in web development. However, using iframes would come with security risks. Through IFrame, attackers are able to inject malicious executables or viruses into our web application and execute them on the user’s browser. More information can be read <a target="_blank" href="https://blog.bitsrc.io/4-security-concerns-with-iframes-every-web-developer-should-know-24c73e6a33e4#:~:text=iframes%20use%20multiple%20tags%20to,execute%20them%20in%20user's%20devices">this</a>:</p>
<h3 id="heading-strict-user-input-the-first-point-of-attack">Strict User Input (the First Point of Attack)</h3>
<p>User Input should always be strict in nature to avoid vulnerabilities such as SQL injection, clickjacking, etc. So it’s important to validate or sanitize user input before sending it to the back end.</p>
<p>Sanitizing data can be done by removing or replacing contextually dangerous characters, such as by using a whitelist and escaping the input data.</p>
<p>However, I realize that sanitizing and encoding is not an easy task for all existing possibilities, so we may use the following open-source libraries:</p>
<ul>
<li><p><a target="_blank" href="https://www.npmjs.com/package/dompurify"><code>DOMPurify</code></a>: This is the most simple to use and has one method to sanitize the user’s input. It has an option to customize the rules, and it supports HTML5, SVG, and MathML.</p>
</li>
<li><p><a target="_blank" href="https://www.npmjs.com/package/secure-filters"><code>secure-filters</code></a>: A Salesforce library that provides methods to sanitize HTML, Javascript, Inline CSS styles, and other contexts. It’s especially useful when you want to make use of user input in other places, for example, generating CSS or Javascript.</p>
</li>
</ul>
<p>In the case of file upload, always check the file type, use a file filter function, and allow only certain file types to get uploaded. Refer to <a target="_blank" href="https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload">this</a> for more.</p>
<h3 id="heading-beware-of-hidden-fields-or-data-stored-in-browser-mermory">Beware of Hidden Fields or Data Stored in Browser Mermory</h3>
<p>If we add <code>input=”hidden”</code> to hide the sensitive data in the page or add them in the browser <code>localStorage</code>, <code>sessionStorage</code>, <code>cookies</code> and think that is safe, we need to think again.</p>
<p>Everything is added to the browser and can be accessed by attackers easily. An attacker can open the dev tools and change all the in-memory variables. And what if you had hidden the auth page upon the <code>localStorage</code>, <code>sessionStorage</code>, and <code>cookies</code> values?</p>
<p>There are tools like <a target="_blank" href="https://www.zaproxy.org/">ZapProxy</a> and even inspection tools in the browser that can expose those values to attackers if they find a way to inject a script, and they can use them to attack further.</p>
<p>Hence avoid using <code>type="hidden"</code> and avoid storing keys, auth tokens, etc, in the browser's in-memory storage as much as possible.</p>
<h3 id="heading-enable-xss-protection-mode">Enable XSS Protection Mode</h3>
<p>If somehow an attacker injects the malicious code from the user input, we can instruct the browser to block the response by supplying the <code>"X-XSS-Protection": "1; mode=block"</code> header.</p>
<p>Most modern browsers have XSS protection mode enabled by default but it’s still recommended to include the <code>X-XSS-Protection</code> header. This helps to ensure better security for older browsers that don’t support CSP headers.</p>
<h3 id="heading-avoid-typical-xss-mistakes">Avoid Typical XSS Mistakes</h3>
<p>An XSS attack is usually traced to the DOM API’s innerHTML. For instance:</p>
<p><code>document.querySelector('.tagline').innerHTML = nameFromQueryString</code></p>
<p>Any attacker is able to inject malicious code with the line above:</p>
<p>Consider using <code>textContent</code> instead of <code>innerHTML</code> to prevent generating HTML output altogether. If you don’t generate HTML, there is no way to insert Javascript. You may see the content, but nothing will happen.</p>
<p>Keep an eye out for a new <a target="_blank" href="https://developers.google.com/web/updates/2019/02/trusted-types">Trusted Types specification</a>, which aims to prevent all DOM-based cross-site scripting attacks made by goodgler.</p>
<p>In the case of react.js, <code>dangerouslySetInnerHTML</code> is unambiguous and cautionary and can have a similar impact as <code>innerHTML</code>.</p>
<p><em>Note: Don't Set the</em> <code>innerHTML</code> <em>value-based on user input and use textContent instead of</em> <code>innerHTML</code> <em>as much as possible.</em></p>
<p>Also, HTTP response headers <code>Content-Type</code> and <code>X-Content-Type-Options</code> should be set properly, with their intended behavior. For example, JSON data should never be encoded as text/HTML to prevent accidental execution.</p>
<h3 id="heading-keep-errors-generic">Keep Errors Generic</h3>
<p>An error like “Your password is incorrect“, may be helpful to the users but also to the attackers. They may figure out information from these errors that helps them to plan their next action.</p>
<p>When dealing with accounts, emails, and PII, we should try to use ambiguous errors like “Incorrect login information.“</p>
<h3 id="heading-use-captcha">Use Captcha</h3>
<p>Using Captcha at public-facing endpoints (login, registration, contact). A Captcha is a computer program or system intended to distinguish humans from bots and can help stop DoS (Denial of Service) attacks.</p>
<h3 id="heading-always-set-referer-policy">Always Set <code>Referer-Policy</code></h3>
<p>Whenever we use an anchor tag or a link that navigates away from the website, make sure you use a header policy <code>"Referrer-Policy": "no-referrer"</code> or, in case of the anchor tag, set <code>rel = noopener or noreferrer</code>.</p>
<p>When we don’t set these headers and rel, the destination website can obtain data like session tokens and database IDs.</p>
<h3 id="heading-audit-dependencies-regularly">Audit Dependencies Regularly</h3>
<p>Run <code>npm audit</code> regularly to get a list of vulnerable packages and upgrade them to avoid security issues.</p>
<p>Github now flags vulnerable dependencies. We can also use <a target="_blank" href="https://snyk.io/">Synk</a>, which checks your source code automatically and opens pull requests to bump versions.</p>
<h3 id="heading-carefully-consider-autofill-fields">Carefully Consider Autofill Fields</h3>
<p>Personal identification information stored in the autofill of a browser can be convenient for both users and attackers.</p>
<p>Attackers add third-party scripts to exploit browsers’s built-in autofill to extract email addresses for building tracking identifiers. They can use these to build user browsing history profiles, which they can sell to the bad guys. Read more on <a target="_blank" href="https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/">this</a>.</p>
<p>Many of us aren’t even aware of what information our browser’s autofill has stored.</p>
<p><em>Tip: Disable auto-filled forms for sensitive data.</em></p>
<h3 id="heading-secure-http-requests">Secure HTTP requests</h3>
<p>When making HTTP requests, ensure they are secure by using HTTPS. HTTPS uses TLS to encrypt HTTP traffic, improving safety and security.</p>
<p>So, why is using HTTPS so important? First of all, using HTTPS is more secure for both the user and the web server, as the encryption goes both ways: from the server to the end user and vice versa. This way, none of the information transmitted during the connection is in a plain text, preventing attacks such as man-in-the-middle. Secondly, an SSL certificate authenticates the website, meaning that a trustworthy third party verifies that the web server is who it is claimed to be, protecting the user against threats like website proofing.</p>
<p>These days, using HTTPS is a must in order to gain the trust of potential customers for your website, ensuring basic security through an encrypted connection. It is important to mention that any website without a valid SSL certificate is automatically flagged as “unsecure“.</p>
<h3 id="heading-penetration-testing">Penetration Testing</h3>
<p>Web applications are critical systems as they are directly exposed to the outside world. Given this criticality, you should be worried about how secure your network is. The only way to truly know is by putting it to the test.</p>
<p>The practice of penetration testing proves to be a valuable asset in detecting vulnerabilities before they can be exploited by malicious actors. By thoroughly evaluating the security measures in place, potential weaknesses can be identified and addressed, reducing the risk of successful cyber attacks. The proactive approach to security reinforces the importance of maintaining a comprehensive and robust security strategy.</p>
<p>During a vulnerability assessment, some crucial types of attacks are being tested for:</p>
<ul>
<li><p>Injection attacks</p>
</li>
<li><p>Broken access control</p>
</li>
<li><p>Improper error handling</p>
</li>
<li><p>Broken authentication</p>
</li>
<li><p>XSS attacks</p>
</li>
</ul>
<p>Sometimes, the people who create your applications may make mistakes. To ensure that, your team’s work is error-free, you can ask an external partner to conduct a penetration test. This test helps to identify and fix any weak spots that could be exploited by hackers. In applications that must comply with PCI DSS or HIPAA regulations, penetration testing is mandatory. It’s considered one of the most effective ways to protect your network from hacking attempts.</p>
<h3 id="heading-implementing-a-web-application-firewall-waf">Implementing a Web Application Firewall (WAF)</h3>
<p>A Web Application Firewall (WAF) is a security device that monitors and filters HTTP traffic to and from a web application. It can be used to protect against various types of attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).</p>
<p>You can set up a WAF in front of your React application to protect it from attacks. The WAF will inspect all incoming requests and block any that are deemed malicious. It can also be configured to block requests that contain a specific pattern or match a set of rules.</p>
<p>For example, you can configure the WAF to block requests containing SQL injections or XSS attacks. You can also configure it to block requests containing CSRF tokens stolen from other websites.</p>
<p>A WAF can be implemented in three ways:</p>
<ul>
<li><p><strong>As a hardware appliance</strong> - This is the most expensive option but provides the best performance and security</p>
</li>
<li><p><strong>As a software application</strong> - This is a cheaper option, but it requires more maintenance and configuration</p>
</li>
<li><p><strong>As a cloud service</strong> - This is the cheapest option, but it provides the least amount of control over the WAF.</p>
</li>
</ul>
<h3 id="heading-using-linter-plugins-and-code-analysis-tools">Using Linter plugins and code analysis tools</h3>
<p>Linters are tools that analyze your source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. They can be used to improve the quality of your code and reduce the number of bugs in your application.</p>
<p>There are many linters available for React applications, including <strong>ESLint</strong> and <strong>JSLint</strong>. These tools can be used to enforce coding standards and detect common mistakes in your code. For example, they can be configured to flag unused variables, missing semicolons, and other common errors.</p>
<p>You can also use code analysis tools like <strong>SonarQube</strong> to analyze your code and identify potential security vulnerabilities. These tools can be used to detect security vulnerabilities.</p>
<h3 id="heading-applying-the-principle-of-least-privilege-polp">Applying the Principle of Least Privilege (PoLP)</h3>
<p>The Principle of Least Privilege (PoLP) states that every user should be given the minimum amount of privileges necessary to perform their job. This helps prevent unauthorized access to sensitive information and resources.</p>
<p>This means that you should only give users access to the resources they need to perform their job. For example, if a user only need to view a particular pages, they should not be allowed to edit it.</p>
<p>In a Reactjs application, you can implement the PoLP by using role-based access control (RBAC). This allows you to define roles for different types of users and assign permissions to those roles. For example, you can define an “admin“ role and assign it permission to edit pages.</p>
<h3 id="heading-http-security-headers-and-how-to-set-them-in-nextjs">HTTP Security Headers and How to Set Them in Next.js</h3>
<p>Security Headers are a type of HTTP header that helps us describe our site so we can help protect it against various potential attacks.</p>
<p><strong>What is a Security Header</strong></p>
<p>An HTTP (HyperText Transfer Protocol) header is simply something that we use to pass some extra information with HTTP requests and responses. Think of them as notes that give more context to the main document. Each header is simply a key-value pair separated by a colon.</p>
<p>When you visit a website, the server receives a request from the browser. This is a request for more information about the site you are visiting, which is exchanged from the HTTP request headers. The server then responds, and the response will include HTTP response headers.</p>
<p></p>
<p>An example of the HTTP Header is the “Authorization“ header. It simply authenticates the user agent (software that acts on behalf of a user) with a server.</p>
<p><code>Authorization: Bearer <Some token></code></p>
<p>So what is an HTTP security header?</p>
<p>We use security headers to help describe our sites, specifically to protect against various potential attacks. When a user navigates to the site, the server will respond with response headers that provide the browser with information on how to handle things.</p>
<p>By adding security headers to the response of our pages, we can minimize the possibility of the following attacks happening in our application.</p>
<ul>
<li><p>Cross-Site Scripting (XXS)</p>
</li>
<li><p>Clickjacking</p>
</li>
<li><p>Code injection</p>
</li>
</ul>
<p><strong>Examples of Security Headers</strong></p>
<p>Let’s take a look at some of the important security headers that you may want to implement:</p>
<p>If you are already familiar with security headers, skip ahead and set them up in Next.js here - <a target="_blank" href="https://blog.kieranroberts.dev/http-security-headers-and-how-to-set-them-in-nextjs#adding-security-headers-to-a-nextjs-app">Adding security headers to a Next.js app</a>.</p>
<ol>
<li><strong>Content Security Policy</strong></li>
</ol>
<p>The content security policy header allows you to set a policy for which domains are executable scripts. It’s like setting a policy for children in a video streaming service. You can specify what they can and cannot watch and it’s the same idea here.</p>
<p>Sometimes, your site will need to execute scripts that come from origins other than your own application. With this header, we can fine-tune exactly which domains should be considered safe or ‘whitelisted‘ and which should not.</p>
<p>We can also control the kind of resources we load into the site in more detail. For example, we could restrict loading scripts to our own domain but allow fonts or images to be loaded from a specific outside source.</p>
<p>Let’s take a look at a few examples:</p>
<p>To allow content from any domain as if the policy was not set</p>
<p><code>Content-Security-Policy: default-src *</code></p>
<p>Or set the own origin as the only trusted domain.</p>
<p><code>Content-Security-Policy: default-src 'self'</code></p>
<p>You can also specify any domain other than your own trusted domain.</p>
<p><code>Content-Security-Policy: default-src 'https://someotherdomain.com'</code></p>
<p>We can fine-tune our content security policy to set separate policies for resources like images, fonts, styles, media, scripts, and more like this</p>
<p><code>Content-Security-Policy: default-src 'self'; font-src 'self' 'https://fonts.googleapis.com'; image-src *.somewhere.com; script-src 'self'</code></p>
<p>In the above policy, we set the following:</p>
<ul>
<li><p>We set the default source for the content as our site’s origin, so this will be used for all resources unless otherwise specified.</p>
</li>
<li><p>We allow fonts to be loaded from our own site or from Google fonts</p>
</li>
<li><p>Images can be trusted from anywhere that ends in <code>.somewhere.com</code></p>
</li>
<li><p>Scripts are only trusted from our own site</p>
</li>
</ul>
<ol start="2">
<li><strong>Permissions Policy (Previously ‘Feature Policy‘)</strong></li>
</ol>
<p>The recently renamed Permissions Policy Security header allows you to control which browser APIs are allowed to be used within your site document or any frames located in the document.</p>
<p>Things like geolocation, camera, microphone, and many more can all be disabled if you know your site does not require them, which can reduce the possibility of attacks coming through these avenues.</p>
<p><code>Permissions-Policy: camera=(); battery=(self); geolocation=(); microphone=('https://somewhere.com')</code></p>
<p>In the above example, we set the policies of several browser features:</p>
<ul>
<li><p>The camera is empty, which means we deny the use of video input devices.</p>
</li>
<li><p>Battery Status API is allowed within your own domain</p>
</li>
<li><p>Geolocation is empty, which means we deny its use</p>
</li>
<li><p>Audio input devices are allowed for the origin stated</p>
</li>
</ul>
<ol start="3">
<li><strong>X-Frame-Options</strong></li>
</ol>
<p>The X-Frame-Options header controls whether or not your site can be loaded within a frame. Allowing this can be dangerous because you leave yourself open to clickjacking attacks.</p>
<p>Clickjacking is an attack that involves tricking the user into clicking something that they believe to be something else. Attackers may disguise elements, and the user is unable to see what they are actually clicking on.</p>
<p>We can help protect ourselves against this attack by preventing our site from being loaded within a frame.</p>
<p>There are two options for this header:</p>
<p><code>X-Frame-Options: deny</code></p>
<p>This recommended option is to deny your site being loaded in frames, which is shown above using the ‘deny‘ option:</p>
<p><code>X-Frame-Options: SAMEORIGIN</code></p>
<p>The “SAMEORIGIN“ option allows the site to be loaded within a frame while serving the site is the same as the one in the frame.</p>
<ol start="4">
<li><strong>X-Content-Type-Options</strong></li>
</ol>
<p>The X-Content-Type-Options header ensures that the MIME (Multipurpose Internet Mail Extensions) types specified in Content-Type are adhered to, and we avoid what is known as ‘MIME type sniffing‘. Browsers might try and determine the MINE type based on the response content instead of what is specified in the Content-Type header.</p>
<p>It only has one option, and it prevents the browser from trying to change the Content-Type away from what was declared.</p>
<p><code>X-Content-Type-Options: nosniff</code></p>
<ol start="5">
<li><strong>Referrer policy</strong></li>
</ol>
<p>With this header, we can control what information is sent when a user navigates from one origin to another. Consider a user that clicks a link on what we will call the original site. This link takes a user to a different domain. When this happens, some information is sent to the new domain. Information about where the user came from.</p>
<p>There are several different options we can set with this header.</p>
<p><code>Referrer-Policy: origin-when-cross-origin</code></p>
<p>The ‘origin-when-cross-origin‘ options send the path, origin, and query string with the same-origin request from equal protocol levels. An example of an equal protocol level would be from HTTPS to HTTPS:</p>
<p>If the request is cross-origin, only the origin is sent.</p>
<p><code>Referrer-Policy: strict-origin-when-cross-origin</code></p>
<p>The 'strict-origin-when-cross-origin' option is similar to the previous option. The path, origin, and query string are included with same-origin requests regardless of protocol level.</p>
<p>When making cross-origin requests, only the origin is sent as long as the protocol level is the same and omits the header otherwise.</p>
<p><code>Referrer-Policy: strict-origin</code></p>
<p>With 'strict-origin', only the origin is sent when the protocol level is equal and otherwise omits the header.</p>
<p><code>Referrer-Policy: no-referrer</code></p>
<p>The 'no-referrer' setting will omit the referrer header.</p>
<p>There are further options that you can check out <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy"><strong>here</strong></a></p>
<ol start="6">
<li><strong>Strict Transport Security</strong></li>
</ol>
<p>With the Strict Transport Security header, you can specify that your site should only be accessed using the HTTPS Protocol. Here, we can specify the time in seconds that the browser will remember this protocol.</p>
<p><code>Strict-Transport-Security: max-age=31536000;</code></p>
<p>You can also extend the instruction to all subdomains with all optional settings:</p>
<p><code>Strict-Transport-Security: max-age=31536000; includeSubDomains</code></p>
<p>You may think that setting up a redirect from ‘http://' to 'https://' is enough, but attackers could still seize sensitive information. Setting up a Strict Transport Security setting will make this attack far more difficult.</p>
<p><strong>Adding Security Headers to a Next.js App</strong></p>
<p>Now that we've had a look at some security headers, let's quickly implement them in a Next.js app. Also, feel free to explore some of the other security headers available.</p>
<p>In Next.js, we can set security headers from a <code>next.config.js</code> file located at the root of your project.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  <span class="hljs-keyword">async</span> headers() {
    <span class="hljs-keyword">return</span> [

    ]
  },
};
</code></pre>
<p>We return an array of headers that we specify inside JavaScript objects. You can choose to apply headers that will be sent with every route request or on a route-by-route basis. Let's set some of the headers that we previously explored.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  <span class="hljs-keyword">async</span> headers() {
    <span class="hljs-keyword">return</span> [
        {
          source: <span class="hljs-string">'/(.*)'</span>,
          headers: [
            {
              key: <span class="hljs-string">'Content-Security-Policy'</span>,
              value:
                <span class="hljs-string">"default-src 'self'; font-src 'self' 'https://fonts.googleapis.com'; img-src 'self' *.somewhere.com; script-src 'self'"</span>,
            },
            {
              key: <span class="hljs-string">'X-Frame-Options'</span>,
              value: <span class="hljs-string">'DENY'</span>,
            },
            {
              key: <span class="hljs-string">'X-Content-Type-Options'</span>,
              value: <span class="hljs-string">'nosniff'</span>,
            },
            {
              key: <span class="hljs-string">'Referrer-Policy'</span>,
              value: <span class="hljs-string">'origin-when-cross-origin'</span>,
            },
            {
              key: <span class="hljs-string">'Permissions-Policy'</span>,
              value: <span class="hljs-string">"camera=(); battery=(self); geolocation=(); microphone=('https://somewhere.com')"</span>,
            },
          ],
        },
      ];
  },
};
</code></pre>
<p>In the above example, we set our security headers for all routes in our site indicated by the source <code>/(.*)</code>. You could also set security headers on a page-by-page basis like this 👇</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// next.config.js</span>
<span class="hljs-built_in">module</span>.<span class="hljs-built_in">exports</span> = {
  <span class="hljs-keyword">async</span> headers() {
    <span class="hljs-keyword">return</span> [
        {
          source: <span class="hljs-string">'/profile'</span>,
          headers: [
            {
              key: <span class="hljs-string">'Content-Security-Policy'</span>,
              value:
                <span class="hljs-string">"default-src 'self'; font-src 'self' 'https://fonts.googleapis.com'; img-src 'self' *.somewhere.com; script-src 'self'"</span>,
            }
          ]
        },
       {
          source: <span class="hljs-string">'/blog'</span>,
          headers: [
            {
              key: <span class="hljs-string">'Content-Security-Policy'</span>,
              value:
                <span class="hljs-string">"default-src 'self'"</span>,
            }
          ]
        },
      ];
  },
};
</code></pre>
<p>Now, spin up a development server in your Next.js application and navigate to the route after setting your security headers. You should be able to see the headers you set in the network tab of the developer console.</p>
<p></p>
<p>Congratulations, your site is more secure than it was before. Customize the security header to suit your application, as each site has its own specific requirements.</p>
<h3 id="heading-best-practices-for-storing-access-tokens-in-the-browser">Best Practices for Storing Access Tokens in the Browser</h3>
<p>Browsers offer various solutions to persist data. When storing tokens, you should weigh the choice of storage against the security risks.</p>
<p>Web applications are not static sites but a careful composition of static and dynamic content. More often than not, the application logic runs in the browser. Instead of fetching all content from the server, the application runs Javascript under the browser that fetches data from the backend API and updates the web application presentation accordingly.</p>
<p>To protect access to data, organizations should employ OAuth 2.0 With OAuth 2.0, a Javascript application needs to add an access token to every request to the API. For usability reasons, Javascript applications don’t usually request the access token on demand but store it. The question is, how do you obtain such an access token within Javascript? And when you get one, where should the application store the token so that it can add it to the request when needed?</p>
<p>This section discusses different storage solutions available in <a target="_blank" href="https://thenewstack.io/what-does-it-mean-for-web-browsers-to-have-a-baseline/">browsers</a> and highlights the security risks associated with each option. After reviewing the threat, it describes a solution in the form of a pattern that provides the best browser security options for <a target="_blank" href="https://thenewstack.io/beyond-browsers-the-longterm-future-of-javascript-standards/">Javascript applications</a> that must integrate with <a target="_blank" href="https://thenewstack.io/5-steps-to-modernize-large-websites-using-oauth/">OAuth-protected APIs</a>.</p>
<p></p>
<p>For more details, check out <a target="_blank" href="https://thenewstack.io/best-practices-for-storing-access-tokens-in-the-browser/?ref=dailydev">this useful article</a>.</p>
<h2 id="heading-references">References</h2>
<p><a target="_blank" href="https://www.freecodecamp.org/news/how-attackers-steal-data-from-websites-and-how-to-stop-them/?ref=dailydev">https://www.freecodecamp.org/news/how-attackers-steal-data-from-websites-and-how-to-stop-them/?ref=dailydev</a></p>
<p><a target="_blank" href="https://otherurl.com/js/*">https</a><a target="_blank" href="https://blog.bitsrc.io/frontend-application-security-tips-practices-f9be12169e66">://blog.bitsrc.io/frontend-application-security-tips-practices-f9be12169e66</a></p>
<p><a target="_blank" href="https://blog.bitsrc.io/top-7-frontend-security-attacks-2e2b56dc2bcc">https://blog.bitsrc.io/top-7-frontend-security-attacks-2e2b56dc2bcc</a></p>
<p><a target="_blank" href="https://griddynamics.medium.com/front-end-security-best-practices-8c47d23caf62">https://griddynamics.medium.com/front-end-security-best-practices-8c47d23caf62</a></p>
<p><a target="_blank" href="https://dev.to/akshay_varma/mitigating-xss-risks-best-practices-for-web-applications-2e04?context=digest">https://dev.to/akshay_varma/mitigating-xss-risks-best-practices-for-web-applications-2e04?context=digest</a></p>
<p><a target="_blank" href="https://medium.com/@eddyos05/security-practices-that-frontend-developers-should-know-6bcc2b8ebbbd">https://medium.com/@eddyos05/security-practices-that-frontend-developers-should-know-6bcc2b8ebbbd</a></p>
<p><a target="_blank" href="https://dev.to/rigalpatel001/preventing-clickjacking-attacks-in-javascript-39pj?context=digest">https://dev.to/rigalpatel001/preventing-clickjacking-attacks-in-javascript-39pj?context=digest</a></p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/types-of-cyber-attacks-to-know/">https://www.freecodecamp.org/news/types-of-cyber-attacks-to-know/</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/cors-finally-explained-simply-ae42b52a70a3">https://levelup.gitconnected.com/cors-finally-explained-simply-ae42b52a70a3</a></p>
<p><a target="_blank" href="https://blog.bitsrc.io/enhance-javascript-security-with-content-security-policies-5847e5def227">https://blog.bitsrc.io/enhance-javascript-security-with-content-security-policies-5847e5def227</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/frontend-app-security-439797f57892">https://medium.com/better-programming/frontend-app-security-439797f57892</a></p>
<p><a target="_blank" href="https://blog.kieranroberts.dev/http-security-headers-and-how-to-set-them-in-nextjs">https://blog.kieranroberts.dev/http-security-headers-and-how-to-set-them-in-nextjs</a></p>
<p><a target="_blank" href="https://www.turing.com/kb/reactjs-security-best-practices?ref=dailydev#using-https">https://www.turing.com/kb/reactjs-security-best-practices?ref=dailydev#using-https</a></p>

</article>
<article>
<h1>SEO Handbook</h1>
<p>Tuan Tran Van — Sat, 22 Mar 2025 12:15:00 GMT</p>
<p>SEO (Search Engine Optimization) is essential for your online marketing strategy. It’s the process of optimizing your site and content to help you get as much traffic as you can from search engines.</p>
<p>Reaching top positions in the Search Engine Results Pages (SERPs) with your website is one of the fastest ways to drive traffic to your site and boost conversions.</p>
<h1 id="heading-seo-fundamentals">SEO Fundamentals</h1>
<p>Amidst the economic devastation of COVID-19, online businesses have become more dependent on SEO than ever. Times like these illustrate the power and importance of Search Engine Optimization (SEO).</p>
<h2 id="heading-what-is-seo">What is SEO?</h2>
<p>SEO is the practice of increasing the quantity and quality of traffic to a web page through organic search engine results. Organic search results are derived from an internal algorithm of the search engine and are not a result of paid advertising. Below is a list of related terminology:</p>
<ul>
<li><p><strong>SERP</strong>, or Search Engine Results Page, is simply the results page that drives clicks. These pages include a combination of paid search results and organic results.</p>
</li>
<li><p><strong>SEM</strong>, or Search Engine Marketing, is the practice of marketing a business using the paid advertisements that appear on SERPs.</p>
</li>
<li><p><strong>PPC</strong> stands for pay-per-click, an internet marketing model in which advertisers pay a fee each time their ads are clicked.</p>
</li>
</ul>
<p>Learning SEO basics and more advanced topics can be a bewildering process. In this post, we will examine simple steps to help create SEO-friendly web pages and tools for maintaining them.</p>
<h2 id="heading-web-accessibility-and-performance">Web Accessibility and Performance</h2>
<p>Search Engines will surely continue to raise the bar for acceptable web standards. <a target="_blank" href="https://webmasters.googleblog.com/2018/03/rolling-out-mobile-first-indexing.html">In 2018, Google announced the beginning of its migration to mobile-first indexing</a> and expanded by announcing <a target="_blank" href="https://webmasters.googleblog.com/2020/03/announcing-mobile-first-indexing-for.html">mobile-first indexing for the whole web in 2020</a>. Web page performance and accessibility encompass user-centric metrics that can ultimately impact SEO.</p>
<p>Web performance captures the user journey, making various moments of the user experience. Below are important performance metrics:</p>
<ul>
<li><p><a target="_blank" href="https://web.dev/fcp/">First Contentful Paint (FCP)</a> measures the time from when the page starts loading to when any part of its content is rendered on the screen.</p>
</li>
<li><p><a target="_blank" href="https://web.dev/lcp/">Largest Contentful Paint (LCP)</a> measures the time from the page's start loading to the time the largest text block or image element is rendered on the screen.</p>
</li>
<li><p><a target="_blank" href="https://web.dev/fid/">First-input Delay (FID)</a> measures the time between when a user first interacts with your site (e.g., when they click on a link, tab a button, or use a custom, Javascript-powered control) and when the browser is actually able to respond to that interaction.</p>
</li>
<li><p><a target="_blank" href="https://web.dev/tti/">Time To Interactive (TTI)</a> measures the time from when the page starts loading to when it’s visually rendered, its initial scripts (if any) have loaded, and it can reliably respond to user input quickly.</p>
</li>
<li><p><a target="_blank" href="https://web.dev/tbt/">Total Blocking Time (TBT)</a>: measures the total amount of time between FCP and TTI when the main thread was blocked for long enough to prevent input responsiveness.</p>
</li>
<li><p><a target="_blank" href="https://web.dev/cls/">Cumulative Layout Shift (CLS)</a>: measures the cumulative score of all unexpected layout shifts that occur between when the page starts loading and when its <a target="_blank" href="https://developers.google.com/web/updates/2018/07/page-lifecycle-api">lifecycle state</a> changes to hidden.</p>
</li>
</ul>
<p>Web accessibility is another important concept to keep in mind when building a search engine optimized website. Not only are there a variety of humans reading our websites, but also a variety of machines like screen-readers doing the same.</p>
<p>Improving accessibility makes your website more useable to everyone ~ Addy Osami | <a target="_blank" href="https://web.dev/a11y-tips-for-web-dev/">Accessibility Tips for Web Developers</a>.</p>
<h2 id="heading-seo-tools">SEO Tools</h2>
<p>In this post, we have taken a look at ways to improve SEO, but how do we maintain these standards over time? Many tools can help us analyze and monitor SEO.</p>
<p><a target="_blank" href="https://www.foo.software/lighthouse">Foo’s Automated Lighthouse Check</a> monitors the quality of web pages with Lighthouse. It provides detailed SEO, performance, and accessibility reporting. Free and premium plans are available.</p>
<p></p>
<p><a target="_blank" href="https://search.google.com/search-console/about">Google Search Console</a> is a must-have for any website owner who cares about SEO. It provides insight into which search terms are receiving organic traffic and a granular level of analysis. You can filter by location, device, and more.</p>
<p></p>
<h2 id="heading-benefits-of-seo-in-web-development">Benefits of SEO in Web Development</h2>
<p>Every business owner wants to grow his or her brand. Search Engine Optimization (SEO) greatly benefits organizations that provide value and boost visibility to the target audience. The following are some of the benefits of integrating SEO into website development.</p>
<ol>
<li><p>SEO boosts high-quality traffic and organic discovery. Organic visibility leads to increased traffic, which is a monumental SEO benefit. Search engine optimization is customer-centric and hyper-targeted. An effective SEO strategy helps deliver web pages to the relevant people through pertinent search queries. Since users are already looking for what a site has to offer, organic visibility propels high-quality traffic without trying to persuade ot entice the visitor.</p>
</li>
<li><p>SEO Boosts Credibility Ranking on Google’s first page showcases credibility to prospective customers. Google ranks websites based on on-page and off-page signals, such as site speed, content, and mobile usability. Although most customers probably don’t consider these signals, users expect Google to deliver valuable and relevant content first. Trust and credibility are developed on search engine authority and a high-quality service or product that builds credibility among web visitors or users.</p>
</li>
<li><p>SEO provides an Impressive ROI ROI, or Return on Investment, which is vital when evaluating digital marketing channels. Although search engine optimization could take some time to get results, a high-quality strategy will ultimately deliver an impressive return on investment. Search engine leads offer a 14.6 percent close rate, almost 12 percent greater than traditional marketing. Nevertheless, there would be no leads if a website ranks at the bottom of pages 2, 3, 4, or not at all. Visibility in search engines correlates directly to improved web traffic and more revenue, making ROI one of the most significant benefits of SEO for organizations.</p>
</li>
<li><p>SEO Targets the Marketing Funnel Driven by SEO, content marketing includes different types of targeting at each marketing funnel step. Although top or middle-of-the-funnel blog posts will not initially convert, this builds brand awareness and loyalty. These traits will lead to conversion.</p>
</li>
</ol>
<h2 id="heading-seo-techniques">SEO Techniques</h2>
<p>The website optimization process meets the Google algorithm requirements in a way that equals building a website that corresponds to the user’s requirements. Users appreciate the fast-loading website that is error-free and can be browsed seamlessly on mobiles. That said, let’s explore the fundamentals that every web developer should know.</p>
<h3 id="heading-website-loading-time">Website Loading Time</h3>
<p>Website speed and loading time are the most important after ensuring your website can be indexed. The <a target="_blank" href="https://pagespeed.web.dev/">page speed test of a website</a> with a good search result is vital; thus, it’s an essential factor to consider when it comes to website design. <a target="_blank" href="https://www.semrush.com/blog/page-speed/">According to Semrush</a>, a slow page response increases <a target="_blank" href="https://blog.openreplay.com/how-to-reduce-your-websites-bounce-rate/">the website bounce rate</a>.</p>
<p></p>
<p>Unsurprisingly, these users will skip over the website if it takes a second longer to load. Furthermore, a slow-loading website could also affect its search engine ranking. It would be challenging for an SEO expert to boost its rank with SEO content. Therefore, it’s highly recommended that developers integrate SEO into the development process, work closely with SEO experts, or learn core web vitals SEO principles in <a target="_blank" href="https://blog.openreplay.com/key-metrics-at-google-search-console/">Google search console metrics</a> about Website speed and performance.</p>
<p></p>
<h3 id="heading-redirects">Redirects</h3>
<p>The digital landscape will continue to evolve. Furthermore, everyone is recreating and improving their own sites and domains with advanced features. Another important factor in SEO for web development is Redirects. Redirects smoothly lead users to the correct page during site migration and launch. For web developers, using 301 and 302 redirect codes is paramount. Don’t just rely on the code to be rendered. Rather, use tools to test the redirect codes, no matter how many pages are being redirected to the same destination. Redirects send users from URL to URL. The first URL is where users click, type, or make a request. The second URL is the new destination.</p>
<p>When to use 301 Redirects.</p>
<ul>
<li><p>If you are changing the page URL</p>
</li>
<li><p>Domain Migration from page to page</p>
</li>
<li><p>If you want to pass the page authority to the new page.</p>
</li>
</ul>
<p></p>
<p>When to use 302 Redirects</p>
<ul>
<li><p>If you are making any changes to the current page.</p>
</li>
<li><p>If you don’t want to pass the page authority.</p>
</li>
<li><p>At some point in the future, the old page will be back.</p>
</li>
</ul>
<p></p>
<h3 id="heading-sitemaps">Sitemaps</h3>
<p>When it comes to search engine optimization, better crawlability plays an important role. When a search engine attempts to index a website, it should be able to crawl the whole website. <a target="_blank" href="https://developers.google.com/search/docs/crawling-indexing/sitemaps/overview">Sitemaps are valuable</a> if there are issues indexing the website. Adding a sitemap ensures that the website is properly indexed. Moreover, ensure that all pages listed in the XML sitemap do not have wasteful redirects, are error-free, and have clean code. From creating content to design to CEO, the sitemap is invaluable. You will constantly refer to it in the stages of development to stay on track. Sitemaps tell Google which files and pages you think are important and provide valuable information regarding these files. Here’s a simple example of the XML sitemap.</p>
<pre><code class="lang-typescript"><?xml version=<span class="hljs-string">"1.0"</span> encoding=<span class="hljs-string">"UTF-8"</span>?>
<urlset xmlns=<span class="hljs-string">"http://www.sitemaps.org/schemas/sitemap/0.9"</span>>
<url>
<loc>https:<span class="hljs-comment">//www.example.com/foo.html</loc></span>
<lastmod><span class="hljs-number">2022</span><span class="hljs-number">-06</span><span class="hljs-number">-04</span></lastmod>
</url>
</urlset>
</code></pre>
<h3 id="heading-robotstxt">Robots.txt</h3>
<p>A robots.txt file is a simple text file on a website that tells search engines which pages they can and cannot visit.</p>
<pre><code class="lang-xml">Sitemap: https://acidop.codes/sitemap.xml
User-agent: *
Allow: /
Disallow: /admin
</code></pre>
<p>In the above example, we submit our sitemap and also clearly state that we do not want to index our admin directory.</p>
<h3 id="heading-mobile-responsiveness">Mobile Responsiveness</h3>
<p>Without a doubt, a website that is <a target="_blank" href="https://developers.google.com/search/blog/2016/03/continuing-to-make-web-more-mobile">mobile-responsive</a> provides a better user experience. Furthermore, a responsive design helps them navigate the website easily without zooming in or zooming out of the content. Smartphones are getting smarter, and search engines keep setting higher bars for mobile SEO factors. A mobile-friendly website will always rank better than a desktop-supported website. Thus, web developers must ensure that the website is compatible with a wide array of devices for good search engine optimization. Furthermore, Google uses <a target="_blank" href="https://developers.google.com/search/blog/2020/03/announcing-mobile-first-indexing-for">mobile-first indexing</a>, meaning that the mobile version of the website gets crawled first.</p>
<p></p>
<p>In the above image, you can see that in the Google Search Console, the primary crawler is a smartphone. Simply put, a mobile-responsive design is when a site is responsive, as the content and/or layout responds to the screen size on which it is displayed. Moreover, a responsive website adapts itself to the advice used to see it. Use Google’s <a target="_blank" href="https://search.google.com/test/mobile-friendly">mobile-friendly testing tool</a> to get your website report.</p>
<p></p>
<h3 id="heading-implement-structured-data">Implement Structured Data</h3>
<p>For most people involved in SEO, structured data could be knotty. This is where developers could truly shine. Developers already know how to format a page so all the parts will flow well and can be read by humans and search engines alike. When used well, <a target="_blank" href="https://developers.google.com/search/docs/appearance/structured-data/intro-structured-data">structured data</a> lets Google know where and what’s on the web page. Furthermore, it could also inform Google precisely what questions you are answering. Structured data is a way for the business website to convey its content to search engines. It boosts visibility. Google uses structured data on web pages to generate snippets, which display special enhancements in SEO results. Regardless of whether they appear at the top or bottom on the search results page, rich snippets are way more visible and prominent than the standard results, and therefore, the click-through rates are much better. Take a look at an example of SERP with and without structured data.</p>
<p></p>
<p>In the above example, rating (Review, AgreegateRating) markup has been used.</p>
<p>Google, Bing, Yandex, and Yahoo! worked together to create <a target="_blank" href="https://schema.org/">Schema.org</a> so you could provide search engines the data they require to understand your content and deliver the most relevant results.</p>
<p>You can use any of the 3 methods <a target="_blank" href="https://developers.google.com/search/docs/appearance/structured-data/sd-policies#technical-guidelines">suggested by Google</a>:</p>
<ul>
<li><p><a target="_blank" href="https://json-ld.org/">Json-Id</a></p>
</li>
<li><p><a target="_blank" href="https://en.wikipedia.org/wiki/Microdata_\(HTML\)">Microdata</a></p>
</li>
<li><p><a target="_blank" href="https://en.wikipedia.org/wiki/RDFa">RDFa</a></p>
</li>
</ul>
<p>JSON-LD is the format Google recommends and is also the easiest one to implement.</p>
<p>Take a look at an example of how review markup can be implemented.</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">html</span>></span>
 <span class="hljs-tag"><<span class="hljs-name">head</span>></span>
 <span class="hljs-tag"><<span class="hljs-name">title</span>></span>Legal Seafood<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">script</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"application/ld+json"</span>></span><span class="javascript">
  {
   <span class="hljs-string">"@context"</span>: <span class="hljs-string">"https://schema.org/"</span>,
   <span class="hljs-string">"@type"</span>: <span class="hljs-string">"Review"</span>,
   <span class="hljs-string">"itemReviewed"</span>: {
    <span class="hljs-string">"@type"</span>: <span class="hljs-string">"Restaurant"</span>,
    <span class="hljs-string">"image"</span>: <span class="hljs-string">"https://www.example.com/seafood-restaurant.jpg"</span>,
    <span class="hljs-string">"name"</span>: <span class="hljs-string">"Legal Seafood"</span>,
    <span class="hljs-string">"servesCuisine"</span>: <span class="hljs-string">"Seafood"</span>,
    <span class="hljs-string">"priceRange"</span>: <span class="hljs-string">"$$$"</span>,
    <span class="hljs-string">"telephone"</span>: <span class="hljs-string">"1234567"</span>,
    <span class="hljs-string">"address"</span> :{
     <span class="hljs-string">"@type"</span>: <span class="hljs-string">"PostalAddress"</span>,
     <span class="hljs-string">"streetAddress"</span>: <span class="hljs-string">"123 William St"</span>,
     <span class="hljs-string">"addressLocality"</span>: <span class="hljs-string">"New York"</span>,
     <span class="hljs-string">"addressRegion"</span>: <span class="hljs-string">"NY"</span>,
     <span class="hljs-string">"postalCode"</span>: <span class="hljs-string">"10038"</span>,
     <span class="hljs-string">"addressCountry"</span>: <span class="hljs-string">"US"</span>
    }
   },
   <span class="hljs-string">"reviewRating"</span>: {
    <span class="hljs-string">"@type"</span>: <span class="hljs-string">"Rating"</span>,
    <span class="hljs-string">"ratingValue"</span>: <span class="hljs-string">"4"</span>
   },
   <span class="hljs-string">"name"</span>: <span class="hljs-string">"A good seafood place."</span>,
   <span class="hljs-string">"author"</span>: {
    <span class="hljs-string">"@type"</span>: <span class="hljs-string">"Person"</span>,
    <span class="hljs-string">"name"</span>: <span class="hljs-string">"Bob Smith"</span>
   },
   <span class="hljs-string">"publisher"</span>: {
    <span class="hljs-string">"@type"</span>: <span class="hljs-string">"Organization"</span>,
    <span class="hljs-string">"name"</span>: <span class="hljs-string">"Washington Times"</span>
   }
  }
  </span><span class="hljs-tag"></<span class="hljs-name">script</span>></span>
 <span class="hljs-tag"></<span class="hljs-name">head</span>></span>
 <span class="hljs-tag"><<span class="hljs-name">body</span>></span>
 <span class="hljs-tag"></<span class="hljs-name">body</span>></span>
<span class="hljs-tag"></<span class="hljs-name">html</span>></span>
</code></pre>
<p>This JSON=LD script needs to be embedded in the HTML:</p>
<p>A special script tag: <code><script type="application/ld+json"></code> is used for this purpose. we can insert this into the head or the body of the HTML.</p>
<p>The same can be tested using the <a target="_blank" href="https://search.google.com/test/rich-results">Rich Results test</a> tool.</p>
<p></p>
<h3 id="heading-user-friendly-urls">User-Friendly URLs</h3>
<p>Web developers should remember that URLs should be descriptive, concise, and easy to read to be effective. Both search engines and users like the quality of page addresses, which could easily be advantageous to your website. SEO guide for developers includes much information about bot-friendly writing URLs. You can, specifically, do the following:</p>
<ul>
<li><p>Use one domain and subdomain. A subdomain could generate mixed results; thus, using a single domain whenever possible is the best solution.</p>
</li>
<li><p>Make use of hyphens. Rather than spaces, bots refer hyphens to separate words in URLs.</p>
</li>
<li><p>Keywords. Add keywords to URLs where they naturally fit. Do not, however, use too much. Furthermore, refrain from making the URL too long so it won’t look spammy.</p>
</li>
<li><p>Get rid of unsafe characters. Some characters, such as carats, tildes, and spaces, could make bots stop in their tracks. Thus, it’s best to avoid them. Here are some user-friendly URL suggestions:</p>
</li>
</ul>
<p></p>
<h3 id="heading-website-security">Website Security</h3>
<p>To the search engines, website security is an absolute must. Regarding website development, web developers should make sure to <a target="_blank" href="https://developers.google.com/web/shows/cds/2013/got-ssl">have an SSL in place</a> and with no errors. Furthermore, it’s also necessary to have safeguards to ensure that the website doesn't have vulnerabilities.</p>
<p></p>
<p>For every business these days, protecting a website against phishing, cyber-crimes, cyber-attacks, and malfunctions is paramount. Security testing is always needed to defend against data loss and theft caused by digital hackers. In the present scenario, cybersecurity has become a primary shield, and with technological advancement, you need to detect, monitor, upgrade, and patch continuously to avoid risks. From the beginning, website security features should be implemented to keep up with the new threats of continuous technological advancement. Furthermore, the security features should be monitored and maintained as well. Getting hacks hurts the user experience and could cause the site to slow down, lose traffic, lose sensitive client information, and crash. Google Search Console also gives us notifications related to security issues. Google Search Console with <a target="_blank" href="https://support.google.com/webmasters/answer/9044101?hl=en">website security issues</a>.</p>
<p></p>
<p>Google Search Console without website security issues.</p>
<p></p>
<h3 id="heading-title-tags-and-meta-descriptions">Title Tags and Meta Descriptions</h3>
<p>Here is how a title tag looks:</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">head</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">title</span>></span>AcidOP | Freelancing Developer<span class="hljs-tag"></<span class="hljs-name">title</span>></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
</code></pre>
<p>Again, your goal is to tell a lot in a very short space. Technically, you don’t have a limit, but you should keep it to <a target="_blank" href="https://www.authorityhacker.com/seo-title-tags/">60 characters</a>.</p>
<p>The title should explain your niche or product related to your website and article.</p>
<p>Here’s how a description tag looks:</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">head</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"description"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Excellent Developer from India."</span> /></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
</code></pre>
<p>One of the most important elements in drawing visitors to a website is a <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Learn/HTML/Introduction_to_HTML/The_head_metadata_in_HTML#adding_an_author_and_description">meta description</a> tag:</p>
<p>The meta description should skillfully include the page’s target keywords to persuade readers to click through the page.</p>
<p>Search engines like Google frequently draw user attention by emphasizing terms from the query while displaying the description. It’s critical to match your description closely, but not excessively, to highly valuable search terms.</p>
<p>Below is a <code>title</code> and <code>description</code> tag in action:</p>
<p></p>
<p>Do not exceed <a target="_blank" href="https://yoast.com/meta-descriptions/#meta-description">155 characters</a> in descriptions, or Google will then truncate the text.</p>
<p><a target="_blank" href="https://www.w3schools.com/tags/tag_meta.asp">Here</a> is a list of other meta tags that you can use as well.</p>
<h3 id="heading-header-tags-h1-h2-h3-etc">Header Tags (H1, H2, H3, etc.)</h3>
<p><a target="_blank" href="https://www.w3schools.com/tags/tag_header.asp">Header tags</a> help your users navigate the page. The break up your content and break the page into dedicated sections.</p>
<p>Search engines rely on headers to better understand the sections of the page, which helps with SEO.</p>
<p>Instead of writing a very long article with a few paragraphs, divide it into multiple parts, each with its own heading, as I have done in this blog.</p>
<p>The main title of your document should be your <code><h1></code>. The <a target="_blank" href="https://backlinko.com/h1-tag">H1 Tag</a> represents the document’s overall topic and is displayed at the beginning as the large text.</p>
<p>Your main points should be wrapped in <h2>. <a target="_blank" href="https://www.techonthenet.com/html/elements/h2_tag.php">H2 tags</a> are second-level headings used to break up content and make it scanable and easy to read.</p>
<p>Subsequent heading tags lead all the way up to H6, which are not that important in the heading hierarchy.</p>
<ul>
<li><p>All the tags must be in the hierarchy, i.e., H1>H2>H3...H6.</p>
</li>
<li><p>There should only be 1 H1 tag in the entire document.</p>
</li>
</ul>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">h1</span>></span>I built an Markdown editor using Next.js and TailwindCss 🔥<span class="hljs-tag"></<span class="hljs-name">h1</span>></span>

<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>Objectives<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>

<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>1. Create the landing page<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>2. Add states to store data<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>3. Setup react-markdown and @tailwindcss/typography<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>4. Code Highlighting and Custom Components<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h3</span>></span>Optional<span class="hljs-tag"></<span class="hljs-name">h3</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>5. Adding Rehype and Remark Plugins<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
<span class="hljs-tag"><<span class="hljs-name">h2</span>></span>6. Header with Markdown buttons<span class="hljs-tag"></<span class="hljs-name">h2</span>></span>
</code></pre>
<h3 id="heading-image-optimization-for-seo">Image Optimization for SEO</h3>
<p>According to Optinmonster, content that contains images <a target="_blank" href="https://optinmonster.com/blogging-statistics/">receives up to 94% more views</a>.</p>
<p>Visuals naturally captivate people, and nothing does it more effectively than a pleasing image.</p>
<p>This means that you must use visuals in your content to engage readers and increase your visibility.</p>
<p><strong>Using descriptive alt text</strong></p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">img</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"https://acidop.codes/og.jpg"</span> <span class="hljs-attr">alt</span>=<span class="hljs-string">"My website banner"</span> /></span>
</code></pre>
<p><a target="_blank" href="https://www.w3schools.com/TAGS/att_img_alt.asp">Alt Tags</a> (Technically, they are not tags; they are <a target="_blank" href="https://www.geeksforgeeks.org/tags-vs-elements-vs-attributes-in-html/">attributes</a>, but you don’t need to worry about that) are important for several key reasons.</p>
<ul>
<li><p><strong>Enhanced Accessibility</strong>: It assists visually impaired individuals in comprehending the image.</p>
</li>
<li><p><strong>SEO Boost</strong>: It offers search engines valuable details about the image, aiding in its visibility in search rankings.</p>
</li>
<li><p><strong>Improved User Experience</strong>: It conveys information about the image, even when it fails to load.</p>
</li>
</ul>
<p><strong>Choosing the right image formats:</strong></p>
<ul>
<li><p><a target="_blank" href="https://web.dev/learn/images/jpeg/">JPEGs</a> are good things like screenshots, blog post images, and content where <a target="_blank" href="https://acidop.codes/blogs/developer-seo-tips#6-site-speed">site speed</a> is essential.</p>
</li>
<li><p><a target="_blank" href="https://cloudinary.com/guides/image-formats/what-is-a-png-image-and-how-to-convert-it">PNG</a> is better for quality and resolution, but these files are typically larger, which can result in slower page load time.</p>
</li>
<li><p><a target="_blank" href="https://developers.google.com/speed/webp">WebP</a> offers superior compression capabilities compared to others, without comprising much on image quality. It enhances the load time of your web pages and minimizes bandwidth. It supports both the animated features of GIFs and the transparent backgrounds of PNGs.</p>
</li>
<li><p><a target="_blank" href="https://www.freecodecamp.org/news/a-fresh-perspective-at-why-when-and-how-to-use-svg/">SVG</a> is best when it comes to icons and logos. They can be scaled to any size without losing resolution.</p>
</li>
</ul>
<p><strong>Implementing responsive images (srcset)</strong></p>
<p>Large graphics may slow down your website. We can speed up the process and <a target="_blank" href="https://html.com/attributes/img-srcset/">lower the file size,</a> but the visual quality remains the same on mobile devices as it does on desktop computers.</p>
<p><a target="_blank" href="https://html.com/attributes/img-srcset/">srcset</a> allows you to define a list of different image resources along with size information so the browser can pick the most appropriate image based on the actual device’s resolution.</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">img</span>
  <span class="hljs-attr">src</span>=<span class="hljs-string">"image.jpg"</span>
  <span class="hljs-attr">srcset</span>=<span class="hljs-string">"small.jpg 300w, medium.jpg 600w, large.jpg 900w"</span>
/></span>
</code></pre>
<h3 id="heading-canonical-tags-important">Canonical Tags (Important)</h3>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">head</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">link</span>
    <span class="hljs-attr">rel</span>=<span class="hljs-string">"canonical"</span>
    <span class="hljs-attr">href</span>=<span class="hljs-string">"https://acidop.codes/blogs/developer-seo-tips"</span>
  /></span>
<span class="hljs-tag"></<span class="hljs-name">head</span>></span>
</code></pre>
<p>In SEO, a <a target="_blank" href="https://developers.google.com/search/docs/crawling-indexing/consolidate-duplicate-urls">canonical tag</a> is a link attribute that tells search engines which version of a web page is the original. This helps avoid confusion when multiple pages have similar or identical content.</p>
<p>Google is known to penalize sites with duplicate content.</p>
<p><a target="_blank" href="https://acidop.xn--codeshttps-yk10d://acidop.codes?utm_content=buffer">https://acidop.codes,</a></p>
<p><a target="_blank" href="https://acidop.xn--codeshttps-yk10d://acidop.codes?utm_content=buffer">https://acidop.codes?utm_content=buffer</a></p>
<p></p>
<p>Even with UTM parameters, both point to the same page, right?</p>
<p>However, Google would consider both URLs to be different pages.</p>
<p>Having a propel canonical tag would help Google understand both are the same</p>
<p>For example, I write blogs on 2 sites: <a target="_blank" href="https://dev.to/acidop">Dev.to</a> (which supports canonical URLs) and my website. My primary source is my website obviously.</p>
<p>First, I post my blog on my website. Then I post the same blog on <a target="_blank" href="https://dev.to/acidop">dev.to</a> with a canonical URL pointing to my own website.</p>
<p>This way, I managed to get a bigger audience while also preventing Google from penalizing me.</p>
<h3 id="heading-regular-seo-audits-and-monitoring">Regular SEO Audits and Monitoring</h3>
<p>An SEO audit determines how optimized your website is for search engines. It identifies problems that could be harming the website’s rankings and offers ways to fix them.</p>
<p>Free tools for SEO audits:</p>
<ol>
<li><p><a target="_blank" href="https://aioseo.com/seo-analyzer/">Aioseo (<em>Best</em></a>)</p>
</li>
<li><p><a target="_blank" href="http://seoptimer.com">seoptimer.com</a></p>
</li>
<li><p><a target="_blank" href="https://seomator.com/free-tools">Seomat</a><a target="_blank" href="https://aioseo.com/seo-analyzer/">or</a></p>
</li>
<li><p><a target="_blank" href="https://www.seoptimer.com/">Seobi</a><a target="_blank" href="https://seomator.com/free-tools">l</a><a target="_blank" href="https://aioseo.com/seo-analyzer/">ity</a></p>
</li>
<li><p><a target="_blank" href="https://ahrefs.com/seo-audit-tool">S</a><a target="_blank" href="https://www.seoptimer.com/">emrus</a><a target="_blank" href="https://aioseo.com/seo-analyzer/">h</a></p>
</li>
<li><p><a target="_blank" href="https://aioseo.com/seo-analyzer/">A</a><a target="_blank" href="https://seomator.com/free-tools">h</a><a target="_blank" href="https://www.seoptimer.com/">refs</a></p>
</li>
</ol>
<h1 id="heading-nextjs-seo">Next.js SEO</h1>
<p>Next.js is a popular React-based web framework that has gained popularity and a growing community in recent years. It’s a powerful tool for building fast and SEO-friendly web applications with dynamic pages that work great on mobile devices.</p>
<p>Due to the complex nature of isomorphic system design, Next.js SEO can be a tricky topic to get your head around. You are coming from traditional React apps, and you’re relying solely on documentation.</p>
<p>With its built-in support for server-side rendering, static site generation, and now React server components, Next.js provides a robust platform for achieving quality SEO web traffic in your web application. It also helps you deliver exceptional user experiences across multiple pages in Node and React apps while making them SEO-friendly.</p>
<h2 id="heading-how-is-next-seo-different-from-other-frameworks">How is Next SEO different from other Frameworks?</h2>
<p>Next.js SEO sets itself apart by streamlining so many features and free tools into a well-organized package that you can easily digest and apply in your single applications. Nextjs does a great job when it comes to tasks such as search engine optimization, image optimization, and minimizing cumulative layout shift.</p>
<p>Nextjs SEo won’t change much conceptually. If you are looking for good search engine results and organic traffic, the game still revolves around the notion of fast page loads, quick paints, low cumulative layout shifts, and all the rest. Static pages still play a large role as well.</p>
<p>But Next.js gives us some pretty cool and novel features that help facilitate excellent search engine metrics, and it’s more than just React Server Components.</p>
<h2 id="heading-best-practices-for-higher-rankings">Best Practices for Higher Rankings</h2>
<p>In addition to leveraging Next.js features for SEO, there are several other Next.js best practices you should consider to optimize your site’s visibility to search engines. Here are key strategies, including your mention of robots or sitemaps:</p>
<ul>
<li><p><strong>Robots.txt</strong>: This is a text file placed in the root directory of your site that tells search engine crawlers which pages or sections of your site should not be crawled or indexed. For a Next.js site, you can create a <code>robots.txt</code> file and serve it statically. Ensure it’s accessible by placing it in the <code>public</code> folder. This will help control the crawler traffic to your site, prevent the indexing of certain pages, and help manage the crawl budget.</p>
</li>
<li><p><strong>XML Sitemaps</strong>: A sitemap is crucial as it lists all URLs for a site, allowing search engines to crawl the site more intelligently. In Next.js, you can generate sitemaps dynamically during your build process. Static generation is often preferred for performance reasons. You can use libraries like <code>next-sitemap</code> Automate the generation of sitemaps during your build process.</p>
</li>
<li><p><strong>Use Semantic HTML</strong>: Semantic HTML5 elements (like <code><header></code>, <code><footer></code>, <code><article></code>, and <code><section></code>) help search engines understand the structure of your website and the performance of the content within each section. This can be particularly beneficial for SEO.</p>
</li>
<li><p><strong>Optimize Page Speed:</strong> Google considers page speed as the ranking factor. Optimize images, leverage efficient CSS and Javascript, use Nextjs’s Image component for optimized image handling, and consider implementing a Content Delivery Network (CDN) to serve your content faster.</p>
</li>
<li><p><strong>Meta Tags and Descriptions:</strong> Ensure each page has a unique title and description meta tags that accurately describe the page content. These are crucial for SEO as they appear in search engine results.</p>
</li>
<li><p><strong>Structured Data:</strong> Implement structured data using JSON-LD to help search engines understand the content of your pages and provide rich results. Next.js can handle inline scripts where you can place your JSON-LD structured data.</p>
</li>
<li><p><strong>Accessibility (A11y)</strong>: Making your website accessible is not only a good practice for usability, It also impacts SEO. Ensuring your website is accessible to all users, including those with disabilities, can positively influence your rankings.</p>
</li>
<li><p><strong>Mobile-Friendliness</strong>: With the increasing use of mobile devices, having a mobile-friendly website is crucial. Next.js’s responsive design capabilities can help ensure that your website looks good on all devices, which is important for both user experience and SEO.</p>
</li>
<li><p><strong>Content Quality:</strong> Regularly update your website with high-quality, relevant content that addresses your audience’s needs. This is vital for SEO and helps retain visitors.</p>
</li>
</ul>
<p>Implementing these practices within your Next.js application can significantly enhance your SEO performance and ensure your site is well-optimized for search engines.</p>
<h2 id="heading-effective-meta-tag-integration-in-next13">Effective Meta Tag Integration in Next13</h2>
<p>Next.js 13 has completely overhauled the process of integrating meta tags, bringing about significant changes.</p>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">Explore the procedure for configuring <a target="_self" href="https://nextjs.org/learn-pages-router/basics/assets-metadata-css/metadata">metadata</a> in Next Js 12 or earlier.</div>
</div>

<p>In the most recent iteration of Next.js, there are two approaches to configuring meta tags. You can utilize either the <code>generateMetadata</code> method or incorporate a static <code>metadata</code> object within the <code>layout.tsx</code> or <code>page.tsx</code> files.</p>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">Refer to the <a target="_self" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#metadata-fields">metadata fields</a> to access the comprehensive list of supported options with Next JS 13 and above.</div>
</div>

<h3 id="heading-the-static-metadata-objecthttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatathe-metadata-object"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#the-metadata-object">The Static Metadata Object</a></h3>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>

<span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-comment">// either Static metadata</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: <span class="hljs-string">'Create Next App'</span>,
  <span class="hljs-attr">description</span>: <span class="hljs-string">'Generated by create next app'</span>,
  <span class="hljs-attr">icons</span>: {
    <span class="hljs-attr">icon</span>: <span class="hljs-string">"https://nextjs.org/favicon.ico"</span>
  }
}


<span class="hljs-comment">// <head> output</span>
<title>Create Next App</title>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"description"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Generated by create next app"</span>/></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"icon"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/favicon.ico"</span>/></span></span>
</code></pre>
<h3 id="heading-the-generatemetadatafunctionhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatageneratemetadata-function"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#generatemetadata-function">The generateMetadataFunction</a></h3>
<p>Utilizing the <code>generateMetadata</code> functionality allows for the execution of API calls. Additionally, access to parameters such as <code>params</code>, <code>searchParams</code>, and <code>parent</code> provides the means to generate dynamic metadata for dynamic routes.</p>
<p>The <code>generateMetadata</code> function is expected to return a Metadata object encompassing one or more metadata fields.</p>
<p><strong>Example:</strong></p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">import</span> { Metadata, ResolvingMetadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

type Props = {
  <span class="hljs-attr">params</span>: { <span class="hljs-attr">id</span>: string }
  <span class="hljs-attr">searchParams</span>: { [key: string]: string | string[] | <span class="hljs-literal">undefined</span> }
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">generateMetadata</span>(<span class="hljs-params">
  { params, searchParams }: Props,
  parent: ResolvingMetadata
</span>): <span class="hljs-title">Promise</span><<span class="hljs-title">Metadata</span>> </span>{

  <span class="hljs-comment">// read route params</span>
  <span class="hljs-keyword">const</span> id = params.id

  <span class="hljs-comment">// fetch data</span>
  <span class="hljs-keyword">const</span> product = <span class="hljs-keyword">await</span> fetch(<span class="hljs-string">`https://.../<span class="hljs-subst">${id}</span>`</span>).then(<span class="hljs-function">(<span class="hljs-params">res</span>) =></span> res.json())

  <span class="hljs-comment">// optionally access and extend (rather than replace) parent metadata</span>
  <span class="hljs-keyword">const</span> previousImages = (<span class="hljs-keyword">await</span> parent).openGraph?.images || []

  <span class="hljs-comment">// returning metadata object</span>
  <span class="hljs-keyword">return</span> {
    <span class="hljs-attr">title</span>: product.title, <span class="hljs-comment">// Create Next App</span>
    <span class="hljs-attr">description</span>: product.description <span class="hljs-comment">//Generated by create next app</span>
    <span class="hljs-attr">icons</span>: {
      <span class="hljs-attr">icon</span>: <span class="hljs-string">"https://nextjs.org/favicon.ico"</span>
    },
  }
}

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">Page</span>(<span class="hljs-params">{ params, searchParams }: Props</span>) </span>{}
</code></pre>
<p><strong>Following will be the <head> Output</strong></p>
<pre><code class="lang-javascript"><title>Create Next App</title>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"description"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Generated by create next app"</span>/></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"icon"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/favicon.ico"</span>/></span></span>
</code></pre>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text"><em>The </em><code>metadata</code><em> object and </em><code>generateMetadata</code><em> function exports are only supported in Server Components. You cannot export both the </em><code>metadata</code><em> object and </em><code>generateMetadata</code><em> function from the same route segment.</em></div>
</div>

<p><strong>Next.js</strong> will automatically include some crucial meta tags by default.</p>
<pre><code class="lang-javascript"><!-- <span class="hljs-keyword">default</span> metatags added by Next JS framework -->
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">charSet</span>=<span class="hljs-string">"utf-8"</span>/></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"viewport"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"width=device-width, initial-scale=1"</span>/></span></span>
</code></pre>
<p>So far, we have progressed. Now, let us examine all metadata fields and their various options.</p>
<h3 id="heading-viewport-metadata-objecthttpsnextjsorgdocsappapi-referencefunctionsgenerate-viewport"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-viewport">viewport MetaData Object</a></h3>
<p>However, viewport options can be superseded by exporting a <code>viewport</code> object from either the <code>layout.tsx</code> or <code>page.tsx</code> files.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">import</span> type { Viewport } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-comment">// static viewport object</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> viewport: Viewport = {
    <span class="hljs-attr">width</span>: <span class="hljs-string">'device-width'</span>,
    <span class="hljs-attr">initialScale</span>: <span class="hljs-number">1</span>,
    <span class="hljs-attr">maximumScale</span>: <span class="hljs-number">5</span>,
    <span class="hljs-attr">minimumScale</span>: <span class="hljs-number">1</span>,
    <span class="hljs-attr">themeColor</span>: [
      { <span class="hljs-attr">media</span>: <span class="hljs-string">'(prefers-color-scheme: light)'</span>, <span class="hljs-attr">color</span>: <span class="hljs-string">'cyan'</span> },
      { <span class="hljs-attr">media</span>: <span class="hljs-string">'(prefers-color-scheme: dark)'</span>, <span class="hljs-attr">color</span>: <span class="hljs-string">'black'</span> },
    ],
    <span class="hljs-attr">colorScheme</span>: <span class="hljs-string">'dark'</span>,
};

<span class="hljs-comment">//<head> ouput</span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"viewport"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"width=device-width, initial-scale=1, minimum-scale=1, maximum-scale=5"</span>/></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"theme-color"</span> <span class="hljs-attr">media</span>=<span class="hljs-string">"(prefers-color-scheme: light)"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"cyan"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"theme-color"</span> <span class="hljs-attr">media</span>=<span class="hljs-string">"(prefers-color-scheme: dark)"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"black"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"color-scheme"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"dark"</span> /></span></span>
</code></pre>
<p>The viewport object can also be dynamically generated using the asynchronous function <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-viewport"><code>generateViewport</code></a>. This operates similarly to the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata"><code>generateMetadata</code></a> function.</p>
<p><strong><em>Good to know:</em></strong> <em>If the viewport doesn’t depend on runtime information, it should be defined using the static</em> <code>viewport</code> <em>object rather than</em> <code>generateMetadata</code><em>.</em></p>
<h3 id="heading-template-objecthttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatatemplate-object"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#template-object">Template Object</a></h3>
<p>A template object can be used to define default or fallback values. This can be only defined in layout.tsx.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: {
    <span class="hljs-attr">template</span>: <span class="hljs-string">'...'</span>,
    <span class="hljs-attr">default</span>: <span class="hljs-string">'...'</span>,
    <span class="hljs-attr">absolute</span>: <span class="hljs-string">'...'</span>,
  },
}
</code></pre>
<p>1. <code>title.default</code> can be used to provide a fallback title to child route segments that don't define a <code>title</code>.</p>
<p>2. <code>title.template</code>can be used to add a prefix or a suffix to <code>titles</code> defined in child route segments.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// app/layout.tsx</span>
<span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: {
    <span class="hljs-attr">template</span>: <span class="hljs-string">'%s | Acme'</span>,
    <span class="hljs-attr">default</span>: <span class="hljs-string">'Acme'</span>, <span class="hljs-comment">// a default is required when creating a template</span>
  },
}


<span class="hljs-comment">// app/page.tsx</span>
<span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: <span class="hljs-string">'About'</span>,
}

<span class="hljs-comment">// Output: <title>About | Acme</title></span>
</code></pre>
<p>3. <code>title.absolute</code>can be used to provide a title that ignores <code>title.template</code> set in parent segments.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx</span>
<span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: {
    <span class="hljs-attr">template</span>: <span class="hljs-string">'%s | Acme'</span>,
  },
}

<span class="hljs-comment">// app/page.tsx</span>
<span class="hljs-keyword">import</span> { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">title</span>: {
    <span class="hljs-attr">absolute</span>: <span class="hljs-string">'About'</span>,
  },
}

<span class="hljs-comment">// Output: <title>About</title></span>
</code></pre>
<h3 id="heading-basic-fieldshttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatabasic-fields"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#basic-fields">Basic Fields</a></h3>
<p>Let’s check all basic fields which is required for SEO.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">generator</span>: <span class="hljs-string">'Next.js'</span>,
  <span class="hljs-attr">applicationName</span>: <span class="hljs-string">'Next.js'</span>,
  <span class="hljs-attr">referrer</span>: <span class="hljs-string">'origin-when-cross-origin'</span>,
  <span class="hljs-attr">keywords</span>: [<span class="hljs-string">'Next.js'</span>, <span class="hljs-string">'React'</span>, <span class="hljs-string">'JavaScript'</span>],
  <span class="hljs-attr">authors</span>: [{ <span class="hljs-attr">name</span>: <span class="hljs-string">'Seb'</span> }, { <span class="hljs-attr">name</span>: <span class="hljs-string">'Josh'</span>, <span class="hljs-attr">url</span>: <span class="hljs-string">'https://nextjs.org'</span> }],
  <span class="hljs-attr">creator</span>: <span class="hljs-string">'Jiachi Liu'</span>,
  <span class="hljs-attr">publisher</span>: <span class="hljs-string">'Sebastian Markbåge'</span>
}

<span class="hljs-comment">// Head output</span>
<meta name=<span class="hljs-string">"application-name"</span> content=<span class="hljs-string">"Next.js"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"author"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Seb"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"author"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"author"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Josh"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"generator"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Next.js"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"keywords"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Next.js,React,JavaScript"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"referrer"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"origin-when-cross-origin"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"color-scheme"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"dark"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"creator"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Jiachi Liu"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"publisher"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Sebastian Markbåge"</span> /></span></span>
</code></pre>
<h3 id="heading-formatedetection-field">FormateDetection Field</h3>
<p>The behaviour of these automatic links for phone numbers, email addresses, and physical addresses can be controlled through the utilisation of <code>formatDetection</code>.</p>
<p>Please refer to the example below, which illustrates the disabling of the automatic link behaviour for phone numbers, email addresses, and telephone contacts.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">formatDetection</span>: {
    <span class="hljs-attr">email</span>: <span class="hljs-literal">false</span>,
    <span class="hljs-attr">address</span>: <span class="hljs-literal">false</span>,
    <span class="hljs-attr">telephone</span>: <span class="hljs-literal">false</span>,
  },
}

<span class="hljs-comment">// Head output</span>
<meta name=<span class="hljs-string">"format-detection"</span> content=<span class="hljs-string">"telephone=no, address=no, email=no"</span> />
</code></pre>
<h3 id="heading-metadatabase-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatametadatabase"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#metadatabase">metadataBase Field</a></h3>
<p>The <code>metadataBase</code> option provides a convenient way to establish a base URL prefix for metadata fields that demand a fully qualified URL.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">metadataBase</span>: <span class="hljs-keyword">new</span> URL(<span class="hljs-string">'https://acme.com'</span>),
  <span class="hljs-attr">alternates</span>: {
    <span class="hljs-attr">canonical</span>: <span class="hljs-string">'/'</span>,
    <span class="hljs-attr">languages</span>: {
      <span class="hljs-string">'en-US'</span>: <span class="hljs-string">'/en-US'</span>,
      <span class="hljs-string">'de-DE'</span>: <span class="hljs-string">'/de-DE'</span>,
    },
  },
  <span class="hljs-attr">openGraph</span>: {
    <span class="hljs-attr">images</span>: <span class="hljs-string">'/og-image.png'</span>,
  },
}


<span class="hljs-comment">// <head> out will be</span>
<link rel=<span class="hljs-string">"canonical"</span> href=<span class="hljs-string">"https://acme.com"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span> <span class="hljs-attr">hreflang</span>=<span class="hljs-string">"en-US"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://acme.com/en-US"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span> <span class="hljs-attr">hreflang</span>=<span class="hljs-string">"de-DE"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://acme.com/de-DE"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://acme.com/og-image.png"</span> /></span></span>
</code></pre>
<p>In the preceding example, you’ll observe that the <code>metadataBase</code> includes the base URL. Nevertheless, in other instances, such as <code>canonical</code> and <code>openGraph</code>, the base URL is not explicitly defined. Despite this, the output reflects the presence of the base URL.</p>
<h3 id="heading-opengraph-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadataopengraph"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#opengraph">openGraph Field</a></h3>
<p>The <code>openGraph</code> field is employed for incorporating <code>og:*</code> related meta tags. Let us now review all the available options under this category.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">openGraph</span>: {
    <span class="hljs-attr">title</span>: <span class="hljs-string">'Next.js'</span>,
    <span class="hljs-attr">description</span>: <span class="hljs-string">'The React Framework for the Web'</span>,
    <span class="hljs-attr">url</span>: <span class="hljs-string">'https://nextjs.org'</span>,
    <span class="hljs-attr">siteName</span>: <span class="hljs-string">'Next.js'</span>,
    <span class="hljs-attr">images</span>: [
      {
        <span class="hljs-attr">url</span>: <span class="hljs-string">'https://nextjs.org/og.png'</span>,
        <span class="hljs-attr">width</span>: <span class="hljs-number">800</span>,
        <span class="hljs-attr">height</span>: <span class="hljs-number">600</span>,
      },
      {
        <span class="hljs-attr">url</span>: <span class="hljs-string">'https://nextjs.org/og-alt.png'</span>,
        <span class="hljs-attr">width</span>: <span class="hljs-number">1800</span>,
        <span class="hljs-attr">height</span>: <span class="hljs-number">1600</span>,
        <span class="hljs-attr">alt</span>: <span class="hljs-string">'My custom alt'</span>,
      },
    ],
    <span class="hljs-attr">locale</span>: <span class="hljs-string">'en_US'</span>,
    <span class="hljs-attr">type</span>: <span class="hljs-string">'article'</span>, <span class="hljs-comment">// this can be 'website' as well</span>
    <span class="hljs-attr">publishedTime</span>: <span class="hljs-string">'2023-01-01T00:00:00.000Z'</span>,
    <span class="hljs-attr">authors</span>: [<span class="hljs-string">'Seb'</span>, <span class="hljs-string">'Josh'</span>],
  },
}

<span class="hljs-comment">// Head output</span>
<meta property=<span class="hljs-string">"og:title"</span> content=<span class="hljs-string">"Next.js"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:description"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"The React Framework for the Web"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:url"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://nextjs.org/"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:site_name"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Next.js"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:locale"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"en_US"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:url"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://nextjs.org/og.png"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:width"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"800"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:height"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"600"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:url"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://nextjs.org/og-alt.png"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:width"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"1800"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:height"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"1600"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:image:alt"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"My custom alt"</span> /></span></span>
<span class="hljs-comment">// <meta property="og:type" content="website" /></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"og:type"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"article"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"article:published_time"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"2023-01-01T00:00:00.000Z"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"article:author"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Seb"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">property</span>=<span class="hljs-string">"article:author"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Josh"</span> /></span></span>
</code></pre>
<h3 id="heading-robotsfieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatarobots"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#robots">robotsField</a></h3>
<pre><code class="lang-javascript"><span class="hljs-keyword">import</span> type { Metadata } <span class="hljs-keyword">from</span> <span class="hljs-string">'next'</span>

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata: Metadata = {
  <span class="hljs-attr">robots</span>: {
    <span class="hljs-attr">index</span>: <span class="hljs-literal">false</span>,
    <span class="hljs-attr">follow</span>: <span class="hljs-literal">true</span>,
    <span class="hljs-attr">nocache</span>: <span class="hljs-literal">true</span>,
    <span class="hljs-attr">googleBot</span>: {
      <span class="hljs-attr">index</span>: <span class="hljs-literal">true</span>,
      <span class="hljs-attr">follow</span>: <span class="hljs-literal">false</span>,
      <span class="hljs-attr">noimageindex</span>: <span class="hljs-literal">true</span>,
      <span class="hljs-string">'max-video-preview'</span>: <span class="hljs-number">-1</span>,
      <span class="hljs-string">'max-image-preview'</span>: <span class="hljs-string">'large'</span>,
      <span class="hljs-string">'max-snippet'</span>: <span class="hljs-number">-1</span>,
    },
  },
}

<span class="hljs-comment">// Head ouput</span>
<meta name=<span class="hljs-string">"robots"</span> content=<span class="hljs-string">"noindex, follow, nocache"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span>
  <span class="hljs-attr">name</span>=<span class="hljs-string">"googlebot"</span>
  <span class="hljs-attr">content</span>=<span class="hljs-string">"index, nofollow, noimageindex, max-video-preview:-1, max-image-preview:large, max-snippet:-1"</span>
/></span></span>
</code></pre>
<h3 id="heading-icons-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadataicons"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#icons">icons Field</a></h3>
<p>Next.js recommends using the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/file-conventions/metadata/app-icons#image-files-ico-jpg-png">file-based Metadata API</a> for icons where possible. Rather than having to sync the config export with actual files, the file-based API will automatically generate the correct metadata for you.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">icons</span>: {
    <span class="hljs-attr">icon</span>: <span class="hljs-string">'/icon.png'</span>,
    <span class="hljs-attr">shortcut</span>: <span class="hljs-string">'/shortcut-icon.png'</span>,
    <span class="hljs-attr">apple</span>: <span class="hljs-string">'/apple-icon.png'</span>,
    <span class="hljs-attr">other</span>: {
      <span class="hljs-attr">rel</span>: <span class="hljs-string">'apple-touch-icon-precomposed'</span>,
      <span class="hljs-attr">url</span>: <span class="hljs-string">'/apple-touch-icon-precomposed.png'</span>,
    },
  },
}

<span class="hljs-comment">// Head Output</span>
<link rel=<span class="hljs-string">"shortcut icon"</span> href=<span class="hljs-string">"/shortcut-icon.png"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"icon"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/icon.png"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"apple-touch-icon"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/apple-icon.png"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span>
  <span class="hljs-attr">rel</span>=<span class="hljs-string">"apple-touch-icon-precomposed"</span>
  <span class="hljs-attr">href</span>=<span class="hljs-string">"/apple-touch-icon-precomposed.png"</span>
/></span></span>
</code></pre>
<h3 id="heading-manifest-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatamanifest"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#manifest">manifest Field</a></h3>
<p>A web application manifest, defined in the <a target="_blank" href="https://w3c.github.io/manifest/">Web Application Manifest</a> specification, is a <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Glossary/JSON">JSON</a> text file that provides information about a web application.</p>
<pre><code class="lang-javascript"><span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">manifest</span>: <span class="hljs-string">'https://nextjs.org/manifest.json'</span>,
}

<span class="hljs-comment">// Head Output</span>
<link rel=<span class="hljs-string">"manifest"</span> href=<span class="hljs-string">"https://nextjs.org/manifest.json"</span> />
</code></pre>
<h3 id="heading-twitter-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadatatwitter"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#twitter">twitter Field</a></h3>
<p>The Twitter metadata specification is utilized by Twitter to present rich text, imagery, and video content when links are shared on the platform.</p>
<p>Learn more about the <a target="_blank" href="https://developer.twitter.com/en/docs/twitter-for-websites/cards/overview/markup">Twitter Card markup reference.</a></p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">twitter</span>: {
    <span class="hljs-attr">card</span>: <span class="hljs-string">'app'</span>,
    <span class="hljs-attr">title</span>: <span class="hljs-string">'Next.js'</span>,
    <span class="hljs-attr">description</span>: <span class="hljs-string">'The React Framework for the Web'</span>,
    <span class="hljs-attr">siteId</span>: <span class="hljs-string">'1467726470533754880'</span>,
    <span class="hljs-attr">creator</span>: <span class="hljs-string">'@nextjs'</span>,
    <span class="hljs-attr">creatorId</span>: <span class="hljs-string">'1467726470533754880'</span>,
    <span class="hljs-attr">images</span>: {
      <span class="hljs-attr">url</span>: <span class="hljs-string">'https://nextjs.org/og.png'</span>,
      <span class="hljs-attr">alt</span>: <span class="hljs-string">'Next.js Logo'</span>,
    },
    <span class="hljs-attr">app</span>: {
      <span class="hljs-attr">name</span>: <span class="hljs-string">'twitter_app'</span>,
      <span class="hljs-attr">id</span>: {
        <span class="hljs-attr">iphone</span>: <span class="hljs-string">'twitter_app://iphone'</span>,
        <span class="hljs-attr">ipad</span>: <span class="hljs-string">'twitter_app://ipad'</span>,
        <span class="hljs-attr">googleplay</span>: <span class="hljs-string">'twitter_app://googleplay'</span>,
      },
      <span class="hljs-attr">url</span>: {
        <span class="hljs-attr">iphone</span>: <span class="hljs-string">'https://iphone_url'</span>,
        <span class="hljs-attr">ipad</span>: <span class="hljs-string">'https://ipad_url'</span>,
      },
    },
  },
}


<span class="hljs-comment">// Head Output</span>
<meta name=<span class="hljs-string">"twitter:site:id"</span> content=<span class="hljs-string">"1467726470533754880"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:creator"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"@nextjs"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:creator:id"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"1467726470533754880"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:title"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Next.js"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:description"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"The React Framework for the Web"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:card"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"app"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:image"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://nextjs.org/og.png"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:image:alt"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"Next.js Logo"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:name:iphone"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:id:iphone"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app://iphone"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:id:ipad"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app://ipad"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:id:googleplay"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app://googleplay"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:url:iphone"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://iphone_url"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:url:ipad"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"https://ipad_url"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:name:ipad"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"twitter:app:name:googleplay"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"twitter_app"</span> /></span></span>
</code></pre>
<h3 id="heading-verification-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadataverification"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#verification">verification Field</a></h3>
<p><code>verification</code> field is used to add different search engine verification code to verify site.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">verification</span>: {
    <span class="hljs-attr">google</span>: <span class="hljs-string">'google'</span>,
    <span class="hljs-attr">yandex</span>: <span class="hljs-string">'yandex'</span>,
    <span class="hljs-attr">yahoo</span>: <span class="hljs-string">'yahoo'</span>,
    <span class="hljs-attr">other</span>: {
      <span class="hljs-attr">me</span>: [<span class="hljs-string">'my-email'</span>, <span class="hljs-string">'my-link'</span>],
    },
  },
}

<span class="hljs-comment">// Head Output</span>
<meta name=<span class="hljs-string">"google-site-verification"</span> content=<span class="hljs-string">"google"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"y_key"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"yahoo"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"yandex-verification"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"yandex"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"me"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"my-email"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"me"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"my-link"</span> /></span></span>
</code></pre>
<h3 id="heading-alternates-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadataalternates"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#alternates">alternates Field</a></h3>
<p><code>alternates</code> field is used to create meta tags for <code>canonical</code>, <code>languages</code>, <code>media</code> and define <code>type</code> of page.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">alternates</span>: {
    <span class="hljs-attr">canonical</span>: <span class="hljs-string">'https://nextjs.org'</span>,
    <span class="hljs-attr">languages</span>: {
      <span class="hljs-string">'en-US'</span>: <span class="hljs-string">'https://nextjs.org/en-US'</span>,
      <span class="hljs-string">'de-DE'</span>: <span class="hljs-string">'https://nextjs.org/de-DE'</span>,
    },
    <span class="hljs-attr">media</span>: {
      <span class="hljs-string">'only screen and (max-width: 600px)'</span>: <span class="hljs-string">'https://nextjs.org/mobile'</span>,
    },
    <span class="hljs-attr">types</span>: {
      <span class="hljs-string">'application/rss+xml'</span>: <span class="hljs-string">'https://nextjs.org/rss'</span>,
    },
  },
}

<span class="hljs-comment">// Head Output</span>
<link rel=<span class="hljs-string">"canonical"</span> href=<span class="hljs-string">"https://nextjs.org"</span> />
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span> <span class="hljs-attr">hreflang</span>=<span class="hljs-string">"en-US"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/en-US"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span> <span class="hljs-attr">hreflang</span>=<span class="hljs-string">"de-DE"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/de-DE"</span> /></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span>
  <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span>
  <span class="hljs-attr">media</span>=<span class="hljs-string">"only screen and (max-width: 600px)"</span>
  <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/mobile"</span>
/></span></span>
<span class="xml"><span class="hljs-tag"><<span class="hljs-name">link</span>
  <span class="hljs-attr">rel</span>=<span class="hljs-string">"alternate"</span>
  <span class="hljs-attr">type</span>=<span class="hljs-string">"application/rss+xml"</span>
  <span class="hljs-attr">href</span>=<span class="hljs-string">"https://nextjs.org/rss"</span>
/></span></span>
</code></pre>
<h3 id="heading-other-fieldhttpsnextjsorgdocsappapi-referencefunctionsgenerate-metadataother"><a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#other">other Field</a></h3>
<p>All metadata options should be covered using the built-in support. However, there may be custom metadata tags specific to your site or brand-new metadata tags just released. You can use the <code>other</code> option to render any custom metadata tag.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">other</span>: {
    <span class="hljs-attr">custom</span>: <span class="hljs-string">'meta'</span>,
  },
}

<span class="hljs-comment">// Head Output</span>
<meta name=<span class="hljs-string">"custom"</span> content=<span class="hljs-string">"meta"</span> />
</code></pre>
<p>To generate multiple same-key meta tags, you can use an array value.</p>
<pre><code class="lang-javascript"><span class="hljs-comment">// layout.tsx or page.tsx</span>
<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> metadata = {
  <span class="hljs-attr">other</span>: {
    <span class="hljs-attr">custom</span>: [<span class="hljs-string">'meta1'</span>, <span class="hljs-string">'meta2'</span>],
  },
}

<span class="hljs-comment">// Head Output</span>
<meta name=<span class="hljs-string">"custom"</span> content=<span class="hljs-string">"meta1"</span> /> <span class="xml"><span class="hljs-tag"><<span class="hljs-name">meta</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"custom"</span> <span class="hljs-attr">content</span>=<span class="hljs-string">"meta2"</span> /></span></span>
</code></pre>
<p>There are so many other options available like <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#applewebapp"><code>appleWebApp</code></a>, <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#applinks"><code>appLinks</code></a>, <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#archives"><code>archives</code></a>, <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#assets"><code>assets</code></a>, <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#bookmarks"><code>bookmarks</code></a>, <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#category"><code>category</code></a>. Refer to the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#metadata-fields">Metadata Fields</a> to access all lists of supported options with Next JS 13 and above.</p>
<p>There are few unsupported Metadata. Refer to the <a target="_blank" href="https://nextjs.org/docs/app/api-reference/functions/generate-metadata#unsupported-metadata"><strong>Unsupported MetaData</strong></a> to know more about them.</p>
<h3 id="heading-should-a-url-end-with-a-trailing-slash-whats-the-difference">Should a URL end with a Trailing Slash “/“? What’s the difference?</h3>
<p>Whether a URL ends with a trailing slash primarily affects how the server interprets the request and how relative paths are resolved.</p>
<p>The specific differences are as follows:</p>
<ol>
<li><strong>Fundamental Concepts</strong></li>
</ol>
<p><strong>URL (Uniform Resource Locator):</strong></p>
<p>A unique identifier for resources on the internet, such as web pages, images, APIs, etc.</p>
<p><strong>Directory vs. Resource:</strong></p>
<p>A URL ending with a <code>/</code> typically represents a <strong>directory</strong>. For example:</p>
<pre><code class="lang-typescript">https:<span class="hljs-comment">//example.com/folder/</span>
</code></pre>
<p>A URL <em>not</em> ending with a <code>/</code> usually points to a specific <strong>resource</strong> (like a file). For example:</p>
<pre><code class="lang-typescript">https:<span class="hljs-comment">//example.com/file</span>
</code></pre>
<ol start="2">
<li><strong>Specific Differences Between With and Without a “/“</strong></li>
</ol>
<p><strong>(1) Directory vs. Resource</strong></p>
<ul>
<li><a target="_blank" href="https://example.com/folder/">https://example.com/folder/</a></li>
</ul>
<blockquote>
<p><em>A server will typically interpret this as a directory and attempt to return the default file within that directory (e.g., index.html).</em></p>
</blockquote>
<ul>
<li><a target="_blank" href="https://example.com/folder">https://example.com/folder</a></li>
</ul>
<blockquote>
<p><em>A server might treat this as a file. If folder is actually a directory and not a file, the server will often issue a 301 redirect to folder/.</em></p>
</blockquote>
<p>📌 Example:</p>
<ul>
<li>When you visit <a target="_blank" href="https://example.com/blog/"><code>https://example.com/blog/</code></a></li>
</ul>
<blockquote>
<p><em>the server might directly serve the content of</em> <a target="_blank" href="https://example.com/blog/index.html."><code>https://example.com/blog/index.html</code></a></p>
</blockquote>
<ul>
<li>When you visit <code>https://example.com/blog</code> (and <code>blog</code> is a directory),</li>
</ul>
<blockquote>
<p><em>the server will likely first redirect you to</em> <code>https://example.com/blog/</code> and then serve <code>index.html</code>.</p>
</blockquote>
<p><strong>(2) Relative Path Resolution</strong></p>
<p>The presence of a trailing slash affects how relative paths are resolved.</p>
<p>Assume an HTML page contains the following <code></code> tag:</p>
<pre><code class="lang-typescript">"image.png"</span>>
</code></pre>
<p>📌 Example:</p>
<ul>
<li>If the page is loaded from <code>https://example.com/folder/</code>,</li>
</ul>
<blockquote>
<p><em>the image path will be resolved to</em> <a target="_blank" href="https://example.com/folder/image.png."><code>https://example.com/folder/image.png</code>.</a></p>
</blockquote>
<ul>
<li>If the page is loaded from <code>https://example.com/folder</code>,</li>
</ul>
<blockquote>
<p><em>the image path will be resolved to</em> <code>https://example.com/image.png</code>. This could lead to a <strong>404 Not Found</strong> error because the browser <mark>incorrectly</mark> looks for <code>image.png</code> in the root directory (<code>example.com/</code>) instead of inside <code>folder/</code>.</p>
</blockquote>
<p><strong>Reasoning:</strong></p>
<ul>
<li><p>For a URL ending in <code>/</code>, the browser treats it as a directory, and relative paths are resolved based on that directory (<code>folder/</code>).</p>
</li>
<li><p>Without the <code>/</code>, the browser may assume <code>folder</code> is a file, causing errors in resolving relative paths.</p>
</li>
</ul>
<p><strong>(3) SEO Impact</strong></p>
<p>Search engines may treat <code>https://example.com/folder/</code> and <code>https://example.com/folder</code> as two different pages. This can lead to <strong>duplicate content issues</strong>, which can negatively affect your SEO rankings. Therefore:</p>
<ul>
<li><p>It is best practice for a website to <strong>choose one canonical form</strong> and use <strong>301 redirects</strong> to enforce it.</p>
</li>
<li><p>For example, automatically redirect all requests for <code>https://example.com/folder</code> to <code>https://example.com/folder/</code>, or vice versa.</p>
</li>
</ul>
<p><strong>(4) API Requests</strong></p>
<p>For RESTful APIs, the presence or absence of a trailing slash can lead to different behaviors:</p>
<ul>
<li><p><code>https://api.example.com/users</code> might return a list of all users.</p>
</li>
<li><p><code>https://api.example.com/users/</code> might return a 404 error or produce a different result, depending on the server's implementation.</p>
</li>
</ul>
<p>Some API servers are very sensitive to the trailing slash, so it is crucial to follow the specifications in the API documentation.</p>
<ol start="3">
<li><strong>Summary</strong></li>
</ol>
<p></p>
<p>If you are developing a website, it is recommended to:</p>
<ol>
<li><p><strong>Standardize your URL structure.</strong> For example, enforce that all directory URLs end with a <code>/</code> (or that none do) and use 301 redirects to maintain consistency.</p>
</li>
<li><p><strong>Test your API’s behavior</strong> to confirm <mark>whether</mark> the presence of a trailing slash affects request outcomes.</p>
</li>
</ol>
<h1 id="heading-accessibility">Accessibility</h1>
<p>As a front-end developer, it is your responsibility to ensure that the websites you create are accessible to all users, including those with disabilities. In this guide, we will explore what web accessibility is, why it is important, and how you can create web-accessible websites.</p>
<h2 id="heading-what-is-web-accessibility">What is Web Accessibility?</h2>
<p>Before we dive into what web accessibility is, we should first understand what the word <strong>Accessibility</strong> entails:</p>
<p>From my knowledge, <strong>Accessibility</strong> means the ability of everyone regardless of their condition to have access to something (e.g. internet, transport, system).</p>
<p>Wikipedia says, “Accessibility refers to the design of products, devices, services, or environments for people who experience disabilities.“</p>
<p>So we could eventually say that Web Accessibility is a way to make everyone including the disabled to have access to the website and internet as a whole.</p>
<p>To put it differently, we could also say:</p>
<blockquote>
<p>Web Accessibility means that people with disabilities can use the Web.</p>
</blockquote>
<p>At the end of the day, we can conclude that people with disabilities can perceive, understand, navigate, and interact with the Web and that they can contribute to the Web. Web accessibility also benefits those with temporary or conditional disabilities which in some cases may be aging, slow internet connection, or broken arm.</p>
<h2 id="heading-what-is-disability-and-types">What is Disability and Types?</h2>
<p>It’s important to build sites that are inclusive and accessible to everyone. There are at least six key areas of disability you can optimize for: <strong>visual</strong>, <strong>hearing</strong>, <strong>mobility</strong>, <strong>cognition</strong>, <strong>speed</strong>, and <strong>neural</strong>. Many tools and resources can help here, even if you are totally new to web accessibility.</p>
<p><a target="_blank" href="https://www.who.int/teams/noncommunicable-diseases/sensory-functions-disability-and-rehabilitation/world-report-on-disability">Over one billion people</a> live with some form of disability.</p>
<p>To be accessible, sites need to work across multiple devices with varying screen sizes and different kinds of input, such as screen readers. Moreover, sites should be usable by the broadest of users, including those with disabilities.</p>
<p>Here are a few disabilities your users may have:</p>
<p></p>
<p><strong>Visual issues</strong> range from an inability to distinguish colors to no vision at all:</p>
<ul>
<li><p>Ensures text content meets a minimum <a target="_blank" href="http://www.w3.org/TR/WCAG20/#visual-audio-contrast-contrast">contrast ratio threshold</a>.</p>
</li>
<li><p>Avoid communicating information <a target="_blank" href="http://www.w3.org/TR/2008/REC-WCAG20-20081211/#visual-audio-contrast-without-color">using solely color</a> and ensure that all text is <a target="_blank" href="http://www.w3.org/TR/2008/REC-WCAG20-20081211/#visual-audio-contrast-scale">resizable</a>.</p>
</li>
<li><p>Ensures all user interface components can be used with assistive technologies such as screen readers, magnifiers, and braille displays. This entails ensuring that UI components are marked up such that accessibility APIs can programmatically determine the <em>role</em>, <em>state</em>, <em>value</em>, and <em>title</em> of any element.</p>
</li>
</ul>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text"><strong>Tip</strong>: The element inspection feature in the browser displays a tooltip of CSS properties that includes a quick check for the color contrast ratio.</div>
</div>

<p></p>
<p>Some people live with low vision, they often find themself zooming in on sites, their DevTools, and the Terminal. While supporting Zoom is almost never at the top of developers' to-do lists, it can make a world of difference for people like them.</p>
<p>Hearing issues mean a user may have issues hearing sound emitted from a page.</p>
<ul>
<li><p>Provide <a target="_blank" href="http://www.w3.org/TR/WCAG20/#media-equiv-av-only-alt">text alternatives</a> for all content that is not strictly text.</p>
</li>
<li><p>Test that your UI components are still functional <a target="_blank" href="http://www.w3.org/TR/2008/REC-WCAG20-20081211/#content-structure-separation-understanding">without sound</a>.</p>
</li>
</ul>
<p><strong>Mobility issues</strong> can include the inability to operate a mouse, a keyboard, or a touch screen.</p>
<ul>
<li><p>Make the content of your UI components <a target="_blank" href="http://www.w3.org/TR/wai-aria-practices/#keyboard">functionally accessible from a keyboard</a> for any actions one would otherwise use the mouse for</p>
</li>
<li><p>Ensure pages are correctly marked up for assistive technologies — including screen readers, voice control software, and physical switch controls — which tend to use the same APIs.</p>
</li>
</ul>
<p><strong>Cognitive issues</strong> mean a user may require assistive technologies to help them with reading text, so it’s important to ensure text alternatives exist.</p>
<ul>
<li><p>Be mindful when using animations. Avoid video and animation that <a target="_blank" href="http://www.w3.org/TR/WCAG20/#time-limits">repeat</a> or flash, which can cause <a target="_blank" href="http://www.w3.org/TR/WCAG20/#seizure">issues</a> for some users.<br />  The <a target="_blank" href="https://web.dev/articles/prefers-reduced-motion#too_much_motion_in_real_life_and_on_the_web"><code>prefers-reduced-motion</code></a> CSS media query lets you limit animations and auto-playing videos for users who prefer reduced motion:</p>
<pre><code class="lang-javascript">  <span class="hljs-comment">/*
  If the user expresses a preference for reduced motion, don't use animations on buttons.
  */</span>
  @media (prefers-reduced-motion: reduce) {
    button {
      <span class="hljs-attr">animation</span>: none;
    }
  }
</code></pre>
</li>
<li><p>Avoid interactions that are <a target="_blank" href="https://www.w3.org/WAI/WCAG21/Understanding/no-timing.html">timing-based</a>.</p>
</li>
</ul>
<p>This may seem like a lot of bases to cover, but we will work through the process of assessing and improving the accessibility of your UI components.</p>
<p>For extra visual support, the GOV.UK accessibility team has created a series of <a target="_blank" href="https://accessibility.blog.gov.uk/2016/09/02/dos-and-donts-on-designing-for-accessibility/">accessibility do and don'ts digital posters</a>, which you can use to share the best practices with your team.</p>
<p></p>
<h2 id="heading-why-web-accessibility-is-important">Why Web Accessibility is important?</h2>
<p>The Web and the Internet as a whole are increasingly important resources in many aspects of our lives, including education, employment, government, commerce, health care, creation, and more. Therefore, it is important that the Web be accessible to everyone to provide equal access and equal opportunity to people with disabilities. An accessible Web can help people with disabilities participate more actively in society.</p>
<p>Also, an accessible web is often one of the easiest ways to do business with many people with disabilities, for instance, people who can not read print material, people who have difficulty going to physical stores or malls, and others. Furthermore, what you do for accessibility overlaps with other best practices such as mobile web design, usability, and search engine optimization (SEO).</p>
<p>An accessible website provides many people with disabilities with access to information and interaction. The accessibility barriers to print, audio, and visual media can be much more easily overcome through Web technologies.</p>
<p>I suggest reading “<a target="_blank" href="https://www.w3.org/WAI/bcase/soc">Social Factors in Developing a Web Accessibility Business Case for Your Organization</a>” which shows how the web impacts the lives of people with disabilities and Web accessibility as an aspect of cooperate social responsibility.</p>
<p>Another important consideration for organizations is that Web accessibility is required by laws and policies in some cases. <a target="_blank" href="https://www.w3.org/WAI/policy-res">WAI Web Accessibility Policy Resources</a> links to resources for addressing legal and policy factors within organizations, including a list of relevant <a target="_blank" href="https://www.w3.org/WAI/Policy/">laws and policies around the world</a>.</p>
<h2 id="heading-measure-ui-components-accessibility">Measure UI component’s accessibility</h2>
<p>When editing your page’s UI component for accessibility, ask yourself:</p>
<ul>
<li><p><strong>Can you use your UI component with the keyboard only?</strong><br />  Does the component manage to focus and avoid focus traps? Can it respond to the appropriate keyboard events?</p>
</li>
<li><p><strong>Can you use your UI component with the screen reader?</strong></p>
<p>  Have you provided text alternatives for any information present visually? Have you added semantic information using ARIA?</p>
</li>
<li><p><strong>Can your UI component work without sound?</strong></p>
<p>  Turn off your speakers and go through your use cases.</p>
</li>
<li><p><strong>Can your UI component work without color?</strong></p>
<p>  Ensure your UI component can be used by someone who can't see colors. A helpful tool for simulating color blindness is a Chrome extension called <a target="_blank" href="https://chromewebstore.google.com/detail/colorblindly/floniaahmccleoclneebhhmnjgdfijgg">Colorblindly</a> (Try all four forms of color blindness simulation available). You may also be interested in the <a target="_blank" href="https://chromewebstore.google.com/detail/daltonize/obcnmdgpjakcffkcjnonpdlainhphpgh">Daltonize</a> extension, which is similarly useful.</p>
</li>
<li><p><strong>Can your UI component work with high-contrast mode enabled?</strong></p>
<p>  All modern operating systems support a high contrast mode. <a target="_blank" href="https://chrome.google.com/webstore/detail/high-contrast/djcfdncoelnlbldjfhinnjlhdjlikmph">High Contrast</a> is a Chrome extension that can help here.</p>
</li>
</ul>
<p>Standardized controls (such as <code><button></code> and <code><select></code>) have accessibility built into the browser. They are focusable using the Tab key; they respond to keyboard events (like the <code>Enter</code>, <code>Space</code>, and arrow keys); and they have semantic roles, states, and properties used by accessibility tools. Their default styling should also meet the accessibility requirements listed.</p>
<p>Custom UI components (with the exception of components that extend standard elements like <code><button></code>) don’t have any built-in capabilities, including accessibility, so you need to provide it. A good place to start when implementing accessibility is to compare your component to an analogous standard element (or a combination of several standard elements, depending on how complex your component is).</p>
<p>Most browser developer tools support inspecting the accessibility tree of a page. In Chrome DevTools, this is available in the <strong>Accessibility</strong> tab in the <strong>Element</strong> panels.</p>
<p></p>
<p>Firefox also has an <strong>Accessibility</strong> panel.</p>
<p></p>
<p>Safari exposes accessibility information in the <strong>Elements</strong> panel’s <strong>Node</strong> tab.</p>
<p>The following is a list of questions you can ask yourself when attempting to make your UI component more accessible.</p>
<h2 id="heading-how-to-make-the-web-accessible">How to Make the Web Accessible</h2>
<p>Making the web accessible depends on the developers building for the web. Making your website accessible to people with disabilities, will end up making it accessible to everyone.</p>
<h3 id="heading-use-tabindex">Use <code>tabindex</code></h3>
<p>You can add keyboard focus for elements and UI components with the <code>tabindex</code> attribute. Keyboard-only and assistive technology users need to be able to place keyboard focus on elements to interact with them.</p>
<p>Built-in interactive elements (like <Button/>) are implicitly focusable, so they don’t need a <code>tabindex</code>, attribute unless you need to change their position in the tab order.</p>
<p>There are 3 types of <code>tabindex</code> values:</p>
<ul>
<li><p><code>tabindex="0"</code> is the most common and places elements in the natural tab order (defined by the DOM order)</p>
</li>
<li><p>A <code>tabindex</code> value equal to -1 causes the element to be programmatically focusable, but not in the tab order.</p>
</li>
<li><p>A <code>tabindex</code> value greater than 0 places the element in the manual tab order. All elements in the page with the positive tabindex value are visited in numerical order, before elements in the natural tab order.</p>
</li>
</ul>
<p>Warning: As a general rule, avoid positive tabindexes. Disrupting the normal focus order may confuse and frustrate your users. It’s therefore likely to cause the failure of <a target="_blank" href="https://www.w3.org/TR/WCAG22/#focus-order">Success Criterion 2.4.3.</a></p>
<p>Find some use cases for <code>tabindex</code> in this article <a target="_blank" href="https://web.dev/articles/using-tabindex">Using tabindex</a>.</p>
<p>Ensure that focus is always visible, whether by using the default focus ring style or by applying a discernible custom focus style. Remember not to trap keyboard users - they should be able to move focus away from an element using only the keyboard.</p>
<h3 id="heading-use-autofocus">Use autofocus</h3>
<p>The HTML autofocus attribute lets an author specify that a particular element should automatically take focus when the page is loaded. autofocus is already supported on all web form controls, including buttons. To autofocus elements in your own custom UI components, call the focus() method, supported on all HTML elements that can be focused (for example, <code>document.querySelector('myButton').focus()</code>).</p>
<h3 id="heading-add-keyboard-interaction">Add keyboard interaction</h3>
<p>Once your UI component is focusable, provide a good keyboard interaction story when a component is focused by handling appropriate keyboard events. For example, allow the user to use arrow keys to select menu options and <code>Space</code> or <code>Enter</code> to activate buttons. The ARIA design pattern guide provides some guidance here.</p>
<p>Finally, ensure that your keyboard shortcuts are discoverable. A common practice is to have a keyboard shortcut legend (on-screen text) to inform the user that shortcuts exist. For example, "Press ? for keyboard shortcuts.". Alternatively, a hint such as a tooltip can be used to inform a user about the shortcut.</p>
<p>The performance of managing shortcuts can not be overstated. An important example is a navigation drawer. If you add a UI component to a page, you need to direct focus to the element inside it; otherwise, the user may have to tab the entire page to get there. This can be a frustrating experience, so be sure to test focus for all keyboard navigable components on your page.</p>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">Tip: You can use the <a target="_self" href="https://github.com/puppeteer/puppeteer">Puppeteer</a> to automate running keyboard accessibility tests for toggling UI states. <a target="_self" href="https://medium.com/walkme-engineering/web-accessibility-testing-d499a7f7a032">WalkMe Engineering</a> has a great guide on this I recommend reading.</div>
</div>

<p></p>
<pre><code class="lang-javascript"><span class="hljs-comment">// Example for expanding and collapsing a category with the Space key</span>
<span class="hljs-keyword">const</span> category = <span class="hljs-keyword">await</span> page.$(<span class="hljs-string">`.category`</span>);

<span class="hljs-comment">// verify tabIndex, role and focus</span>
expect(<span class="hljs-keyword">await</span> page.evaluate(<span class="hljs-function"><span class="hljs-params">elem</span> =></span> elem.getAttribute(<span class="hljs-string">`role`</span>), category)).toEqual(<span class="hljs-string">`button`</span>);
expect(<span class="hljs-keyword">await</span> page.evaluate(<span class="hljs-function"><span class="hljs-params">elem</span> =></span> elem.getAttribute(<span class="hljs-string">`tabindex`</span>), category)).toEqual(<span class="hljs-string">`0`</span>);
expect(<span class="hljs-keyword">await</span> page.evaluate(<span class="hljs-function"><span class="hljs-params">elem</span> =></span> <span class="hljs-built_in">window</span>.document.activeElement === elem, category)).toEqual(<span class="hljs-literal">true</span>);

<span class="hljs-comment">// verify aria-expanded = false</span>
expect(<span class="hljs-keyword">await</span> page.evaluate(<span class="hljs-function"><span class="hljs-params">elem</span> =></span> elem.getAttribute(<span class="hljs-string">`aria-expanded`</span>), category)).toEqual(<span class="hljs-string">`false`</span>);

<span class="hljs-comment">// toggle category by pressing Space</span>
<span class="hljs-keyword">await</span> page.keyboard.press(<span class="hljs-string">'Space'</span>);

<span class="hljs-comment">// verify aria-expanded = true</span>
expect(<span class="hljs-keyword">await</span> page.evaluate(<span class="hljs-function"><span class="hljs-params">elem</span> =></span> elem.getAttribute(<span class="hljs-string">`aria-expanded`</span>), category)).toEqual(<span class="hljs-string">`true`</span>);
</code></pre>
<h3 id="heading-mind-the-html-semantic">Mind the HTML semantic</h3>
<p>The Browser derives the DOM Tree to create the Accessibility Tree. This is possible because the DOM Tree has some semantic meaning implicit in HTML. This means that by correctly using HTML semantics, we will have a more accessible site.</p>
<p>Let’s see some important things that have into consideration:</p>
<p><strong>Embrace the element’s nature:</strong></p>
<p>You’ve likely seen a pseudo-button or pseudo-link before. These are elements that try to replicate the functionality of a button or anchor, on other elements. A <code>div</code> with an <code>onclick</code>, for example. This is <em>almost</em> never a good idea. The effort required to make these accessible far out-weighs whatever reason you have for implementing them. Let’s take a quick look at the features built into the <code><button></code> element.</p>
<ul>
<li><p>Focusable: A button can be focused by tabbing</p>
</li>
<li><p>Keyboard interactions: Pressing enter or space while focused will activate the button</p>
</li>
<li><p>Screen readers announce the element as a button</p>
</li>
<li><p>Additional attributes such as: <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button#attr-autofocus">autofocus</a>, <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button#attr-disabled">disabled</a>, <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button#attr-type">type</a>, and <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/button">many others</a>.</p>
</li>
</ul>
<p></p>
<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text"><em>Why are devs drawn to this anti-pattern? The most common reason I’ve seen is that it’s an easy way to remove all browser styles from the button. Today, there is an easier solution to that problem: Simply add the </em><a target="_blank" class="ag qx" href="https://developer.mozilla.org/en-US/docs/Web/CSS/all"><em>unset</em></a><em> style to your button’s css: </em><code>button { all: unset }</code></div>
</div>

<p>We should not abuse the <code>div</code> element. Instead, we can use elements like <code>nav</code>, <code>footer</code>, <code>article</code>, <code>section</code>, <code>address</code>, <code>aside</code> elements. They will provide some crucial implicit content to the user’s device.</p>
<p></p>
<p><strong>Non-text contents</strong></p>
<p>For those elements that don’t result in text content, it is hard for the browser to reason about.</p>
<p>For input elements, there is a simple semantic solution: use the label element. We have two ways to use it:</p>
<ul>
<li><p><strong>1.</strong> Explicit (recommended): by using the <code>label</code> element with the <code>for</code> attribute</p>
</li>
<li><p><strong>2.</strong> Implicit: by wrapping the <code>input</code> in a label element</p>
</li>
</ul>
<pre><code class="lang-xml"><span class="hljs-comment"><!-- Wrapping element in Label --></span>
<span class="hljs-tag"><<span class="hljs-name">label</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"checkbox"</span>></span>Terms and Conditions
<span class="hljs-tag"></<span class="hljs-name">label</span>></span>

<span class="hljs-comment"><!-- Using the 'for' attribute  --></span>
<span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"terms"</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"checkbox"</span>></span>
<span class="hljs-tag"><<span class="hljs-name">label</span> <span class="hljs-attr">for</span>=<span class="hljs-string">"terms"</span>></span>Terms and Conditions<span class="hljs-tag"></<span class="hljs-name">label</span>></span>
</code></pre>
<p>There are a couple of things to have in mind. The input <code>label</code> should be visible. Otherwise, screen readers won’t voice it. Interactive elements such as links are discouraged from any <code>label</code>. They might lead to accidental clicks or simply fail to be voiced properly.</p>
<pre><code class="lang-xml">
<span class="hljs-comment"><!-- ❌ Avoid --></span>
<span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"checkbox"</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"terms"</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"terms"</span> /></span>
<span class="hljs-tag"><<span class="hljs-name">label</span> <span class="hljs-attr">for</span>=<span class="hljs-string">"terms"</span>></span>I accept the <span class="hljs-tag"><<span class="hljs-name">a</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"..."</span>></span>Terms and Conditions<span class="hljs-tag"></<span class="hljs-name">a</span>></span><span class="hljs-tag"></<span class="hljs-name">label</span>></span>

<span class="hljs-comment"><!-- ✅ Recommended --></span>
<span class="hljs-tag"><<span class="hljs-name">input</span> <span class="hljs-attr">type</span>=<span class="hljs-string">"checkbox"</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"terms"</span> <span class="hljs-attr">name</span>=<span class="hljs-string">"terms"</span> /></span>
<span class="hljs-tag"><<span class="hljs-name">label</span> <span class="hljs-attr">for</span>=<span class="hljs-string">"terms"</span>></span>I accept the Terms and Conditions.<span class="hljs-tag"></<span class="hljs-name">label</span>></span>
<span class="hljs-tag"><<span class="hljs-name">span</span>></span><span class="hljs-tag"><<span class="hljs-name">a</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"..."</span>></span>Available here<span class="hljs-tag"></<span class="hljs-name">a</span>></span><span class="hljs-tag"></<span class="hljs-name">span</span>></span>
</code></pre>
<p><strong>Correct usage of Headings</strong></p>
<p>There are six levels of section headings in HTML <code><h1></code> to <code><h6></code>. They are relevant to both users and search engines. A proper structure will help better orientate the users and rank you site properly.</p>
<p>This is a list of things to have in mind:</p>
<ul>
<li><p>There should be only one <code>h1</code> in your site at all times. It is meant to be the headline of your page. It should contain a relevant description of the content.</p>
</li>
<li><p>Avoid using those elements to resize text. In that scenario <code>font-size</code> should be used.</p>
</li>
<li><p>Avoid skipping heading levels. Start from <code>h1</code> all the way down to <code>h6</code>.</p>
</li>
</ul>
<p><strong>Give links the proper name</strong></p>
<ul>
<li><p>The link must be recognizable. They should be either underlined or bold when resizing within a block of text (don’t just rely on color to denote it’s a link).</p>
</li>
<li><p>Ensure the link text makes sense on its own or give it a custom label (see below). Avoid “click here“ in the link text. Other ambiguous links, such as “more“ or “continue“ can be confusing.</p>
</li>
<li><p>Any links that open in a new tab or window should give screen reader users advance warning by setting the aria-label attribute on the anchor link(see below).</p>
</li>
<li><p>Links that point to the PDF document should open in a new tab.</p>
</li>
<li><p>Here’s an example of a link that has a custom label and opens in a new window.</p>
</li>
</ul>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">a</span> <span class="hljs-attr">href</span>=<span class="hljs-string">”#”</span> <span class="hljs-attr">target</span>=<span class="hljs-string">”_blank”</span> <span class="hljs-attr">aria-label</span>=<span class="hljs-string">”Download</span> <span class="hljs-attr">the</span> <span class="hljs-attr">2022</span> <span class="hljs-attr">report</span>, <span class="hljs-attr">opens</span> <span class="hljs-attr">in</span> <span class="hljs-attr">a</span> <span class="hljs-attr">new</span> <span class="hljs-attr">tab</span>”></span>Download<span class="hljs-tag"></<span class="hljs-name">a</span>></span>
</code></pre>
<p><strong>Rules of HTML display</strong></p>
<ul>
<li><p>If a piece of HTML content is set to <code>display:none</code>, this content will also be ignored by assistive technologies.</p>
</li>
<li><p>However, keep in mind that content that is set to <code>opacity:0</code> or <code>visibility: hidden</code> will be reachable by assistive technologies.</p>
</li>
</ul>
<p><strong>Telephone numbers and email addresses should always be hyperlinked</strong></p>
<p>Some screen readers do not enable these as clickable links as default, so this needs to be accounted for.</p>
<h3 id="heading-audio-and-video-101">Audio and Video 101</h3>
<p>Play controls (play, pause, volume, etc.) should always be available for screen readers and keyboards to interact it.</p>
<p>In addition, you should always provide captions for video and live audio and aim to make text transcripts available for all audio content.</p>
<h3 id="heading-include-alt-text-for-images">Include alt text for images</h3>
<p>We have seen earlier how <code>input</code> where challenging for screen screenreaders. The same is true for images. The screen reader needs an alternate way to understand the content of the image.</p>
<p>That is where the <code>alt</code> comes to play. It is a native HTML attribute that provides alternative information for the user when he can’t view the element. That might be because he is a screen reader or because the image failed to load. Even if crawlers can now “see“ the image, having an accurate description will help the SEO.</p>
<p>Some useful guidelines:</p>
<ul>
<li><p>the text should describe the image if it contains information</p>
</li>
<li><p>if the image is a link, it should describe where it is going.</p>
</li>
<li><p><code>alt=""</code> might be used in cosmetic decoration images that are not relevant to the user.</p>
</li>
<li><p>Purely decorative images also need the HTML role attribute set:</p>
<pre><code class="lang-xml">  role="presentation"
</code></pre>
</li>
<li><p>If the image is a headshot of a person and their name is already being displayed underneath or next to the photo, the alt should also be empty in this case. This will prevent assistive technologies from reading out the person’s name twice. For example, this would be the markup for the headshot with the person’s name under it.</p>
<pre><code class="lang-xml">  <span class="hljs-tag"><<span class="hljs-name">img</span> <span class="hljs-attr">src</span>=<span class="hljs-string">’/images/walter-white.jpg’</span> <span class="hljs-attr">alt</span>=<span class="hljs-string">””</span> <span class="hljs-attr">role</span>=<span class="hljs-string">”presentation”/</span>></span> <span class="hljs-tag"><<span class="hljs-name">h3</span>></span>Walter White 👨🏻‍🔬 <span class="hljs-tag"></<span class="hljs-name">h3</span>></span>
</code></pre>
</li>
</ul>
<h3 id="heading-use-aria-attributes">Use ARIA attributes</h3>
<p>The Accessible Rich Internet Application is a set of attributes that are designed to boost the accessibility of your page. When using the correct HTML semantics you get those for free. They should therefore only be used when the native HTML semantics require additional input.</p>
<p>Let’s see an obvious example:</p>
<pre><code class="lang-xml">// ❌ bad usage
<span class="hljs-tag"><<span class="hljs-name">div</span> <span class="hljs-attr">role</span>=<span class="hljs-string">"checkbox”>...</div>
// ✅ recommended, `role=checkbox` is implicit
<input type=”checkbox” name="</span><span class="hljs-attr">terms</span>"></span>
</code></pre>
<p>Let’s see a more complex example:</p>
<pre><code class="lang-xml">
<span class="hljs-comment"><!-- Manually building progress --></span>
<span class="hljs-tag"><<span class="hljs-name">div</span>
  <span class="hljs-attr">id</span>=<span class="hljs-string">"task-completed"</span>
  <span class="hljs-attr">role</span>=<span class="hljs-string">"progressbar"</span>
  <span class="hljs-attr">aria-valuenow</span>=<span class="hljs-string">"55"</span>
  <span class="hljs-attr">aria-valuemin</span>=<span class="hljs-string">"0"</span>
  <span class="hljs-attr">aria-valuemax</span>=<span class="hljs-string">"100"</span>
></span>
<span class="hljs-tag"></<span class="hljs-name">div</span>></span>

<span class="hljs-comment"><!-- ✅ using dedicated element (preferred) --></span>
<span class="hljs-tag"><<span class="hljs-name">progress</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"task-completed"</span> <span class="hljs-attr">value</span>=<span class="hljs-string">"55"</span> <span class="hljs-attr">max</span>=<span class="hljs-string">"100"</span>></span>55 %<span class="hljs-tag"></<span class="hljs-name">progress</span>></span>
</code></pre>
<p>Let’s see another example. If we want to present some advisory information we can use the <code>role="status"</code>. The screen reader will properly communicate the message to the user.</p>
<pre><code class="lang-xml">// ✅ Using status for success messages
<span class="hljs-tag"><<span class="hljs-name">p</span> <span class="hljs-attr">role</span>=<span class="hljs-string">"status"</span>></span>Your changes were saved.<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
</code></pre>
<p>How can we make sure that we are enforcing ARIA accessibility in your codebase? By using those tags to make queries and assertions in our <code>e2e</code>, <code>component</code>, and <code>integration</code> tests. The whole team would be more ARIA aware and we would have some semantic selectors.</p>
<h3 id="heading-color-contrast">Color Contrast</h3>
<p>When building a site, it is important to maintain a good color contrast between the background and the foreground content. This will ensure that your content stays legible.</p>
<p>There are some ratios established by the WCAG. The success is measured by where your site lands.</p>
<ul>
<li><p>Minimum Contrast (AA)</p>
</li>
<li><p>Enhanced Contrast (AAA)</p>
</li>
<li><p>Non-text Contrast (AA)</p>
</li>
</ul>
<p>There are some tools like WebAim that can help achieve the desired output of success.</p>
<p></p>
<h3 id="heading-always-test-your-page-by-using-your-keyboard">Always test your page by using your keyboard</h3>
<ul>
<li><p>You should be able to navigate through your page with the Tab key. Typically, the expected flow is left to right, top to bottom.</p>
</li>
<li><p>If the keyboard focus disappears and jumps out of order, this needs to be fixed and usually means something will not work as expected on the screen reader as well.</p>
</li>
<li><p>All clickable elements should fire when pressing Enter.</p>
</li>
<li><p>Links that contain a dropdown menu should open when pressing ENTER or SPACEBAR.</p>
</li>
<li><p>Links within a submenu/drop-down should be reachable via TAB or using the UP and DOWN ARROWS.</p>
</li>
<li><p>Checkboxes and radio buttons should be selectable with the SPACEBAR.</p>
</li>
</ul>
<h3 id="heading-account-for-the-page-zoom">Account for the page zoom</h3>
<ul>
<li><p>You should able to zoom the browser view up to 200% without loss of content and functionality.</p>
</li>
<li><p>WCAG 2.1 requires content to be zoomable up to 400% without the need for vertically scrolling (except when necessary).</p>
</li>
</ul>
<h3 id="heading-include-a-visually-hidden-skip-to-main-content-link-before-the-global-navigation">Include a visually hidden “Skip To Main Content“ link before the global navigation</h3>
<ul>
<li><p>This allows assistive technologies to bypass the global navigation and the site header and jump to the main content.</p>
</li>
<li><p>Typically, the link remains hidden, but it should become visible when it receives keyboard focus.</p>
</li>
<li><p>When clicked, this link should drop the user to an element on the page that holds the main content.</p>
</li>
</ul>
<h3 id="heading-a-word-on-icons">A word on icons</h3>
<ul>
<li><p>Most icons can be set to be ignored by the screen readers since they are purely decorative.</p>
</li>
<li><p>If you are using font icons and it acts as a link, there must be an associated text that describes the link.</p>
</li>
<li><p>Avoid using the <i> tag for displaying icons. Some screen readers will understand this to mean <strong><em>italics</em></strong>.</p>
</li>
</ul>
<h3 id="heading-be-wary-of-hover-only-content">Be wary of hover-only content</h3>
<ul>
<li><p>Any content that can only be viewed by mouse hover will likely be ignored by assistive technologies or get cut off if a user has their screen magnified. The best practice is to use clicks to show or hide vital content.</p>
</li>
<li><p>If that is not possible, make sure the content that is displayed on hover should also be viewable on keyboard focus or when pressing ENTER depending on the behavior of the component.</p>
</li>
</ul>
<h3 id="heading-removing-focus-outline">Removing focus outline</h3>
<p>It’s not uncommon to see an app where the focus outline has been removed. This is problematic as people with mobility problems will often use an app with keyboard interactions, and rely on the outline. While I agree, it doesn’t always look pretty, there are better solutions than removing it.</p>
<p><strong>Better focus styles with box-shadow</strong></p>
<p>If you want more control over the look of the focus outline, you can override the styles to use <code>box-shadow</code>. There is a caveat here though. When a Windows high-contrast theme is turned on the <code>box-shadow</code> wont be visible to the user. We can get the best of both worlds though by setting a <code>box-shadow</code>, and <code>outline-color: transparent</code></p>
<p></p>
<p><strong>Better UX with</strong> <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/CSS/:focus-visible"><strong>focus-visible</strong></a></p>
<p>If you’re like me, you really don’t like when you click a button and it shows the focus styles. This can be prevented by using <code>:focus-visible</code>. This allows the focus styles to appear only when the element has been tabbed to.</p>
<p></p>
<h3 id="heading-pay-close-attention-to-form-controls">Pay close attention to form controls</h3>
<ul>
<li><p>Ensure form controls have descriptive labels and introductions regardless if the label is visible on the page or not.</p>
</li>
<li><p>Relying on the input placeholder’s text to act as the label is bad practice.</p>
</li>
<li><p>Keep form error messages close to the corresponding user input. Always provide text so the screen reader can read the errors.</p>
</li>
</ul>
<p></p>
<h3 id="heading-leverage-screen-reader-only-content-when-applicable">Leverage screen reader only content when applicable</h3>
<p>When the standard HTML content is too complex for a screen reader to understand, such as for charts, graphs, infographics, etc., your best option is to create a screen reader only content. This involves:</p>
<ul>
<li><p>Creating a separate version of this content using simple text that typical users will not see on the page but will be available for assistive technologies.</p>
</li>
<li><p>In other words, you will have two versions of the same content: one for the browser and one for the screen reader. The screen version should be placed right before and after the browser content.</p>
</li>
<li><p>Many frontend frameworks such as Bootstrap offer a special CSS class that you can apply to your screen reader only content. <em>(class=”sr-only”)</em></p>
</li>
<li><p>The standard browser content that visually appear on the page needs to be hidden from the screen reader so it doesn't read duplicate information. This can be done by applying the area-hidden attribute to this element and setting this to true <em>(aria-hidden=”true”)</em></p>
</li>
</ul>
<h3 id="heading-rules-for-models-and-all-dialog-boxes">Rules for models and all dialog boxes</h3>
<ul>
<li><p>Keyboard focus should be trapped inside the modal window when it is opened and visible on the screen. Meaning, that only the items inside the modal should be focusable. Other page elements should be inaccessible by a keyboard and screen reader.</p>
</li>
<li><p>The ESC button should always allow the user to close the modal.</p>
</li>
<li><p>There should always be an obvious way for the user to exit the modal via a button.</p>
</li>
<li><p>The wrapping <div> element for the modal should utilize the following attributes:</p>
</li>
</ul>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">div</span> <span class="hljs-attr">tabindex</span>=<span class="hljs-string">”-1</span>" <span class="hljs-attr">role</span>=<span class="hljs-string">”dialog”</span> <span class="hljs-attr">aria-label</span>=<span class="hljs-string">”Contact</span> <span class="hljs-attr">Us</span> <span class="hljs-attr">Dialog</span>”></span>
</code></pre>
<ul>
<li><p><strong>tabindex</strong>: indicates if an element can receive user focus. It should be set to –1 when the modal is hidden and then switched to 0 with JavaScript when the modal is present on the screen. Many UI frameworks handle this behavior behind the scenes.</p>
</li>
<li><p><strong>role=”dialog”:</strong> tells screen readers and other tools that this element should behave like a dialog.</p>
</li>
<li><p><strong>aria-label:</strong> defines an accessible label for interactive elements to be read out by screen readers. You can also use <em>aria-labelled by</em>: which accepts the id of an HTML element that holds the text you want to use as the label.</p>
</li>
</ul>
<h3 id="heading-rules-for-carousels-and-sliders">Rules for carousels and sliders</h3>
<ul>
<li><p>There should always be next and previous controls.</p>
</li>
<li><p>There should always be a clear way for the user to stop or pause the carousel/slider. This can be done by adding both a stop/pause button and a play button.</p>
</li>
<li><p>When the carousel/slider moves from one slide to the next, a screen reader should read out what slide it is currently on. For example “Slide 2 of 4“.</p>
</li>
<li><p>If the carousel or slider is displaying text on any of the slides, this text needs to be read out by the screen reader as the slider moves from slide to slide. This can only be done with JavaScript and some custom HTML aria-attributes. Follow this <a target="_blank" href="https://www.w3.org/WAI/tutorials/carousels/working-example/">example</a> to see how you can implement this.</p>
</li>
<li><p>As always, ensure your carousel can be operated with a keyboard.</p>
</li>
</ul>
<h3 id="heading-accessibility-tools-and-testing">Accessibility tools and testing</h3>
<p>There are over 100 tools available to evaluate the accessibility of your site and its components. Some tools are automated while others require manual testing.</p>
<p>Here are a few for your consideration:</p>
<ul>
<li><p><a target="_blank" href="http://www.deque.com/products/axe/">Axe</a> provides automated accessibility testing for your framework or browser of choice. <a target="_blank" href="https://www.deque.com/blog/axe-and-attest-integration-puppeteer/">Axe Puppeteer</a> can be used for writing automated accessibility tests.</p>
</li>
<li><p>A <a target="_blank" href="https://developer.chrome.com/docs/lighthouse">Lighthouse</a> Accessibility audit provides helpful insights for discovering common accessibility issues. The accessibility score is a weighted average of all accessibility audits based on A<a target="_blank" href="https://github.com/dequelabs/axe-core/blob/develop/doc/rule-descriptions.md">xe user impact assessments</a>. For monitoring accessibility with continuous integration, see <a target="_blank" href="https://github.com/GoogleChrome/lighthouse-ci">Lighthouse CI</a>.</p>
<p>  </p>
</li>
<li><p><a target="_blank" href="http://Tenon.io">Tenon.io</a> is useful for testing common accessibility problems. Tenon has strong integration support across build tools, browsers (through extensions), and even text editors.</p>
</li>
<li><p>There are many library- and framework-specific tools for highlighting accessibility issues with components. For example, use <a target="_blank" href="https://www.npmjs.com/package/eslint-plugin-jsx-a11y">eslint-plugin-jsx-a11y</a> to highlight accessibility issues for React components in your editor.</p>
<p>  </p>
<p>  If you use Angular, <a target="_blank" href="https://web.dev/articles/accessible-angular-with-codelyzer">codelyzer</a> provides in-editor accessibility audits too:</p>
<p>  </p>
</li>
</ul>
<h3 id="heading-work-with-assistive-technologies">Work with assistive technologies</h3>
<ul>
<li><p>You can examine the way that assistive technologies see web content by using <a target="_blank" href="https://developer.apple.com/documentation/accessibility/accessibility-inspector">Accessibility Inspector</a> (Mac) or <a target="_blank" href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd373661\(v=vs.85\).aspx">Windows Automation API Testing Tools</a> and <a target="_blank" href="http://accessibility.linuxfoundation.org/a11yweb/util/accprobe/">AccProbe</a> (Windows). You can also see the full accessibility tree that Chrome creates by navigating to <code>about://accessibility</code>.</p>
</li>
<li><p>The best way to test for screen reader support on a Mac is by using the VoiceOver utility. Use <code>⌘F5</code> to enable or disable it, <code>Ctrl+Option ←→</code> to move through the page, and <code>Ctrl+Shift+Option + ↑↓</code> to move up and down the accessibility tree. For more detailed instructions, see the <a target="_blank" href="http://www.apple.com/voiceover/info/guide/_1131.html">full list of VoiceOver commands</a> and the <a target="_blank" href="http://www.apple.com/voiceover/info/guide/_1131.html#vo27972">list of VoiceOver Web commands</a>.</p>
</li>
<li><p>On Windows, <a target="_blank" href="http://www.nvaccess.org/">NVDA</a> is a free, open-source screen reader. However, it has a steep learning curve for sighted users.</p>
<p>  </p>
</li>
<li><p>ChromeOS has a <a target="_blank" href="https://support.google.com/chromebook/answer/7031755">built-in screenreader</a>.</p>
</li>
</ul>
<p>We have a long way to go to improve accessibility on the web. Per the <a target="_blank" href="https://almanac.httparchive.org/en/2019/accessibility">Web Almanac</a>:</p>
<ul>
<li><p>4 out of every 5 sites have text that blends into the background, making them unreadable.</p>
</li>
<li><p>49.91% of pages still fail to provide <code>alt</code> attributes for some of their images.</p>
</li>
<li><p>Only 24% of pages that use buttons or links include labels.</p>
</li>
<li><p>Only 22.33% of pages provide labels for all their form inputs.</p>
</li>
</ul>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://ahrefs.com/seo-audit-tool">http</a><a target="_blank" href="https://blog.openreplay.com/seo-basics-for-web-developers/?ref=dailydev">s://blog.openreplay.com/seo-basics-for-web-</a><a target="_blank" href="https://www.npmjs.com/package/eslint-plugin-jsx-a11y">developers/?ref=dailyd</a><a target="_blank" href="https://github.com/dequelabs/axe-core/blob/develop/doc/rule-descriptions.md">ev</a></p>
<p><a target="_blank" href="https://github.com/dequelabs/axe-core/blob/develop/doc/rule-descriptions.md">https://dev.to</a><a target="_blank" href="https://dev.to/acidop/12-easy-seo-tips-every-developer-should-know-52k3?context=digest">/acidop/12-easy-seo-tips-every-developer-should-</a><a target="_blank" href="https://www.w3.org/WAI/tutorials/carousels/working-example/">kn</a><a target="_blank" href="https://github.com/GoogleChrome/lighthouse-ci">ow-52k3?conte</a><a target="_blank" href="https://dev.to/acidop/12-easy-seo-tips-every-developer-should-know-52k3?context=digest">xt=digest</a></p>
<p><a target="_blank" href="https://dev.to/thesohailjafri/the-must-have-seo-checklist-for-developers-192i?ref=dailydev">https://dev.to/thesohail</a><a target="_blank" href="http://www.apple.com/voiceover/info/guide/_1131.html">jafri/the-must-have-seo-checkli</a><a target="_blank" href="https://dev.to/thesohailjafri/the-must-have-seo-checklist-for-developers-192i?ref=dailydev">st-for-d</a><a target="_blank" href="http://www.apple.com/voiceover/info/guide/_1131.html#vo27972">evelopers-192i?ref=dailydev</a></p>
<p><a target="_blank" href="http://www.apple.com/voiceover/info/guide/_1131.html#vo27972">h</a><a target="_blank" href="https://www.freecodecamp.org/news/tips-to-boost-your-seo/">ttps://www.freecodecamp.org/news/tips-to-boost-your-seo/</a></p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/how-to-make-a-website-seo-friendly/">https://www.freecodecamp.org/news/how-to-make-a-website-seo-friendly/</a></p>
<p><a target="_blank" href="https://www.freecodecamp.org/news/nextjs-seo/">https://www.freecodecamp.org/news/nextjs-seo/</a></p>
<p><a target="_blank" href="https://medium.com/@sassenthusiast/next-js-seo-best-practices-for-higher-rankings-f315c5c2db32">https://medium.com/@sassenthusiast/next-js-seo-best-practices-for-higher-rankings-f315c5c2db32</a></p>
<p><a target="_blank" href="https://blog.stackademic.com/boosting-seo-in-next-js-essential-steps-for-effective-meta-tag-integration-b42690f1bc02">https://blog.stackademic.com/boosting-seo-in-next-js-essential-steps-for-effective-meta-tag-integration-b42690f1bc02</a></p>
<p><a target="_blank" href="https://medium.com/better-programming/5-web-accessibility-tips-e2ba0d3726e5">https://medium.com/better-programming/5-web-accessibility-tips-e2ba0d3726e5</a></p>
<p><a target="_blank" href="https://web.dev/articles/a11y-tips-for-web-dev#improve_keyboard_focus">https://web.dev/articles/a11y-tips-for-web-dev#improve_keyboard_focus</a></p>
<p><a target="_blank" href="https://uxplanet.org/30-must-know-best-practices-for-web-accessibility-df1b3258ebdc">https://uxplanet.org/30-must-know-best-practices-for-web-accessibility-df1b3258ebdc</a></p>
<p><a target="_blank" href="https://medium.com/fbdevclagos/why-web-accessibility-is-important-and-how-you-can-accomplish-it-4f59fda7859c">https://medium.com/fbdevclagos/why-web-accessibility-is-important-and-how-you-can-accomplish-it-4f59fda7859c</a></p>
<p><a target="_blank" href="https://blog.stackademic.com/should-a-url-end-with-a-trailing-slash-whats-the-difference-a8eacc430b47">https://blog.stackademic.com/should-a-url-end-with-a-trailing-slash-whats-the-difference-a8eacc430b47</a></p>

</article>
<article>
<h1>API Integration Patterns</h1>
<p>Tuan Tran Van — Sun, 02 Mar 2025 10:23:42 GMT</p>
<p>API stands for Application Programming Interface. The “I“ in the API is the key part that explains its purpose.</p>
<p>The interface is what the software presents to other humans or programs, allowing them to interact with it.</p>
<p>A good analogy for an interface is a remote control. Imagine you have a universal remote that controls your TV, lights, and fans.</p>
<p></p>
<p>Let’s break down what a universal remote control can do:</p>
<ul>
<li><p>The remote control has various buttons, each serving a different purpose. One button might change the channel, while another can dim the light of the chandelier, and another can turn on the fan.</p>
</li>
<li><p>When you press a button, it sends a specific signal via infrared, Bluetooth, or wifi to the object you are controlling, instructing it to perform a particular action.</p>
</li>
<li><p>The key feature of the remote is that it allows you to interact with the TV, chandelier, and fan without understanding their internal workings. All that complexity is abstracted away. You simply press a button, and you get a response that you can observe immediately.</p>
</li>
</ul>
<p>APIs work in the similar way.</p>
<ul>
<li><p>APIs can have various endpoints, each designed to perform a specific action. For example, one endpoint might retrieve data while another updates or deletes it.</p>
</li>
<li><p>When you send a request to an endpoint, it communicates with the server using HTTP methods—GET, POST, PUT, and DELETE—to instruct it to perform a particular action(such as retrieving, sending, updating, or deleting data).</p>
</li>
<li><p>The key thing about APIs, as with remote controls, is that APIs abstract away the inner workings of the server or the database behind the API. The API allows users, developers, and applications to interact with a software application or perform without needing to understand its internal code or database structure. You simply send a request, and the server processes it and provides a response.</p>
</li>
</ul>
<p>The analogy holds true as long as APIs are more complex than a remote control. However, the basic principle of operation of an API and a universal remote is quite similar.</p>
<p>This article will explain API integration patterns, which can be divided into two categories: Request-Response (SOAP, REST, RPC, and GraphQL) and event-driven APIs (Pooling, WebSockets, and WebHooks).</p>
<p></p>
<h1 id="heading-request-response-integration">Request-Response Integration</h1>
<p>In a request-response integration, the client initiates the action by sending a request to the server and then waits for the response.</p>
<p>Different patterns of request-response integration exist, but at a high level, they all conform to the same rule of the client initiating a request and waiting for a response from the server.</p>
<p></p>
<h2 id="heading-rpc">RPC</h2>
<p>RPC stands for Remote Procedure Call. Unlike REST APIs, which are all about resources, RPC is all about actions. With RPC, the client executes a block of code on the client.</p>
<p>Think of a restaurant without a menu. There is no dish you can request in this restaurant. Instead, you request a specific action to be performed by the restaurant.</p>
<p></p>
<p>With a REST API, the guest would have simply asked for some fish and chips. With RPC, they have to give instructions on what they want the kitchen to prepare.</p>
<p>In the RPC pattern, the client calls a specific procedure on the server and waits for the result. The procedure to prepare and what gets prepared are tightly bound together. This might give the client very specific and tailored results, but it lacks the flexibility and ease of use of REST.</p>
<p>Most restaurants use menus instead of following their customers' custom requests. This partly explains why RPC is a less popular integration pattern than REST.</p>
<h2 id="heading-soap">SOAP</h2>
<p><strong>Simple Object Access Protocol (SOAP)</strong> is a messaging protocol used for exchanging structured data between different systems over the Internet. SOAP is an XML-based protocol and is considered one of the earliest web service protocols. SOAP was first introduced in 1998 by Microsoft as a successor to Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM). SOAP was designed to provide a platform-independent way to exchange data between different systems over the Internet. SOAP was later standardized by the World Wide Web Consortium (W3C) in 2003.</p>
<p>SOAP APIs were widely used in the early days of web services and are still used in several industries and sectors today, although REST and GraphQL have become more popular in recent years. SOAP might be the most beneficial option for developing an API when sensitive data needs to be transmitted, complex data structures need to be supported, or a reliable and standardized protocol is needed.</p>
<p>SOAP APIs use XML as the main format for data transmission. XML stands for Extensible Markup Language. It’s a markup language that allows users to create custom tags and attributes to describe the structure and content of data. XML uses a set of rules for encoding documents in a format that is both human-readable and machine-readable. This is achieved by using tags to define elements of a document, similar to HTML.</p>
<p>For example, an XML document may have a tag called <code><person></code> to define an element representing a person, with nested tags for properties such as <code><name></code>, <code><age></code>, and <code><address></code>. XML also allows users to define custom tags to describe their data in a way that is specific to their needs. XML is widely used in various industries, including finance, healthcare, and government. It is often used for data exchange between different applications and systems, as it provides a standardized way of representing data that can be easily parsed by computers. XML is also used to store configuration files and metadata for various applications.</p>
<p>Overall, XML provides a flexible and extensible way of describing and exchanging data that computers can easily process. However, its use has declined in recent years due to the rise of more modern formats such as JSON and YAML, which are lighter and easier to use for many applications.</p>
<p>Here is an example of how you can make a simple request to a SOAP API from a JavaScript front-end application:</p>
<pre><code class="lang-typescript"><span class="hljs-comment">// specify the URL of the SOAP API endpoint</span>
<span class="hljs-keyword">const</span> url = <span class="hljs-string">'http://www.example.com/soap-api'</span>;

<span class="hljs-comment">// specify the SOAP message to send</span>
<span class="hljs-keyword">const</span> soapMessage = <span class="hljs-string">'<?xml version="1.0" encoding="UTF-8"?>'</span> +
                    <span class="hljs-string">'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://example.com">'</span> +
                    <span class="hljs-string">'<SOAP-ENV:Header/>'</span> +
                    <span class="hljs-string">'<SOAP-ENV:Body>'</span> +
                    <span class="hljs-string">'<ns1:GetData>'</span> +
                    <span class="hljs-string">'<ns1:Id>123</ns1:Id>'</span> +
                    <span class="hljs-string">'</ns1:GetData>'</span> +
                    <span class="hljs-string">'</SOAP-ENV:Body>'</span> +
                    <span class="hljs-string">'</SOAP-ENV:Envelope>'</span>;

<span class="hljs-comment">// set the content type of the SOAP message</span>
<span class="hljs-keyword">const</span> contentType = <span class="hljs-string">'text/xml'</span>;

<span class="hljs-comment">// make the fetch request</span>
fetch(url, {
  method: <span class="hljs-string">'POST'</span>, <span class="hljs-comment">// SOAP uses the HTTP POST method to send requests to a server.</span>
  headers: {
    <span class="hljs-string">'Content-Type'</span>: contentType,
    <span class="hljs-string">'SOAPAction'</span>: <span class="hljs-string">'http://example.com/GetData'</span>
  },
  body: soapMessage
})
  .then(<span class="hljs-function"><span class="hljs-params">response</span> =></span> response.text())
  .then(<span class="hljs-function"><span class="hljs-params">xml</span> =></span> {
    <span class="hljs-comment">// handle the XML response</span>
    <span class="hljs-keyword">const</span> parser = <span class="hljs-keyword">new</span> DOMParser();
    <span class="hljs-keyword">const</span> xmlDoc = parser.parseFromString(xml, <span class="hljs-string">'text/xml'</span>);
    <span class="hljs-keyword">const</span> value = xmlDoc.getElementsByTagName(<span class="hljs-string">'Value'</span>)[<span class="hljs-number">0</span>].childNodes[<span class="hljs-number">0</span>].nodeValue;
    <span class="hljs-built_in">console</span>.log(value);
  })
  .catch(<span class="hljs-function"><span class="hljs-params">error</span> =></span> <span class="hljs-built_in">console</span>.error(error));
</code></pre>
<p>A typical response might look like this:</p>
<pre><code class="lang-typescript"><?xml version=<span class="hljs-string">"1.0"</span> encoding=<span class="hljs-string">"UTF-8"</span>?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=<span class="hljs-string">"http://schemas.xmlsoap.org/soap/envelope/"</span>>
   <SOAP-ENV:Body>
      <ns1:GetDataResponse xmlns:ns1=<span class="hljs-string">"http://example.com"</span>>
         <ns1:Result>
            <ns1:Id><span class="hljs-number">123</span></ns1:Id>
            <ns1:Value><span class="hljs-number">42</span></ns1:Value>
         </ns1:Result>
      </ns1:GetDataResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
</code></pre>
<p>The following code extracts the value of the Value element from the XML document object:</p>
<pre><code class="lang-typescript"><span class="hljs-keyword">const</span> parser = <span class="hljs-keyword">new</span> DOMParser();
<span class="hljs-keyword">const</span> xmlDoc = parser.parseFromString(xml, <span class="hljs-string">'text/xml'</span>);
<span class="hljs-keyword">const</span> value = xmlDoc.getElementsByTagName(<span class="hljs-string">'Value'</span>)[<span class="hljs-number">0</span>].childNodes[<span class="hljs-number">0</span>].nodeValue;
<span class="hljs-built_in">console</span>.log(value); <span class="hljs-comment">// output: 42</span>
</code></pre>
<p>Overall, SOAP responses tend to be more verbose and complex than responses from RESTs and GraphQL APIs due to their use of XML and the envelope format. However, this format provides a standardized way of exchanging information that can be useful in certain industries or use cases.</p>
<h2 id="heading-rest">REST</h2>
<p>REST (Representational State Transfer) is not a framework or library but an architectural style for building web services or APIs. In REST, <strong>everything is a resource identified by a unique URL</strong>, and these resources are manipulated using HTTP methods such as GET (to retrieve the resource), POST (to create a new resource), PUT or PATCH (to update a resource), and DELETE (to remove a resource).</p>
<p>To understand REST APIs, consider the following analogy. Imagine you go to a restaurant and order some food. The menu is extensive, and items are categorically organised. Each item on the menu can be equated to a resource.</p>
<p>First, you call a waiter to get attention, then you place an order. Each request receives a response before you can proceed with another request, like ordering a dish.</p>
<p></p>
<p>In REST API terms, the client initiates requests to the server by specifying exactly what it wants using HTTP methods such as GET, POST, PUT, and DELETE on specific URLs (the menu items). Each interaction is stateless, meaning that each request from the client to the server must contain all the information needed to understand and process the request. <strong>The server does not store client contexts between requests,</strong> simplifying design and improving scalability. The client and server’s HTTP request and response bodies carry JSON and XML representations of a resource’s status.</p>
<p><strong>Benefits of REST APIs:</strong></p>
<ul>
<li><p><strong>Simplicity</strong>: Using standard HTTP methods and common data formats makes REST APIs easy to understand and implement.</p>
</li>
<li><p><strong>Interoperability</strong>: REST APIs promote interoperability, as different applications can interact seamlessly regardless of the programming language or platforms used.</p>
</li>
<li><p><strong>Scalability</strong>: The stateless nature of REST APIs allows for easy scaling to handle large columns and requests.</p>
</li>
<li><p><strong>Flexibility</strong>: REST APIs can be updated to various use cases due to their versatile design principles.</p>
</li>
</ul>
<p><strong>Drawbacks of REST APIs</strong></p>
<ul>
<li><p><strong>Statelessness</strong>: REST relies on stateless transactions, meaning each request must complete all the information independently. This can be cumbersome for workflows that require maintaining state across multiple requests, like shopping carts on e-commerce sites.</p>
</li>
<li><p><strong>Limited payload size</strong>: Data Transfer in REST often happens through JSON or XML payloads, which can become quite large if you are dealing with complex data or many queries. This can lead to performance issues.</p>
</li>
<li><p><strong>Lack of discoverability</strong>: REST APIs don’t inherently make it easy for users to understand the functionality or how to interact with them, which can add complexity for new users.</p>
</li>
<li><p><strong>Performance for complex queries</strong>: REST might not be ideal for retrieving specific data points from a large source. Other options, like GraphQL, can be more efficient in such cases.</p>
</li>
</ul>
<p>REST defines <strong>six architectural constraints</strong> an API should follow to be considered genuinely RESTful:</p>
<ol>
<li><p><strong>Client-Server</strong>: This separation of concerns separates the client (the application using the API) from the server (the application providing the API). The client initiates requests, and the server processes them and sends the response.</p>
</li>
<li><p><strong>Stateless</strong>: Each request from the client to the server must contain all the information necessary to understand the request. The server doesn’t store any context about the client between requests. This simplifies communication and improves scalability.</p>
</li>
<li><p><strong>Uniform interface</strong>: This constraint defines a set of rules for how clients interact with the server. These rules include:</p>
<ul>
<li><p><strong>Resource-based</strong>: APIs expose resources that clients can interact with. URLs identify resources.</p>
</li>
<li><p><strong>Standard Methods</strong>: Clients use standard HTTP methods (GET, POST, PUT, DELETE) to perform operations on resources.</p>
</li>
<li><p><strong>Representation</strong>: Data is exchanged between client and server in a standard format like JSON or XML.</p>
</li>
</ul>
</li>
<li><p><strong>Cacheable</strong>: The client may mark the server responses as cacheable. This allows clients to store frequently accessed data locally, reducing server loads and improving performance.</p>
</li>
<li><p><strong>Layered System</strong>: The architecture may consist of multiple layers (proxies, caches, load balancers) between the client and server. These layers can improve performance, security, and scalability.</p>
</li>
<li><p><strong>Code on Demand (Optional)</strong>: While not strictly mandatory, a RESTful API may optionally transfer executable code to the client. Clients can use this code to extend its functionality or process data locally.</p>
</li>
</ol>
<p></p>
<p>An example of a REST API call for the API on the <a target="_blank" href="https://api.example.com/">https://api.example.com</a> address when you want to get the information about the user ID 500 is the following, using the curl command-line tool curl <code>-X GET</code> <a target="_blank" href="https://api.example.com/users/500"><code>https://api.example.com/users/500</code></a> <code>-H "Accept: application/json</code> . The last part (Accept: application/json) is a header that indicates that the client expects to receive the data in JSON format. A response would be a result in the JSON format, and 200 would be the response status code.</p>
<p></p>
<p>Even though REST is not the best choice when performances are essential, we can do a few things here, such as <strong>caching</strong>, <strong>pagination</strong>, <strong>payload compression</strong>, and more.</p>
<h2 id="heading-graphql">GraphQL</h2>
<p><a target="_blank" href="https://graphql.org/">GraphQL</a> is a query language for APIs released and open-sourced in 2015 by Meta. The <a target="_blank" href="https://graphql.org/foundation/">GraphQL Foundation</a> now oversees it. GraphQL is a server-side runtime environment that enables clients to request the data they need from an API. Unlike traditional REST APIs, which often require multiple requests to get different pieces of data, GraphQL allows you to specify all the data you need in a single request. The GraphQL specification was open-sourced in 2015.</p>
<p>Think of a restaurant that allows you to customize your own dish by specifying exact quantities or ingredients you want.</p>
<p></p>
<p>This may look similar to the RPC pattern, but notice that the customer is not saying how the food should be made; they are just customizing their order by removing some ingredients (no salt) and reducing the number of some items (two pieces of fish instead of four)</p>
<p>Because GraphQL doesn't over- or under-fetch results when queries are sent to your API, it guarantees that the app built with GraphQL is <strong>scalable, fast, and stable.</strong> It also allows for combining multiple operations into a single HTTP request.</p>
<p>GraphQL APIs are organized in <strong>terms of type and field, not endpoints</strong>. Using the <strong>GraphQL Schema Definition Language (SDL)</strong>, you define your data as a schema. This schema serves as a contract between the client and the server, detailing precisely what queries can be made, what types of data can be fetched, and what the response will look like.</p>
<p><strong>Benefits of GraphQL:</strong></p>
<ul>
<li><p><strong>Efficient data fetching</strong>: You only request the exact data you need, eliminating the issue of over-fetching and under-fetching that can happen with REST. This can significantly improve performance, especially for complex data models.</p>
</li>
<li><p><strong>Flexible and Declarative</strong>: GraphQL uses a schema that defines the available data and how to access it. This schema allows developers to write clear and concise queries that specify their exact data needs.</p>
</li>
<li><p><strong>Single request for multiple resources</strong>: Unlike REST, which requires multiple API calls to fetch data from different endpoints, GraphQL allows combining queries into a single request for improved efficiency.</p>
</li>
<li><p><strong>Versioning and Backward Compatibility</strong>: GraphQL schema changes can be improved with versioning, ensuring existing clients aren’t affected while allowing for future growth.</p>
</li>
</ul>
<p><strong>Drawbacks of GraphQL:</strong></p>
<ul>
<li><p><strong>Complexity in query structure</strong>: While flexibility is a strength, writing complex GraphQL queries can be challenging and requires careful planning for readability and maintainability.</p>
</li>
<li><p><strong>Caching</strong>: Caching data with GraphQL is generally more complex than REST APIs, which leverage built-in HTTP cache mechanisms.</p>
</li>
<li><p><strong>Security</strong>: GraphQL exposes your entire data schema, so proper security measures are crucial to prevent unauthorized access to sensitive data.</p>
</li>
<li><p><strong>Learning Curve</strong>: For developers unfamiliar with GraphQL, understanding schema and query syntax involves a learning curve.</p>
</li>
<li><p><strong>Error Handling</strong>: If the library doesn’t parse errors with a status of 200 in the response body, the client must use more intricate logic to handle them.</p>
</li>
</ul>
<p><strong>How it works:</strong></p>
<ul>
<li><p>The client <strong>defines a query in GraphQL syntax</strong>, specifying exactly how the data should be structured and what fields are needed.</p>
</li>
<li><p>The GraphQL server uses a predefined schema to determine the available data and its relationship to other data. This schema defines types, fields, and the relationships between types.</p>
</li>
<li><p>The server executes the query against the schema. For each field in the query, the <strong>server has a corresponding resolver function</strong> that fetches the data for that field.</p>
</li>
<li><p>The server returns a JSON object where the shape directly mirrors the query, populated with the requested data.</p>
</li>
</ul>
<p></p>
<p>GraphQL supports three core operations that define how the client interacts with the server:</p>
<ul>
<li><p><strong>Queries</strong>: Used to retrieve data from the server. This is the most common operation used in GraphQL.</p>
</li>
<li><p><strong>Mutations</strong> modify data on the server. This could involve creating new data, updating existing data, or deleting data.</p>
</li>
<li><p><strong>Subscriptions</strong> are used to establish real-time communication between the client and the server. The server can then update the client whenever the requested data changes.</p>
</li>
</ul>
<p>An example of a GraphQL request consists of an operation and the data you are requesting and manipulating.</p>
<p></p>
<p>This query retrieves data for a user with ID 1. It also fetches nested data for the user’s posts, including their IDs and titles.</p>
<p>The response is a JSON object containing actual data requested by the query or mutation or optional errors.</p>
<p></p>
<p>So, when to choose each of those protocols:</p>
<ul>
<li><p>✅ Use <strong>REST</strong> when you are building a CRUD-style web application or when you work with well-structured data. It’s a go-to for public APIs and services that need to be consumed by a broad range of clients.</p>
</li>
<li><p>✅ Use <strong>gRPC</strong> if your API is private about actions or if performance is essential. Low latency is critical for server-to-server communication. Its use of HTTP/2 and ProtoBuf optimizes efficiency and speed.</p>
</li>
<li><p>✅ Use <strong>GraphQL</strong> if you have a public API that needs to be flexible in customizing requests and you want to add data from different sources into a public API. Use it in client-server communication, while we must get all the data on a single round trip.</p>
</li>
</ul>
<p></p>
<h1 id="heading-event-driven-integration">Event-Driven Integration</h1>
<p>This integration pattern is ideal for services with fast-changing data.</p>
<p>Some of these integration patterns are also <a target="_blank" href="https://lightcloud.substack.com/p/synchronous-and-asynchronous-communication">asynchronous</a> and initiated by the server, unlike the request-response patterns, which are <a target="_blank" href="https://lightcloud.substack.com/p/synchronous-and-asynchronous-communication">synchronous</a> and initiated by the client.</p>
<h2 id="heading-polling">Polling</h2>
<p>Let’s use the restaurant analogy again. When you order food, it takes some time for it to be prepared.</p>
<p>Asking the waiter if your order is ready can update you on its status. The more frequently you ask, the closer you will be to having real-time information about your order.</p>
<p>However, this puts unnecessary strain on the waiters, who have to constantly check the status of your order and update you whenever you ask.</p>
<p></p>
<p>Polling is when the client continuously asks the server if there is new data available with a set frequency. It’s not efficient because many requests may return no new data, thus unnecessarily consuming resources.</p>
<p>The more frequently you poll (make requests), the closer the client gets to real-time communication with the server.</p>
<p></p>
<p>Most of the requests during the polling are wasted since they only return something useful to the client once there is a change on the server.</p>
<p>There is, however, another version of polling called long polling. With long polling, the waiter doesn’t respond to the guest straightaway about the status of the order. Instead, the waiter only responds if there is an update.</p>
<p>Naturally, this only works if the guest and the waiter agree beforehand that a slow response from the waiter doesn’t mean that the waiter is being rude and the guest is being ignored.</p>
<p></p>
<p>With long polling, the server does not respond to the client immediately. It waits until something has changed before responding.</p>
<p>As long as the server and the client agree that the server will hold on to the client’s requests and the connection between the client and the server remains open, this pattern works and can be more efficient than simply polling.</p>
<p>These two assumptions for long polling may be unrealistic, though - the server can lose the client’s requests and/or the connection can be broken.</p>
<p>To address these limitations, long polling adds extra complexity to the process by requiring a directory of the server that contains the connection to the client, which is used to send data to the client whenever the server is ready.</p>
<p>Standard polling, on the other hand, can remain <a target="_blank" href="https://lightcloud.substack.com/i/104443280/stateless-architecture">stateless</a>, making it more <a target="_blank" href="https://lightcloud.substack.com/i/59017006/fault-tolerance">fault-tolerant</a> and scalable.</p>
<h2 id="heading-websockets">WebSockets</h2>
<p>WebSockets provide a persistent, two-way communication channel between the client and server. Once a WebSocket connection is established, both parties can communicate freely, which enables real-time data flows and is more resource-efficient than polling.</p>
<p>Using the restaurant analogy again, a guest orders a meal and then establishes a dedicated communication channel with the waiter so they can freely communicate back and forth about updates and changes to the order until the meal is ready. This means the waiter can also initiate the communication with the guest, which is not the case for the other integration patterns mentioned so far.</p>
<p></p>
<p>WebSockets are similar to long polling. They both avoid the wasteful requests of polling, but WebSockets have the added benefit of having a persistent connection between the client and the server.</p>
<p>WebSockets are ideal for fast, live streaming data, like real-time chat applications. The downside of WebSockets is that the persistent connection consumes bandwidth, so it might not be ideal for mobile applications or in areas with poor connectivity.</p>
<h2 id="heading-webhooks">WebHooks</h2>
<p>WebHooks allow the server to notify the client when new data is available. The client registers a callback URL to the server, and the server sends a message to that URL when there is data to send.</p>
<p>With WebHooks, the client sends requests as usual but can also listen and receive requests like a server.</p>
<p></p>
<p>Using the restaurant analogy, when the guest orders the meal, they give the waiter a bell (analogous to the callback URL). The waiter goes to the kitchen and rings the bell as soon as the meal is ready. That allows the client to know, in real time, about the progress of his order.</p>
<p>WebHooks are superior to polling because you get real-time updates from the server once something changes, without having to make frequent, wasteful requests to the server about that change.</p>
<p>They are also superior to long polling because long polling can consume more client and server resources as it involves keeping connections open, potentially resulting in many open connections.</p>
<h1 id="heading-conclusion">Conclusion</h1>
<p>APIs are crucial tools in software development, allowing users and applications to interact with software without understanding its inner workings.</p>
<p>They come in different integration patterns, such as REST, RPC, GraphQL, Polling, WebSockets, and WebHooks.</p>
<p>If you need a simple request-response integration, then REST, RPC, or GraphQL could be ideal. For real-time or near-real-time applications, polling, WebSockets, or WebHooks are ideal.</p>
<p>As with any design problem, the right choice depends on the business case and what tradeoffs you are willing to tolerate.</p>
<h1 id="heading-references">References</h1>
<p><a target="_blank" href="https://www.freecodecamp.org/news/api-integration-patterns/">https://www.freecodecamp.org/news/api-integration-patterns/</a></p>
<p><a target="_blank" href="https://medium.com/@techworldwithmilan/when-to-use-graphql-grpc-and-rest-9d541c0bcfe0">https://medium.com/@techworldwithmilan/when-to-use-graphql-grpc-and-rest-9d541c0bcfe0</a></p>
<p><a target="_blank" href="https://blog.bytebytego.com/p/a-crash-course-in-graphql?utm_source=substack&utm_medium=email">https://blog.bytebytego.com/p/a-crash-course-in-graphql?utm_source=substack&utm_medium=email</a></p>

</article>
<article>
<h1>🔥 My Web Styling Handbook</h1>
<p>Tuan Tran Van — Sat, 22 Feb 2025 10:04:02 GMT</p>
<p>Are you ready to advance your CSS skills? Whether you are a seasoned pro or just starting out, you have all experienced those moments when your style sheets seem to have a mind of their own. This article will introduce you to some advanced CSS concepts, tips, and hacks that are sure to make your life easier and your designs impressive.</p>
<p>In this blog post, we are going to explore some awesome CSS hacks that will help you solve common challenges, improve your workflow, and add some extra pizzazz to your projects. These aren’t just any old tricks - they are practical, powerful, and perfect for UI developers like us who want to create stunning web experiences.</p>
<p>So, grab your favorite beverage, get comfy, and let’s dive into the world of CSS hacks!</p>
<h1 id="heading-css">CSS</h1>
<h2 id="heading-css-fundamental-principles">CSS Fundamental Principles</h2>
<p>CSS has a pretty simple syntax, but there are a lot of fundamental principles in how it works that catch people off guard. This can lead to confusion and a lot of frustration. There are also times when there are multiple ways to do the same thing, and that can lead to extra frustration as well because you don’t know which one is better in any given situation.</p>
<p>CSS really is one of those things that when you first start off with it, it just seems like it’s going to be the easiest thing in the world, and quickly can lead to times where you just want to throw your computer out the window. So with that in mind, let’s look at eight extremely important CSS concepts that, when you understand them, can really help simplify things and make your life much easier when you’re writing CSS.</p>
<h3 id="heading-the-box-model-and-why-you-need-box-sizing-border-box"><strong>The Box Model (and Why You Need box-sizing: border-box)</strong></h3>
<p>This is one of those things where it’s just really important to do this in every file you ever work in. Start your CSS with this:</p>
<pre><code class="lang-javascript">* {
  box-sizing: border-box;
}
</code></pre>
<p>The star selector means “select everything.” Now, over time you’re also going to start using pseudo-elements (don’t worry if you don’t know what those are yet, we’ll talk about them later), and when you do, you’ll want to update this to:</p>
<pre><code class="lang-javascript">*, *::before, *::after {
  box-sizing: border-box;
}
</code></pre>
<p>Just get in the habit of including the pseudo-elements now, even if you’re not using them yet, because you’re going to need them eventually.</p>
<p></p>
<p>Here’s why this matters. Let’s say you have an element and you give it a width of 400 pixels and padding of 20 pixels. The default behavior (called <code>content-box</code>) means that width is just the content itself, so you're adding 20 pixels on the left and 20 pixels on the right on top of that 400 pixels. Your element is actually 440 pixels wide now.</p>
<p>With <code>box-sizing: border-box</code>, that 400 pixels includes the padding. The padding pushes inward, and the element stays 400 pixels wide. This makes things much easier to calculate and to really be able to gauge how big something will be.</p>
<p>This isn’t as important as it used to be in the old days when we had float-based layouts and widths and heights were much more prevalent, but there’s still things where we set explicit widths and this is going to save you a lot of trouble in the long run. Just get in the habit of putting this at the top of every CSS file you create.</p>
<h3 id="heading-specificity-the-reason-your-styles-arent-working">Specificity (The Reason Your Styles Aren’t Working)</h3>
<p>Specificity is how specific our selectors are in our CSS, and it’s probably the number one reason beginners get frustrated when their styles don’t apply.</p>
<p>There tends to be three levels of selectors:</p>
<p><strong>Element selectors</strong> (lowest specificity):</p>
<pre><code class="lang-javascript">h2 {
  <span class="hljs-attr">color</span>: red;
}
</code></pre>
<p><strong>Class selectors</strong> (medium specificity):</p>
<pre><code class="lang-javascript">.color-accent {
  <span class="hljs-attr">color</span>: purple;
}
</code></pre>
<p><strong>ID selectors</strong> (highest specificity):</p>
<pre><code class="lang-javascript">#example {
  <span class="hljs-attr">color</span>: lime;
}
</code></pre>
<p>Here’s the thing: even if you have an h2 selector lower down in your CSS file that says the color should be red, if that h2 has a class on it with a different color, the class will win. It doesn’t matter where it is in the cascade because a class selector has more importance than an element selector.</p>
<p></p>
<p>The same goes for IDs, an ID selector will always beat a class selector, which will always beat an element selector.</p>
<p>You can also boost specificity with descendant selectors. For example:</p>
<pre><code class="lang-javascript">.dark-background h3 {
  <span class="hljs-attr">color</span>: red;
}
</code></pre>
<p>This is more specific than just <code>h3</code> because it's a class selector and an element selector combined together.</p>
<p>When something isn’t working, your dev tools can really help you out. Right-click on the element, inspect it, and you’ll see all the styles being applied. The ones that are crossed out are being overridden, and you can see exactly why, what selector is winning and where it’s coming from in your CSS file.</p>
<p>In general, try to avoid too much nesting and overly specific selectors. A lot of design systems use single class selectors for good reason, they keep specificity manageable and predictable.</p>
<h3 id="heading-inheritance-write-less-css-by-letting-things-flow-down">Inheritance (Write Less CSS by Letting Things Flow Down)</h3>
<p>Inheritance is when properties are passed down from a parent element to its children and grandchildren. This is one of those things you hear about early on but then you forget about it or you don’t really understand the implications of it.</p>
<p>Here’s the key: anything related to typography inherits by default. This includes color, font-family, font-size, text-align, line-height, and so on. Anything that is not related to typography generally does not inherit.</p>
<p></p>
<p>This means you can set styles once on the body (or html element) and they’ll flow down to everything inside:</p>
<pre><code class="lang-javascript">body {
  <span class="hljs-attr">color</span>: #<span class="hljs-number">333</span>;
  font-size: <span class="hljs-number">1.25</span>rem;
  font-family: Arial, sans-serif;
}
</code></pre>
<p>Now all your paragraphs, headings, and other text elements will inherit these styles. You don’t have to select each one individually.</p>
<p>The big advantage here is you get to write a lot less code. You set it once and then you don’t have to worry about it again. Of course, you can always overwrite things with more specific selectors when you need to.</p>
<p>One quick note: form elements don’t actually inherit font properties like you’d expect them to. You’ll often see this in CSS resets:</p>
<pre><code class="lang-javascript">button, input, textarea, select {
  <span class="hljs-attr">font</span>: inherit;
}
</code></pre>
<p>This forces these elements to start inheriting all the font properties like you would expect them to in the first place. The <code>font: inherit;</code> is a shorthand that inherits font-family, font-size, font-weight, line-height, and all the other font-related properties at once.</p>
<p>As much as possible, rely on inheritance. It means you get to write a lot less code and you can pick and choose places where you want to break out of that. One of the places where people go wrong is they start selecting everything and trying to style everything individually, and it just creates so much more work for you.</p>
<h3 id="heading-css-units-getting-the-right-size-for-the-job">CSS Units (Getting the Right Size for the Job)</h3>
<p>Understanding different units is fundamental for creating layouts that work across different screen sizes and situations. There are a lot of different units in CSS, and knowing which one to use can be confusing.</p>
<p></p>
<p><strong>Absolute units:</strong></p>
<ul>
<li><code>px</code> - Pixels are fixed units. Good for borders and small, precise measurements, but not great for responsive design when used for layout.</li>
</ul>
<p><strong>Relative units:</strong></p>
<ul>
<li><p><code>%</code> - Percentage of the parent element's size. Great for widths.</p>
</li>
<li><p><code>em</code> - Relative to the font-size of the element itself. Compounds when nested (can be tricky).</p>
</li>
<li><p><code>rem</code> - Relative to the root (html) font-size. Doesn't compound, making it more predictable. Great for spacing and font sizes.</p>
</li>
<li><p><code>vw/vh</code> - Viewport width and height. 1vw is 1% of the viewport width. Great for full-screen sections.</p>
</li>
</ul>
<p>For beginners, here’s a simple starting point:</p>
<ul>
<li><p>Use <code>rem</code> for font sizes and spacing (padding, margin)</p>
</li>
<li><p>Use <code>%</code> or <code>fr</code> (in grid) for widths</p>
</li>
<li><p>Use <code>px</code> for small things like borders</p>
</li>
<li><p>Use <code>vw/vh</code> when you need something relative to the viewport</p>
</li>
</ul>
<p>The reason <code>rem</code> is so popular is because if a user changes their browser's default font size (for accessibility), everything scales proportionally. If you used <code>px</code> everywhere, nothing would scale.</p>
<p>You don’t need to memorize all of this right away. Start with <code>rem</code> for most things and <code>px</code> for borders, and you'll be in good shape. As you get more comfortable, you can experiment with the other units.</p>
<h3 id="heading-display-property-how-elements-actually-behave">Display Property (How Elements Actually Behave)</h3>
<p>The display property is fundamental to understanding how elements behave on the page. Every HTML element has a default display value, and understanding this is crucial.</p>
<p></p>
<p><strong>display: block</strong> Block elements take up the full width available and start on a new line. Think of divs, paragraphs, headings, they stack vertically. You can set width and height on block elements.</p>
<p><strong>display: inline</strong> Inline elements only take up as much width as they need and don’t start on a new line. Think of spans, links, strong tags, they flow within text. You can’t set width and height on inline elements.</p>
<p><strong>display: inline-block</strong> This is a hybrid, it flows inline like an inline element, but you can set width and height on it like a block element. Really useful for things like navigation items or buttons that need to sit next to each other but have specific dimensions.</p>
<p><strong>display: none</strong> This removes the element from the page completely, it doesn’t take up any space. Different from <code>visibility: hidden</code> which hides it but leaves a gap where it would be.</p>
<p><strong>display: flex and display: grid</strong> These are your layout powerhouses. We’ll talk more about them in the next section.</p>
<p>Understanding display is important because sometimes you need to change an element’s default behavior. Maybe you want a link to behave like a block so you can give it padding and make it easier to click. Or you want list items to sit next to each other instead of stacking.</p>
<h3 id="heading-pseudo-classes-and-pseudo-elements-making-things-interactive">Pseudo-classes and Pseudo-elements (Making Things Interactive)</h3>
<p>Pseudo-classes and pseudo-elements are incredibly powerful tools that let you style elements based on their state or add content without touching your HTML. They look similar but do different things, and the way you write them is slightly different too.</p>
<p></p>
<p><strong>Pseudo-classes</strong> use a single colon (<code>:</code>) and are all about state. They let you style elements when something happens to them:</p>
<pre><code class="lang-javascript">a:hover {
  <span class="hljs-attr">color</span>: blue;
  text-decoration: underline;
}
</code></pre>
<pre><code class="lang-javascript">button:focus {
  <span class="hljs-attr">outline</span>: <span class="hljs-number">2</span>px solid blue;
}input:invalid {
  border-color: red;
}li:first-child {
  font-weight: bold;
}
</code></pre>
<p>These are essential for creating interactive experiences. Your links need hover states, your form inputs need focus styles for accessibility, and you often want to style the first or last item in a list differently.</p>
<p><strong>Pseudo-elements</strong> use a double colon (<code>::</code>) and let you add decorative content or style specific parts of an element:</p>
<pre><code class="lang-javascript">.quote::before {
  <span class="hljs-attr">content</span>: <span class="hljs-string">'"'</span>;
  font-size: <span class="hljs-number">2</span>em;
  color: gray;
}
</code></pre>
<pre><code class="lang-javascript">p::first-line {
  font-weight: bold;
}.card::after {
  <span class="hljs-attr">content</span>: <span class="hljs-string">''</span>;
  display: block;
  width: <span class="hljs-number">100</span>%;
  height: <span class="hljs-number">3</span>px;
  background: blue;
  margin-top: <span class="hljs-number">1</span>rem;
}
</code></pre>
<p>The <code>::before</code> and <code>::after</code> pseudo-elements are particularly useful for adding decorative elements without cluttering your HTML. You can create icons, dividers, or visual effects purely with CSS.</p>
<p>One thing to remember: pseudo-elements need the <code>content</code> property to show up, even if it's just <code>content: ''</code>. Without it, they won't render at all.</p>
<p>And here’s why back in the box model section I included <code>*::before</code> and <code>*::after</code> in the box-sizing rule - pseudo-elements create actual boxes on the page that need the same box-sizing behavior as everything else. If you don't include them, you might run into weird sizing issues later on.</p>
<h3 id="heading-responsive-design-with-media-queries-making-it-work-everywhere">Responsive Design with Media Queries (Making It Work Everywhere)</h3>
<p>Your website needs to work on phones, tablets, laptops, and big desktop monitors. That’s just reality these days. And the way we make that happen is with media queries.</p>
<p></p>
<p>Media queries let you apply different styles based on screen size:</p>
<pre><code class="lang-javascript"><span class="hljs-comment">/* Mobile-first approach - styles for small screens first */</span>
.container {
  <span class="hljs-attr">padding</span>: <span class="hljs-number">1</span>rem;
}
</code></pre>
<pre><code class="lang-javascript"><span class="hljs-comment">/* Tablets and up */</span>
@media (min-width: <span class="hljs-number">768</span>px) {
  .container {
    <span class="hljs-attr">padding</span>: <span class="hljs-number">2</span>rem;
  }
}<span class="hljs-comment">/* Desktop and up */</span>
@media (min-width: <span class="hljs-number">1024</span>px) {
  .container {
    <span class="hljs-attr">padding</span>: <span class="hljs-number">3</span>rem;
    max-width: <span class="hljs-number">1200</span>px;
    margin: <span class="hljs-number">0</span> auto;
  }
}
</code></pre>
<p>I recommend a <strong>mobile-first approach</strong>. Write your base styles for mobile devices, then use <code>min-width</code> media queries to add complexity as the screen gets bigger. This makes more sense because:</p>
<ul>
<li><p>Mobile is the most constrained environment — if it works on mobile, you can build up from there</p>
</li>
<li><p>It’s easier to add complexity than to strip it away</p>
</li>
<li><p>Most traffic these days is mobile anyway</p>
</li>
</ul>
<p>You can also use media queries for other things:</p>
<pre><code class="lang-javascript"><span class="hljs-comment">/* Dark mode */</span>
@media (prefers-color-scheme: dark) {
  body {
    <span class="hljs-attr">background</span>: #<span class="hljs-number">222</span>;
    color: #fff;
  }
}
</code></pre>
<pre><code class="lang-javascript"><span class="hljs-comment">/* Print styles */</span>
@media print {
  nav, footer {
    <span class="hljs-attr">display</span>: none;
  }
}
</code></pre>
<p>Common breakpoints you’ll see are:</p>
<ul>
<li><p>640px or 768px for tablets</p>
</li>
<li><p>1024px or 1280px for desktop</p>
</li>
<li><p>But honestly, your breakpoints should be based on your content, not specific devices</p>
</li>
</ul>
<p>Don’t stress too much about getting the perfect breakpoints from the start. As you build, you’ll see where your design breaks and that’s where you add a media query. Your browser dev tools let you test this easily — just toggle the responsive design mode and resize the viewport to see where things start looking wonky.</p>
<p>You don’t need to master responsive design right away. Start with making things work on mobile, then add a breakpoint or two as you need them. Over time you’ll get a feel for where you typically need to adjust things.</p>
<h2 id="heading-css-flexbox">CSS Flexbox</h2>
<p></p>
<p>Check out <a target="_blank" href="https://levelup.gitconnected.com/learn-css-flexbox-the-easy-way-27bd01922040">this article</a> to explore the details.</p>
<p><a target="_blank" href="https://www.joshwcomeau.com/css/interactive-guide-to-flexbox/">https://www.joshwcomeau.com/css/interactive-guide-to-flexbox/</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/6-flexbox-secrets-that-professional-css-developers-use-but-never-document-34c8e28d32be">https://javascript.plainenglish.io/6-flexbox-secrets-that-professional-css-developers-use-but-never-document-34c8e28d32be</a></p>
<p><a target="_blank" href="https://levelup.gitconnected.com/5-flexbox-bugs-every-beginner-creates-and-how-to-spot-them-in-10-seconds-c8da0a82fcc5">https://levelup.gitconnected.com/5-flexbox-bugs-every-beginner-creates-and-how-to-spot-them-in-10-seconds-c8da0a82fcc5</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/the-flexbox-gaps-that-break-mobile-layouts-and-3-lines-of-css-to-fix-them-cd4c5c4ba851">https://javascript.plainenglish.io/the-flexbox-gaps-that-break-mobile-layouts-and-3-lines-of-css-to-fix-them-cd4c5c4ba851</a></p>
<p><a target="_blank" href="https://medium.com/@orami98/10-css-layouts-that-solve-the-most-frustrating-web-design-problems-in-2025-4e04608e7913">https://medium.com/@orami98/10-css-layouts-that-solve-the-most-frustrating-web-design-problems-in-2025-4e04608e7913</a></p>
<p><a target="_blank" href="https://medium.com/@kp9810113/stop-fighting-flexbox-7-simple-tricks-for-flawless-layouts-059758bd07f8">https://medium.com/@kp9810113/stop-fighting-flexbox-7-simple-tricks-for-flawless-layouts-059758bd07f8</a></p>
<h2 id="heading-css-grid">CSS Grid</h2>
<p></p>
<p>Check out <a target="_blank" href="https://www.freecodecamp.org/news/complete-guide-to-css-grid/">this handbook</a> to explore everything about Grid CSS.</p>
<p><a target="_blank" href="https://www.joshwcomeau.com/css/interactive-guide-to-grid/?ref=dailydev#grid-flow-2">https://www.joshwcomeau.com/css/interactive-guide-to-grid/?ref=dailydev#grid-flow-2</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/5-modern-css-grid-techniques-that-will-transform-your-layouts-b9f5ccbde9c2">https://javascript.plainenglish.io/5-modern-css-grid-techniques-that-will-transform-your-layouts-b9f5ccbde9c2</a></p>
<p><a target="_blank" href="https://javascript.plainenglish.io/build-a-modern-dashboard-4-css-grid-techniques-for-complex-layouts-88cb5a90c34f">https://javascript.plainenglish.io/build-a-modern-dashboard-4-css-grid-techniques-for-complex-layouts-88cb5a90c34f</a></p>
<p><a target="_blank" href="https://medium.com/codetodeploy/7-modern-css-grid-tricks-i-wish-i-knew-earlier-especially-for-mobile-6b10d0154964">https://medium.com/codetodeploy/7-modern-css-grid-tricks-i-wish-i-knew-earlier-especially-for-mobile-6b10d0154964</a></p>
<h2 id="heading-the-css-revolution-is-here">The CSS Revolution is Here</h2>
<p>I will admit it — CSS used to feel like a quiet kid in the room. Useful, essential, but not exactly surprising. Then 2025 hit, and everything changed.</p>
<p>Over the past few months, I have been implementing some of these new features in a real-world freelance project, and I can tell you: We are living through a real CSS revolution.</p>
<p>If you are a Front-end developer, a no-code designer, or a freelance pro looking to deliver clean, modern, accessible interfaces, this is the moment to uplevel your toolkit.</p>
<p>Want to stick a header that just works without JavaScript?</p>
<p>Need to animate a button only when it’s inside a specific block?</p>
<p>Or maybe style elements differently depending on what’s inside them?</p>
<p>All of that is now possible — with CSS alone.</p>
<h3 id="heading-aspect-ratio"><code>aspect-ratio</code></h3>
<p>Have you ever used a “<a target="_blank" href="https://css-tricks.com/aspect-ratio-boxes/">padding hack</a>“ to force an aspect ratio such as 16:9 video embeds? As of September 2021, the <code>aspect-ratio</code> property is stable in evergreen browsers and is the only property needed to define an aspect ratio.</p>
<p>For an HD video, you can just use an <code>aspect-ratio: 16/9</code>. For a perfect square, only <code>aspect-ratio: 1</code> is required since the implied second value is also 1;</p>
<p></p>
<p>Of note, an applied <code>aspect-ratio</code> is forgiving and will allow context to take precedence. This means that when content causes the element to exceed the ratio in at least one dimension, the element will still grow or change shape to accommodate the content. To prevent or control this behavior, you can add additional dimension properties, like <code>max-width</code>, which may be necessary to avoid expanding out the flex or grid container.</p>
<p></p>
<h3 id="heading-object-fit"><code>object-fit</code></h3>
<p>This is actually the oldest property on this list, but it solves an important issue and definitely fits the sentiment of a one-line upgrade.</p>
<p>The use of <code>object-fit</code> causes an image or other replaced elements to act as the container for its content, and have those contents adopt resizing behavior similar to <code>background-size</code>.</p>
<p>While there are a few values available for <code>object-fit</code>, the following are the ones you are most likely to use:</p>
<ul>
<li><p><code>cover</code> - The image is resized to cover the element and maintain its aspect ratio so that the content is not distorted.</p>
</li>
<li><p><code>scale-down</code>: The image resizes (if needed) within the element so that it is fully visible without being clipped and maintains its aspect ratio, which may lead to extra space (“letterboxing”) around the image if the image has a different rendered aspect ratio.</p>
</li>
</ul>
<p>In either case, <code>object-fit</code> is an excellent property pairing with <code>aspect-ratio</code> to ensure images are not distorted when you apply a custom aspect ratio.</p>
<p></p>
<h3 id="heading-margin-inline"><code>margin-inline</code></h3>
<p>One of many logical properties, <code>margin-inline</code> functions as a shorthand for setting the margin inline (left and right in horizontal writing modes).</p>
<p>The replacement here is simple:</p>
<pre><code class="lang-css"><span class="hljs-comment">/* Before */</span>
<span class="hljs-selector-tag">margin-left</span>: <span class="hljs-selector-tag">auto</span>;
<span class="hljs-selector-tag">margin-right</span>: <span class="hljs-selector-tag">auto</span>;

<span class="hljs-comment">/* After */</span>
<span class="hljs-selector-tag">margin-inline</span>: <span class="hljs-selector-tag">auto</span>;
</code></pre>
<p>Logical properties have been available for a couple of years and now have <a target="_blank" href="https://caniuse.com/css-logical-props">support upwards of 98%</a> (with occasional prefixing). Review the article by Ahmad Shadeed to learn more about <a target="_blank" href="https://ishadeed.com/article/css-logical-properties/">using logical properties</a> and their importance for sites with international audiences.</p>
<h3 id="heading-text-underline-offset"><code>text-underline-offset</code></h3>
<p>The use of text-underline-offset allows you to control the distance between the text baseline and the underline. This property has become a part of my standard reset, applied as follows:</p>
<pre><code class="lang-css"><span class="hljs-selector-tag">a</span><span class="hljs-selector-pseudo">:not(</span><span class="hljs-selector-attr">[class]</span>) {
    <span class="hljs-attribute">text-underline-offset</span>: <span class="hljs-number">0.25em</span>;
}
</code></pre>
<p>This offset can clear descenders and (subjectively) improve legibility, particularly when links are grouped in close proximity, such as in a bulleted list.</p>
<p>This upgrade may replace older hacks like a border or pseudo-element or give a gradient background, especially when used with its friend:</p>
<ul>
<li><p><code>text-decoration-color</code>: to change the underlying color</p>
</li>
<li><p>t<code>ext-decoration-thickness</code>: to change the underlined stroke thickness</p>
</li>
</ul>
<h3 id="heading-outline-offset"><code>outline-offset</code></h3>
<p>Have you been using <code>box-shadow</code> or perhaps a pseudo-element to supply a custom outline when you wanted distance between the element and outline on focus?</p>
<p>Good news! The long-available <code>outline-offset</code> property may be the one you missed, and it enables pushing the outline away from the element with the positive value or pulling it into the element with the negative value.</p>
<p>In the demo, the gray solid line is the element border, and the blue dashed line is the outline being positioned via <code>outline-offset</code>.</p>
<p></p>
<p><strong>Reminder</strong>: Outlines are not computed as parts of the element’s box size, so increasing the distance will not increase the amount of space an element occupies. This is similar to how <code>box-shadow</code> is rendered without impacting the element size as well.</p>
<h3 id="heading-scroll-margin-topbottom">scroll-margin-top/bottom</h3>
<p>The <code>scroll-margin</code> set of properties (and corresponding <code>scroll-padding</code>) allows adding an offset to an element in the context of the scroll position. In other words, adding <code>scroll-padding-top</code> can increase the scroll offset above the element but doesn’t affect its layout position within the document.</p>
<p>Why is this useful? Well, it can alleviate issues caused by a sticky nav element covering content when an anchor link is activated. Using <code>scroll-margin-top</code> we can increase the space above the element when it is scrolled via navigation to account for the space occupied by the sticky nav.</p>
<p>If you have a navigation bar and an anchor link, the bar might obscure the target element. You can use <code>scroll-margin-top</code> to account for the height of the sticky header.</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">nav</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"sticky-header"</span>></span>Header<span class="hljs-tag"></<span class="hljs-name">nav</span>></span>
<span class="hljs-tag"><<span class="hljs-name">div</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"section1"</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"scroll-target"</span>></span>Section 1<span class="hljs-tag"></<span class="hljs-name">div</span>></span>
</code></pre>
<pre><code class="lang-css"><span class="hljs-selector-class">.sticky-header</span> {
  <span class="hljs-attribute">position</span>: sticky;
  <span class="hljs-attribute">top</span>: <span class="hljs-number">0</span>;
  <span class="hljs-attribute">height</span>: <span class="hljs-number">50px</span>;
  <span class="hljs-attribute">background</span>: <span class="hljs-number">#333</span>;
  <span class="hljs-attribute">color</span>: white;
}

<span class="hljs-selector-class">.scroll-target</span> {
  <span class="hljs-attribute">scroll-margin-top</span>: <span class="hljs-number">50px</span>; <span class="hljs-comment">/* Adds space equal to the sticky header's height */</span>
}
</code></pre>
<p>When navigating to #section1, it will appear 50px below the top of the viewport, leaving space for the sticky header.</p>
<h3 id="heading-color-scheme"><code>color-scheme</code></h3>
<p>You may be familiar with the <code>prefers-color-scheme</code> media query to customize dark and light themes. The CSS property <code>color-scheme</code> is an opt-in to adapting browser UI elements, including form controls, scrollbars, and CSS system colors. The adaptation asks the browser to render those items with either a <code>light</code> or <code>dark</code> scheme, and the property allows defining a preference order.</p>
<p>If you’re enabling the adaptation of your entire application, set the following <code>:root</code>, which says to preference a <code>dark</code> theme (or flip the order to preference a <code>light</code> theme).</p>
<pre><code class="lang-css"><span class="hljs-selector-pseudo">:root</span> {
    <span class="hljs-attribute">color-scheme</span>: dark light;
}
</code></pre>
<p>You can also define <code>color-scheme</code> on individual elements, such as adjusting form controls within an element with a dark background to improve contrast.</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.dark-background</span> {
    <span class="hljs-attribute">color-scheme</span>: dark;
}
</code></pre>
<h3 id="heading-width-fit-content"><code>width: fit-content</code></h3>
<p>One of my favorite CSS hidden gems is the use of fit-content to “shrink wrap“ an element to its content.</p>
<p>Whereas you may have used an inline display value such as <code>display: inline-block</code> to reduce an element’s width to the content size, an upgrade to <code>width: fit-content</code> will achieve the same effect. The advantage of <code>width: fit-content</code> is that it leaves the <code>display</code> value available, thereby not changing the position of the element in the layout unless you adjust that as well. The computed box size will adjust to the dimensions created by <code>fit-content</code>.</p>
<p></p>
<p>Consider the secondary upgrade for this technique to the logical property equivalent of <code>inline-size: fit-content</code>.</p>
<h3 id="heading-overscroll-behavior"><code>overscroll-behavior</code></h3>
<p>The default behavior of contained scroll regions - areas with limited dimensions where overflow is allowed to be scrolled - is that when the scroll runs out in the element, the scroll interaction passes to the background page. This can be jarring at best and frustrating at worst for your users.</p>
<p>Use of <code>overscroll-behavior: contain</code> will isolate the scrolling to the contained region, preventing the scroll by moving it to the parent page once the scroll boundary is reached. This is useful in contexts such as a sidebar of navigation links, which may have an independent scroll from the main page content, which may be a long article or documentation page.</p>
<p></p>
<h3 id="heading-object-position"><code>object-position</code></h3>
<p>When you apply it to the image <code>object-fit</code> - It will crop the image to the specified height & width in order to look sharp:</p>
<p></p>
<p>However, we can’t control which part of the image will be cropped, so the object position is crucial.</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.test</span> {
  <span class="hljs-attribute">height</span>: <span class="hljs-number">350px</span>;
  <span class="hljs-attribute">width</span>: <span class="hljs-number">500px</span>;
  <span class="hljs-attribute">object-fit</span>: cover;
  <span class="hljs-attribute">object-position</span>: bottom;
}
</code></pre>
<p></p>
<pre><code class="lang-css"><span class="hljs-selector-tag">object-position</span>: <span class="hljs-selector-tag">top</span>;
</code></pre>
<p></p>
<p>As well as we can add: left or right. We can even be more precise when we specify two parameters like <code>object-position: center bottom</code>;</p>
<h3 id="heading-supports"><strong>supports</strong></h3>
<p>The <code>@supports</code> rule in CSS is a feature-detection mechanism that allows developers to apply styles conditionally based on whether a specific CSS property is supported by the browser. This enables graceful degradation and progressive enhancement, ensuring that modern features are used when available while providing fallback styles for older browsers.</p>
<p><strong>How it works</strong>: The <code>@supports</code> rule checks if a given CSS property or feature is supported by the browser. If the condition evaluates to true, the enclosed styles are applied.</p>
<pre><code class="lang-css"><span class="hljs-keyword">@supports</span> (<span class="hljs-attribute">display:</span> flex) {
  <span class="hljs-selector-class">.flex-container</span> > * {
    <span class="hljs-attribute">text-shadow</span>: <span class="hljs-number">0</span> <span class="hljs-number">0</span> <span class="hljs-number">2px</span> blue;
    <span class="hljs-attribute">float</span>: none;
  }
}
</code></pre>
<p>In this example, the styles inside <code>@supports</code> will only apply if the browser supports <code>display: flex</code>, ensuring a modern layout while avoiding issues in unsupported environments.</p>
<p><strong>Use Cases</strong>:</p>
<ul>
<li><p><strong>Progressive Enhancement</strong>: Apply modern styles while ensuring compatibility with older browsers.</p>
</li>
<li><p><strong>Failure Detection for New CSS Properties</strong>: Check support for advanced CSS properties like content-visibility or aspect-ratio.</p>
</li>
<li><p><strong>CSS Grid and Flexbox Fallbacks</strong>: Use @supports to apply grid or flexbox styles only when they are available while providing float-based fallbacks for older browsers.</p>
</li>
<li><p><strong>Ensuring Browser Compatibility</strong>: This helps maintain a consistent design experience across different user environments.</p>
</li>
</ul>
<h3 id="heading-content-visibility">content-visibility</h3>
<p>The <code>content-visibility</code> property is a game-changer for performance optimization in CSS. It enables browsers to skip the rendering work for an element until it’s needed, significantly improving the loading and rendering performance of complex or large layouts.</p>
<p><strong>How it works</strong>: When set to ‘auto’, <code>content-visibility</code> tells the browser that it can skip the rendering of the element’s content if they are not currently visible in the viewport. The browser still does the initial layout, but it doesn’t render the content until it’s needed.</p>
<pre><code class="lang-css"><span class="hljs-selector-tag">section</span> {
  <span class="hljs-attribute">content-visibility</span>: auto;
  <span class="hljs-attribute">contain-intrinsic-size</span>: auto <span class="hljs-number">500px</span>;
}
</code></pre>
<p>In this example, sections that are not in the viewport will not have their contents rendered, speeding up the initial page load. The <code>contain-intrinsic-size</code> property provides an estimated size for the content, helping to prevent layout shifts as the content is loaded.</p>
<p><strong>Use Cases:</strong></p>
<ul>
<li><p><strong>Long Lists and Feeds</strong>: Optimize the performance of infinite scrolling lists or news feeds by only rendering the items currently visible in the viewport.</p>
</li>
<li><p><strong>Complex layouts</strong>: Improved the initial load time of pages with complex layouts by deferring the rendering of off-screen sections until they are needed</p>
</li>
<li><p><strong>Tabs and Accordions</strong>: Prevent the browser from rendering the hidden tab panels or accordion sections until they are activated, improving initial page load and interactivity.</p>
</li>
<li><p><strong>Image-Heavy Pages:</strong> Combine <code>content-visibility: auto</code> with lazy-loading techniques to further optimize image loading and improve perceived performance.</p>
</li>
</ul>
<h3 id="heading-keyframes">keyframes</h3>
<p>The <code>@keyframes</code> rule is a cornerstone of CSS animations, allowing developers to define the intermediate steps in a CSS animation sequence. This powerful feature enables the creation of complex, multi-step animations without relying on JavaScript.</p>
<p><strong>How it works</strong>: <code>@keyframes</code> defines a series of style changes that should occur at specified points during an animation. These keyframes can be defined using percentages of the animation duration or the keywords ‘from‘ and ‘to’.</p>
<pre><code class="lang-css"><span class="hljs-keyword">@keyframes</span> slide-in {
  <span class="hljs-selector-tag">from</span> {
    <span class="hljs-attribute">transform</span>: <span class="hljs-built_in">translateX</span>(-<span class="hljs-number">100%</span>);
    <span class="hljs-attribute">opacity</span>: <span class="hljs-number">0</span>;
  }

  50% {
    <span class="hljs-attribute">opacity</span>: <span class="hljs-number">0.5</span>;
  }

  <span class="hljs-selector-tag">to</span> {
    <span class="hljs-attribute">transform</span>: <span class="hljs-built_in">translateX</span>(<span class="hljs-number">0</span>);
    <span class="hljs-attribute">opacity</span>: <span class="hljs-number">1</span>;
  }
}

<span class="hljs-selector-class">.animated-element</span> {
  <span class="hljs-attribute">animation</span>: slide-in <span class="hljs-number">2s</span> ease-in-out;
}
</code></pre>
<p>This example defines a ‘slide-in‘ animation where an element moves from left to right while fading in. The animation is then applied to <code>.animated-element</code>.</p>
<p><strong>Use cases:</strong></p>
<ul>
<li><p><strong>UI Transitions</strong>: Create smooth transitions for UI elements like modals, dropdowns, or navigation menus.</p>
</li>
<li><p><strong>Looping Animations</strong>: Design perpetual animations for loading indicators, background effects, or decorative elements.</p>
</li>
<li><p><strong>Interactive Feedback:</strong> Use animations triggered by user actions to provide user feedback and enhance user experience.</p>
</li>
<li><p><strong>Storytelling and Engagement</strong>: Develop complex, multi-step animations to guide users through the narrative or highlight key information on the page.</p>
</li>
</ul>
<h3 id="heading-image-set">image-set()</h3>
<p>The <code>image-set()</code> CSS functional notation is a powerful tool for responsive image management. It allows the browser to choose the most appropriate image from a set of options, primarily based on the device’s pixel density.</p>
<p><strong>How it works</strong>: <code>image-set()</code> provides a list of image sources along with their resolution descriptors. The browser then selects the most suitable image based on the device’s characteristics.</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.box</span> {
  <span class="hljs-attribute">width</span>: <span class="hljs-number">400px</span>;
  <span class="hljs-attribute">height</span>: <span class="hljs-number">200px</span>;
  <span class="hljs-attribute">background-repeat</span>: no-repeat;
  <span class="hljs-attribute">background-size</span>: cover;

  <span class="hljs-attribute">background-image</span>: <span class="hljs-built_in">image-set</span>(
    url(<span class="hljs-string">"https://image1.jpg"</span>) <span class="hljs-number">1</span>x,
    <span class="hljs-built_in">url</span>(<span class="hljs-string">"https://image2.jpg"</span>) <span class="hljs-number">2</span>x
  );
</code></pre>
<p>In this example, devices with standard resolution will load <code>image1.jpg</code>, while high-resolution devices (like Retina displays) will load <code>image2.jpg</code>.</p>
<p><strong>Use Cases:</strong></p>
<ul>
<li><p><strong>Responsive Images</strong>: Provide different image resolutions for various device pixel ratios, ensuring crisp images on high-DPI screens without unnecessarily large downloads on standard screens</p>
</li>
<li><p><strong>Art Direction</strong>: Use <code>image-set()</code> in combination with media queries to serve different images based on both screen resolution and size, allowing for more nuanced art direction on responsive designs.</p>
</li>
<li><p><strong>Performance Optimization</strong>: By serving appropriately sized images, you can significantly reduce bandwidth usage and improve load times, especially on mobile devices.</p>
</li>
<li><p><strong>Future-Proofing</strong>: As new screen resolutions emerge, <code>image-set()</code> allows you to easily add support for these without changing your existing markup.</p>
</li>
</ul>
<h3 id="heading-white-space-collapse">white-space-collapse</h3>
<p>The <code>white-space-collapse</code> property offers precise control over how a whitespace is handled in text, allowing for collapsing, preserving, or other custom behaviors. This property provides more granular control than the traditional <code>white-space</code> property, enabling developers to fine-tune text presentation.</p>
<p><strong>How it works:</strong> <code>white-space-collapse</code> determines how sequences of white spaces are handled within an element. It offers several values:</p>
<ul>
<li><p>collapse: Collapses sequences of white space into a single space (default behavior)</p>
</li>
<li><p>preserve: Preserves all while space characters</p>
</li>
<li><p>preserve-breaks: Preserves line breaks but collapses other white spaces.</p>
</li>
<li><p>breaks-space: Similar to preserve but allows breaking at any white space character.</p>
</li>
</ul>
<pre><code class="lang-css"><span class="hljs-selector-class">.collapsed-spaces</span> {
  <span class="hljs-attribute">white-space-collapse</span>: collapse;
}

<span class="hljs-selector-class">.preserved-spaces</span> {
  <span class="hljs-attribute">white-space-collapse</span>: preserve;
}

<span class="hljs-selector-class">.preserved-breaks</span> {
  <span class="hljs-attribute">white-space-collapse</span>: preserve-breaks;
}

<span class="hljs-selector-class">.break-spaces</span> {
  <span class="hljs-attribute">white-space-collapse</span>: break-spaces;
}
</code></pre>
<p>These examples demonstrate different ways of handling white space within text elements.</p>
<p><strong>Use Cases:</strong></p>
<ul>
<li><p><strong>Code Examples:</strong> Use preserve or preserve-breaks to display code snippets with accurate spacing and indentation.</p>
</li>
<li><p><strong>Preformatted Text:</strong> Maintain precise <code>whitespace</code> in preformatted text blocks, ensuring the layout matches the original formatting.</p>
</li>
<li><p><strong>Controlling Wrapping in Long Strings:</strong> Use <code>break-spaces</code> to allow wrapping within long strings that lack natural word breaks, such as URLs or database keys.</p>
</li>
<li><p><strong>Fine-Tuning Text Layout:</strong> Use collapse to control spacing between words and lines, creating more precise typographic adjustments.</p>
</li>
</ul>
<h3 id="heading-min-max-and-clamp">Min, Max, and Clamp</h3>
<h3 id="heading-min">min()</h3>
<pre><code class="lang-typescript"><span class="hljs-comment">/* Keeps buttons from getting too wide on large screens */</span>
.pricing-button {
  width: min(<span class="hljs-number">300</span>px, <span class="hljs-number">90</span>%);
}
</code></pre>
<p>Think of <code>min()</code> as setting an upper limit. It will pick the smaller of the values. Handy for keeping elements from getting too big while still being responsive. So as long as <code>90%</code> calculates to be less than <code>300px</code> 90% is used; once it gets beyond <code>300px</code> that, the value is used.</p>
<h3 id="heading-max">max()</h3>
<pre><code class="lang-typescript"><span class="hljs-comment">/* Ensures text stays readable even on tiny screens */</span>
.terms-container {
  font-size: max(<span class="hljs-number">16</span>px, <span class="hljs-number">1.2</span>vw);
}
</code></pre>
<p><code>max()</code> is like setting a minimum value, but it picks the larger option. Perfect for preventing elements from shrinking too much on mobile devices.</p>
<h3 id="heading-clamp"><strong>clamp()</strong></h3>
<p><code>clamp()</code> is like having <code>min()</code> and <code>max()</code> combined! It takes three values:</p>
<pre><code class="lang-css"><span class="hljs-selector-tag">body</span> {
  <span class="hljs-attribute">max-width</span>: <span class="hljs-built_in">clamp</span>(<span class="hljs-number">320px</span>, <span class="hljs-number">90%</span>, <span class="hljs-number">1000px</span>);
  <span class="hljs-comment">/* additional recommendation */</span>
  <span class="hljs-attribute">margin</span>: auto;
}
</code></pre>
<p>Adding this one line will reduce the content size to occupy 90% of the viewport and limit its width between 320 and 1000 pixels (feel free to update the minimum and maximum values)</p>
<p>This change will automatically make your content look much nicer. It will no longer be a vast text block but something that looks more structured and organized. And if you also add <code>margin: auto</code> to the body, the content will be centered on the page. Two lines of code make the content look so much better.</p>
<p></p>
<h3 id="heading-the-has-pseudo-class">The <code>:has()</code> pseudo-class</h3>
<pre><code class="lang-css"><span class="hljs-selector-class">.hero</span><span class="hljs-selector-pseudo">:has(.hero-button)</span> {
  <span class="hljs-attribute">background-color</span>: <span class="hljs-built_in">var</span>(--accent-<span class="hljs-number">50</span>);
}
</code></pre>
<p>This CSS pseudo-class <code>:has()</code> provides a powerful way to select an element based on its descendants, similar to the application of conditional styles.</p>
<h3 id="heading-is-amp-where-cleaner-dry-selectors"><code>:is()</code> & <code>:where()</code> – Cleaner, DRY selectors</h3>
<p>Writing complex combinations of selectors has always been a pain. With <code>:is()</code> and <code>:where()</code>, we can group rules and make the code cleaner and more readable.</p>
<pre><code class="lang-typescript">:is(h1, h2, h3, h4) {
  font-family: <span class="hljs-string">"Inter"</span>, sans-serif;
}
</code></pre>
<p><code>:is()</code> applies the <strong>highest specificity</strong> of any selector inside.<br /><code>:where()</code> has <strong>zero specificity</strong>: perfect for resets or design systems.</p>
<p>💡 <strong>Example with a custom reset:</strong></p>
<pre><code class="lang-typescript">:where(h1, h2, h3, p) {
  margin-block: <span class="hljs-number">0.5</span>em;
}
</code></pre>
<p><strong>🛠️Use-case:</strong><br />When working with WordPress themes or CSS builders, these help you maintain style control without fighting the cascade.</p>
<h3 id="heading-backdrop-style-native-modal-backgrounds"><code>::backdrop</code> – Style native modal backgrounds</h3>
<p>Using <code><dialog></code> (HTML5), You can now <strong>style the background behind the modal</strong>, creating modern effects like blur or gradients.</p>
<pre><code class="lang-typescript">::backdrop {
  background: rgba(<span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0.5</span>);
  backdrop-filter: blur(<span class="hljs-number">6</span>px);
}
</code></pre>
<p><em>Elegant and accessible native effect</em></p>
<p><strong>🛠️Use-case:</strong><br />Perfect for portfolio sites, contact modals, GDPR, or newsletter popups — without heavy plugins.</p>
<h3 id="heading-target-text-automatically-highlight-linked-text"><code>::target-text</code> – Automatically highlight linked text</h3>
<p>This new pseudo-class lets you <strong>style the text targeted by internal links</strong> (<code>#anchor</code>), improving navigation in long documents or FAQ sections.</p>
<pre><code class="lang-typescript">::target-text {
  background: yellow;
}
</code></pre>
<p><strong>🛠️Use-case:</strong><br />Great for documentation, anchor menu links, or e-commerce with expandable FAQ blocks.</p>
<h3 id="heading-container-queries">Container Queries</h3>
<p><a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_containment/Container_queries">CSS container queries</a> introduced a new approach to responsiveness. Previously, we used media queries to create UIs that adapted to different screen sizes. But it wasn’t as easy as it sounds. There were issues in maintenance, performance, flexibility, and style overlapping.</p>
<p>Container queries resolve these issues by allowing developers to customize elements depending on their parent container size. Since this method doesn’t depend on the viewport size, it makes the HTML components fully modular and self-contained.</p>
<p>The following is a simple example of how container queries work:</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.wrapper</span> {
  <span class="hljs-attribute">display</span>: grid;
  <span class="hljs-attribute">grid-template-columns</span>: <span class="hljs-number">2</span>fr <span class="hljs-number">1</span>fr;
  <span class="hljs-attribute">gap</span>: <span class="hljs-number">20px</span>;
}
<span class="hljs-keyword">@container</span> (<span class="hljs-attribute">min-width:</span> <span class="hljs-number">500px</span>) {
  <span class="hljs-selector-class">.profile-card</span> {
    <span class="hljs-attribute">grid-template-columns</span>: <span class="hljs-number">150px</span> <span class="hljs-number">1</span>fr;
    <span class="hljs-attribute">grid-template-rows</span>: auto <span class="hljs-number">1</span>fr;
    <span class="hljs-attribute">align-items</span>: start;
    <span class="hljs-attribute">gap</span>: <span class="hljs-number">20px</span>;
  }

  <span class="hljs-selector-class">.profile-card</span> <span class="hljs-selector-tag">header</span>,
  <span class="hljs-selector-class">.profile-card</span> <span class="hljs-selector-class">.bio</span> {
    <span class="hljs-attribute">grid-column</span>: <span class="hljs-number">2</span>;
  }

  <span class="hljs-selector-class">.profile-card</span> <span class="hljs-selector-class">.profile-image</span> {
    <span class="hljs-attribute">grid-row</span>: <span class="hljs-number">1</span> / <span class="hljs-number">3</span>;
    <span class="hljs-attribute">grid-column</span>: <span class="hljs-number">1</span>;
  }
}
</code></pre>
<p>This container query adjusts the layout of the profile card when its width reaches 500px or more. It changes the card from a stacked layout (with the image on top) to a two-column layout when the image appears on the left and the text content aligns on the right.</p>
<p></p>
<p>Container queries are very useful in design systems where components need to adapt based on their immediate environment rather than the entire viewport. However, container queries still <a target="_blank" href="https://caniuse.com/css-container-queries">lack full browser support</a>. If your users are using unsupported browsers or older versions, they might face styling issues.</p>
<h3 id="heading-subgrid">Subgrid</h3>
<p><a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_grid_layout/Subgrid">Subgrid</a> is an exciting addition to the CSS grid layout model. It allows you to inherit the grid structure of the parent grid container in child grid items. In other words, a subgrid allows you to align child elements according to the rows or columns of the parent grid. This method allows you to easily create complex nested grids without using nested grid overrides.</p>
<p>In the following code example, the layout uses the subgrid approach within a list:</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.product-wrapper</span> {
  <span class="hljs-attribute">display</span>: grid;
  <span class="hljs-attribute">grid-template-columns</span>: <span class="hljs-built_in">repeat</span>(auto-fit, minmax(<span class="hljs-number">300px</span>, <span class="hljs-number">1</span>fr));
}
<span class="hljs-selector-class">.product-card</span> {
  <span class="hljs-attribute">display</span>: grid;
  <span class="hljs-attribute">grid-template-rows</span>: subgrid; <span class="hljs-comment">/* Allows the nested grid to align directly with the parent grid */</span>
}
</code></pre>
<p>In the example, the <code>product-wrapper</code> creates a flexible grid layout to control the number of columns based on the container width. Then, each <code>product-card</code> aligns its rows directly with the grids defined by the <code>product-wrapper</code> .</p>
<p></p>
<h3 id="heading-layer">@layer</h3>
<p>If you have used Tailwind CSS, this might look familiar. <code>@layer</code> manages specificity conflicts by explicitly ordering style groups. Later layers always “win” regardless of specificity, solving the cascade that confuses (and annoys!) so many developers.</p>
<pre><code class="lang-typescript"><span class="hljs-comment">/* Define layer order - order here determines priority */</span>
<span class="hljs-meta">@layer</span> reset, components, utilities;

<span class="hljs-comment">/* Reset layer: lowest priority */</span>
<span class="hljs-meta">@layer</span> reset {
  * {
    margin: <span class="hljs-number">0</span>;
    padding: <span class="hljs-number">0</span>;
    box-sizing: border-box;
  }
}

<span class="hljs-comment">/* Components layer: middle priority */</span>
<span class="hljs-meta">@layer</span> components {
  .button {
    <span class="hljs-comment">/* Even if utilities have lower specificity,
       they'll still override these styles */</span>
    padding: <span class="hljs-number">.5</span>rem <span class="hljs-number">1</span>rem;
    background: blue;
  }
}

<span class="hljs-comment">/* Utilities layer: highest priority */</span>
<span class="hljs-meta">@layer</span> utilities {
  .p<span class="hljs-number">-4</span> {
    <span class="hljs-comment">/* This wins over component padding */</span>
    padding: <span class="hljs-number">1.25</span>rem;
  }

  .bg-red {
    <span class="hljs-comment">/* This wins over component background */</span>
    background: red;
  }
}
</code></pre>
<h3 id="heading-scope">scope</h3>
<p>The <code>@scope</code> at-rule introduces a revolutionary way to manage CSS specificity and encapsulation. It allows developers to define a specific scope for CSS selectors, making it easier to target elements within particular DOM subtrees without affecting elements outside the scope.</p>
<p><strong>How it works</strong>: The <code>@scope</code> rule defines a boundary within which certain styles apply. This boundary is determined by a selector, and the styles within the <code>@scope</code> block only affect elements that match the selector and are descendants of the scoped element.</p>
<pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">div</span> <span class="hljs-attr">id</span>=<span class="hljs-string">"my-component"</span>></span>
  <span class="hljs-tag"><<span class="hljs-name">p</span>></span>This paragraph is inside the scope.<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
<span class="hljs-tag"></<span class="hljs-name">div</span>></span>
<span class="hljs-tag"><<span class="hljs-name">p</span>></span>This paragraph is outside the scope.<span class="hljs-tag"></<span class="hljs-name">p</span>></span>
<span class="hljs-tag"><<span class="hljs-name">style</span>></span><span class="css">
<span class="hljs-keyword">@scope</span> (#my-component) {
  <span class="hljs-selector-tag">p</span> {
    <span class="hljs-attribute">color</span>: blue;
  }
}
</span><span class="hljs-tag"></<span class="hljs-name">style</span>></span>
</code></pre>
<p>In this example, only the paragraph inside the #my-component div will be colored blue. The paragraph outside remains unaffected.</p>
<p><strong>Use cases:</strong></p>
<ul>
<li><p><strong>Component-Based Architectures</strong>: <code>@scope</code> is the idea of styling components independently. Each component can have its own encapsulated styles, preventing conflicts between components and promoting code reuse.</p>
</li>
<li><p><strong>Third-party Libraries</strong>: Control the styling of third-party libraries or embedded widgets without worrying that their styles will affect your main application’s style.</p>
</li>
<li><p><strong>Scoped CSS Modules</strong>: While CSS Modules and other build-time solutions offer similar functionality,<code>@scope</code> brings this capability is brought natively to the browser, simplifying workflows and potentially improving performance.</p>
</li>
</ul>
<h3 id="heading-anchor-dynamically-position-elements-based-on-others"><code>anchor()</code> – Dynamically position elements based on others</h3>
<p>A brand-new CSS function that lets you <strong>anchor an element’s position</strong> (e.g. tooltip, menu) to another element, without JS.</p>
<pre><code class="lang-typescript">.tooltip {
  position: absolute;
  top: anchor(bottom);
  left: anchor(center);
}
</code></pre>
<p><strong>This changes the game for:</strong></p>
<ul>
<li><p>Tooltips</p>
</li>
<li><p>Dropdowns</p>
</li>
<li><p>Popovers</p>
</li>
</ul>
<p><strong>🛠️Use-case:</strong><br />Complex UI interactions (e.g., e-commerce filters, admin panels) <strong>without JavaScript</strong>.</p>
<h3 id="heading-accent-color"><code>accent-color</code></h3>
<p>If you have ever wanted to change the color of checkboxes or radio buttons, you have been seeking <code>accent-color</code>. With this property, you can modify the <code>:checked</code> the appearance of radio buttons or checkboxes and the filled-in states for both the progress element and range input. The browser’s default focus “halo“ may also be adjusted if you do not have another override.</p>
<p></p>
<p>Consider adding both <code>accent-color</code> and <code>color-scheme</code> to your baseline application styles for a quick win toward custom theme management.</p>
<h3 id="heading-light-dark-automatic-theme-switching-no-media-queries"><code>light-dark()</code> – Automatic theme switching, no media queries</h3>
<p>Want your components to automatically adapt to the system’s theme?</p>
<pre><code class="lang-typescript">body {
  color: light-dark(black, white);
  background-color: light-dark(white, black);
}
</code></pre>
<p><strong>✨Advantage:</strong><br />One color value that adapts automatically based on light or dark mode.</p>
<p><strong>🛠️Use-case:</strong><br />Custom themes for SaaS platforms, dashboards, or portfolio sites.</p>
<h3 id="heading-relative-color-syntax-amp-new-color-spaces">Relative color syntax & new color spaces</h3>
<p>You can now use <strong>colors derived from other colors</strong>, creating flexible, adaptive palettes.</p>
<pre><code class="lang-typescript">color: rgb(<span class="hljs-keyword">from</span> <span class="hljs-keyword">var</span>(--primary-color) r g b / <span class="hljs-number">50</span>%);
</code></pre>
<p><strong>Supports</strong>:<br /><code>oklch</code>, <code>oklab</code>, <code>color-mix()</code>, <code>color-contrast()</code>.</p>
<p>💡 <strong>Example with</strong> <code>color-mix()</code><strong>:</strong></p>
<pre><code class="lang-typescript">color: color-mix(<span class="hljs-keyword">in</span> srgb, red <span class="hljs-number">30</span>%, blue);
</code></pre>
<p><strong>🛠️Use-case:</strong><br />Variable branding, automatic dark mode themes, or accessible UIs.</p>
<h3 id="heading-property-variables-get-smarter-with-property"><code>@property</code> - Variables get smarter with property</h3>
<p>CSS variables are powerful, but the new <code>@property</code> at-rule takes them to the next level.</p>
<p>Now, you can define custom properties with specific types, inheritance rules, and default values.</p>
<p>Before the <code>@property</code> at-rule, custom properties were powerful but lacked type safety and constraints. For example:</p>
<pre><code class="lang-css"><span class="hljs-selector-pseudo">:root</span> {
  <span class="hljs-attribute">--rotation</span>: <span class="hljs-number">45deg</span>;
}
<span class="hljs-selector-tag">div</span> {
  <span class="hljs-attribute">transform</span>: <span class="hljs-built_in">rotate</span>(var(--rotation));
}
</code></pre>
<p>This works, but the variable is essentially unregulated.</p>
<p>If someone accidentally assigns an invalid value like <code>—rotation: blue</code>, the code breaks or behaves unpredictably.</p>
<p>Now, you can declare custom properties with a defined syntax, initial value, and inheritance rules.</p>
<p>Here’s how it works:</p>
<pre><code class="lang-css"><span class="hljs-keyword">@property</span> --rotation {
  <span class="hljs-selector-tag">syntax</span>: '<<span class="hljs-selector-tag">angle</span>>';
  <span class="hljs-selector-tag">inherits</span>: <span class="hljs-selector-tag">false</span>;
  <span class="hljs-selector-tag">initial-value</span>: 0<span class="hljs-selector-tag">deg</span>;
}
<span class="hljs-selector-tag">div</span> {
  <span class="hljs-attribute">transform</span>: <span class="hljs-built_in">rotate</span>(var(--rotation));
}
</code></pre>
<ul>
<li><p><code>syntax</code>: Specifies the type of value the property can accept. For <code>--rotation</code>, it’s an <code><angle></code> (like <code>45deg</code> or <code>1turn</code>).</p>
</li>
<li><p><code>inherits</code>: Determines if the property should inherit its value from its parent element. In this case, we set it to <code>false</code>.</p>
</li>
<li><p><code>initial-value</code>: Sets a default value if no other value is assigned. Here, it defaults to <code>0deg</code>.</p>
</li>
</ul>
<h3 id="heading-color-contrast-automatic-accessibility-support"><code>color-contrast()</code> – Automatic accessibility support</h3>
<p>Want your text to always be readable no matter the background?</p>
<pre><code class="lang-typescript">color: color-contrast(white vs #<span class="hljs-number">000</span>, #<span class="hljs-number">0</span>f62fe, #f00);
</code></pre>
<p><strong>💪What it does:</strong><br />Chooses the color with the <strong>best contrast ratio</strong> against a background, meeting WCAG guidelines.</p>
<p><strong>🛠️Use-case:</strong><br />Accessible interfaces for public agencies, corporate sites, or B2B platforms.</p>
<h3 id="heading-contain-layout-avoid-global-layout-recalculations"><code>contain: layout</code> — Avoid Global Layout Recalculations</h3>
<p><strong>Problem:</strong> A small update triggers a full layout reflow. Performance drops.</p>
<p><strong>Fix:</strong></p>
<pre><code class="lang-typescript">.card {
  contain: layout;
}
</code></pre>
<p><strong>Why it helps:</strong> The browser isolates layout changes inside <code>.card</code>. No more cascading reflows.</p>
<p><strong>Result:</strong> Faster updates. Smoother interactions. Cleaner performance graphs.</p>
<h3 id="heading-pointer-events-none-control-what-gets-clicked"><code>pointer-events: none</code> — Control What Gets Clicked</h3>
<p><strong>Problem:</strong> An overlay element blocks interaction with elements underneath.</p>
<p><strong>Fix:</strong></p>
<pre><code class="lang-typescript">.floating-label {
  pointer-events: none;
}
</code></pre>
<p><strong>Why it helps:</strong> The element becomes visually present but non-interactive.</p>
<p><strong>Result:</strong> Users interact with what they see underneath.</p>
<h3 id="heading-backdrop-filter-elegant-blur-behind-overlays"><code>backdrop-filter</code> – Elegant blur behind overlays</h3>
<p>Want that “frosted glass” effect you see in macOS, iOS, or clean minimalist UIs? You can now create it natively with CSS.</p>
<pre><code class="lang-typescript">.modal {
  background: rgba(<span class="hljs-number">255</span>, <span class="hljs-number">255</span>, <span class="hljs-number">255</span>, <span class="hljs-number">0.6</span>);
  backdrop-filter: blur(<span class="hljs-number">12</span>px);
}
</code></pre>
<p>💡 <strong>Perfect for:</strong><br />Popups, sticky headers, modals, dropdowns with depth.</p>
<p><strong>🛠️Use-case:</strong><br />Elevates the UI in portfolios, landing pages, or SaaS interfaces.</p>
<h3 id="heading-wrap-headings-in-a-more-balanced-way">Wrap headings in a more balanced way</h3>
<pre><code class="lang-css"><span class="hljs-selector-tag">h1</span>, <span class="hljs-selector-tag">h2</span>, <span class="hljs-selector-tag">h3</span>, <span class="hljs-selector-tag">h4</span>, <span class="hljs-selector-tag">h5</span>, <span class="hljs-selector-tag">h6</span> {
  <span class="hljs-attribute">text-wrap</span>: balance;
}
</code></pre>
<p>Headings are an essential part of the web structure, but due to their larger size and shorter content, they may look weird. Especially when they occupy more than one line. A solution that will help is balancing the headings with <code>text-wrap</code>.</p>
<p>Although balance seems to be the most popular value for <code>text-wrap</code>, it is not the only one. We could also use <code>pretty</code>, that moves an extra word to the last row if needed instead of balancing all the content. Unfortunately, <code>pretty</code> has yet to count onboard support.</p>
<p></p>
<p>Balanced wrapping can improve visibility and readability.</p>
<h3 id="heading-font-size-adjust-better-legibility-with-fallback-fonts"><code>font-size-adjust</code> – Better legibility with fallback fonts</h3>
<p>Sometimes, fallback fonts have a different “x-height,” making text appear too large or too small. This property keeps visual consistency across fonts.</p>
<pre><code class="lang-typescript">body {
  font-size-adjust: <span class="hljs-number">0.5</span>;
}
</code></pre>
<p>🎯 <strong>Great when:</strong><br />You use Google Fonts with fallbacks like Helvetica or Arial.</p>
<p><strong>🛠️Use-case:</strong><br />Editorial sites, blogs, or documentation where text must remain clear even without the main font.</p>
<h3 id="heading-scrollbar-gutter-amp-scrollbar-color">Scrollbar-Gutter & Scrollbar-Color</h3>
<p>When a browser displays a scrollbar, the layout can shift as space is taken up. With <code>scrollbar-gutter</code>, you can preserve scrollbar space even before scrolling begins:</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.scrollable</span> {
  <span class="hljs-attribute">scrollbar-gutter</span>: stable both-edges;
}
</code></pre>
<p>You can also style your scrollbars with <code>scrollbar-color</code>:</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.scrollable</span> {
  <span class="hljs-attribute">scrollbar-color</span>: <span class="hljs-number">#444</span> <span class="hljs-number">#ccc</span>;
}
</code></pre>
<p>This ensures a consistent look and prevents layout jumps.</p>
<p><strong>What it good for ✅</strong></p>
<ul>
<li><p><code>scrollbar-gutter</code> keeps layouts stable by reserving space for a scrollbar, preventing annoying shifts when the scrollbar appears.</p>
</li>
<li><p><code>scrollbar-color</code> lets you style the scrollbar’s track and thumb, enhancing design consistency, especially for dark or themed UIs.</p>
</li>
</ul>
<h3 id="heading-transition-behavior">transition-behavior</h3>
<p>While <code>transition-timing-function</code> has served us well, <code>transition-behavior</code> introduces additional control over animations, such as reversing or pausing transitions without complex JavaScript. This paves the way for smoother UI interactions and advanced animation scenarios.</p>
<pre><code class="lang-css"><span class="hljs-selector-class">.card</span> {
  <span class="hljs-attribute">transition-property</span>: opacity, display;
  <span class="hljs-attribute">transition-duration</span>: <span class="hljs-number">0.25s</span>;
  <span class="hljs-attribute">transition-behavior</span>: allow-discrete;
}

<span class="hljs-selector-class">.card</span><span class="hljs-selector-class">.fade-out</span> {
  <span class="hljs-attribute">opacity</span>: <span class="hljs-number">0</span>;
  <span class="hljs-attribute">display</span>: none;
}
</code></pre>
<p><strong>What it’s good for ✅</strong></p>
<ul>
<li><p>Expands on basic transitions to offer reversible or more complex transitions without heavy scripting.</p>
</li>
<li><p>Useful for refined UI effects, interactive components, and unique animation scenarios.</p>
</li>
</ul>
<h3 id="heading-starting-style-fixing-animation-start-issues">starting-style — Fixing animation Start Issues</h3>
<ul>
<li><p>Normally, when you hide an element (<code>display: none</code>), it pops up instantly when shown.</p>
</li>
<li><p><code>@starting-style</code> defines its initial state so transitions work smoothly.</p>
</li>
</ul>
<pre><code class="lang-typescript"><span class="hljs-meta">@starting</span>-style {
  .modal {
    opacity: <span class="hljs-number">0</span>;
    transform: scale(<span class="hljs-number">0.8</span>);
  }
}

.modal {
  transition: opacity <span class="hljs-number">0.5</span>s, transform <span class="hljs-number">0.5</span>s;
}

.modal.show {
  opacity: <span class="hljs-number">1</span>;
  transform: scale(<span class="hljs-number">1</span>);
}
</code></pre>
<p>The modal fades in instead of appearing suddenly</p>
<p>✅ Chrome, Edge</p>
<p>❌ Not yet in Firefox or Safari</p>
<h3 id="heading-animation-composition-layer-multiple-animations"><code>animation-composition</code> – Layer multiple animations</h3>
<p>This property allows you to <strong>control how multiple animations combine</strong> on a single element:</p>
<pre><code class="lang-typescript">.element {
  animation: fadeIn <span class="hljs-number">1</span>s, slideIn <span class="hljs-number">1</span>s;
  animation-composition: accumulate;
}
</code></pre>
<p><strong>Modes:</strong></p>
<ul>
<li><p><code>replace</code> (default): one animation overrides the other</p>
</li>
<li><p><code>accumulate</code>: adds values</p>
</li>
<li><p><code>add</code>: combines effects into a single result</p>
</li>
</ul>
<p><strong>🛠️Use-case:</strong><br />Interactive components like dropdowns, sliders, or animated cards.</p>
<h3 id="heading-scroll-snap-type-section-by-section-scroll-control"><code>scroll-snap-type</code> – Section-by-section scroll control</h3>
<p>With scroll snapping, you can make sections or slides “snap” into place, providing a <strong>refined mobile UX</strong>.</p>
<pre><code class="lang-typescript">.container {
  scroll-snap-<span class="hljs-keyword">type</span>: y mandatory;
  overflow-y: scroll;
}
</code></pre>
<pre><code class="lang-typescript">.section {
  scroll-snap-align: start;
}
</code></pre>
<p><strong>🛠️Use-case:</strong><br />Horizontal carousels, galleries, full-page scroll sections — super mobile-friendly.</p>
<h3 id="heading-prefers-reduced-motion-respect-ux-accessibility"><code>prefers-reduced-motion</code> – Respect UX accessibility</h3>
<p>A media query that checks user settings and <strong>disables or simplifies motion effects</strong> when requested.</p>
<pre><code class="lang-typescript"><span class="hljs-meta">@media</span> (prefers-reduced-motion: reduce) {
  * {
    animation: none !important;
    transition: none !important;
  }
}
</code></pre>
<p>🧠 A must-have for every modern project, ensuring <strong>inclusive and responsible design</strong>.</p>
<p><strong>🛠️Use-case:</strong><br />Sites for public entities, healthcare, or simply smoother UX on slower devices.</p>
<h2 id="heading-css-content-values-master-min-content-max-content-and-fit-content-for-better-layouts">CSS Content Values: Master min-content, max-content, and fit-content for Better Layouts</h2>
<p><strong>You’re building a responsive layout and wrestling with width calculations. The content sometimes overflows, sometimes leaves too much whitespace, and media queries feel like duct tape holding everything together.</strong></p>
<p>Most developers stick to percentages, fixed pixels, or viewport units because that’s what they learned first. But there’s a more elegant approach hiding in plain sight.</p>
<p><strong>The problem:</strong> Traditional sizing methods force you to guess at content dimensions. You set <code>width: 300px</code> and hope the content fits, or use <code>width: 100%</code> and accept whatever space you get, regardless of whether it makes sense for the content.</p>
<p><strong>The solution:</strong> CSS content-based sizing values (<code>min-content</code>, <code>max-content</code>, <code>fit-content</code>) let your layouts adapt intelligently to actual content dimensions, creating interfaces that feel naturally responsive.</p>
<p>These values have been supported across modern browsers for years, yet most developers never use them. Once you understand how they work, you’ll see layout opportunities everywhere — from navigation menus that size themselves perfectly, to cards that adapt to their content, to forms that feel naturally proportioned.</p>
<p>Today, I’ll show you how these three values work, when to use each one, and 5 production-ready patterns that will change how you approach CSS layouts.</p>
<p>Check out <a target="_blank" href="https://medium.com/render-beyond/css-content-values-master-min-content-max-content-and-fit-content-for-better-layouts-0e4dff937e47">this article</a>.</p>
<p><a target="_blank" href="https://medium.com/@orami98/10-css-techniques-that-solve-the-most-frustrating-layout-problems-854ca79c7ecc">https://medium.com/@orami98/10-css-techniques-that-solve-the-most-frustrating-layout-problems-854ca79c7ecc</a></p>
<h2 id="heading-units">Units</h2>
<p>In CSS, there are two main types of units: absolute and relative. Absolute units like <code>cm</code>, <code>mm</code>, <code>in</code> (and others) represent fixed physical measurements and have been available since the early days of CSS. Pixels (<code>px</code>) are actually relative units (they scale based on the viewing device). Most other units are also relative, scaling based on fonts, viewports, or other factors. CSS1 gave us <code>em</code> for font-based sizing, CSS3 added viewport units like <code>vh</code> and <code>vw</code> (introduced around 2012), and recently (2022) we got <code>dvh</code> to handle mobile browsers better. Note that several relative units (like <code>em</code>, <code>ex</code>, <code>ch</code>) can compute differently based on where they’re used. Their behavior might change when used with <code>font-size</code> versus other properties like <code>width</code> or <code>margin</code>.</p>
<h3 id="heading-font-based">Font-based</h3>
<ul>
<li><p><strong>em</strong> - Relative to the parent element’s font size</p>
</li>
<li><p><strong>rem</strong> - Relative to the root element’s font size</p>
</li>
<li><p><strong>ex</strong> - Represents the x-height of the current font (roughly the height of lowercase “x”) - this unit has been around since CSS1 but I only recently really learned about it</p>
</li>
<li><p><strong>ch</strong> - Width of the “0” (zero) character in the current font - available since CSS3 but often overlooked</p>
</li>
<li><p><strong>lh</strong> - Equal to the line-height of the element</p>
</li>
</ul>
<h3 id="heading-viewport-based">Viewport-based</h3>
<ul>
<li><p><strong>vh</strong> - 1% of the viewport height</p>
</li>
<li><p><strong>vw</strong> - 1% of the viewport width</p>
</li>
<li><p><strong>vmin</strong> - 1% of the viewport’s smaller dimension (height or width) - also from CSS3 but less commonly used</p>
</li>
<li><p><strong>vmax</strong> - 1% of the viewport’s larger dimension (height or width) - also from CSS3 but less commonly used</p>
</li>
</ul>
<h3 id="heading-modern-viewport">Modern viewport</h3>
<ul>
<li><p><strong>dvh</strong> - Dynamic viewport height, adjusts for mobile browser chrome/UI elements</p>
</li>
<li><p><strong>dvw</strong> - Dynamic viewport width</p>
</li>
<li><p><strong>svh</strong> - Small viewport height, the smallest possible height when accounting for dynamic UI elements</p>
</li>
<li><p><strong>svw</strong> - Small viewport width</p>
</li>
<li><p><strong>lvh</strong> - Large viewport height, the largest possible height when accounting for dynamic UI elements</p>
</li>
<li><p><strong>lvw</strong> - Large viewport width</p>
</li>
</ul>
<p><a target="_blank" href="https://blog.stackademic.com/stop-using-100vh-on-mobile-use-these-new-css-units-instead-adf22e7a6ea9">https://blog.stackademic.com/stop-using-100vh-on-mobile-use-these-new-css-units-instead-adf22e7a6ea9</a></p>
<h2 id="heading-a-practical-migration-handbook-from-sassscss-to-modern-native-css">A practical migration handbook from SASS/SCSS to modern native CSS</h2>
<p>Modern CSS has rapidly evolved, integrating many features that were once exclusive to Sass/SCSS. Features like CSS variables, native nesting, color functions, and cascade layers are now built into the language, eliminating the need for a preprocessor in most cases.</p>
<p><a target="_blank" href="https://medium.com/@karstenbiedermann/a-practical-migration-handbook-from-sass-scss-to-modern-native-css-be5d3f50d2ac">This article</a> provides a practical guide for developers looking to migrate their codebase from SCSS/Sass to modern native CSS.</p>
<h2 id="heading-these-3-css-breakpoints-handle-95-of-your-layouts">These 3 CSS breakpoints handle 95% of your layouts</h2>
<p>Most of us aren’t designing interfaces for smart fridges, VR headsets, and a wristwatch all at once. And yet, devs (especially early career ones) spend way too much time micromanaging media queries like they are twerking the shields on the rocket lunch.</p>
<p>You don’t need 12 breakpoints. You only need three.</p>
<h3 id="heading-the-problem-too-many-breakpoints-too-little-gain">The Problem: Too many breakpoints, too little gain.</h3>
<p>You know the drill. You start a project, install Taiwind or write a custom media query setup, and then…</p>
<p></p>
<p>By the time you finish typing, the site is already outdated.</p>
<p>You are trying to catch every edge case, but you are drowning the the maintenance hell.</p>
<p>And guess what? Your users don’t care.</p>
<p>They just want the site to <em>look good</em> and <em>work</em> on their phone, tablet, and laptop.</p>
<h3 id="heading-the-3-breakpoints-that-work-for-95-of-projects">The 3 breakpoints that work for 95% of projects</h3>
<p>If you want a setup that’s <em>practical, predictable</em>, and <em>future-proof</em>, start here:</p>
<p></p>
<p>That’s it.</p>
<p><strong>The logic behind these:</strong></p>
<ul>
<li><p><code>0 - 767px</code> → Phones (the smallest view, default)</p>
</li>
<li><p><code>768px - 1023px</code> → Tablets (or awkward in-between devices)</p>
</li>
<li><p><code>1024px and up</code> → Desktops, laptops, and beyond</p>
</li>
</ul>
<p>If you really <em>need</em> a wider breakpoint (say for ultra-wide monitors), go ahead and add a <code>1280px</code> or <code>1440px</code>. But don’t start there. Wait until <strong>the design demands it</strong>, not your anxiety.</p>
<p>And if you’re using a framework like <strong>Tailwind</strong>, you’re already covered:</p>
<p></p>
<p>Use <code>md</code>, <code>lg</code>, and <code>xl</code>, and you’re done. Don’t fight the framework.</p>
<h2 id="heading-responsive-tables-are-hard-heres-a-pattern-that-works">Responsive Tables are Hard - Here’s a Pattern That Works</h2>
<p>Tables are great until you try to view them on your phone. I have broken more UIs than I can count — until I landed on this reliable pattern.</p>
<h3 id="heading-why-responsive-tables-are-so-frustrating">Why Responsive Tables are so Frustrating</h3>
<p>You want:</p>
<ul>
<li><p>Headers</p>
</li>
<li><p>Rows</p>
</li>
<li><p>Clean alignment</p>
</li>
<li><p>Scrollable on mobile</p>
</li>
<li><p>Sticky headers, maybe?</p>
</li>
</ul>
<p>But what you often get:</p>
<ul>
<li><p>Overflowing cells</p>
</li>
<li><p>Squashed text</p>
</li>
<li><p>Ugly horizontal scroll</p>
</li>
<li><p>Broken layouts</p>
</li>
</ul>
<p><strong>Responsive grids? Easy.</strong><br /><strong>Responsive tables? Still awkward.</strong></p>
<p>And that’s because:</p>
<p>Tables weren’t designed for mobiles — they were designed for data-heavy desktops.</p>
<p>But with the right pattern, you can make it work beautifully for any screen.</p>
<h3 id="heading-the-pattern-that-works-table-inside-a-scrollable-container">The Pattern that works: Table inside a Scrollable Container.</h3>
<p>This is the cleanest, least hacky approach I have used — and it works 99% of the time.</p>
<ol>
<li><strong>Step 1: Wrap your table in a scroll container</strong></li>
</ol>
<pre><code class="lang-css"><<span class="hljs-selector-tag">div</span> <span class="hljs-selector-tag">class</span>="<span class="hljs-selector-tag">table-wrapper</span>">
  <<span class="hljs-selector-tag">table</span>>
    <<span class="hljs-selector-tag">thead</span>>...</<span class="hljs-selector-tag">thead</span>>
    <<span class="hljs-selector-tag">tbody</span>>...</<span class="hljs-selector-tag">tbody</span>>
  </<span class="hljs-selector-tag">table</span>>
</<span class="hljs-selector-tag">div</span>>

<span class="hljs-selector-class">.table-wrapper</span> {
  <span class="hljs-attribute">width</span>: <span class="hljs-number">100%</span>;
  <span class="hljs-attribute">overflow-x</span>: auto;
}

<span class="hljs-selector-tag">table</span> {
  <span class="hljs-attribute">width</span>: <span class="hljs-number">100%</span>;
  <span class="hljs-attribute">min-width</span>: <span class="hljs-number">600px</span>; <span class="hljs-comment">/* or whatever your data requires */</span>
  <span class="hljs-attribute">border-collapse</span>: collapse;
}
</code></pre>
<p>This creates <strong>horizontal scrolling on small screens</strong>, but keeps things readable and aligned.</p>
<ol start="2">
<li><strong>Step 2: Use Sticky Headers (Optional but Delightful)</strong></li>
</ol>
<pre><code class="lang-css"><span class="hljs-selector-tag">thead</span> <span class="hljs-selector-tag">th</span> {
  <span class="hljs-attribute">position</span>: sticky;
  <span class="hljs-attribute">top</span>: <span class="hljs-number">0</span>;
  <span class="hljs-attribute">background</span>: white;
  <span class="hljs-attribute">z-index</span>: <span class="hljs-number">1</span>;
}
</code></pre>
<p>Now, when users scroll, your headers stay visible.</p>
<p>Bonus: Add a subtle box shadow to the sticky header for depth</p>
<ol start="3">
<li><strong>Step 3: Make it Keyboard — Tough Friendly</strong></li>
</ol>
<pre><code class="lang-css"><span class="hljs-selector-class">.table-wrapper</span> {
  <span class="hljs-attribute">-webkit-overflow-scrolling</span>: touch;
  <span class="hljs-attribute">scrollbar-width</span>: thin;
  <span class="hljs-attribute">scroll-behavior</span>: smooth;
}
</code></pre>
<p>This improves the mobile feel <strong>without janky scrollbars.</strong></p>
<h3 id="heading-responsive-table-enhancements">Responsive Table Enhancements</h3>
<ul>
<li><p>✅ Add <code>white-space: nowrap</code> on key cells to prevent word wrap</p>
</li>
<li><p>✅ Use <code>text-overflow: ellipsis</code> for long content</p>
</li>
<li><p>✅ Add <code>title</code> or tooltips for truncated values</p>
</li>
<li><p>✅ Highlight rows on hover for readability</p>
</li>
<li><p>✅ Use <code>aria-label</code> and <code>scope</code> attributes for accessibility</p>
</li>
</ul>
<h2 id="heading-next-gen-web-animations-15-css-and-javascript-techniques-that-will-make-your-website-300-more-engaging">Next-Gen Web Animations: 15 CSS and JavaScript Techniques That Will Make Your Website 300% More Engaging</h2>
<p>Web animations are experiencing a renaissance. <strong>New CSS features like</strong> <code>@scroll-timeline</code><strong>,</strong> <code>animation-timeline</code><strong>, and the Web Animations API is revolutionizing how we create engaging user experiences.</strong> These modern techniques offer unprecedented control over timing, performance, and accessibility while maintaining smooth 60fps animations.</p>
<p>Studies show that well-crafted animations can increase user engagement by up to 300% and improve perceived value by 25%. But poorly implemented animations can destroy the user experience and tank your Core Web Vitals Score.</p>
<p>In this comprehensive guide, we will explore cutting-edge animation techniques that will transform your website into an engaging, performant experience that users love.</p>
<h3 id="heading-why-modern-animation-techniques-beat-traditional-approaches">Why Modern Animation Techniques Beat Traditional Approaches.</h3>
<p>This foundation section highlights the inefficiencies of traditional JavaScript-based animation methods, which often lead to problems like constant style recalculations, main thread blocking, poor battery life, and accessibility issues.</p>
<p>It then introduces the benefits of modern approaches, primarily GPU acceleration for smooth 60fps performance, better battery life, and built-in accessibility support, setting the stage for the subsequent techniques.</p>
<h3 id="heading-the-problem-with-old-animation-methods">The Problem with Old Animation Methods</h3>
<pre><code class="lang-typescript"><span class="hljs-comment">// Traditional approach - performance killers</span>
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">animateElement</span>(<span class="hljs-params"></span>) </span>{
  <span class="hljs-keyword">let</span> start = <span class="hljs-literal">null</span>;

  <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">step</span>(<span class="hljs-params">timestamp</span>) </span>{
    <span class="hljs-keyword">if</span> (!start) start = timestamp;
    <span class="hljs-keyword">const</span> progress = timestamp - start;

    element.style.left = <span class="hljs-built_in">Math</span>.min(progress / <span class="hljs-number">10</span>, <span class="hljs-number">200</span>) + <span class="hljs-string">'px'</span>;

    <span class="hljs-keyword">if</span> (progress < <span class="hljs-number">2000</span>) {
      requestAnimationFrame(step);
    }
  }

  requestAnimationFrame(step);
}

<span class="hljs-comment">// Problems:</span>
<span class="hljs-comment">// - Constant style recalculations</span>
<span class="hljs-comment">// - Main thread blocking</span>
<span class="hljs-comment">// - Poor battery life</span>
<span class="hljs-comment">// - Accessibility issues</span>
</code></pre>
<p><strong>The Modern Advantage</strong></p>
<pre><code class="lang-typescript"><span class="hljs-comment">/* Modern approach - GPU accelerated */</span>
<span class="hljs-meta">@keyframes</span> slideIn {
  <span class="hljs-keyword">from</span> { transform: translateX(<span class="hljs-number">-100</span>%); }
  to { transform: translateX(<span class="hljs-number">0</span>); }
}
.element {
  animation: slideIn <span class="hljs-number">0.3</span>s ease-out;
  will-change: transform;
}
<span class="hljs-comment">/* Benefits:
   - GPU acceleration
   - Smooth 60fps performance  
   - Better battery life
   - Built-in accessibility support
*/</span>
</code></pre>
<p><strong>Performance comparison:</strong></p>
<ul>
<li><p><strong>CPU usage</strong>: 70% reduction</p>
</li>
<li><p><strong>Battery consumption</strong>: 50% improvement</p>
</li>
<li><p><strong>Frame rate consistency</strong>: 95% fewer dropped frames</p>
</li>
<li><p><strong>Accessibility</strong>: Native <code>prefers-reduced-motion</code> support</p>
</li>
</ul>
<h3 id="heading-understanding-modern-animation-primitives">Understanding Modern Animation Primitives</h3>
<p>Refer to <a target="_blank" href="https://medium.com/@orami98/next-gen-web-animations-15-css-javascript-techniques-that-will-make-your-website-300-more-c85a948486ea">this article</a> for more details.</p>
<h2 id="heading-css-tricks">CSS Tricks</h2>
<h3 id="heading-the-one-css-trick-every-front-end-shouldnt-have-learned-years-ago-currentcolor">The One CSS Trick Every Front-end Shouldn’t Have Learned Years Ago: currentColor</h3>
<p>You just spent an hour updating your website’s color scheme. Now you’re hunting through 47 different SVG files, manually changing hex codes from <code>#0088cc</code> to <code>#ff6b6b</code>.</p>
<p>Sound familiar? That sinking feeling in your stomach when you realize you hardcoded colors everywhere?</p>
<p>I’ve been there. Multiple times. Until I discovered <code>currentColor</code>.</p>
<p><strong>The Problem Nobody Talks About</strong></p>
<p>Here’s what happened to me last year: I built a navigation menu with custom icons. Beautiful SVGs, perfectly crafted. Then my client said, “Can we make the icons match the text color on hover?”</p>
<p>Simple request, right?</p>
<p>Wrong.</p>
<p>Each icon had <code>fill="#2c3e50"</code> hardcoded in the SVG. I had to:</p>
<ol>
<li><p>Update the SVG fill color</p>
</li>
<li><p>Update the hover state fill color</p>
</li>
<li><p>Make sure they matched the text color</p>
</li>
<li><p>Repeat for every. Single. Icon.</p>
</li>
</ol>
<p>Three different places. Three chances to mess up. And when they inevitably asked to change the color again? Back to square one.</p>
<p><strong>There had to be a better way.</strong></p>
<p><strong>Enter currentColor: CSS’s Forgotten Superhero</strong></p>
<p><code>currentColor</code> is exactly what it sounds like; it grabs whatever color value is currently set on an element. It's been around since 2010 (older than some of the frameworks you're probably using), but hardly anyone talks about it.</p>
<p>Here’s the simplest example:</p>
<pre><code class="lang-typescript">.card {
  color: red;
  border: <span class="hljs-number">3</span>px solid currentColor;
}
</code></pre>
<p>That border? It’s red. No repetition. No separate variable. It just… inherits.</p>
<p><strong>Before currentColor (the painful way):</strong></p>
<pre><code class="lang-typescript">.button {
  color: #<span class="hljs-number">0088</span>cc;
  border: <span class="hljs-number">2</span>px solid #<span class="hljs-number">0088</span>cc; <span class="hljs-comment">/* Hope you don't typo this */</span>
  box-shadow: <span class="hljs-number">0</span> <span class="hljs-number">2</span>px <span class="hljs-number">4</span>px #<span class="hljs-number">0088</span>cc; <span class="hljs-comment">/* Or this */</span>
}
</code></pre>
<p><strong>After currentColor (the same way):</strong></p>
<pre><code class="lang-typescript">.button {
  color: #<span class="hljs-number">0088</span>cc;
  border: <span class="hljs-number">2</span>px solid currentColor;
  box-shadow: <span class="hljs-number">0</span> <span class="hljs-number">2</span>px <span class="hljs-number">4</span>px currentColor;
}
</code></pre>
<p>Change one value. Everything updates. That’s the scratch for your itch.</p>
<h3 id="heading-propover-api">Propover API</h3>
<p>CSS has the ability to create popovers without needing any JavaScript.</p>
<p>You can now build interactive popups like tooltips, models, or dropdowns using just HTML and CC. This is made possible with the Popover API.</p>
<p>To create a popover, you need two basic elements:</p>
<ul>
<li><p>A <strong>trigger</strong> (like a button)</p>
</li>
<li><p>A <strong>popover element</strong> (like a div)</p>
</li>
</ul>
<p>You use the new <code>popover</code> attribute on the popover element. And you connect the trigger to it using the <code>popover-target</code> attribute.</p>
<pre><code class="lang-typescript"><!-- Trigger Button -->
<button popovertarget=<span class="hljs-string">"myPopover"</span>>Follow Me</button>

<!-- Popover Element -->
<div id=<span class="hljs-string">"myPopover"</span> popover>
  Thank you <span class="hljs-keyword">for</span> following me!
</div>
</code></pre>
<ul>
<li><p>When you click the “Subscribe” button, the div with <code>id="myPopover"</code> appears as a popover.</p>
</li>
<li><p>You can close it by pressing <strong>Escape</strong> or <strong>clicking outside</strong>.</p>
</li>
</ul>
<p></p>
<p>At first, the popover just appears and disappears instantly. If you want to add smooth opening and closing animations, <strong>you can combine it with CSS transitions.</strong></p>
<pre><code class="lang-typescript">#myPopover {
  transform: translateY(<span class="hljs-number">-2</span>rem);
  opacity: <span class="hljs-number">0</span>;
  transition: transform <span class="hljs-number">0.3</span>s ease, opacity <span class="hljs-number">0.3</span>s ease;
}

#myPopover:open {
  transform: translateY(<span class="hljs-number">0</span>);
  opacity: <span class="hljs-number">1</span>;
}
</code></pre>
<h3 id="heading-field-sizing-for-inputs-and-textareas">Field-Sizing for Inputs and Textareas</h3>
<p>Another super handy update in CSS is the new <code>field-sizing</code> property.<br />It allows input fields, textareas, and select dropdowns to <strong>automatically resize</strong> based on their content.</p>
<p>Before this, input fields and text areas had a <strong>fixed width and height</strong>.</p>
<p>If the content was too big or too small, the field stayed the same size, unless you manually adjusted it with JavaScript or set a fixed size.</p>
<p></p>
<p>With <code>field-sizing</code>, the browser can <strong>adjust the size of the field automatically</strong> depending on the text inside.</p>
<p>You simply apply:</p>
<pre><code class="lang-typescript">input, textarea, select {
  field-sizing: content;
}
</code></pre>
<p>Now, when users type something or select an option:</p>
<p>The width (and sometimes the height) will grow or shrink based on the content.</p>
<p>Example:</p>
<pre><code class="lang-typescript"><textarea placeholder=<span class="hljs-string">"Start typing..."</span>>
type="text" placeholder="Your Name">

textarea, input, select {
  field-sizing: content;
  max-width: 100%; /* Optional: prevent it from getting too large */
}

The textarea will expand as you type more lines.
The input will grow wider if you type a long name.
The select box will resize depending on the selected option.

In short field-sizing helps your form fields grow naturally with the user’s input, creating smarter and more responsive forms with just one line of CSS.

Control Element’s Height and Width

You can use the resize property to allow users to set any element’s width, height, or both manually.

There are mainly 3 values of resize. They are horizontal, vertical and both.

resize: horizontal allows you to drag the element to increase its width.

resize: vertical allows you to drag the element to increase its height.

resize: both allows you to drag the element to increase both its width and height.

But wait. It does not work for every element.

Those are — inline elements and block elements having the overflow property is set to visible .

Centering without Flexbox or Grid

Remember the struggle of centering elements with CSS?

You would reach for a flexbox or grid just to center one thing.

Not anymore!

The new align-content property makes entering elements - no extra containers.

.my-element {
  display: block;
  align-content: center;
}

✅ Supported in Chrome, Edge, and Firefox

❌ Not yet available in Safari

The Masonry Layout with just one line

We all loved the Pinterest-inspired masonry layout, where elements with varying heights stack in a neat, gap-free way. While many developers think you need a JavaScript or external libraries to achieve it, the solution is surprisingly simple:

Use the columns property.

Instead of struggling with Grid or Flexbox (which both leave an awkward gap), you can define columns directly with CSS:

columns: 300px;

Want to set the max number of columns for responsiveness? Add a second parameter like this:

columns: 300px 4;

That’s it. The browser automatically adjusts the layout for you. No fuss, no gaps, no headaches.

Universal box sizing

Probably one of the most forgotten properties to set. It simply defines how the box reacts to the border and the padding of elements within it.

By default, the box-sizing is set to content-box, which means that the width and height of an element only include its padding and border. This can cause unexpected layout problems.

To fix this, you can simply add the following one-liner to your CSS:

*, *::before, *::after {
    box-sizing: border-box;
}

div {
  width: 200px;
  padding: 20px;
  border: 10px solid black;
}

With box-sizing: content-box → total width = 200 + 20×2 + 10×2 = 260px
With box-sizing: border-box → total width = exactly 200px

The math gets an upgrade

CSS has always allowed simple calculations with the calc() function.

However, its capabilities were somewhat limited.

The latest update brings a suite of new math functions, including round(), mod(), and rem().

The old way: Limited Math with calc():

.element {
  width: calc(100% - 50px);
}

The new ways with advanced math functions

.box {
  margin: round(2.5px); /* Rounds to 3px */
}
.stripe:nth-child(odd) {
  left: calc(var(--index) * 50px mod 200px);
}
.circle {
  width: rem(10px, 3px); /* Outputs 1px */
}

Forms with New Pseudo-Classes

Forms are the backbone of user interaction on the web, but ensuring users input the right data can be very tricky.

While CSS provided some basic pseudo-classes like :valid and :invalid for form validation, they weren’t always intuitive or flexible.

The new :user-valid and :user-invalid pseudo-classes refine this process by focusing on user interaction.

The old way: Static validation with :valid and :invalid

Previously, you could validate form fields with :valid and :invalid.

However, these pseudo-classes are triggered as soon as the page is loaded, leading to premature styling changes.

input:valid {
  border-color: green;
}

input:invalid {
  border-color: red;
}

The New Way with :user-valid and :user-invalid

The :user-valid and :user-invalid pseudo-classes only apply styles after the user interacts with the field, avoiding premature validation styles.

input:user-valid {
  border-color: green;
}

input:user-invalid {
  border-color: red;
}

Animating Sizes with the Interpolate-Size Property

Animating size changes like height, width, or padding has always been tricky in CSS.

The new interpolate-size property transforms how size animations work.

The old way: Using max-value or JavaScript:

.collapsible {
  overflow: hidden;
  max-height: 0;
  transition: max-height 0.3s ease-out;
}
.collapsible.open {
  max-height: 500px; /* Assumes a fixed maximum height */
}

const element = document.querySelector('.collapsible');
element.style.height = `${element.scrollHeight}px`;

The new way with interpolate-size

.collapsible {
  interpolate-size: height ease-in-out 0.3s;
}
.collapsible.open {
  height: auto;
}

The browser calculates the starting and ending sizes dynamically, even for auto values.
Transitions are seamless, no matter how much content is inside the element.

Remove Image Backgrounds With One Line Of CSS

There are a few images whose background does not match the website’s background, like the image below:

The background color of the image is completely different from your expected color.

The most common option you might think is to change your design.

Change the background color to the product’s background color.

Not really…

There is a property in CSS called mix-blend-mode where all the magic happens.

Your image is contained inside an individual div element. Each div has its own background color and each image has its own.

How the mix-blend-mode really work?

When you apply mix-blend-mode for the image element, the browser starts a color comparison between the image and the div element.

Here, the style will be mix-blend-mode: darken

The color comparison will be done on a pixel-by-pixel basis. In a certain position, two pixels are compared with each other.

If the mix-blend-mode property is darken, the darker pixel between the two will be kept.

Looks like the image’s background has been removed, but actually, it blends with the background.

Logical Properties

Tired of using margin-left, margin-right, margin-top, and margin-bottom?

Here’s an example that uses logical properties for layout adjustments:

.box {
  margin-block: 5px 10px;    /* 5px top margin, 10px bottom margin */
  margin-inline: 20px 30px;  /* 20px left margin, 30px right margin */
}

The same method works for padding as well.

.box {
  padding-block: 10px 20px; /* 10px top/bottom padding, 20px bottom padding */
  padding-inline: 15px 25px; /* 15px left padding, 25px right padding */
}

These properties adjust automatically based on the text direction (e.g., left-to-right or right-to-left), making your code more readable, shorter, flexible, and international-friendly.

Empty Element

No more empty space or unwanted margins from empty elements! This CSS trick automatically hides any elements that have no content. It’s incredibly useful for dynamic content that might not always be present, ensuring your content stays clean and tight.

.element:empty { display: none }

Consider combining this with pseudo-elements such as ::before or ::after for placeholders or default states when the element is empty. This can add a nice touch of detail to your design without any clutter.

Responsive Styling based on orientation

Adjust your site’s background color (or any other style) based on the design orientation with this simple media query. It’s perfect for ensuring your design looks great in both portrait and landscape modes, especially on mobile devices where users might frequently change orientation.

@media (orientation: landscape) {
  body {
    background-color: #333
  }
}

Dynamic Sibling Influence

Create an interactive element on your page without JavaScript! This CSS one-liner changes the style of a target element when you hover over its sibling. It’s great for highlighting related elements or showing hidden information when another element is interacted with.

.sibling:hover ~ .target { color: #007bff }
.sibling:hover + .target { color: #007bff }

The ~ the selector in CSS targets all subsequent siblings that match the selector, allowing you to style multiple elements that follow other specific elements within the same parent.

On the other hand, the + selector targets only the directly adjacent sibling that immediately follows the specified element, limiting the effect to just one next sibling.

The `:target` Pseudo Class

CSS offers several pseudo-classes that let you style elements based on different states (:hover, :focus, :checked).

But there’s one you might not have used before — :target

The :target pseudo-class applies styles to an element when its ID matches the Fragment identifier in the URL (the part after #).

This behavior is commonly seen when clicking on an anchor link that jumps to a section on the same page.

Here’s a simple example:

"#contact">Go to Contact
"contact">
  Welcome to the contact section!

When clicked, the URL changes to yourwebsite.com/#contact, and the section becomes the target. That’s where the power of :target comes in.

: vs:: in CSS3

Have you always used trial and error to style elements when it involves either a colon : or a pair of colon ::?

: precedes and identifies the state of an element while :: “creates” element(s). The difference between : and :: is that the former describes the state of a selected element, usually involving user interaction, while the latter is used to create elements as a part of the selected element and/or used to target elements using the selected element as a reference.

It is important to note that : creates pseudo-classes; some examples are
:hover - to style an element when the user is on it, without selecting, i,e hovers over an element
:active - to style an element when clicked ie, when an element is active
:visited - to style anchor tags (links) when a user has clicked on them.
:focus - to style an input field that the user clicked on.

While :: creates pseudo-elements. Some examples of pseudo-elements are
::before - targets created an element that precedes the selected element
::after - targets created an element that succeeds the selected element

Conditions

Conditions can be written in several ways, depending on where you want to use them. Selectors are scoped to their elements, while media queries are scoped globally and need their own selectors.

/* Attribite Selectors */
[data-attr='true'] {
    /* if */
}
[data-attr='false'] {
    /* elseif */
}
:not([data-attr]) {
    /* else */
}

/* Pseudo Classes */
:checked {
    /* if */
}
:not(:checked) {
    /* else */
}

/* Media queries */
:root {
    color: red; /* else */
}
@media (min-width > 600px) {
    :root {
        color: blue; /* if */
    }
}

The Difference Between `width: 100%` and `width: auto`

The width property is used to set the width of an element. By default, width sets the width of the content area, but if the box-sizing property is set to border-box, it instead sets the width of the border area.


"en">
  
    "UTF-8" />
    "viewport" content="width=device-width, initial-scale=1.0" />
    Document
    
  
  
    class="parent">
      parent
      class="child auto">child1: width:auto
      class="child hundred-percent">child2: width:100%

In this example, we set the parent element to have padding: 20px and gave both child elements margin: 20px. child1 has a width property of auto, while child2 has a width property of 100%.

child1 (width: auto): The width adapts to the content area of the parent and does not overflow. Final width calculation for child1:

Parent width: 600px

Margin usage: 20px \ 2 = 40px*

Border usage: 10px \ 2 = 20px*

Final width = 600px — 40px — 20px = 540px

child2 (width: 100%): The width equals the width of the parent and may overflow. Final width calculation for child2:

Parent width: 600px

Final width = 600px (directly matches the parent width)

Conclusion:

width: 100%: The content area of the child element fills the content area of the parent. If the child element also has padding, border, etc., or if the parent has margins and padding, it may cause the child element to overflow.
width: auto: The child element's width is automatically adjusted based on its content, padding, border, and margin to fit within the content area of the parent.

Therefore, in development, it’s advisable to choose width: auto, as it will better maintain the width relative to the parent element. On the other hand, using width: 100% can result in additional spacing being added to the element’s size, potentially leading to layout issues.

Pseudo-Classes

Pseudo-classes such as :hover, :focus, and :first-child are options that select HTML elements based on their state rather than their hierarchy or sequence in the document. These selectors allow developers to create more interactive and responsive UIs without using JavaScript.

The following code example demonstrates several pseudo-classes in action:

// HTML
...
.hover-section:hover {
  background-color: rgb(82, 11, 145); /* Changes the background color on hover */
  color: white;
}
.input-section input[type="text"]:focus {
  border-color: orange; /* Highlights the input field when focused */
  background-color: lightyellow;
}
.list-section li:first-child {
  color: green; /* Styles the first item in a list */
}
.list-section li:last-child {
  color: red; /* Styles the last item in a list */
}

This CSS code example shows how to enhance user interaction by changing styles based on user actions, such as hovering or focusing on elements, and how to style the specific children of a container.

These pseudo-classes are pretty useful when developing forms, navigation menus, or interactive content that requires visual cues to guide user interactions.

Minimize Paint with `will-change`

Ever hover over a button and the whole thing stutters? That’s because the browser wasn’t ready.

You can hint at upcoming changes:

.button:hover {
  will-change: transform, opacity;
}

This makes the browser prep graphics memory ahead of time.

Translation: smoother animations, no jank.

Don’t overuse it, though, or your browser will hoard memory like it’s toilet paper in 2020.

Lazy-Load Background Images with `content-visibility`

Why render things the user can’t even see yet? Enter content-visibility:

.card {
  content-visibility: auto;
}

This delays painting elements until they’re about to scroll into view.

The result? Faster first paint, lower memory usage.

It’s like telling your browser, “Don’t set the table until the guests actually show up.”

Prefer Transforms Over Positioning

Want buttery-smooth animations? Stop animating top, left, width, and height.

They force layout recalculations. Instead, animate transform and opacity.

Example:

.box {
  transition: transform 0.3s ease, opacity 0.3s ease;
}

.box:hover {
  transform: translateY(-5px);
  opacity: 0.9;
}

The GPU handles this like a champ. The CPU can go to sleep.

Use `prefers-reduced-motion`

You love fancy animations. Some people don’t. Respect that by adding this:

@media (prefers-reduced-motion: reduce) {
  * {
    animation: none !important;
    transition: none !important;
  }
}

This won’t just make your site accessible — it also reduces unnecessary paint cycles for users who opt out.

Accessibility and performance high-five.

Skeleton Screens Beat Spinners

You know what screams “slow website”? A spinner.

You know what feels fast? A skeleton screen.

Style your placeholders with CSS to mimic the layout:

.skeleton {
  background: linear-gradient(90deg, #eee 25%, #ddd 50%, #eee 75%);
  background-size: 200% 100%;
  animation: shimmer 1.5s infinite;
}

@keyframes shimmer {
  0% { background-position: -200% 0; }
  100% { background-position: 200% 0; }
}

Instead of waiting for content, users feel like it’s loading in. Big difference.

Stop Overusing Classes — Use These CSS Attribute Selectors Instead

We’ve all seen it:

Every time we want to style something slightly different, we slap on another class. Before long, your HTML becomes a tangled mess of utility and semantic noise.

But here’s the thing:

You don’t need a class for everything.

With CSS attribute selectors, you can target elements based on their HTML attributes — like type, data-*, href, or even aria-*—without bloating your markup.

Targeting Buttons by type

button[type="submit"] {
  background-color: #10b981;
  color: white;
}

✅ No need to add .btn-submit everywhere.

Styling External Links

a[href^="http"] {
  color: #3b82f6;
  padding-right: 1.2em;
  background: url('external-icon.svg') no-repeat right center;
  background-size: 1em;
}

✅ Easily mark external links without class clutter.

File Upload Field Style

input[type="file"] {
  border: 2px dashed #9ca3af;
  padding: 1rem;
  background: #f9fafb;
}

🎯 Great for clean form styling with no extra markup.

ARIA-Based Styling

[aria-expanded="true"] {
  background-color: #d1fae5;
}

✅ Style accordions, modals, or menus based on state — no JS class toggles required.

Data Attribute Styling

[data-theme="dark"] {
  background-color: #1f2937;
  color: white;
}

🎯 Great for feature toggles, themes, or A/B testing.

State Toggles with [checked] or [disabled]

input[type="checkbox"]:checked + label {
  font-weight: bold;
}

button[disabled] {
  opacity: 0.5;
  cursor: not-allowed;
}

✅ Combine with pseudo-classes for interactive UI.

Starts With or Ends With Matching

a[href$=".pdf"] {
  color: #dc2626;
  font-weight: bold;
}

img[src^="https://cdn."] {
  border-radius: 0.5rem;
}

📦 Useful for dynamically generated content.

Stop Janky Scrolling: The CSS Fix Everyone Needs in 2025

They are leaving because your scroll feels broken.

That tiny stutter. That awkward pause when content loads. A lag on mobile when the page is fighting the user’s fingers.

It is death by a thousand scrolls.

And here is the truth: you can fix it with a single CSS property that most developers still overlook in 2025.

Let us break the problem down, fix it step by step, and benchmark the difference together.

Why Junky Scroll Kills Conversions?

Scrolling is the heartbeat of the web. If it is not smooth, everything feels cheap.

A production landing page feels clunky
An article feels heavy
A store feels untrustworthy

You already know how much you care about page speed. Smooth scroll is the speed you can feel.

Most developers unknowingly write CSS that causes the browser to repaint and reflow far more than necessary.

Think of it like this:

+----------+      +----------+
|  Scroll  | -->  |  Recalc  |
+----------+      +----------+
                       |
                       v
                  +----------+
                  | Repaint  |
                  +----------+

Every unnecessary reflow makes the scroll stutter.

The Fix: `scroll-behavior: smooth;` With GPU-Backed Transforms

The magic starts simply.

html {
  scroll-behavior: smooth;
}

.section {
  transform: translateZ(0); /* force GPU layer */
  will-change: transform;
}

scroll-behavior: smooth; tells the browser to animate scrolling natively.
transform: translateZ(0); forces an element into its own GPU layer.
will-change: transform; signals the browser to optimize ahead of time.

Together, these make scrolling butter-smooth, even on weaker devices.

Benchmark: Before vs After

Let us test a long page with 100 image cards.

Before

Average scroll FPS: 38
Input delay: noticeable on mobile
Repaint count: 1,246

After CSS Fix

Average scroll FPS: 58–60
Input delay: nearly invisible
Repaint count: 312

Result: Over 3x fewer repaints, near 60 FPS scroll.

Going Beyond: `scroll-snap-type` for Native Feeling

Want a scroll that feels like a native app carousel?

.container {
  scroll-snap-type: x mandatory;
  overflow-x: auto;
  display: flex;
}

.card {
  scroll-snap-align: start;
  flex: 0 0 300px;
}

Now your horizontal lists snap naturally. No JavaScript sliders. No jitter.

The Mental Model

Think of scroll performance as a pipeline:

User Input --> Compositor Thread --> GPU --> Screen

Your goal is to keep layout and paint out of this loop.

Use transform and opacity for animations.
Avoid forcing the main thread to reflow during scroll.
Always declare will-change for interactive elements.

How To Use CSS Dev Tools Like a Senior Developer

Most developers treat CSS Dev Tools like a glorified toggle switch.

They poke around the Styles panel, disable a few rules, maybe slap on padding: 20px and call it “debugging.”

That’s not senior-level work; that is a whack-a-mole with CSS.

If you want to stop wasting hours wondering “why the hell is my margin not working?“ and actually debug CSS like a senior dev, it’s time to unlock the real power of CSS DevTools.

And no, I’m not talking about the basics you already know.

I’m talking about the panels, emulations, and tricks that make CSS stop feeling like black magic.

Let’s dig in.

The Style Panel isn’t Just For Toggling

Yes, the Styles panel is where you check rules. But here’s what seniors actually do with it:

Emulate states

Ever tried debugging a :hover style while… also needing your mouse on DevTools?

Painful. Instead, force states (:hover, :active, :focus) from the DevTools sidebar.

Play with classes

Use the “.cls” icon to add/remove classes on the fly without editing your HTML.

Want to see how .is-active breaks your layout? Toggle it. Done.

Write temporary CSS

Hit the little “+” button and drop in experimental styles.

It’s like a sandbox stylesheet that doesn’t touch your actual code.

👉 Action step: Next time you’re chasing down a hover bug, force the state in DevTools.

Stop playing Twister with your mouse.

Computed Panel: The Truth Serum

CSS is full of lies.

You think an element has margin: 20px but then, oh look, it’s being overwritten by something else.

The Computed tab shows the final, actual styles being applied.

It also visualizes the box model so you can see margin, border, padding, and content at a glance.

Crossed-out rules? They’re overridden. Stop blaming CSS when the cascade is doing exactly what you told it to.
Need to find the origin of a property? Click the property in the computed panel — it jumps straight to the rule that’s winning.

👉 Action step: Whenever CSS “isn’t working,” check Computed.

It’s the lie detector test your code needs.

Layout Tab: The Grid/Flex Lifesaver

CSS is full of lies.

You think an element has margin: 20px but then, oh look, it’s being overwritten by something else.

The Computed tab shows the final, actual styles being applied.

It also visualizes the box model so you can see margin, border, padding, and content at a glance.

Crossed-out rules? They’re overridden. Stop blaming CSS when the cascade is doing exactly what you told it to.
Need to find the origin of a property? Click the property in the computed panel — it jumps straight to the rule that’s winning.

👉 Action step: Whenever CSS “isn’t working,” check Computed.

It’s the lie detector test your code needs.

Rendering Panel: The Senior Developer’s Playground

Buried in the command menu (Ctrl+Shift+P → Rendering), this tab is criminally underused.

Here’s what it gives you

Color scheme emulation. Test light/dark mode without changing your OS.
Reduced motion preference. See how your site behaves for users who disable animations.
Paint flashing. Highlights what’s repainting on every frame — great for performance debugging.
Layout shift visualization. See why Google is punishing your site for Cumulative Layout Shift (CLS).
Color blindness simulation. Stop shipping inaccessible UIs because “the button looked fine to me.”

👉 Action step: Before launch, run through Rendering with reduced motion and color blindness toggled.

If your app becomes unusable, you’ve got work to do.

Animation Panel: Stop Guessing Timing Functions

CSS animations can be… slippery. That bounce you coded? Doesn’t actually look like a bounce.

The Animations panel lets you:

Scrub through animations frame by frame.
Play them at 10% speed to spot glitches.
Adjust duration and easing live.
Copy the adjusted values back into your stylesheet.

👉 Action step: Open Animations and scrub your next animation.

If it looks clunky and slowed down, your users are noticing too.

CSS Overview: The Bird’s-Eye View You Didn’t Know You Needed

This one feels like cheating. The CSS Overview tab (still “experimental”) takes a full snapshot of your page’s CSS.

It shows you

Every color in use — great for catching “why do we have seven slightly different greens?”
Contrast issues — click to jump to the exact element failing accessibility.
Fonts and weights — spotting that one rogue Arial when everything else is Inter.
Unused declarations — rules that literally do nothing.
Media queries — so you can consolidate breakpoints instead of scattering them like confetti.

👉 Action step: Run CSS Overview on your project right now.

I guarantee you’ll find at least one color or font inconsistency you didn’t notice.

Bonus for Font Debugging (Firefox Only)

Ever deployed a site and heard: “The fonts don’t load for me”?

You swear they work fine on your machine.

Spoiler: it’s because you had the font installed locally.

In Firefox, set layout.css.font-visibility to 1 in about:config.

This blocks locally installed fonts so you can catch missing imports before shipping.

👉 Action step: Test your next project in Firefox with this setting.

If your fancy custom font disappears, congrats — you just saved yourself an embarrassing bug report.

Copy CSS Path

The time-saver: Need to target an element with CSS but can’t figure out the selector?

Right-click any element in DevTools → Copy → Copy selector.

It gives you the exact CSS selector to target that element:

/* Instead of guessing: */
.header .nav ul li:nth-child(3) a

/* DevTools gives you: */
#header > nav.main-nav > ul.nav-list > li:nth-child(3) > a.nav-link

Bonus: Use “Copy JS path” for querySelector in JavaScript.

CSS Coverage Analysis

The performance killer: Dead CSS bloating your stylesheets.

The solution: Coverage tab (More tools → Coverage)

Start recording
Navigate your site
Stop recording
See exactly which CSS rules are used vs unused

Red bars = unused CSS
Green bars = used CSS

I found one client had 73% unused CSS. That’s a massive performance hit that nobody noticed.

Color Picker Superpowers

Most people just click the color square and pick colors.

But there’s more:

Eyedropper tool: Sample any color from anywhere on the page
Contrast ratio checker: Ensures accessibility compliance
Color format switcher: Toggle between hex, rgb, hsl with Shift+Click
Color palette: DevTools remembers your recent colors

.text {
    color: #007bff; /* Shift+click to cycle through formats */
    /* #007bff → rgb(0, 123, 255) → hsl(211, 100%, 50%) */
}

CSS Changes Tracker

The workflow optimizer:

When you make changes in DevTools, they disappear on refresh. But there’s a hidden tracker:

Sources tab → Overrides
Enable local overrides
Select a folder to save changes
Now your DevTools changes persist!

Even better: Sources tab → Changes shows you a diff of everything you modified.

Performance Insights for CSS

The advanced move:

Performance tab → Start recording → Interact with your page → Stop

Look for:

Style recalculations (purple bars)
Layout thrashing (green bars)
Paint operations (green bars)

/* This triggers expensive reflows: */
.animation {
    animation: slideDown 0.3s ease;
}

@keyframes slideDown {
    from { height: 0; }
    to { height: 200px; }
}

/* This is much more performant: */
.animation {
    animation: slideDown 0.3s ease;
}

@keyframes slideDown {
    from { transform: translateY(-100%); }
    to { transform: translateY(0); }
}

Transform and opacity changes are cheaper than layout properties.

The CSS property that’s making every website feel slow

Last week, I was debugging why our company’s dashboard felt sluggish on mobile devices. Everything looked perfect in Chrome DevTools on my local machine, but real users were complaining about janky scrolling and laggy interactions. After hours of profiling, I found the culprit hiding in plain sight: box-shadow.

That innocent little property we all love for adding depth and polish was silently murdering our performance.

The Shadow That Haunts Performance

Box-shadow is one of the most performance-heavy CSS properties you can use. When applied to many components with large blur radius values, it can significantly slow down your webpage. Yet it’s everywhere - cards, buttons, dropdowns. We sprinkle it on like digital seasoning without thinking twice.

Here’s what I discovered: a video streaming interface with blurred backgrounds showed dramatic differences in GPU utilization solely attributed to blur effect implementation. The internal computations required for the blur effect heavily utilize the GPU, and when you multiply that over dozens of elements, you get a choppy user experience.

Why Box-Shadow murders your frame rates

Think about what happens when a browser renders the box-shadow:

Element with box-shadow renders like this:
┌─────────────────┐
│   Your Element  │ ← Original element
└─────────────────┘
    ▼ ▼ ▼ ▼ ▼     ← Shadow calculation
  ░░░░░░░░░░░░░░░   ← Blur processing
 ░░░░░░░░░░░░░░░░░  ← Color blending
░░░░░░░░░░░░░░░░░░░ ← Composite layers

The browser has to:

Create a copy of your element’s silhouette
Offset it based on your x/y values
Apply blur calculations (this is the killer)
Composite it behind your element
Repeat for every frame during animations

When used on a large number of elements or a large blur radius, it can significantly slow down your page. I have seen sites with 50+ elements using box-shadow: 0 10px 25px rgba(0,0,0,0.15) wondering why their Lighthouse performance score is in the red.

Let’s check out the real-world impact and these alternative solutions in this article.

Top 10 CSS Mistakes Even Experienced Devs Still Make

If you’ve ever spent 45 minutes adjusting a margin only to realize it was a padding issue all along, you’re not alone. CSS is deceptively simple. And even seasoned frontend engineers make the same silent missteps that later haunt QA reports, mobile views, and weird browser edge cases.

Here are 10 CSS mistakes that even experienced developers keep making…yes, even the ones who tweet confidently about CSS Grid.

1. Using `z-index` Without Understanding Stacking Context

Cranking up z-index: 9999 should solve it, right?
Not if you’ve unknowingly created a new stacking context.

Any transform, opacity < 1, filter, will-change, or position: fixed inside an element can create a new stacking context, which isolates z-index levels from the outside world. This one causes endless ghost-layer bugs, especially in modals or dropdowns.

2. Misusing `vh` Units on Mobile

Setting an element to height: 100vh used to be the go-to for fullscreen sections. But on mobile? It breaks.

iOS Safari subtracts the browser UI height differently. So what looks fine on a desktop often cuts off or overflows awkwardly on phones.

Fix: Use 100dvh (dynamic viewport height) or JS to set height dynamically if full-viewport fidelity is critical.

3. Forgetting That Flex Children Don’t Shrink by Default

Ever have a card layout break because one element is way too wide? That’s usually because flex-shrink isn’t behaving as expected.

When elements have content that doesn’t wrap or images without max-widths, the container explodes. A quick min-width: 0 or overflow: hidden can sometimes fix the unexpected growth.

4. Using `position: absolute` Inside a Flexbox Without a `relative` Parent

This is a silent killer. If you absolutely position something inside a flex container but forget to set position: relative on the flex parent, your top/right/bottom/left values don’t do what you think they do.

It works sometimes because of inherited flow…and fails just enough to make you question your skills.

5. Over-Nesting When It’s Not Needed

We’ve all done this:

Why? Just use .card-title.

Excessive nesting makes CSS harder to override, understand, and maintain. Especially when using BEM or CSS modules, keep selectors shallow and intentional.

6. Relying on `!important` as a First Resort

The !important tag is a crutch. Once you use it, you start a spiral where other styles need !important just to win.

If your CSS is fighting itself, chances are the problem isn’t specificity, it’s architecture. Audit your cascade.

Use !important only when you absolutely must override a third-party style and cannot change the source.

7. Forgetting About `box-sizing: border-box`

Still using width: 100% + padding and wondering why things overflow?

This tiny rule ensures that paddings are included inside the defined width/height, not added after it. Saves layouts. Every time.

8. Missing the Power of Logical Properties

Still writing margin-left and padding-top? That works, but it breaks in right-to-left (RTL) layouts or vertical writing modes.

Logical properties make your layout direction-agnostic and future-proof.

9. Overusing `display: flex` When You Needed `block`

Sometimes, all you need is display: block and margin: auto to center something. But we’re so used to typing display: flex; align-items: center; justify-content: center that we forget the simpler tools.

Over-flexing often leads to layout bugs where child elements don’t behave like you expect.

10. Letting Your CSS Snowball

The biggest mistake? Thinking CSS doesn’t need structure.

If you’re not using a convention (BEM, SMACSS, Tailwind, CSS Modules, whatever), your styles will grow into a tangled mess.

CSS is global by default. That’s its power and its curse.

Without discipline, every new feature becomes an accidental override.

CSS might not throw runtime errors, but it can absolutely wreck your product quietly and visually.

Even senior devs mess this up. The goal isn’t to avoid mistakes entirely; it’s to recognize the traps, name them, and debug faster next time.

Tailwind CSS

Exploring the rise of the utility-first CSS framework that’s changed the game. Here’s how Tailwind became so popular and why I have refused to use any other CSS solution since the year 2022.

Best Practices for Tailwind CSS

Do not repeat the same class names for elements

Prefer to create separate components with uniform styles throughout the application instead of writing the same class names in multiple places or creating a new class name including all the Tailwind class names using @apply directive.

Doing so would offer us the flexibility of updating our styles with minimal effort, as we have to update the class names in only a single place.

Suppose we have a h1 tag that will be used in multiple places. We have two approaches to achieve it:

We can create a component H1Heading with Tailwind classes applied to it and reuse this component whenever it is required.

 const H1Heading = ({ children }) => {
   return (
     "text-2xl md:text-4xl lg:text-5xl xl:text-6xl font-bold text-black">
       {children}
     
   );
 };

We can create a class in our CSS file that includes all the tailwind class names for the particular element and use the class name wherever required.

 @tailwind base;
 @tailwind components;
 @tailwind utilities;

 .heading-1 {
     @apply text-2xl md:text-4xl lg:text-5xl xl:text-6xl font-bold text-black
 }

 <h1 className="heading-1">
   Some random heading
 <h1>

Maintain an organized style guide using design tokens

Design tokens are a way to store and manage your design variables, such as color palettes, spacing scale, typography scale, or breakpoints. With design tokens, you can create consistent and reusable styles that are easy to update and maintain.

You can create the design tokens in the tailwind.config.js file. This is a good way to centralize your design tokens and make them available to all of your Tailwind CSS classes.

Suppose our application follows a particular design system. We can add these guidelines to our Tailwind configuration:

import defaultTheme from "tailwindcss/defaultTheme";

const config = {
  content: [
    "./src/**/*.{js,ts,jsx,tsx,mdx}",
  ],
  theme: {
    extend: {
      fontFamily: {
        manrope: "var(--font-manrope)",
      },
      colors: {
        ...defaultTheme.colors,
        theme: "#7743DB",
        light: {
          primary: "#FFFFFF",
          secondary: "#f1f1ef",
        },
        dark: {
          primary: "#0F0F0F",
          secondary: "#202020",
        },
        "background": "#F5F5F5",
      },
      screens: {
        ...defaultTheme.screens,
        xs: "340px",
        sm: "420px",
      },
      spacing: {
        spacing: {
          ...defaultTheme.spacing,
          1: '5px',
          2: '10px',
          3: '15px',
          4: '20px',
          5: '25px'
        }
      }
    },
  },
};

Avoid using arbitrary values

Imagine our web application follows some color scheme where we have #7743DB as our theme color and #0D0D0D as our background color.

We can add these colors to our Tailwind configuration and refer to them using class names, such as bg-background text-theme instead of using arbitrary values at multiple places, i.e. bg-[#0D0D0D] or text-[#7743DB].

Now, if we want to change our application’s color scheme, we just need to update our tailwind configuration instead of renaming the arbitrary class names in multiple places.

import defaultTheme from "tailwindcss/defaultTheme";

const config = {
  content: [
    "./src/**/*.{js,ts,jsx,tsx,mdx}",
  ],
  theme: {
    extend: {
      colors: {
        ...defaultTheme.colors,
        theme: "#7743DB",
        background: "#0D0D0D"
      },
    },
  },
};

export default config;

const ColoredText = ({ children }) => {
  return (
     "text-theme">
          {children}
     
  );
};

Avoid applying dynamically generated class names

You might have encountered this issue while working with dynamic classes: Whenever we apply dynamic class names based on a state or condition, the class name appears in the browser's elements panel, but its corresponding CSS does not.

const BorderBox = ({ borderColor }) => {
  return (
    `border border-solid border-[${borderColor}]`}>
      Some Random Text
    
  );
};

This is because Tailwind scans your source code for classes using regular expressions to extract every string that could possibly be a class name. Hence, any broken class name string such as border-[${borderColor}] would not be recognized by Tailwind at build time, and it would not be included in the output CSS file of Tailwind.

Suppose we have to change the border color of our element based on the color code passed in props. There are two ways to it:

Defining a separate class name for each state value. This is only applicable if you know all the expected values of borderColor at build time.

 const BorderBox = ({ borderColor }) => {
   return (
     "border border-solid", {
         "border-black": borderColor === "black",
         "border-red-500": borderColor === "red",
         "border-green-500": borderColor === "green",
       })}
     >
       Some Random Text
     
   );
 };
 // Note: clsx is utility package for constructing className strings conditionally.

If we do not know all the expected values of borderColor at the build time, it is better to pass the border color in the style attribute of the element to support unknown values.
```
 const BorderBox = ({ borderColor }) => {
   return (
     "border border-solid" style={{ borderColor }}>
       Some Random Text
     
   );
 };
```

The Game-Changing Content Configuration Hack

While everyone obsesses over purging unused CSS (which, yes, is important), there is a more subtle performance killer hiding in plain sight: poorly configured content paths.

Most developers do this:

// tailwind.config.js - The WRONG way
module.exports = {
  content: [
    "./src/**/*.{js,jsx,ts,tsx,html}",
    "./public/**/*.html",
    "./components/**/*.{js,jsx}",
  ],
  // ... rest of config
}

Looks innocent, right? Wrong.

This overly broad configuration forces Tailwind to scan thousands of unnecessary files, creating massive build time and bloated CSS output. Your development server crawls, your production build takes forever, and your final CSS bundle includes styles you will never use.

Here’s the hack that changed everything for me:

// tailwind.config.js - The OPTIMIZED way
module.exports = {
  content: [
    // Be surgical about your paths
    "./src/components/**/*.{jsx,tsx}",
    "./src/pages/**/*.{jsx,tsx}",
    "./src/app/**/*.{jsx,tsx}",

    // Exclude heavy directories
    "!./src/assets/**",
    "!./src/utils/**",
    "!./node_modules/**",

    // Include only files that actually use Tailwind
    {
      files: ["./src/**/*.{js,jsx,ts,tsx}"],
      transform: (content) => content.match(/class[Name]*\s*[:=]\s*["`']([^"`']*)["`']/g) || []
    }
  ],
  // Enable JIT mode for instant compilation
  mode: 'jit',
  // ... rest of config
}

The magic happens in three ways:

Surgical Path Targeting: Instead of scanning everything, we target only files that actually contain Tailwind classes
Smart Exclusions: We explicitly exclude heavy directories that don’t need scanning.
Content Transformation: We use a custom transform to extract only relevant class patterns.

After implementing this hack in a React e-commerce project:

Build time: 45 seconds → 12 seconds (73% faster)
Development server startup: 8 seconds → 2.5 seconds
Final CSS bundle: 145KB → 23KB (84% smaller)
Lighthouse Performance Score: 67 → 94

My client was speedless. The same website that used to take 8 seconds now loads in under 2 seconds.

Creating a utility to read Tailwind Configuration in JavaScript

In web applications, a situation rarely arises where you need to read some CSS design token value in JavaScript, but when it does, we generally hardcode the CSS design token value in our code while working with Tailwind. This is not a good practice, as in the future, if you change your design token value in your Tailwind configuration, your code might still refer to the old value, which can cause unwanted behavior.

Hence, we can build a custom utility function to read the Tailwind configuration in our code.

import resolveConfig from "tailwindcss/resolveConfig";
import tailwindConfig from "../tailwind.config";

const getTailwindConfiguration = () => {
  return resolveConfig(tailwindConfig).theme;
};

const config = getTailwindConfiguration();

console.log(config.colors.red[500]); // would print #ef4444

Defining Tailwind Plugins to register new/complex CSS styles

Tailwind provides us with plugins to register new styles and inject them into the user’s stylesheet using JavaScript instead of writing custom CSS styling in stylesheets.

I prefer this approach, as writing custom CSS classes means essentially rewriting CSS and sacrificing Tailwind’s organized workflow and simple maintenance.

Suppose we want to create a .btn class that has several styles attached to it. This is how we can achieve it:

import plugin from "tailwindcss/plugin";

const config = {
  content: [
    "./src/**/*.{js,ts,jsx,tsx,mdx}",
  ],
  plugins: [
    plugin(function ({ addComponents }) {
      addComponents({
        ".btn": {
          padding: ".5rem 1rem",
          borderRadius: ".25rem",
          fontWeight: "600",
        },
      });
    }),
  ],
};

export default config;

This is how the .btn class would look like when you hover over it:

Tailwind supports registering complex styles as well, along with user-provided values. You can go through the Tailwind official documentation for the plugin to know more about it.

Tailwind CSS Tips & Tricks

Styling children from the parent element (`&_*`)

Generally, you can just put utility classes on any element to style it. But, there is a case when you don’t have control over certain elements, like when you are using external components.

In that case, you can use this class to style elements inside those components. There are 2 ways to style elements inside their parent:

Using *:{utility-class} to style direct children, which is documented here.
Using [&_{children-selector}]:{utility-class} to style any descendant of the parent element. I don’t know why, but this way is not documented in the official documentation.

<div class='[&>p]:font-bold *:uppercase [&_.link-class]:text-teal-500'>
    <p>
        This text is styled by{' '}
        <a class='link-class' href='#'>
            its ancestor
        a>
    p>
div>

The underscore in the code is a replacement for a space. You can also use id or class selectors.

Let the DOM state style itself (data/aria, peer, and group)

Skip JS for visual states you already have in the DOM.

Toggle data-* or aria-* attributes and let Tailwind variants do the heavy lifting.

Tabs with data-state:

class="flex gap-2" role="tablist">

Disclosure with aria-expanded + peer:

<button aria-expanded="false" id="acc-1" class="peer px-3 py-2 rounded-brand border">
  FAQ
button>
<div class="max-h-0 overflow-hidden peer-[aria-expanded=true]:max-h-96 transition-[max-height]">
  <p>Answer goes here.p>
div>

Nested hover/focus with group:

<a class="group block p-4 rounded-brand border">
  <span class="underline group-hover:no-underline">Read morespan>
a>

👉Reality: If you need complex timelines or animations, sure — write JS.

But for 80% of UI toggles, the semantics are already in the markup. Use them.

Style based on sibling state peer-*

You can use peer-{state}:{utility-class} to style an element based on its sibling state.

<form class='max-w-sm mx-auto'>
    <label class='block'>
        <span class='block text-sm font-medium text-slate-700'>Emailspan>
        <input
            type='email'
            class='peer rounded p-3 w-full outline-none border border-solid border-slate-300'
            placeholder='Type an invalid email to see error message'
        />
        <p class='mt-2 invisible peer-invalid:visible text-pink-600 text-sm'>Please provide a valid email address.p>
    label>
form>

In the demo above, you can see that the error message is only visible when the input element (sibling) has invalid state.

Style based on descendant has-*

There is also a way to style an element based on its children or descendants. The example use case for this is when looping a post list that the post item can contain an image or not.

In real use cases, you probably use JavaScript logic instead using has-[{element-selector}] to style based on the descendant element. But, has-* also supports for descendant state.

In the demo above, you can see that I used has-[img:hover] to changed the background when the image hovered. You can use another state like invalid, disabled, focus, etc. This is the best case where you can use has-* selector.

You can also combine has-* with another modifier like peer-has-*.

Custom Classes with Arbitrary Values

Custom classes with Arbitrary Classes are like writing CSS directly inside the class. It looks something like text-[#09836d] or mr-[75px]. You can use a class with arbitrary as the last resort when you can’t find any predefined utility class that fulfills your use case.

You can pass any value that is valid, such as the CSS property class, to a custom class. You can even pass Tailwind CSS variables. You can find more examples of Arbitrary values in the official documentation.

One thing that usually becomes an issue when using classes with arbitrary values is when you need to pass a value with a space. For example, when you want to pass box-shadow value 0 0 2px 0 #abcdef. In this case, you can replace the space with _, so the class will be shadow-[0_0_2px_0_#abcdef].

Keep in mind that a CSS class can’t contain whitespace.

Color Opacity

Did you know that you can apply opacity to your color classes? It works in classes that contain color value like bg-{color}, text-{color}, border-{color}. You just need to add /{opacity-value} after the class. The opacity value is 0 to 100 with an interval of 5.

Customize / Disable Tailwind container class

Tailwind CSS comes with a built-in responsive container class. The container will adjust in xs, sm, md, and lg breakpoints. By default, the container class has no padding and center positioning. But if you want to customize it, you can add container configurations in tailwind.config.js file.

 /** @type {import('tailwindcss').Config} */
module.exports = {
 ...,
  theme: {
    container: {
      center: true,
      padding: '1rem'
 },
 },
}

You can also disable or remove the container class by setting container: false in corePlugins configuration.

/** @type {import('tailwindcss').Config} */
module.exports = {
 ...,
  corePlugins: {
    container: false
 },
}

Space between elements (space-* and gap-*)

When displaying a list or grid, we usually need spacing between list or grid items. We often use padding-{top/bottom/left/right} or margin-{top/bottom/left/right} and end up with excess spacing in the last item.

You can solve this by using space-* or gap-* in the list or grid container. space works for all element displays (block, flex, grid, etc), while gap-* only works for flex and grid element.

If you use space-*, you have to define the direction, whether vertical or horizontal spacing. Use space-x-* for horizontal space and space-y-* for vertical spacing.

Replace Js substring() with truncate and line-clamp-*

Before I knew truncate and line-clamp-*, I usually used the JavaScript function substring(0, n) to truncate a string. However, the sentences often have inconsistent widths because each letter has a different width.

truncate and line-clamp-* solve this, because they don’t care about the number of letters; they only care about the number of lines.

You can use truncate to truncate sentences into 1 line. If you want to truncate a paragraph after, let’s say 3 lines, you can use line-clamp-3.

class='max-w-xs mx-auto bg-slate-100 rounded p-3 mb-3'>
    class='truncate'>
        This is text with `truncate`: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Lorem ipsum dolor sit amet, consectetur
        adipiscing elit.
    

class='max-w-xs mx-auto bg-slate-100 rounded p-3'>
    class='line-clamp-2'>
        This is text with `line-clamp-2`: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Lorem ipsum dolor sit amet, consectetur
        adipiscing elit.

backdrop-blur-* – The Frosted Glass Effect You Forgot

Everyone loves a good glassmorphism effect — until they forget how easy Tailwind makes it.

class="backdrop-blur-sm bg-white/30">
  class="text-white">Frosty content

Instantly adds depth and modernity.

And no, you don’t need five layers of CSS anymore.

scroll-mt-* – Scroll-To Sections Done Right

Ever anchor to a section only to find your fixed header hiding it?

scroll-mt-* to the rescue:

"features" class="scroll-mt-16">Features

Now, your content actually shows below the header.

UX magic, powered by one tiny utility.

prose (Typography plugin) – Markdown Never Looked So Good

Stop styling every

manually.

Wrap your Markdown content in a prose container:

class="prose lg:prose-xl">

Clean, beautiful typography out of the box.

Your blog posts, docs, and release notes will thank you.

isolate and isolation-auto – Z-Index Nightmares? Solved.

Ever get stuck fighting z-index wars? Adding isolate to your container creates a new stacking context, keeping your modal, dropdown, or tooltip sane.

class="relative isolate">

No more random overlaps. Just clean, predictable layering.

Use @layer components + @apply to codify patterns (not micro-utilities)

@apply is not a religion. It’s a screwdriver.

Use it to standardize repeatable “atoms” like buttons, inputs, and cards—so you stop micromanaging 14 classes every time.

/* components.css */
@tailwind base;
@tailwind components;
@tailwind utilities;

@layer components {
  .btn { @apply inline-flex items-center justify-center font-medium rounded-brand shadow-sm transition; }
  .btn-primary { @apply btn bg-brand/100 text-white hover:bg-brand/90 active:bg-brand/80; }
  .btn-ghost { @apply btn bg-transparent text-fg hover:bg-fg/5; }
  .field { @apply w-full rounded-brand border border-fg/20 bg-white/90 px-3 py-2 shadow-sm focus:outline-none focus:ring-2 focus:ring-brand/40; }
  .card { @apply rounded-brand border border-fg/10 bg-white/70 p-4 shadow; }
}

Now your HTML stays readable:

<button class="btn-primary">Publishbutton>
<input class="field" placeholder="Email"/>
<div class="card">...div>

👉Reality: Don’t wrap every single utility in a class.

The goal is to capture patterns, not hide Tailwind. If a style is used once, keep the utilities inline.

References

https://dev.to/madza/18-github-repositories-to-become-a-css-master-lab

https://defensivecss.dev/

https://moderncss.dev/12-modern-css-one-line-upgrades/?ref=dailydev

https://dev.to/poetryofcode/5-hidden-css-properties-you-didnt-know-existed-12h8

https://dev.to/alvaromontoro/css-one-liners-to-improve-almost-every-project-18m?ref=dailydev

https://medium.com/design-bootcamp/7-new-css-features-you-dont-know-about-226dd2921cb4

https://medium.com/design-bootcamp/remove-image-backgrounds-with-one-line-of-css-181581eb05fc

https://medium.com/syncfusion/5-modern-css-styles-you-should-know-in-2024-3c2bc3ec6093

https://blog.stackademic.com/the-top-6-css-cheatsheets-that-will-save-you-hours-2e1d29ed5c24

https://matemarschalko.medium.com/20-css-one-liners-every-css-expert-needs-to-know-bef568ddc265

https://medium.com/@karstenbiedermann/goodbye-sass-welcome-back-native-css-b3beb096d2b4

https://kaderbiral26.medium.com/15-useful-css-properties-you-should-know-about-d924343d6f9c

https://dev.to/stephikebudu/-vs-in-css3-13le?ref=dailydev

https://medium.com/better-programming/why-tailwind-css-became-so-popular-a-developers-guide-11213c08fa46

https://medium.com/coding-at-dawn/why-tailwind-css-is-48-better-for-performance-than-css-in-js-93c3f9fd59b1

https://medium.com/@imanshurathore/best-practises-for-tailwind-css-in-react-ae2f5e083980

https://devaradise.com/tailwind-css-tips-tricks/

https://pradipkaity.medium.com/css-only-click-handlers-you-might-not-be-using-but-you-should-69b6c9a07bf2

https://medium.com/developers-corner/these-css-pro-tips-and-tricks-will-blow-your-mind-8b58a4a682e5

https://medium.com/@karstenbiedermann/css-and-vibe-coding-why-good-frontend-devs-still-matter-in-the-age-of-ai-09797a7f1287

https://medium.com/@karstenbiedermann/the-10-best-new-css-features-in-2025-already-supported-in-all-major-browsers-c4a4cbbf71ea

https://javascript.plainenglish.io/exploring-the-difference-between-width-100-and-width-auto-81a89c6b6f52

https://javascript.plainenglish.io/stop-overthinking-media-queries-just-use-these-3-breakpoints-f4abb99329aa

https://medium.com/design-bootcamp/5-css-features-you-may-not-heard-of-but-super-useful-6eec0912779b

https://railsdesigner.com/modern-css-overview/?ref=dailydev

https://cody-by-umar.medium.com/responsive-tables-are-hard-heres-a-pattern-that-works-4104af327210

https://medium.com/@orami98/next-gen-web-animations-15-css-javascript-techniques-that-will-make-your-website-300-more-c85a948486ea

https://javascript.plainenglish.io/css-devtools-secrets-every-developer-should-master-2ffee437a4fb

https://medium.com/full-stack-forge/7-tailwindcss-utilities-youre-probably-underusing-a74896c7efde

https://medium.com/full-stack-forge/this-one-css-trick-cleaned-up-my-entire-codebase-f0d3682b9a3c

https://javascript.plainenglish.io/top-10-css-mistakes-even-experienced-devs-still-make-52577991a417

https://javascript.plainenglish.io/9-simple-css-tricks-that-make-your-website-feel-faster-689ac395a9d8

https://medium.com/@Krishnajlathi/from-janky-to-smooth-the-css-scroll-trick-you-need-in-2025-9a1d0c942085

https://medium.com/full-stack-forge/how-to-use-css-dev-tools-like-a-senior-developer-e6e99bba6c19

https://medium.com/mern-mastery/the-secret-tailwind-hack-that-made-my-website-3x-faster-and-my-clients-finally-stopped-5e106b4faf9b

https://javascript.plainenglish.io/the-one-css-trick-every-frontend-dev-shouldve-learned-years-ago-a20cb77b9542

https://javascript.plainenglish.io/stop-overusing-classes-use-these-css-attribute-selectors-instead-0a51b0e514a4

https://pixicstudio.medium.com/css-concepts-every-developer-should-know-f988b28d00d7

🔥 Mastering HTML

Tuan Tran Van — Mon, 13 Jan 2025 09:47:41 GMT

HTML is a tool for creating web pages. It offers a wide range of functions and a clear structure.

However, many developers have overlooked these features, even though they can greatly enhance web development efficiency and user experience.

But in this article, I will show you the rest of the iceberg and what HTML is capable of.

Semantic HTML isn’t just for Screen Readers - It’s a superpower you are probably ignoring

Let me tell you something I have noticed after conducting dozens (maybe hundreds) of frontend interviews over the years — from junior devs to so-called “staff engineers“ with 10+ years under their belt.

Most of them know semantic HTML exists.
Very few actually understand it.

They can rattle off that

, and

exist. Some even throw in a

or for good measure.

But when I ask:
“Why would you use a

instead of a

?”
…I usually get a pause, followed by a vague answer about “accessibility,” or “SEO,” or “structure.”

So, What is Semantic HTML —Really?

Semantic HTML is about meaning, not appearance.

When you use semantic tags, you are telling the browser (and everything that reads HTML — search engines, screen readers, assistive tools, crawlers) what the content represents, not how it looks.

And, guess what? They aren’t just fancier divs.

They play a critical role in how assistive tech, search engines, and even future developers understand your layout.

🎯 Why Should You Care? (Beyond Passing a Lighthouse Audit)

Most frontend engineers treat semantic HTML like flossing.
They know they should do it… but they don’t really feel the urgency.

So let’s break down why it matters:

1. Accessibility That Works Without JavaScript

Screen readers like VoiceOver or NVDA rely on semantic structure to announce content properly.