Scroll listeners are easy to get wrong and they can cause performance issues on long lists. IntersectionObserver lets the browser do the hard work: I put a sentinel div at the bottom of the list and trigger fetchNextPage when it becomes visible. I als

API docs shouldn’t be a wiki page that drifts from reality. I generate an OpenAPI spec from code-adjacent definitions so changes get reviewed alongside implementation. The frontend benefits too: typed clients, mock servers, and even contract tests bec

Leaking secrets into the browser bundle is an easy mistake. Vite only exposes env vars with the VITE_ prefix, and I keep that rule strict. I also define a small typed wrapper so components don’t read import.meta.env directly everywhere. The wrapper gi

Most security issues aren’t exotic—they’re missing headers and unsafe defaults. helmet gives a sensible baseline: headers that reduce clickjacking risk, tighten content-type sniffing, and improve general browser hardening. I still configure CSP explic

A “quick view” is basically a show page rendered inside a frame. I implement it by adding a turbo_frame_tag 'quick_view' on the index page, and making item links target that frame. If Turbo is disabled or if the response doesn’t include the frame, the

Brittle test suites often come from mocking fetch at every call site. MSW lets me mock at the network layer: components make real HTTP calls, but the test environment intercepts them and returns deterministic responses. That keeps tests closer to real

I instrument services because I don’t want performance and reliability to be a guessing game. In Service instrumentation, I wrap the work in ActiveSupport::Notifications.instrument and emit a stable payload (things like IDs and counts, not giant blobs

Signals allow different parts of the application to respond to model events without tight coupling. I use post_save for actions after an object is created or updated, like sending notifications or updating related records. The @receiver decorator is c

Django's message framework provides one-time notifications to users. I use messages.success(), messages.error(), messages.warning(), and messages.info() to add messages. Messages persist across redirects and are displayed once. I configure message sto

CSP is a strong defense-in-depth measure for XSS. Start with report-only to learn what breaks, then enforce. Keep it explicit and include nonces for inline scripts when needed.

I send HTML emails using Django templates for consistent branding. The EmailMultiAlternatives class supports both plain text and HTML versions. I render templates with render_to_string and context data. For transactional emails, I queue them via Celer

For webhooks, I assume the internet is hostile by default. I don’t trust that a request ‘looks like’ it came from Stripe/GitHub/etc; I verify the signature over the raw request body and use crypto.timingSafeEqual to avoid leaking information via timin