I'm currently building a production-ready Calendly clone using Django REST Framework — Day 15 of a 12-week build. Today I implemented JWT authentication with token rotation and blacklisting. Here's one engineering decision that took me time to understand: The refresh token goes in an HttpOnly cookie not localStorage. Why? JavaScript cannot read HttpOnly cookies. That means even if someone injects malicious script into the page (XSS attack), they cannot steal the refresh token. localStorage is accessible to all JavaScript on the page — one vulnerability exposes every user's session. The access token (15 min TTL) goes in the response body and is stored in memory. Short TTL means even if it is stolen, the damage window is small. Small decision. Big security implication. Building this publicly on GitHub as I go: https://lnkd.in/e-bfN9BU #Django #DRF #BackendEngineering #Python #JWT

LeetCode Day 15 : Problem 151 (Reverse Words in a String) Just solved another LeetCode problem. It was "Reverse Words in a String", sounds familiar, right? But here's what I actually learned: Sometimes the best solution is knowing exactly which built-in tools to chain together. trim() removes leading and trailing spaces. split(/\s+/) splits on one or more spaces with no empty strings. reverse() flips the array. join(" ") puts it back with single spaces. Four methods, one line, done. This problem would have taken me much longer at the start of this journey. But after solving whitespace problems before, the /\s+/ regex was already in my toolkit. Every problem you solve teaches you something you use again later. The insight that made it click, strings are just arrays of words waiting to be manipulated. Know your array methods and string problems become much easier. Eighteen problems in. Sometimes the lesson isn't about a new algorithm or pattern. Sometimes it's about recognising that the tools you already have are exactly what you need. The real lesson? Build your toolkit problem by problem. Each solution you learn is a tool you carry into the next one. #DSA #LeetCode #JavaScript #CodingJourney #Programming

🔦 Truthy and Falsy Values     Falsy values:     false , 0 , "" , null , undefined , NaN     Everything else is truthy, including:     "0" , "false" , [] , {} , function(){} 🧠 Mindset JavaScript will often auto-convert types behind the scenes. Always stay aware of what data type you’re working with. ❓ Common Confusions typeof null is "object" — this is a bug. undefined means the variable was never assigned. null means you intentionally set it to "nothing". '5' + 1 is "51" but '5' - 1 is 4 . #ABK #programming #javaScript #react #codingjourney

A thought-provoking piece for crafters: "GitHub - Distributive-Network/PythonMonkey: A Mozilla SpiderMonkey JavaScript engine embedded into the Python VM, using the Python engine to provide the JS host environment." PythonMonkey embeds Mozilla's SpiderMonkey JavaScript engine directly into the Python runtime, letting developers call JavaScript from Python and Python from JavaScript within the same process — no serialization or IPC required. The project shares memory backing stores between languages for strings, typed arrays, and buffers, making cross-language data transfer extremely fast. Python dicts and lists automatically behave as JS objects and arrays (and vice versa), with full method support through proxy wrappers. It ships with a CommonJS module system, an event loop (supporting setTimeout and Promises as Python awaitables), and standard JS globals like console and XMLHttpRequest. The project reached MVP in September 2024, installs via `pip install pythonmonkey`, and Distributive actively maintains it while welcoming external contributions.

I’ve been trying to understand `reduce()` better. At first, I was only using `reduce()` in JavaScript to calculate totals. That’s it. But as I kept learning and practicing, I started exploring more use cases — and realized it’s much more powerful than I thought. I used `reduce()` while learning: • Data aggregation (totals, counts) • Data cleanup (removing duplicates, formatting data) • Creating lookup tables (turning arrays into objects) 👉 What helped me learn: • Working on small examples • Solving the same problem in different ways • Understanding how the accumulator changes step by step At first, it felt confusing, so I used to avoid it 😅 But with practice, it gradually became clear. Still learning, but now I actually enjoy using `reduce()`. If `reduce()` feels hard at first — take your time. It gets easier. #JavaScript #Coding #LearningJourney

Django's CSRF token changes on every single form render. The one in the HTML is never identical to the one in the cookie. That's not a bug, it's the whole point. Here's what actually happens: 1. Django stores a 32-character random secret in the CSRF cookie. That secret never changes across the session. 2. What goes into the form is a masked token. It is a fresh 32-character salt concatenated with the XOR of that salt and the secret. 64 characters total, different every render. 3. On every unsafe request (POST, PUT, PATCH, DELETE), CsrfViewMiddleware.process_view() intercepts. It extracts the salt from the submitted token, XORs back to recover the embedded secret, then compares that to the cookie secret. 4. The tokens never match directly. The secrets do. This masking exists to defeat BREACH. It is a compression-based attack where seeing the same ciphertext repeatedly across responses leaks the underlying secret over time. The trap: - setting CSRF_COOKIE_HTTPONLY = True makes the cookie unreadable by JavaScript. - SPAs that read the token via document.cookie and inject it as X-CSRFToken silently break. Every POST returns 403. The CSRF token is a cryptographic proof that the sender could read a cookie. The XOR masking is what every tutorial skips and what actually makes that proof hold. What's the most confusing CSRF failure that turned out to be a config issue rather than a code bug? #Python #Django #BackendDevelopment #WebSecurity

The Blueprint for Stateful AI Agents in PHP Building a "Coding Agent" isn't just about sending prompts to an LLM. It's about state management, file system safety, and orchestration. We built Maestro as a reference implementation of Neuron v3. It’s our way of showing that PHP can handle complex agentic workflows with the same rigor as Python or Go. In this technical breakdown, Valerio Barbera dives into: 🔹 Workflow State: How we manage interruptions and long-running agent tasks. 🔹 Human-in-the-Loop: Implementing mandatory approval gates for file system actions. 🔹 Model Switching: Running Claude 3.5 for logic and local Llama3 for smaller tasks. If you’re moving from simple prompts to complex agentic systems, this is the architectural guide you need. 👉 https://lnkd.in/dK5tkgGi

I worked on a small JavaScript exercise focused on password validation using regex and conditional logic. The function returns an object with the password and its strength level (“Weak”, “Medium”, or “Strong”). #javascript #backend #coding #learninginpublic

Web Scraping Learning Roadmap Phase 1 - HTTP Clients: Understanding how the web works at the request level. requests, urllib, axios. Phase 2 - HTML Parsing: Extracting structured data from raw HTML using BeautifulSoup, lxml, and cheerio. Phase 3 - Browser Automation: Tackling JavaScript-heavy, dynamic pages with Selenium, Playwright, and Puppeteer. Phase 4 - Full Framework: Bringing it all together with Scrapy for production scale crawling. Each phase builds on the previous. By the end, you understand every layer of how data is fetched, parsed, and collected at scale. If you're learning web scraping too follow along! #WebScraping #Python #JavaScript #BeautifulSoup #Selenium #Playwright #Scrapy #DataEngineering #100DaysOfCode

Built an MCP server this week that searches 100K+ remote jobs from the terminal. Just wanted to learn about MCP architecture and build something with it. The interesting part was the debugging journey, not the final code: -> Tried scraping Naukri. Empty HTML. It's a Next.js app, so the job data loads via JavaScript after page render. httpx only sees the skeleton. -> Hit their internal API directly. Got a 406 back: "recaptcha required." -> Launched headless Chromium via Playwright. Akamai bot detection returned "Access Denied" before the page even loaded. -> Found a public JSON API (Himalayas). Free, no auth, 100K+ listings. 20 lines of Python and done. Every failed attempt taught more than the working version did. Sometimes the answer isn't fighting harder, it's pivoting faster. Stack: Python, FastMCP, httpx, Himalayas API Code: https://lnkd.in/grB7fnSg #Python #MCP #BuildInPublic