Developer.
Glossary

A lightweight, text-based data interchange format that represents data as key-value pairs and arrays. JSON is the near-universal format for web API communication and configuration files. It is defined by RFC 8259 and ECMA-404. Despite the name, JSON is language-independent and is supported natively in virtually every programming environment.

An encoding scheme that converts binary data into a sequence of 64 printable ASCII characters. Used to transmit binary content — images, cryptographic keys, file data — through channels that only support text, such as HTTP headers and JSON payloads. Base64 is encoding, not encryption. The original content is fully recoverable without any key.

A method of representing special characters in URLs by replacing them with a percent sign followed by a two-digit hexadecimal code. A space becomes %20, a single quote becomes %27, an ampersand becomes %26. Required when including user-supplied data in URL parameters to prevent misinterpretation of reserved characters.

A character encoding standard that can represent every character in the Unicode standard using 1 to 4 bytes per character. The dominant encoding for web pages, email, and most modern file formats. UTF-8 is backward-compatible with ASCII for the first 128 characters, which is why plain English text is encoded identically in both standards.

American Standard Code for Information Interchange. A 7-bit encoding standard defining 128 characters: the uppercase and lowercase Latin alphabet, digits 0–9, punctuation marks, and control characters such as newline and tab. UTF-8 is a superset of ASCII — any valid ASCII document is also valid UTF-8.

The process of removing unnecessary whitespace, line breaks, comments, and verbose formatting from code files to reduce their file size without changing their functionality. Minified JavaScript and CSS files load faster because they are smaller to transfer over the network. The code becomes unreadable to humans but executes identically.

A 128-bit identifier defined by RFC 4122, formatted as 32 hexadecimal digits in five groups separated by hyphens: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. UUID v4 is randomly generated with a collision probability so low it is effectively zero for any practical application. UUID v7 uses a timestamp prefix for better database index performance.

An alternative identifier format designed for web applications. CUID2 produces 24-character lowercase alphanumeric strings with no hyphens, making them URL-safe and shorter than UUIDs. The timestamp prefix makes CUIDs roughly time-sortable. Useful when you want the brevity of URL-safe identifiers without the hyphens of UUID format.

A URL-friendly version of a title or name containing only lowercase letters, numbers, and hyphens, with spaces replaced by hyphens and special characters removed. "My Blog Post Title" becomes "my-blog-post-title". Slugs make URLs readable and avoid encoding issues with spaces and special characters.

A small fixed-size value derived from a larger block of data, used to detect errors in transmission or storage. If the checksum of a received file does not match the expected checksum, the data was corrupted or modified in transit. MD5 and SHA-256 are commonly used as checksums for file verification, though they serve very different security roles.

An attack technique where malicious SQL code is inserted into user-supplied input that is then executed as part of a database query. Exploits applications that construct SQL by concatenating user input directly into the query string. The attacker can bypass authentication, extract data, modify records, or delete entire tables. Prevented entirely by parameterized queries.

A technique for safely including user input in database queries by separating the SQL structure from the data. The query structure is compiled and optimized first. User-supplied values are then bound as typed parameters — they are never interpreted as SQL syntax, regardless of what characters they contain. This eliminates SQL injection at the architectural level.

An attack where malicious scripts are injected into web pages that other users view. Occurs when user-supplied content is rendered in a browser without proper escaping. An attacker can use XSS to steal session cookies (and thus account access), redirect users to malicious sites, or silently modify page content. Prevented by escaping all user-supplied output before rendering it as HTML.

An attack that tricks a user's authenticated browser into making an unintended request to a web application. For example, a malicious page could trigger a bank transfer in the background using the victim's existing session. Mitigated by including a unique, secret CSRF token in every state-changing request that the server validates before processing.

A mathematical function that transforms input of any length into a fixed-size output called a hash or digest. Cryptographic hash functions are one-way — given only the hash, recovering the original input is computationally infeasible. The same input always produces the same hash. Used for password storage, data integrity verification, and digital signatures.

A cryptographic hash function producing a 256-bit (64 hexadecimal character) digest. Part of the SHA-2 family, designed by the NSA and standardized by NIST. No known practical collision attack exists. The current standard for security-sensitive applications including TLS certificates, code signing, and password hashing pipelines. Bitcoin uses SHA-256 for both proof-of-work and address generation.

A hash function producing a 128-bit (32 hexadecimal character) digest. MD5 collisions can be computed in seconds on modern hardware, making it cryptographically broken. Never use MD5 for passwords, authentication, or any security purpose. Its only remaining legitimate uses are non-security checksums (verifying a file arrived undamaged) and legacy system compatibility.

Fundamentally different operations that are frequently confused. Encoding (Base64, URL encoding) transforms data into a different representation that is completely reversible without any key — it provides no security. Encryption uses a secret key to transform data so only those with the correct key can reverse it. Using encoding where encryption is needed is a serious security mistake.

Cleaning user-supplied input to remove or neutralize potentially dangerous content before storing or displaying it. Common examples include stripping HTML tags from text input or escaping quotes in database values. Sanitization reduces attack surface but is not a substitute for parameterized queries against SQL injection — both should be applied.

A defined set of protocols and rules through which software systems communicate. Web APIs expose application functionality over HTTP, allowing different systems to exchange data. An API defines what requests can be made, what parameters they accept, and what responses they return — the contract between client and server.

An architectural style for web APIs using standard HTTP methods to operate on resources identified by URLs. GET retrieves, POST creates, PUT updates, DELETE removes. RESTful APIs are stateless — each request contains all information needed to process it, with no session state stored on the server between requests.

A specific URL in an API that responds to requests for a particular resource or action. GET /users returns a list of users; POST /users/42 might update user 42. Each endpoint typically corresponds to one operation on one type of resource. Well-designed APIs use consistent naming conventions and HTTP methods across all their endpoints.

A compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections: header (algorithm), payload (claims), and signature. The payload is readable by anyone — only the signature provides integrity verification. Standard JWTs are not encrypted. Often used for stateless authentication tokens.

A browser security mechanism restricting how web pages can request resources from a different domain than the one that served the page. A server permits cross-origin requests by including specific response headers. Without correct CORS configuration, browser-based JavaScript cannot call APIs on different domains — requests are silently blocked by the browser.

The actual data content of a network request or response, as opposed to headers and metadata. In an HTTP POST request, the payload is the request body containing the data being sent to the server. In a message queue, the payload is the message content itself, separate from routing metadata.

A property of an operation meaning that performing it multiple times produces the same result as performing it once. GET, PUT, and DELETE are designed to be idempotent — making the same request twice should not produce different side effects. POST is generally not idempotent, as submitting the same form twice may create duplicate records.

Software that sits between two systems or layers, processing requests or responses as they pass through. In web frameworks, middleware functions run before or after route handlers to handle cross-cutting concerns: authentication checks, request logging, rate limiting, error handling, and request body parsing.

A sequence of characters that defines a pattern for matching, finding, or replacing text. Regex can validate whether an email address is correctly formatted, extract phone numbers from a document, or replace all occurrences of a pattern in a string. Regex syntax is largely consistent across languages but has some variations between implementations.

Verifying that data conforms to a defined structure and set of constraints before it is processed. JSON Schema is the most common format for defining expected JSON structure — specifying required fields, data types, allowed values, and format rules. Schema validation catches structural errors before they cause runtime failures.

Automated checking of source code for stylistic errors, potential bugs, and deviations from coding standards, without executing the code. Linters catch common mistakes such as undefined variables, unused imports, and inconsistent formatting. ESLint is the dominant JavaScript linter; Pylint and flake8 serve the same role for Python.