The Daily
A note a day on APIs and the realities of shipping web applications. Stuff I've actually learned across 25 years of doing the work.
Row-Level Security Is the Audit Log Feature You're Not Using
PostgreSQL's RLS can enforce HIPAA audit requirements at the database layer — where they can't be bypassed by a bug in your app code.
The thing that keeps me up at night on healthcare projects isn't a breach — it's an audit that reveals someone quietly read records they had no business reading, and my application logs are silent about it. Row-level security in PostgreSQL solves a chunk of that problem in a way that application-layer code simply…
Read the daily →ImageKit Is the Cloudinary Alternative I Should Have Found Sooner
After years of quietly absorbing Cloudinary's bills for image-heavy clients, I switched. Here's what I found.
Cloudinary is great. It's also expensive in a way that sneaks up on you. I had a real estate client whose Cloudinary bill crossed $400/month because of listing photo volume, and when I sat down to actually audit what we were using, I realized we were paying enterprise prices for a feature set we were only…
Read the daily →Postgres JSON Columns: When They're a Lifesaver and When They're a Trap
I've shipped both approaches in production. Here's when JSON columns save you and when they quietly wreck you.
I've reached for Postgres JSON columns at least a dozen times in the last five years and been grateful for it maybe half of those times. The other half I was cursing myself six months later when the "flexible" column had become an unmapped wasteland of inconsistent keys and missing data. The choice isn't complicated…
Read the daily →Knock Handles Notification Plumbing So I Don't Have To
I wired up Knock for a client's in-app notification center and stopped dreading the words 'can we add email alerts too?'
Every serious web app eventually needs notifications. Not the "we'll send one welcome email" kind — the real kind, where users need to know when something happened, across whatever channel they prefer, with preferences they can actually control. I've built that system from scratch three times and patched it twice. I…
Read the daily →Cloudflare R2: S3 Minus the Egress Fees — What Changes in Your Code
R2 is genuinely useful and the migration from S3 is mostly painless — but there are a few rough edges that will bite you if you're not paying attention.
The egress fees on S3 are a quiet tax that most developers don't notice until a client asks why their AWS bill jumped. I moved a media-heavy e-commerce project off S3 and onto Cloudflare R2 last year and the storage line item dropped substantially — but the thing I actually want to talk about is what changes in your…
Read the daily →