Developer Glossary
Essential terms across web, security, data, and infrastructure.
By Λ · Updated May 18, 2026 · ~6 min read
I wrote this glossary over a weekend because I noticed I kept linking to Wikipedia for definitions in my blog posts. The entries here are short, opinionated, and link to the relevant tools where applicable.
A
- API Application Programming Interface
- A contract that lets one program call another. Modern web APIs almost always use HTTP, return JSON, and follow REST or GraphQL conventions. See API testing without Postman.
- Argon2id
- A memory-hard password hashing function and the 2026 default recommendation. Replaces bcrypt for new applications. See hashing passwords in 2026.
- ASCII
- American Standard Code for Information Interchange. 7-bit encoding with 128 codes (0-127) covering control characters and basic Latin alphabet. Modern systems use UTF-8 which extends ASCII without breaking it. See the ASCII table.
B
- Base64
- Encoding that maps 3 binary bytes to 4 printable characters. Used for embedding binary in JSON, transmitting credentials in Basic auth headers, encoding email attachments. Not encryption: anyone can decode it. See the Base64 tool.
- Bcrypt
- Password hashing function from 1999 with a tunable cost factor. Acceptable in 2026 at cost >= 12, but Argon2id is the modern recommendation. See bcrypt generator.
- BPE Byte Pair Encoding
- The tokenization algorithm used by GPT, Claude, and most LLMs to split text into sub-word units. A 1000-word English document is roughly 1300 BPE tokens. See counting LLM tokens.
C
- CIDR Classless Inter-Domain Routing
- Notation for IP subnets: an address followed by a slash and prefix length.
10.0.0.0/24means the first 24 bits are network, 8 bits are host (256 addresses). See the subnet math post.
- CDN Content Delivery Network
- A network of servers that cache and serve content geographically close to users. Reduces latency and offloads origin servers. Cloudflare, Fastly, Akamai are the major operators.
- CMP Consent Management Platform
- A system that manages cookie consent. Required for EU/UK/Swiss users serving Google ads since 2024. Google's free Funding Choices is the official CMP for AdSense publishers.
- CORS Cross-Origin Resource Sharing
- The browser security mechanism that allows servers to permit cross-origin requests. Behind the "your request is blocked by CORS" error every developer has cursed at. See the CORS debugging post.
- CRUD
- Create, Read, Update, Delete. The four basic operations on persistent data. REST APIs map these to POST, GET, PUT/PATCH, DELETE.
- CSP Content Security Policy
- An HTTP response header that tells the browser which origins can load scripts, styles, images, etc. Primary defense against XSS attacks.
- Cron
- Unix utility and syntax for scheduled tasks. Five fields (minute, hour, day-of-month, month, day-of-week) plus the command. See the cron visualizer.
D
- DNS Domain Name System
- The internet's phone book: maps human-readable names (example.com) to IP addresses and other metadata. See DNS records reference and DNS lookup tool.
- DNSSEC
- DNS Security Extensions. Cryptographically signs DNS records to prevent spoofing. Activated at both your DNS provider (DNSKEY) and your registrar (DS record).
- DoH DNS over HTTPS
- Encrypted DNS queries sent over HTTPS instead of plaintext UDP. Cloudflare's 1.1.1.1 and Google's 8.8.8.8 both offer DoH endpoints.
- DST Daylight Saving Time
- The clock-shift cycle. Causes a specific class of bugs every March and November when timestamps cross the boundary. Use IANA timezone names (e.g.
America/Los_Angeles), never UTC offsets, to handle correctly.
E
- E-E-A-T
- Experience, Expertise, Authoritativeness, Trustworthiness. Google's 2026 framework for evaluating content quality, especially for YMYL (your money or your life) topics. Influences search rankings and AdSense approval.
- EXIF Exchangeable Image File Format
- Metadata embedded in image files: camera model, exposure settings, and (often) GPS coordinates. Strip before publishing personal photos. See the EXIF viewer.
G
- GraphQL
- An API query language and runtime developed at Facebook. Lets clients request exactly the fields they need in a single request. Alternative to REST for complex data needs. See GraphQL formatter.
H
- HMAC Hash-based Message Authentication Code
- A keyed hash construction.
HMAC-SHA256(key, message)proves the holder ofkeywrotemessage. Used in JWT signing, webhook verification, AWS request signing. See HMAC generator.
- HSTS HTTP Strict Transport Security
- HTTP response header that tells browsers to only ever load this site over HTTPS. Prevents downgrade attacks.
- HTTP HyperText Transfer Protocol
- The application-layer protocol behind the web. HTTP/1.1 (1997), HTTP/2 (2015), HTTP/3 (2022) are all in active use. See HTTP methods reference.
I
- IANA Internet Assigned Numbers Authority
- The body that maintains canonical lists of well-known identifiers: port numbers, top-level domains, timezone database (tzdata), language codes, media types.
- Idempotent
- Property of an operation where running it once and running it N times produce the same result. GET, PUT, DELETE are idempotent; POST is not.
- IPv4 / IPv6
- Internet Protocol versions. IPv4 uses 32-bit addresses (4.3 billion); the world ran out years ago and uses NAT to share. IPv6 uses 128-bit addresses (~3.4 × 10^38). See subnet calculator.
J
- JSON JavaScript Object Notation
- Data interchange format defined in 2001 by Douglas Crockford. Won the data-interchange wars; is now the default for APIs, configs, logs. See JSON guide and JSON formatter.
- JSONPath
- Query language for extracting data from JSON, similar to XPath for XML. Standardized in RFC 9535 (2024). See JSONPath tester.
- JWT JSON Web Token
- A signed JSON token used for authentication and information exchange. Three parts: header, payload, signature, all Base64url-encoded and dot-separated. Not encrypted; anyone can read the payload. See JWT decoder.
M
- Markdown
- Lightweight markup language created by John Gruber in 2004. Plain text with simple conventions (asterisks, pound signs) that render as formatted HTML. The default for READMEs, blog posts, and notes apps.
O
- OAuth 2.0
- Authorization framework that lets a user grant a third-party app access to their account without sharing the password. The "Sign in with Google" flow uses OAuth 2.0.
- OKLCH
- CSS color function using perceptually uniform Lightness, Chroma, Hue. Replaces HSL for design tokens because brightness is consistent across hues. See modern CSS color.
R
- Regex Regular Expression
- Pattern-matching mini-language for strings. Looks like
^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,}$; once learned, indispensable. See regex guide and regex tester.
- REST Representational State Transfer
- An architectural style for APIs. Resources have URLs; operations use HTTP methods (GET, POST, PUT, DELETE); responses are typically JSON. Most web APIs are REST-ish even when not strictly compliant.
- RFC Request for Comments
- Standards documents published by the IETF. RFC 7231 = HTTP/1.1. RFC 9562 = UUID formats. RFC 6238 = TOTP. Reading the relevant RFC is often the fastest way to settle a technical argument.
S
- SHA-256
- Cryptographic hash function in the SHA-2 family. Produces a 256-bit digest. Used for file integrity, content addressing, HMAC, and many other cryptographic constructions. NOT for password storage (use Argon2id/bcrypt).
- Slug
- The URL-safe portion of a path derived from a title. "How to do X" becomes "how-to-do-x". See slug generator.
- SPF / DKIM / DMARC
- Email authentication standards. SPF lists IPs allowed to send for a domain; DKIM cryptographically signs each message; DMARC tells receivers what to do when SPF/DKIM fail. All three are TXT records.
- SVG Scalable Vector Graphics
- XML-based vector image format. Scales without pixelation. Native browser support. The right choice for icons, logos, and diagrams.
T
- TCF Transparency & Consent Framework
- IAB Europe standard for managing user consent for ads. AdSense requires TCF v2.3 since March 2026 for EU/UK/Swiss traffic.
- TLS Transport Layer Security
- The encryption protocol behind HTTPS. TLS 1.2 is the minimum; TLS 1.3 (2018) is the modern default. TLS 1.0 and 1.1 are deprecated and should be disabled.
- TOTP Time-based One-Time Password
- The "6-digit code from your authenticator app" standard. RFC 6238. See TOTP generator and the TOTP post.
U
- UUID Universally Unique Identifier
- 128-bit identifier. v4 is random; v7 (the 2024 default) embeds a timestamp for better database performance. See UUID generator and v7 migration.
- Unicode
- The character set covering every script in active use, plus emoji, math symbols, and historical scripts. UTF-8 is the dominant byte-encoding.
- UTC Coordinated Universal Time
- The world's time-zone-of-record. No DST. Store all event timestamps in UTC; convert to local time only at display.
W
- WAF Web Application Firewall
- HTTP filter that blocks malicious requests (SQL injection attempts, exploit probes, etc.) before they reach the origin. Cloudflare, AWS WAF, Akamai are major providers.
- WCAG
- Web Content Accessibility Guidelines. WCAG 2.2 is the current standard. Defines requirements for contrast, keyboard navigation, alt text, and dozens of other accessibility criteria.
- WebAuthn
- Browser API for hardware security keys (YubiKey, Titan, fingerprint, FaceID). Phishing-resistant alternative to TOTP for high-stakes auth.
- WebSocket
- Browser API for bidirectional, low-latency communication over a single TCP connection. Used for chat, real-time games, live data feeds.
X
- XPath
- Query language for XML, similar in spirit to JSONPath. Used in XSLT, web scraping (browsers expose it via DOM), SOAP processing.
- XSS Cross-Site Scripting
- Vulnerability where untrusted content executes as JavaScript in the user's browser. Defended against with proper output encoding, CSP headers, and not using
innerHTMLwith user input.
Y
- YAML YAML Ain't Markup Language
- Human-friendly data serialization format. Used heavily in cloud-native tooling (Kubernetes, Docker Compose, GitHub Actions, Ansible). Has footguns; see when each format wins.
- YMYL Your Money or Your Life
- Content category Google scrutinizes harder: financial, medical, legal, safety. Requires stronger E-E-A-T signals. Almost never a fit for developer tool sites.
Last updated