Lighthouse runs in a simulated environment that doesn't reflect what real users see. Here's what to measure instead, and why CrUX should be your source of truth.
Notes from the workshop
Practical writing on performance, security, AI-generated code, and shipping the web
How to debug a Core Web Vitals regression in 30 minutes
A practical, ordered checklist for tracking down LCP, INP, and CLS regressions before they hurt your search rankings.
How to set up pre-commit hooks that actually catch bugs
Most pre-commit hooks just run a formatter and call it done. Here's the setup I use, and why each piece earns its place.
AI-generated code keeps shipping the same five mistakes
After auditing codebases that lean heavily on Cursor, Claude Code, and Copilot, the bugs aren't random. The same five categories show up over and over.
What I run before pushing a website to production
Every dev has their own checklist. Mine got long. Here it is, in the order I actually run it.
Picking a stack for a side project (without regretting it in a year)
I've shipped a lot of side projects. Most got abandoned. A few turned into businesses. The stack you pick at the start matters more than people think, but probably not for the reasons you think.
How to actually test your Content Security Policy
A Content Security Policy is meant to stop XSS. Most CSPs in production are ornamental. Here's how to figure out if yours actually works.
The dependency update problem nobody talks about
Dependabot has been around for years. So has Renovate. Both are fine. Both miss the actual problem: nobody knows whether to update.
Cookie banners are doing nothing for you
Every cookie banner you've ever clicked is a fiction. Yours probably is too. Here's how to do this properly, or skip it entirely.
Why I run scans locally instead of in CI
The standard advice is: put your linter, your tests, your security scans in CI. I disagree. Local-first is better for everything except the build itself.