A useful place to start
Encryption vs Encoding vs Hashing: What Each One Does
A clear decision guide to choosing encryption, encoding, or hashing so you use the right tool for the job.
Encrypt Online field notes
Short, practical guides for the moments when a token fails, a certificate looks wrong, or two formats that seem alike behave very differently.
115 maintained guides
A useful place to start
A clear decision guide to choosing encryption, encoding, or hashing so you use the right tool for the job.
Browse the library
115 guides, ordered by most recently updated.
A beginner-friendly explanation of leaf certificates, intermediates, and why chain issues break trust.
A safe conversion workflow for certificate containers so you preserve the exact material you need instead of discovering too late that the key or intermediate was dropped.
Use CSP hashes and nonces intentionally by matching them to static or dynamic site architectures instead of treating them as interchangeable syntax.
A practical way to read issuer, subject, SANs, validity, fingerprints, and signature details without getting lost in certificate jargon.
A practical migration guide for moving a small website from HTTP to HTTPS with fewer surprises.
Redirect URI mismatch errors usually come from small string differences. Compare the callback value, environment, path, port, and encoding before changing provider or application settings.
Understand what the OIDC discovery document is, which metadata fields matter first, and how to debug auth setup when issuer, jwks_uri, or authorization endpoints do not line up.
Choose the right certificate container by understanding what each format holds, what platforms expect, and where conversion mistakes usually happen.
Use SRI deliberately for external scripts and stylesheets by understanding when fixed hashes improve trust and when mutable assets make them painful.
Understand PEM boundary lines, Base64 content, and the block types that tell you whether you are looking at a certificate, a key, or a CSR.
Understand leaf and intermediate ordering so your certificate bundle can actually be validated by clients instead of looking correct in a text editor.
A practical renewal checklist covering challenge continuity, automation, notifications, and post-renewal deploy steps.
A plain-language ACME guide that explains what your Let’s Encrypt tooling is actually doing during issuance and renewal.
Compare AES-CBC and AES-GCM, including integrity, IVs, authentication tags, AAD, and common decryption failures.
A practical guide to authenticated encryption and why “encrypted” does not automatically mean “safe from tampering.”
A practical SigV4 guide that explains canonical requests, signed headers, and the normalization details behind SignatureDoesNotMatch.
Choose between Base32 and Base64 by looking at readability, transcription risk, and the workflows where each encoding is a better fit.
A direct explanation of why Base64 is for representation and transport, not secrecy, plus the right moments to use it.
Learn how omitted padding and alphabet differences create subtle failures in tokens, PKCE code challenges, and signed URL workflows.
A practical guide to the differences between standard Base64 and URL-safe Base64 so you stop breaking tokens and query values.
How bcrypt cost works, why slower can be safer, and how to think about tuning without turning your login flow into a support issue.
A decision guide for Base16, Base32, and Base64 that starts from the job to be done instead of treating every encoding as interchangeable.
When Blowfish still shows up, how to use it carefully for compatibility, and why modern workflows usually point elsewhere.
A plain-English explanation of the strengths and limits of browser-side protection so you can use local tools with realistic expectations.
A capstone guide to using browser-first tools responsibly for sensitive debugging without turning random paste bins into part of your security workflow.
A clean workflow for generating, comparing, and documenting SHA-256 fingerprints for files, strings, and deployment handoffs.
Use canonical JSON when signatures or hashes must survive formatting differences instead of relying on pretty-printing conventions.
Preserve the exact request bytes before parsing JSON so Stripe, GitHub, and other webhook signatures stop failing for boring reasons.
Understand the file extensions and encodings that appear in certificate and key workflows.
Stop mixing up certificate fingerprints, serial numbers, subjects, and issuers by learning what each identifier is actually for.
A practical selector guide so visitors land on the right tool first instead of bouncing between similar-looking workflows.
Reduce broken payloads and formatting mistakes when moving structured text between tools, docs, and tickets.
A valid JWT signature is not enough. These are the claim checks teams skip when issuer, audience, timing, and token type actually decide whether a token should be accepted.
The most common ways good encryption workflows fail in practice, and the fixes that make them dependable for real handoffs.
A failure-led guide to diagnosing JWT verification issues in RS256 and ES256 workflows without guessing at keys or claims.
A practical guide to timing-safe comparison so secret verification code does not leak more information than intended.
Understand how daylight saving transitions affect cron schedules so recurring jobs stop surprising you every spring and fall.
Move data between rows and structured objects without losing track of where each format works best.
A practical CSV guide that explains why simple-looking files still fail once they move between spreadsheets, databases, APIs, and shell scripts.
How to share internal docs, staging URLs, and one-off destinations more safely by encrypting the link and sending the passphrase separately.
A clear decision guide to choosing encryption, encoding, or hashing so you use the right tool for the job.
A practical guide to expiry windows so tokens, signed URLs, and cached content stay valid for exactly as long as you intended.
How to encrypt a file, verify the output, share it safely, and avoid the handoff mistakes that break real-world file sharing.
Pick the right primitive for files by separating integrity checks, origin verification, and confidentiality instead of reaching for one tool for every job.
A calm, ordered checklist for the first few minutes of a website incident.
How to move between Hex and ASCII when reading payloads, logs, and low-level outputs without losing track of what the data represents.
Choose between shared-secret HMAC and public-key signatures by comparing trust model, rotation, verification scope, and operational overhead.
A practical guide to `kid`, JWKS caching, and key rollover so JWT verification failures make sense when the signing key changes.
Learn how to match a JWT to the correct key in a JWKS document and how to handle tokens that arrive without a usable kid.
A clean workflow for inspecting Base64-wrapped API payloads and immediately turning them back into readable JSON or XML.
Decrypt OpenSSL enc output by matching its cipher, PBKDF2, digest, salt, and Base64 settings, then verify the recovered bytes.
A step-by-step workflow for comparing JSON, YAML, XML, and text with fewer false positives.
A practical workflow for encrypting short text in the browser, testing decryption, and sharing the passphrase the right way.
Encrypt text with OpenSSL using a salted PBKDF2 recipe, preserve the settings needed for decryption, and verify the exact result.
Learn how to read UUID version and variant bits so existing identifiers stop being opaque strings in logs and payloads.
A practical guide to protecting PDFs with a password, checking the result, and choosing the right sharing flow afterward.
A practical CSR guide that explains what you are really requesting, what CAs use, and why SANs matter more than the old common-name habit.
A practical guide to redacting tokens, cookies, API keys, and .env values before you paste logs into tickets, chat, or incident docs.
A practical operational guide to recovery secret splitting that focuses on custody, labeling, rehearsal, and survivable recovery.
Use a command generator to speed up certificate setup while still understanding what the flags and challenge choices mean.
A clean workflow for checking plaintext against a bcrypt hash and understanding what successful verification really proves.
Choose the right verification method for a downloaded artifact by comparing local checksums, public signatures, and browser-side integrity checks.
Verify webhook signatures with the exact raw request body, the correct secret, and constant-time comparison so replay and tampering bugs are easier to spot.
Use formatting to review markup and PHP templates faster before publishing or comparing changes.
How to move content between HTML, Markdown, and plain text without turning a small cleanup task into formatting chaos.
Choose the right validation method for issuance and renewal based on your hosting, DNS control, and certificate scope.
These token types are not interchangeable. Know which token proves login, which one authorizes APIs, and which one should stay out of front-end logs and requests.
Understand why JavaScript object literals and JSON look similar but are not interchangeable.
Use the right JSON workflow by knowing when to validate, pretty-print, compress, or restore JSON.
Learn how JSON Patch operations behave in practice so partial updates feel predictable instead of risky.
A practical JSON Pointer guide that makes escaping, arrays, and root paths readable instead of magical.
Use JSON Schema as a contract, not just a lint check, so payload validation becomes predictable and explainable.
How to encode JSON for text-only transport, inspect it later, and avoid turning encoding into accidental confusion.
Choose the right config format by balancing readability, tooling, strictness, and conversion needs.
Understand when you need a query language like JSONPath and when you need an exact address like JSON Pointer.
Use JWK thumbprints to create stable cryptographic key identifiers and understand how they differ from free-form kid values.
A practical guide to JWK, JWKS, and PEM so you can feed the right key material into JWT verification and conversion workflows.
Understand the difference between signed and encrypted JOSE objects so you know when decode is possible and when it is not.
A practical walkthrough of the JWT claims that break most often in staging and production, especially around time and audience validation.
Decode tells you what a token says. Verify tells you whether you should trust it. Use both in the right order when auth debugging gets noisy.
A practical migration pattern for teams moving away from legacy MD5 password storage toward a safer password-hash workflow.
A practical timestamp debugging guide for spotting unit mistakes quickly when values in logs or APIs look almost right.
A practical guide to flattening nested JSON into CSV without pretending every tree-shaped structure belongs in rows and columns.
A practical explanation of PEM and DER formats so certificate and key conversions stop feeling mysterious.
How to read encoded URLs from logs and network traces, isolate the broken layer, and repair the value without guessing.
Learn the practical OpenPGP workflow with GnuPG: verify a key fingerprint, encrypt and decrypt a message, and check signatures correctly.
Use ping as a quick network signal without confusing it for full application monitoring.
A practical PKCE guide that shows the relationship between the verifier and challenge and the exact encoding steps that usually go wrong.
Understand common PEM labels and the structures they represent so you can stop renaming files and start importing the right thing.
A practical pre-launch checklist for teams publishing small web tools, forms, and content experiences.
Connect signed-request freshness checks to clock drift and replay windows so HMAC and SigV4 failures stop feeling random.
A practical guide to the timestamp formats that show up in APIs, logs, and tokens, with clear rules for units, offsets, and normalization.
Learn why RSA encryption and RSA signatures solve different problems and how to keep padding, purpose, and tooling straight.
A practical explanation of salts and peppers, what problem each one solves, and where teams often misunderstand the difference.
A plain-language guide to reset flows that respect password hashing, avoid recoverability traps, and reduce support pain.
A practical chooser for checksums, integrity fingerprints, and password storage so you pick the right hash workflow the first time.
Where quick browser tools help, where they stop helping, and the rules teams should follow for secret material that must remain recoverable.
Clean up case, spacing, counts, and formatting before you encrypt, convert, or publish text-based content.
A practical Shamir guide that shows where threshold sharing reduces real risk and where simpler backup or access-control patterns are the better answer.
Compare ULID and UUID v7 by looking at sort order, timestamp visibility, text form, and ecosystem fit instead of treating one as universally better.
How to encode and decode query values correctly so spaces, symbols, and special characters survive web transport.
Use cron expressions for weekday and business-hour schedules without forgetting the time-zone and DST realities behind the expression.
Learn why a numeric UTC offset cannot replace a real time zone when future local-time behavior matters.
A practical UUID guide that compares privacy, sortability, and operational behavior before your identifier choice gets baked into logs, databases, and APIs.
Learn why webhook verification often fails after a framework parses the body and how to keep the exact bytes required for HMAC checks.
Token introspection answers whether a token is active right now, but it is not the right tool for every JWT. Use it when revocation, opaque tokens, or central policy checks matter.
A realistic guide to the remaining checksum-style uses of MD5 and the places where modern workflows should move elsewhere.
Compare Ed25519 and RSA for signing workflows by looking at compatibility, key size, signature size, and developer ergonomics.
The difference that matters most in authentication design: passwords should be verified, not recoverable.
A small step that prevents a disproportionate number of support requests, broken handoffs, and lost time in encrypted workflows.
Choose the right certificate scope by balancing simplicity, DNS requirements, and operational risk.
Handle XML safely by formatting for review, minifying for transport, and converting only when another format is required.
A practical XML namespace guide that explains prefixes, URIs, and default namespaces without turning into a theory lecture.
How to wrap XML in Base64 for transport, decode it again cleanly, and keep old integration workflows readable.
A practical guide to validating, formatting, and converting YAML without breaking indentation-sensitive configs.