Field Notes.
What actually happens.
From the trenches
Real problems. Real solutions. No theory, no fluff. These are tactical notes from actual client work and implementation projects – the stuff that breaks, the approaches that work, and the conventional wisdom that needs challenging. If you want thought leadership, look elsewhere. If you want solutions that actually ship, you're in the right place.
TLS-RPT Reports Cost Nothing to Receive. So Why Are You Paying?
TLS-RPT tells you when your mail encryption is failing. Receiving the reports costs nothing technically — yet every hosted service charges enterprise prices. Here's a free Cloudflare Worker that does the whole job.
No, We Are Not Cooked. But You Might Be Doing It Wrong.
Six months of actual changes to my stack, my workflow, and my reasoning — not a hot take, not a panic, not a victory lap. What shifted between WordPress and static, what AI integration looks like when it compounds rather than just assists, and why the “we are cooked” narrative is the laziest read on what is actually happening.
Your Self-Hosted DNS Is Probably Open to the World and You Don’t Know It
You set up AdGuard Home on a VPS. You configure DNS-over-TLS on port 853. You point your router at it. It works. You feel good about it. What you probably did not do: restrict who can actually reach port 853. If your cloud firewall has port 853 open to the world, your private DNS resolver is a public DNS resolver — and services like mirrordns.xyz are actively advertising it as one.
Era 4. Sure.
I cannot output JSON-LD in Etch. The security layer strips it. JSON-LD is Schema.org structured data — by definition, a web standard. Etch’s own documentation promises “Web Standards” and “Full Empowerment — complete control over your code without limitations.” Except, apparently, that one. Meanwhile, AI that can copy a stranger’s layout for $0.07 just became the top priority on the roadmap. It wasn’t on the list at all in January.
Two bugs, one silent canvas: how Etch, ACSS, and Yabe Webfont break each other
A client's Etch builder canvas looked nothing like the frontend. The page was usable, but all AutomaticCSS styles were unavailable: custom properties, tokens, utility classes, gone.
Your Security Stack Is Blocking You From Your Own Site
Opening your page builder shouldn’t trigger a security ban on your own site. But when the editor fires 54 API requests in 47 seconds, your intrusion detection doesn’t know it’s you — it sees a crawler. Here’s why IP whitelisting is the wrong fix, and what to do instead.
Authentik Forward Auth Broke Seven Different Ways Before It Worked
Authentik's forward auth documentation assumes NGINX and Authentik share a Docker network. Real infrastructure — separate servers, Cloudflare Tunnels, multiple domains, WordPress on bare metal — breaks every assumption in that snippet. The embedded outpost has a confirmed bug. Cookie domains contaminate each other when outposts are shared. Callback hostnames must match cookie domains or sessions silently fail. This is the complete implementation guide for the setup the docs never cover, including the error cheat sheet for every status code you'll hit along the way.
Blocking /wp-admin/ With a WAF Rule Is Not a Security Strategy
Blocking /wp-admin/ with a WAF rule also blocks admin-ajax.php, which plugins use for legitimate front-end requests. It leaves wp-login.php — the actual attack target — fully exposed. WAF rules are for traffic filtering. Zero Trust is for identity-based access control. They’re complementary tools, not alternatives. Using one to do the other’s job breaks both layers.
Authentik Forward Auth on Standalone NGINX Is a Minefield Nobody Maps
What if the Authentik docs for NGINX forward auth are fundamentally incomplete for real-world deployments?
Your Page Builder’s CSS Shortcut Is a Vendor Lock-In Trap
What if adopting your builder’s recommended CSS approach is the thing that makes your components worthless outside of it?