Blog
Notes on web utilities, scripting recipes, and tools we build at utilrepo.
- Developer
CSV to JSON: the quoting, typing, and encoding traps
CSV looks trivial until you actually parse it. The quoting rules, the everything-is-a-string problem, embedded newlines, and the encoding issues that turn a clean-looking spreadsheet into broken JSON.
- Calculators
How Japanese net salary (手取り) is calculated: from gross to take-home
What gets deducted between your stated salary and the money that lands in your account in Japan — health insurance, pension, employment insurance, income tax, and resident tax — and why the first-year resident tax surprise happens.
- Time
Japanese era dates: converting Reiwa, Heisei, and Shōwa to Western years
How the Japanese era (元号) calendar works, why the conversion isn't a fixed offset, the transition-year edge cases, and where era dates still show up in official documents.
- Calculators
Korean annual leave (연차) rules: how paid days off accrue
How annual paid leave works under Korean labor law — the first-year monthly accrual, the 15-day baseline after one year, the long-service increase, and the points that trip up both employees and employers.
- Text
Korean romanization: Revised Romanization vs McCune-Reischauer
Why the same Korean name shows up spelled two different ways, how the official Revised Romanization differs from the older McCune-Reischauer system, and which one to use when.
- Security
RSA key pairs explained: public, private, and what each one does
What the public and private halves of an RSA key actually do, the difference between encrypting and signing, why key size matters, and when to reach for EdDSA instead.
- Time
Time zones, UTC offsets, and why you should store UTC
The difference between a UTC offset and a time zone, why daylight saving time makes offsets unreliable, and the rule that prevents most date bugs: store UTC, convert at the edges.
- Developer
UUID v4 vs v7: which version to use for IDs
Random v4 UUIDs and time-ordered v7 UUIDs solve different problems. Why v7 is usually the better primary key, when v4 is still right, and what the version bits actually mean.
- Image
What's inside a QR code: structure, capacity, and error correction
How a QR code stores data, what the finder patterns and quiet zone are for, why error-correction level changes how much you can encode, and the practical limits worth knowing before you generate one.
- Developer
YAML gotchas: the Norway problem and other silent traps
YAML's convenience comes from implicit typing, which is also where it bites — countries turning into false, version numbers losing digits, and times becoming integers. The traps and how to avoid them.
- Developer
Percent-encoding: reserved characters and the double-encoding bug
How URL percent-encoding works, why space is %20 in a path but + in a form body, encodeURIComponent vs encodeURI, and how the double-encoding bug produces %2520.
- Security
Verifying webhook signatures with HMAC
Why a webhook endpoint needs HMAC authentication, the standard provider signing pattern, the raw-body and constant-time gotchas, and what HMAC does not protect against.
- Developer
Validating API payloads with JSON Schema
How JSON Schema replaces hand-written payload validation with a declarative contract, the keywords that matter, and the format gotcha that bites people.
- Developer
Unix timestamps, epochs, and the year 2038 problem
What a Unix timestamp actually is, the seconds-vs-milliseconds bug that bites everyone, and why signed 32-bit time overflows at 03:14:07 UTC on 19 January 2038.
- Developer
Hashing, encryption, and encoding: three things people confuse
Encoding, encryption, and hashing solve three different problems. Mixing them up is how passwords leak and tokens get forged. Here is the precise distinction.
- Developer
Catastrophic backtracking and other regex traps
How backtracking regex engines blow up on hostile input, why nested quantifiers cause ReDoS, and the anchors, atomic groups, and linear engines that fix it.
- Developer
Cron expression gotchas: fields, ranges, and Vixie vs POSIX
The cron fields and special characters, the day-of-month vs day-of-week OR quirk that bites people, timezone and DST hazards, and the seconds-field portability trap.
- Developer
Reading CIDR notation: subnets, masks, and host counts
How to read CIDR notation: what /n means, converting prefixes to netmasks, computing usable host counts, finding network and broadcast addresses, and the /31 and /32 edge cases.
- Developer
Base64 is not encryption: what it actually does
Base64 is a binary-to-text transport encoding, not a security measure. How it works, where it belongs, and why treating it as secrecy is a real mistake.
- Developer
JSON vs YAML: when to use which, and the footguns of each
JSON and YAML model the same data, but their failure modes differ sharply: YAML's type coercion and whitespace traps versus JSON's missing comments and verbosity.
- Developer
Reading the AWS Cost Explorer CSV: a field-by-field guide
What every column in an AWS Cost Explorer CSV export actually means, the schema gotchas that bite first-time readers, and how to slice the file for the answers you usually want.
- Developer
Seven AWS cost-management pitfalls common at Japanese enterprises
Approval workflows, fiscal-year budgets, tagging discipline, and FX risk — the organizational realities that shape AWS cost work at Japanese corporations, and how to navigate them.
- Developer
JWT signing algorithms compared: HS256, RS256, ES256, EdDSA
The trade-offs between the four JWT signing algorithms that matter in 2026, what each one means for key distribution, and the algorithm-confusion attacks that still appear in real systems.
- Developer
Why your AWS bill suddenly spikes — 7 common causes
The seven shapes an unexpected AWS cost increase takes, what each one looks like in Cost Explorer, and how to track them down before they recur.
- Calendar
Business days vs calendar days: computing deadlines with holidays
How to count and add business days correctly — the O(1) weekday formula, the holiday-calendar problem, and the inclusive/exclusive and time-zone edge cases that break naive code.
- Calculators
How Korean net salary is calculated: the four insurances and income tax
How a gross salary offer in Korea becomes your take-home pay: the four national insurances, the employee/employer split, withholding tax, and year-end reconciliation.
- Text
Slugifying URLs: Unicode, diacritics, and collisions
How to turn a title into a URL-safe slug: the lowercase-normalize-transliterate pipeline, why diacritics and non-Latin scripts break it, and how to handle collisions.
- Design
Color contrast and WCAG: passing accessibility checks
How WCAG color contrast ratios are computed, the AA and AAA thresholds for text and UI, the failures audits flag most, and where WCAG 2 math falls short.
- Image
EXIF metadata: what your photos reveal and how to strip it
What EXIF metadata embeds in your photos — device, timestamp, GPS coordinates — where it survives, where it gets stripped, and how to remove it safely.
- Developer
Reading a curl command and translating it to code
How to read a curl command field by field and translate it to fetch or Python requests correctly, including the implicit-POST gotcha that trips up most translations.
- Security
How TOTP authenticator codes actually work
How TOTP (RFC 6238) turns a shared secret and the current time into a 6-digit code, why both sides agree, and what it protects against and what it does not.
- Security
Password entropy explained: what actually makes a password strong
How password entropy is measured in bits, why random length beats complexity rules, and where the entropy bar should sit for keys, tokens, and passphrases.