Blog
- Schema.org mistakes that Google's validator won't catch
I found a structured data bug on my site that passed every validator. The property existed in schema.org, the JSON was valid, but it was on the wrong type. Nothing caught it. So I built a CLI that does.
- CVE-2026-33306: bcrypt on JRuby is broken at cost=31
I found my first CVE. A signed integer overflow in bcrypt-ruby's Java backend causes cost=31 to skip all 2 billion key-strengthening rounds. The hash looks valid but protects nothing.
- In Defense of Tulip Bubbles
The tulip bubble is used as a cautionary tale about speculation. But almost 400 years later, the Netherlands still dominates the global flower trade. Maybe bubbles are features, not bugs.
- Making KevHQ Available Everywhere - Part 1
Turning a personal site into something hilariously hard to kill.
- Setting up secure custom email domain: My Email Security Setup
How I moved to Proton Mail, set up kevhq.com, and hardened it with MTA-STS, TLS-RPT, and other best practices for secure, private email.
- From Zero to A+, securing kevhq.com
How I took a brand-new domain live on S3 + CloudFront with DNSSEC, HSTS, strict CSP, and a few other tweaks to hit an A+ security score.