Part 18: Glossary
Quick-reference definitions for every term used throughout this series.
How to use the glossary: This isn't meant to be read top-to-bottom. Use the search bar (top right of the site) or Ctrl/Cmd-F to jump to a specific term. Every term you encounter in the other chapters is defined here in plain English.
If you're a total beginner, the most useful terms to skim first: HTTP, HTTPS, DNS, server, client, API, REST, JSON, database, SQL, framework, frontend, backend, deployment, CI/CD, environment variable, repository, branch, pull request. If those nineteen terms feel familiar, you have a solid working vocabulary.
Terms are alphabetized, then organized by their first letter. Cross-references appear in italics.
A
A11y — Shorthand for "accessibility" (11 letters between the A and Y). The practice of building software usable by people with disabilities.
ABAC (Attribute-Based Access Control) — Authorization model where permissions depend on attributes of the user, resource, and context. Contrast with RBAC.
ACID — Atomicity, Consistency, Isolation, Durability. Guarantees provided by traditional relational databases.
ACME (Automatic Certificate Management Environment) — The protocol that automates issuing and renewing TLS certificates (proving domain control, fetching the signed cert). Popularized by Let's Encrypt; clients include Certbot and Caddy. See: TLS & HTTPS internals → Let's Encrypt and ACME.
ADR (Architecture Decision Record) — A short document recording why an architectural decision was made, what alternatives were considered, and what the consequences are. See: The Documentation Trade-Off.
Agent (AI) — An LLM-based system that plans and executes multi-step actions by calling tools, observing results, and continuing until a task is complete. See: Pattern 4: Agentic Workflows.
Algorithm — A defined sequence of steps to solve a problem. In CS interviews, often refers to standard techniques like binary search, BFS/DFS, dynamic programming.
API (Application Programming Interface) — A defined contract that lets one piece of software interact with another. On the web, usually HTTP-based.
API Gateway — A server that sits in front of backend services, handling cross-cutting concerns like authentication, rate limiting, and request routing.
AppSec (Application Security) — The discipline of securing software applications. Includes code review, threat modeling, penetration testing.
Argon2 — A modern password hashing algorithm. Better than bcrypt for new applications.
Astro — A web framework optimized for content-heavy sites. Ships zero JavaScript by default; uses "islands" of interactivity.
Autoscaling — Automatically adjusting compute capacity based on load.
AWS (Amazon Web Services) — The largest cloud provider. Hundreds of services.
Axum — A modern Rust web framework.
B
Backstage — Spotify's open-source internal developer portal, widely used as a service catalog.
BaaS (Backend as a Service) — Services like Supabase or Firebase that provide ready-made backends.
Baseline — A cross-browser support label (Web Platform / MDN): a feature is "Baseline" once all major engines (Chromium, Safari/WebKit, Firefox/Gecko) ship it — "newly available" when it just cleared the bar, "widely available" after ~2.5 years. The practical signal for "safe to use this CSS/JS feature without a fallback." See: Advanced CSS → Modern CSS that's now Baseline.
Bazel — Google's monorepo build system. Used by many large companies.
bcrypt — A widely-used password hashing algorithm. Older than Argon2 but still common.
BFF (Backend For Frontend) — A backend service tailored to a specific frontend (web BFF, mobile BFF), aggregating data from underlying services.
Biome — A fast, unified linter and formatter written in Rust. Increasingly replaces ESLint + Prettier.
BFS (Breadth-First Search) — Graph traversal algorithm; visits nearest neighbors first.
Blue/Green Deployment — A strategy where two identical environments run; traffic switches between them for zero-downtime deploys and easy rollback.
Bun — A JavaScript runtime, package manager, bundler, and test runner. Faster than Node + npm.
Bundler — A tool that combines JavaScript modules into deployable bundles. Examples: Webpack, Vite, Turbopack, esbuild.
C
Cache-Control — HTTP header that tells browsers and CDNs how to cache responses.
Canary Deployment — Rolling out a new version to a small percentage of users first to detect problems before full rollout.
CA (Certificate Authority) — An organization trusted by browsers/OSes to verify domain ownership and issue TLS certificates (e.g. Let's Encrypt, DigiCert). A CA that misissues gets distrusted. See: TLS & HTTPS internals → Certificate Authorities.
CCPA (California Consumer Privacy Act) — California's data privacy law. Similar in spirit to GDPR.
Certificate chain — The trust path a browser walks to validate a TLS cert: leaf (your domain) → intermediate (the CA) → root (pre-installed in the trust store). See: TLS & HTTPS internals → The certificate chain.
CDN (Content Delivery Network) — A globally distributed network of servers that caches content close to users. Examples: Cloudflare, Akamai, Fastly.
Chaos Engineering — Deliberately breaking things in production to verify resilience. Pioneered by Netflix's Chaos Monkey.
Chunking (in RAG) — Splitting large documents into smaller pieces for embedding and retrieval.
CI (Continuous Integration) — Automatically running tests and checks on every code change.
CD (Continuous Deployment / Delivery) — Continuous Deployment: every change automatically deploys to production. Continuous Delivery: every change is deployable, but a human triggers actual deployment.
Clerk — A popular drop-in auth-as-a-service for modern web apps.
Clickjacking — Attack where your real page is loaded in an invisible iframe over a decoy, so a user's click lands on a hidden button (e.g. "confirm transfer"). Mitigated with X-Frame-Options: DENY or CSP frame-ancestors. See: Security headers & checklist.
Client Component — In React, a component that runs in the browser (and is also pre-rendered on the server for initial HTML).
Cloudflare — A major CDN, edge platform, and infrastructure provider. Workers, Pages, R2, D1, KV are key products.
Cloudflare R2 — S3-compatible object storage with no egress fees.
CMS (Content Management System) — Software for managing content (e.g., WordPress, Sanity, Contentful).
CodeQL — GitHub's semantic code analysis tool for finding security vulnerabilities.
Cohort Analysis — Analyzing groups of users defined by shared characteristics (e.g., users who signed up in the same month).
Compositing — In browser rendering, combining layers into the final image (often on the GPU).
Controlled component — A form input whose value lives in React state (value + onChange), making React the single source of truth. Contrast with Uncontrolled component. See: Forms & Server Actions.
CORS (Cross-Origin Resource Sharing) — HTTP mechanism for letting one origin's JS read responses from another origin. A relaxation of the browser's same-origin policy (set via Access-Control-Allow-* response headers on the resource's server), not a server-side defense. See: Security headers & checklist → CORS.
CQRS (Command Query Responsibility Segregation) — Architectural pattern separating write models from read models.
CRDTs (Conflict-free Replicated Data Types) — Data structures that converge correctly under concurrent updates. Used for collaborative editing.
CRUD (Create, Read, Update, Delete) — The basic operations on data; most web apps mostly do CRUD.
CSP (Content Security Policy) — HTTP header that restricts what resources a page can load, mitigating XSS. Roll out safely with Content-Security-Policy-Report-Only first. See: Security headers & checklist → CSP rollout.
CSR (Client-Side Rendering) — Rendering HTML in the browser via JavaScript, after the page loads. Contrast with SSR, SSG.
CSRF (Cross-Site Request Forgery) — Attack where a malicious site causes a user's browser to perform actions on another site they're logged into. Mitigated with SameSite cookies and CSRF tokens.
CSS (Cascading Style Sheets) — The styling language of the web.
CSS Modules — A CSS technique where class names are automatically scoped to the file they're defined in.
D
DAST (Dynamic Application Security Testing) — Security testing that probes running applications. Contrast with SAST.
DB (Database) — Where persistent data lives.
Dead Code Elimination — Build optimization that removes code that's never executed.
Defer (script) — <script defer> tells the browser to download the script asynchronously but execute it after the document is parsed.
Deno — A JavaScript runtime, alternative to Node. Built by the original creator of Node.
Dependabot — GitHub's built-in tool that watches your lockfile and opens pull requests to bump outdated or vulnerable dependencies. See: Package Managers → Supply-chain security.
Dependency Injection — Pattern where a function or class receives its dependencies as parameters rather than constructing them itself.
Design system — A shared, reusable kit of design tokens, primitives, and components (plus usage rules and docs) a team builds UIs from, for consistency and accessibility at scale. See: Design Systems & Storybook.
Design token — A named design value (e.g. color.primary, space.4, radius.md) that is the single source of truth for a design decision, referenced everywhere instead of hardcoded. See: Design Systems & Storybook → tokens.
DevEx (Developer Experience) — The quality of life for developers using tools or working in a codebase.
DevOps — Practices and culture combining software development and IT operations.
DFS (Depth-First Search) — Graph traversal algorithm; goes deep before backtracking.
Diff — Difference between two versions of files. Git diffs show what changed.
Distributed System — A system whose components run on multiple networked computers.
DKIM (DomainKeys Identified Mail) — Email authentication; signs outgoing email so recipients can verify the sender.
DMARC — Email authentication policy framework; tells receivers what to do with unauthenticated email.
DNS (Domain Name System) — The internet's naming system; translates domain names to IP addresses.
Docker — Containerization platform; runs applications in isolated environments.
DOM (Document Object Model) — The browser's in-memory representation of a webpage.
Doppler — A secrets management service for development teams.
Drizzle — A TypeScript-first ORM popular in 2026 for its lightweight, SQL-like API.
Durable Object — Cloudflare's stateful primitive at the edge; a single object instance with persistent storage.
E
E2E (End-to-End) Testing — Testing the entire application by simulating user interactions, typically with a real browser.
Edge Computing — Running code geographically close to users, often at CDN points of presence.
Edge Function — Server function that runs at the edge (e.g., Cloudflare Workers, Vercel Edge Functions).
Embeddings — Numerical vector representations of text, images, or other data. Similar items have similar vectors. See: Pattern 5: Embeddings for Semantic Search.
ESM (ECMAScript Modules) — The standard JavaScript module system. import and export.
ESLint — A JavaScript linter. Being replaced by Biome in many new projects.
Etag — HTTP header containing a version identifier for a resource; used for cache validation.
Eventual Consistency — Distributed systems property where data eventually converges to consistent state, but may be temporarily inconsistent.
Express — A minimal Node.js web framework, dominant for many years; now being supplanted by Hono, Fastify.
F
Fastify — A fast Node.js web framework, popular alternative to Express.
FedRAMP — US federal government cloud security authorization.
Feature Flag — A toggle that enables or disables a feature without redeploying code.
FERPA — US law protecting student education records.
Figma — The dominant collaborative design tool.
FinOps — Financial operations for cloud spending; a discipline of cost management.
Flexbox — A CSS layout model for one-dimensional arrangements.
FOIT (Flash of Invisible Text) — When custom fonts cause text to be invisible until the font loads. Mitigate with font-display: swap.
Fly.io — A platform for running apps in containers across many global regions.
Function Calling — Pattern where an LLM produces structured calls to predefined functions/tools. See: Pattern 3: Function Calling.
G
GCP (Google Cloud Platform) — Google's cloud, third-largest after AWS and Azure.
GDPR (General Data Protection Regulation) — EU privacy law. Affects any company with EU users.
GitHub — The dominant Git hosting platform, owned by Microsoft.
GitOps — Operations driven by Git: the desired infrastructure state is described in Git, and a controller continuously reconciles real state with desired state.
GLBA (Gramm-Leach-Bliley Act) — US law requiring financial institutions to safeguard customer data.
GraphQL — A query language for APIs; clients specify exactly what data they want.
Grid (CSS) — Two-dimensional CSS layout system.
gRPC — A high-performance binary RPC framework, used heavily for internal service communication.
H
Hallucination (AI) — When an LLM produces confident but false output (a made-up citation, a non-existent API, an invented fact). The dominant correctness failure mode for LLMs; mitigated with RAG, citations, validation, and evals. See: AI Safety and Privacy.
Hashing — Converting input data into a fixed-size value. Used for passwords (one-way), data integrity checks, etc.
Headless CMS — A CMS that provides only the content API, leaving the frontend entirely to you.
Helm — Kubernetes package manager; charts define applications and their dependencies.
HIPAA — US law protecting healthcare information.
Hono — A fast, edge-friendly web framework that runs on any JavaScript runtime. Rising star in 2026.
HSTS (HTTP Strict Transport Security) — HTTP header that tells browsers to always use HTTPS for a domain, defending against downgrade attacks. The preload flag is effectively permanent — add it only when ready. See: Security headers & checklist → HSTS.
HTML (HyperText Markup Language) — The structural language of web pages.
HTTP (HyperText Transfer Protocol) — The protocol web clients and servers use to communicate.
HTTPS — HTTP over TLS (encrypted).
HTTP/2 — Newer HTTP version with multiplexing.
HTTP/3 — Newest HTTP version, runs over QUIC (UDP-based).
Hydration — Process of attaching JavaScript event handlers to server-rendered HTML, making it interactive.
I
IaC (Infrastructure as Code) — Defining infrastructure in version-controlled code rather than manual configuration.
IAM (Identity and Access Management) — Managing user identities and what they can access.
Idempotent — An operation that has the same effect when performed multiple times as when performed once.
IndexedDB — Browser-side database for large structured data.
Inngest — A modern, durable workflow execution platform.
Internationalization (i18n) — Designing software to support multiple languages and regions.
ISR (Incremental Static Regeneration) — Hybrid rendering strategy: static pages that are regenerated on a schedule or on demand.
Istio — A popular service mesh for Kubernetes.
J
JIT (Just-In-Time) Compilation — Compiling code at runtime rather than ahead of time. Used by V8 and other JS engines.
JSX — JavaScript extension that lets you write HTML-like syntax in React.
JWT (JSON Web Token) — A self-contained, signed token used for authentication. Encodes user info in a base64-encoded JSON payload.
A JWT looks like xxxxx.yyyyy.zzzzz — three base64 sections separated by dots: a header (algorithm), a payload (user claims like { "sub": "user_123", "exp": 1735689600 }), and a signature. Servers verify the signature with a secret or public key, then trust the claims.
K
Kafka — A distributed event streaming platform; dominant for event-driven architectures at scale.
Kubernetes (K8s) — Container orchestration system; the dominant platform for running containers at scale.
L
Laravel — A popular PHP web framework.
Let's Encrypt — A free, nonprofit Certificate Authority that issues TLS certs (valid 90 days) and automates issuance/renewal via ACME. See: TLS & HTTPS internals → Let's Encrypt and ACME.
Local-first — An app architecture where reads/writes happen instantly against a local copy of the data and a sync engine reconciles with the server in the background — so the UI feels 0ms and keeps working offline. Generalizes the CRDT/collaboration idea to ordinary apps. See: Realtime collaboration & CRDTs → the local-first / sync-engine pattern.
Latency — Time delay between a request and a response.
LCP (Largest Contentful Paint) — Core Web Vital measuring when the largest visible element renders.
Linter — A tool that analyzes code for potential errors and style violations.
LLM (Large Language Model) — Neural network trained on huge text datasets to generate text. Examples: GPT, Claude, Gemini, Llama. See: AI Integration overview.
Load Balancer — A server that distributes incoming requests across multiple backend servers.
Lockfile — A file (e.g., package-lock.json, bun.lock) that records exact dependency versions for reproducible installs.
M
MAU (Monthly Active Users) — Common SaaS metric; users who used the product at least once in the past month.
MCP (Model Context Protocol) — Open protocol introduced in late 2024 for exposing tools, resources, and prompts to AI clients in a standard way. By 2026, MCP servers are a common way to give AI assistants (Claude Code, Cursor, etc.) access to external data and actions.
Meilisearch — An open-source, fast search engine.
Mesh (Service Mesh) — Infrastructure layer that handles service-to-service concerns transparently. Istio, Linkerd.
MFA (Multi-Factor Authentication) — Authentication requiring multiple proofs (e.g., password + SMS code).
Microservices — Architectural style where an application is built as many small, independently deployable services.
Migration — A schema change to a database, applied as code.
Modular Monolith — Single-deployment application internally organized into modules with clear boundaries. The recommended pattern for small/medium teams. See: The Team Size Heuristic.
Monorepo — A single repository containing many projects or services.
MPA (Multi-Page Application) — A web application where each navigation is a full page load. Contrast with SPA.
MTLS (Mutual TLS) — TLS where both client and server authenticate each other.
N
Neon — Serverless Postgres provider with database branching.
Next.js — The dominant React framework, by Vercel.
NestJS — An opinionated TypeScript backend framework with dependency injection.
Node.js — JavaScript runtime built on V8. The original way to run JS on servers.
NoSQL — Non-relational databases (document, key-value, graph, etc.).
Nuxt — The Vue equivalent of Next.js.
O
OAuth — Authorization framework; powers "Sign in with Google" and similar flows.
On-device AI — Running model inference in the browser/device itself (via WebGPU + a library like transformers.js) instead of calling a server API. Trades model-download size and device reach for privacy, offline support, and zero per-call cost. See: On-Device AI.
OIDC (OpenID Connect) — Identity layer on top of OAuth 2.0.
OKRs (Objectives and Key Results) — Goal-setting framework; objectives are aspirational, key results are measurable.
OpenAPI — Specification format for REST APIs; tools can generate clients, docs, mocks from it.
Optimistic update — Showing the expected result of a mutation immediately, before the server confirms, then reconciling (or rolling back) when the real response arrives — making the UI feel instant. See: Forms & Server Actions → optimistic updates.
OpenTelemetry — Vendor-neutral standard for instrumenting code with telemetry (logs, metrics, traces).
ORM (Object-Relational Mapper) — Library that maps database tables to programming-language objects. Drizzle, Prisma.
P
Pagination — Splitting large result sets into smaller pages. Common styles: offset-based, cursor-based.
Partial Prerendering (PPR) — Rendering strategy: static shell with dynamic streamed-in sections. The original experimental PPR flag was folded into Cache Components (the "use cache" directive) in Next.js 16, which is its finished form.
Passkey — Modern passwordless authentication using public-key cryptography and biometrics. Supported via WebAuthn.
PCI-DSS — Payment Card Industry Data Security Standard; required for handling credit cards.
Permissions-Policy — HTTP response header that disables powerful browser features (camera, microphone, geolocation, etc.) a page doesn't use, so injected code can't abuse them either. See: Security headers & checklist.
PG (Postgres / PostgreSQL) — Open-source relational database; the 2026 default for most new projects.
pgvector — Postgres extension for vector similarity search; popular for RAG applications. See: Pattern 2: RAG.
PHP — Server-side scripting language; powers WordPress and a large portion of the web.
PII (Personally Identifiable Information) — Information that can identify a specific individual.
Pinecone — Managed vector database for AI applications.
PostHog — Open-source product analytics platform; includes session replay and feature flags.
Preflight (CORS) — An automatic OPTIONS request the browser sends before a "non-simple" cross-origin request (e.g. a JSON body, a PUT/DELETE, or a custom header) to ask the server's permission via Access-Control-Allow-* headers. See: Security headers & checklist → simple vs preflighted.
Prisma — A popular TypeScript ORM with schema-first design.
Primitive (UI) — The lowest-level building block of a design system (e.g. Box, Text, Stack, Icon) that consumes tokens and is composed into components. See: Design Systems & Storybook.
Production — The live environment used by real users.
Progressive Delivery — Deployment strategies that gradually expand a release (canary, percentage rollout, feature flags).
Progressive enhancement — Building so the core experience works with plain HTML (no JavaScript), then layering on richer behavior when JS loads. A form wired to a Server Action submits even before hydration. See: Forms & Server Actions.
Prompt Engineering — Crafting input text to LLMs to get desired output.
Prompt Injection — Attack where user input attempts to override an LLM's instructions. See: AI Safety and Privacy.
Protobuf (Protocol Buffers) — Binary serialization format developed by Google; used heavily with gRPC.
PR (Pull Request) — Proposed change to a codebase, reviewed before merging.
PRD (Product Requirements Document) — A specification describing what a product or feature should do.
Q
Qdrant — An open-source vector database.
Query Builder — Library that constructs database queries via code (e.g., Kysely).
QUIC — Transport protocol underlying HTTP/3; runs over UDP.
R
RAG (Retrieval-Augmented Generation) — Pattern of giving an LLM relevant retrieved context to help it answer a question. See: Pattern 2: RAG.
Railway — A simple platform-as-a-service for running apps.
RBAC (Role-Based Access Control) — Authorization model where permissions are attached to roles, and roles are assigned to users.
React — A JavaScript library for building user interfaces from components. Maintained by Meta.
React Hook Form (RHF) — The dominant React form library; uses uncontrolled inputs under the hood for performance and pairs with Zod (via a resolver) for validation. See: Forms & Server Actions.
React Server Components (RSCs) — React components that render only on the server; can directly fetch data without API roundtrips.
Renovate — A configurable dependency-update bot (works on any platform) that opens pull requests to keep dependencies current and patched. Like Dependabot, but vendor-neutral. See: Package Managers → Supply-chain security.
Referrer-Policy — HTTP response header controlling how much of the current URL is sent in the Referer header on outbound navigations/requests, preventing tokens or IDs in URLs from leaking to other sites. A common safe value is strict-origin-when-cross-origin. See: Security headers & checklist.
Redis — In-memory data store; used for caching, sessions, queues.
Remix — A React framework focused on web standards; now merged with React Router v7.
REST (Representational State Transfer) — Architectural style for APIs using HTTP methods on resources.
RFC (Request for Comments) — A written proposal for a change, reviewed by peers before adoption. See: The Team Size Heuristic.
RLS (Row-Level Security) — Database-enforced rules about which rows each user can access.
RPC (Remote Procedure Call) — Calling a function on a remote system as if it were local. gRPC is a popular form.
RSC — See React Server Components.
RUM (Real User Monitoring) — Measuring performance from actual user sessions, not synthetic tests.
Rust — Systems programming language with memory safety guarantees.
S
S3 (Simple Storage Service) — AWS's object storage service. The de facto standard; many providers offer S3-compatible APIs.
Same-Origin Policy — The browser's default security rule: JS on one origin (scheme + host + port) may send requests to another origin but can't read the response unless that server opts in via CORS. See: Security headers & checklist → CORS.
SAML — XML-based standard for enterprise single sign-on.
Sanity — A headless CMS.
SAST (Static Application Security Testing) — Security testing that analyzes source code without running it. Contrast with DAST.
SCA (Software Composition Analysis) — Scanning dependencies for known vulnerabilities.
Security headers — The set of HTTP response headers that harden a page in the browser: HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options/frame-ancestors, Referrer-Policy, Permissions-Policy. See: Security headers & checklist.
Schema — The structure of data (database schema = tables and columns; API schema = endpoints and shapes).
SCSS / Sass — CSS preprocessors that add features like nesting and variables. Less common now that CSS itself has these features.
SNI (Server Name Indication) — A field in the TLS ClientHello stating the target hostname (in the clear), so a server hosting many HTTPS sites on one IP can pick the right certificate. See: TLS & HTTPS internals → SNI.
SDK (Software Development Kit) — A package providing tools/libraries for working with a service.
Sentry — Dominant error-tracking service.
Serverless — Cloud model where functions run on demand without provisioning servers. AWS Lambda, Cloudflare Workers.
Server Action — A server-only function (marked "use server") callable directly from a form or client component without a separate API route; the modern mutation pattern in React 19 / Next.js 16. See: Forms & Server Actions.
Server Component — In React, a component that renders only on the server. Contrast with Client Component.
Service Mesh — See Mesh.
Session — Server-side state associated with a user between requests, typically tracked via a cookie.
shadcn/ui — A collection of accessible React components built on Radix and Tailwind; copy-paste rather than npm-install.
Sharding — Splitting data across multiple databases for scale.
SIEM — Security Information and Event Management. Centralized security log analysis.
Single-Page App (SPA) — App that loads once and updates content via JavaScript without full page navigations.
SLA (Service Level Agreement) — Contractual commitment to customers about service reliability.
SLI (Service Level Indicator) — A measurable signal of service quality (e.g., latency).
SLO (Service Level Objective) — Internal target for an SLI (e.g., "99.9% of requests under 200ms").
SOAP — Old XML-based API protocol; largely replaced by REST and gRPC.
SOC 2 — Audit framework attesting to security practices.
SoLid (SolidJS) — A fast, fine-grained reactive UI library.
Sourcemap — File that maps minified production code back to original source for debugging.
SOX (Sarbanes-Oxley) — US law requiring financial controls in public companies.
SPA — See Single-Page App.
SPF (Sender Policy Framework) — Email authentication; specifies which servers are allowed to send mail for a domain.
Spring Boot — A popular Java backend framework.
SQL (Structured Query Language) — Standard language for relational database queries.
SQLite — A single-file relational database; lightweight, increasingly used in production at the edge.
SRI (Subresource Integrity) — A cryptographic hash pinned on a <script>/<link> (integrity="sha384-…") so the browser refuses to execute a CDN file whose bytes don't match — defending against a compromised/tampered CDN. For immutable, version-pinned URLs only. See: Security headers & checklist → SRI.
SSE (Server-Sent Events) — Long-lived HTTP connection for server-to-client streaming. Used for LLM responses. See: Pattern 1: Streaming Chat.
SSG (Static Site Generation) — Rendering HTML at build time; serving as static files.
SSO (Single Sign-On) — Authenticating to multiple applications via one identity provider.
SSR (Server-Side Rendering) — Rendering HTML on the server for each request.
Staging — Pre-production environment for final testing.
Story (Storybook) — A single rendered state of a component (e.g. "Button / Disabled"); the unit Storybook displays, documents, and tests. See: Design Systems & Storybook.
Storybook — A tool for building, documenting, and testing UI components in isolation, outside the app, with auto-generated controls and docs. See: Design Systems & Storybook.
Stripe — Dominant payments platform for developers.
Supabase — Open-source Firebase alternative; Postgres + auth + storage + realtime.
Supply chain (software) — The full transitive tree of dependencies your project runs; a real attack surface, since a compromised dependency runs with your code's access. Defended with lockfiles, npm audit, Dependabot/Renovate, and restricting install-time scripts. See: Package Managers → Supply-chain security.
Svelte — A frontend framework that compiles components to vanilla JS at build time.
SvelteKit — Application framework for Svelte (analog to Next.js for React).
T
Tailwind CSS — Utility-first CSS framework. Dominant in 2026.
TanStack Query — Library for managing server state in React (formerly React Query).
TanStack Start — A type-safe full-stack React framework (built on TanStack Router + Vite + Nitro). Routes and server-function calls are checked at compile time; positioned as the type-safe alternative to Next.js. See: Frontend Frameworks → TanStack Start.
TCP (Transmission Control Protocol) — Reliable, connection-oriented transport protocol; underlies most internet traffic.
Terraform — Infrastructure-as-code tool from HashiCorp. OpenTofu is the open-source fork.
TLS (Transport Layer Security) — Encryption protocol for network traffic; HTTPS uses TLS.
Token (auth) — A string representing authentication; usually a JWT or a session identifier.
Trigger.dev — A modern, TypeScript-native background job platform.
tRPC — End-to-end type-safe API library for TypeScript stacks; no schemas needed.
Trunk-Based Development — Branching strategy where everyone commits to main (or short-lived branches that merge within hours).
TS — Shorthand for TypeScript.
TTL (Time To Live) — How long cached data is valid before being re-fetched.
Turbopack — Vercel's Rust-based bundler.
Turborepo — A build system for JavaScript monorepos.
Turso — A distributed SQLite service.
TypeScript — JavaScript with types; the modern web dev default.
Typesense — Modern, fast search engine.
Typosquatting — Publishing a malicious package under a name one keystroke off a popular one (e.g. loadsh, crossenv) so a typo in an install command pulls the attacker's code. See: Package Managers → Supply-chain security.
U
Uncontrolled component — A form input that keeps its own value in the DOM, read on demand (via a ref or FormData) rather than living in React state. Contrast with Controlled component. See: Forms & Server Actions.
UDP (User Datagram Protocol) — Connectionless transport protocol; faster but less reliable than TCP. Used by HTTP/3 (QUIC).
URL (Uniform Resource Locator) — A web address.
Upstash — Serverless Redis provider.
V
V8 — Google's JavaScript engine; powers Chrome and Node.
Valkey — Open-source fork of Redis after Redis Labs's license change.
Vector Database — Database optimized for similarity search on high-dimensional vectors (embeddings). See: Pattern 2: RAG.
Vercel — Hosting platform optimized for Next.js and other frameworks.
Vercel AI SDK — Dominant TypeScript abstraction for LLM integrations. As of mid-2026: v5 is the stable floor (typed UIMessage/ModelMessage, transport-based useChat, toUIMessageStreamResponse()); v6 adds a first-class Agent abstraction and a stable @ai-sdk/mcp package. See: Pattern 1: Streaming Chat.
View Transitions — A browser API/CSS feature that animates between two UI states by tweening before/after snapshots. Same-document transitions (within an SPA) reached Baseline in Oct 2025; cross-document (between page loads) is still progressive enhancement as of mid-2026. See: Advanced CSS.
Vite — Modern JavaScript build tool; very fast dev experience. As of mid-2026: Vite 7 (Rollup for prod builds), with Vite 8 moving the bundler to Rolldown (Rust).
Visual-regression testing — Testing that screenshots a component (often each Storybook story) and pixel-diffs it against an approved baseline, flagging any unintended appearance change. See: Design Systems & Storybook.
Vitest — A Vite-native test runner; replacing Jest in many projects.
Vue — Frontend framework; major alternative to React.
W
WAF (Web Application Firewall) — Filters HTTP traffic to block attacks; Cloudflare offers one.
WASM (WebAssembly) — Binary instruction format that runs in browsers at near-native speed. Languages like Rust, C++, and Go can compile to WASM.
WCAG (Web Content Accessibility Guidelines) — Standards for web accessibility.
WebAuthn — Standard for passwordless authentication using public-key cryptography and biometrics. Powers passkeys.
WebGPU — Browser API giving JavaScript near-native access to the GPU for graphics and general compute — including AI inference. Reached cross-browser availability (Chrome, Safari, Firefox) in early 2026; the engine behind in-browser model libraries like transformers.js. See: On-Device AI.
Webhook — HTTP callback; one service calls a URL on another when an event happens.
WebRTC — Browser API for real-time peer-to-peer communication (video, audio, data).
WebSockets — Persistent, bidirectional connections between browser and server.
WebTransport — Modern low-latency, multiplexed connections over HTTP/3.
WHATWG — Web Hypertext Application Technology Working Group; the standards body for HTML and many web APIs.
Wireframe — Low-fidelity sketch of UI structure, used in design.
WorkOS — Service providing enterprise auth (SAML, SCIM) as an API.
X
X-Content-Type-Options — HTTP response header; the value nosniff stops the browser from MIME-sniffing a response into a different type (e.g. running an uploaded image as HTML/JS). See: Security headers & checklist.
X-Frame-Options — HTTP response header (DENY/SAMEORIGIN) that stops your page being embedded in an iframe, defending against clickjacking. The modern replacement is CSP frame-ancestors. See: Security headers & checklist.
XHR (XMLHttpRequest) — The original way browsers made HTTP requests from JavaScript. Largely replaced by fetch.
XSS (Cross-Site Scripting) — Attack where malicious JS is injected into a page and runs in users' browsers. Mitigated by escaping output and CSP.
Y
Yarn — A JavaScript package manager; alternative to npm. Yarn 4 (modern) is innovative but niche.
Yjs — A library for collaborative editing using CRDTs.
Z
Zod — A TypeScript-first schema validation library. Pairs with everything.
Zustand — A small, popular global state management library for React.
Closing Note
This concludes the comprehensive 2026 web development guide series. The eleven files cover:
- 00 — Introduction and reading guide
- 01 — Foundational concepts
- 02 — Universal development lifecycle
- 03 — The 2026 tech stack decoded
- 04 — Personal website / side project workflow
- 05 — Small company / startup workflow
- 06 — Large company / enterprise workflow
- 07 — Side-by-side comparison
- 08 — Decision frameworks
- 09 — AI integration patterns
- 10 — Career path and learning
- 11 — This glossary
Use them as reference, as study material, as a checklist when starting projects, or as a way to mentor others. Web development is a field where the fundamentals stay stable while the tools evolve constantly — the goal of this guide is to give you the fundamentals so you can adapt to whatever the tools become next.
Good luck building.