What's new this week — dev updates & a quick tip


Hello readers! 👋

Hope you've had a solid week. Here's a quick roundup of what I've been building, reading, and thinking about.


🚀 What I shipped

Been heads-down on my personal site this week. The big additions:

  • Media library — drag-and-drop uploads, copy URLs, delete files, all in one place
  • Newsletter management — write broadcasts right from the admin in Markdown, with draft saving and scheduled sends
  • Admin logs — a live audit trail of every action taken through the panel

Small things that quietly make the day-to-day a lot smoother.


📖 What I'm reading

Currently working through The Pragmatic Programmer again. This line keeps sticking with me:

"Don't live with broken windows. Fix bad designs, wrong decisions, and poor code when you see them."

It's the kind of advice that sounds obvious until you're staring at a six-month-old hack wondering why you left it there.


🛠 Tip of the week: CSRF in Next.js API routes

If you're building an admin panel with Next.js App Router, here's a simple two-layer CSRF defence that doesn't need tokens:

import { NextResponse } from "next/server";

export async function POST(req) {
  // 1. Custom header — can't be set cross-origin without a CORS preflight,
  //    and a plain HTML form submission can never add it at all
  if (req.headers.get("x-admin-request") !== "1") {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
  // 2. Origin check — belt and braces; browsers attach Origin to POSTs automatically
  const origin = req.headers.get("origin");
  if (origin && origin !== process.env.NEXT_PUBLIC_SITE_URL) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
  // ... the actual admin action goes here
}

Pair it with SameSite=Lax session cookies and you're well covered.
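To see how the two layers sort requests, here's an added example (not from the newsletter and not Next.js code) that turns the check into a plain function and runs it over constructed request headers. The site URL, the headersFrom stand-in for the Fetch Headers object and the scenario names are all made up for the example, and normalising the configured URL with URL.origin is an addition so a trailing slash in the env var doesn't break the comparison.

```javascript
// Added example: the two-layer CSRF check as a pure function, exercised with
// constructed headers. Logic mirrors the route snippet; URL normalisation is extra.
const SITE_URL = "https://admin.example.com/"; // constructed stand-in for NEXT_PUBLIC_SITE_URL

function normalizeOrigin(value) {
  try {
    return new URL(value).origin; // strips path/trailing slash: "https://admin.example.com"
  } catch {
    return null; // an unparsable Origin is treated as a mismatch
  }
}

// headers: anything with a case-insensitive get(name), like the Fetch Headers API.
// Returns { ok: true } or { ok: false, reason } so the caller can log the rejection.
function csrfCheck(headers, siteUrl = SITE_URL) {
  // Layer 1: custom header. Cross-origin JS can only add it after a CORS preflight,
  // and an HTML form or image tag can never add it.
  if (headers.get("x-admin-request") !== "1") {
    return { ok: false, reason: "missing x-admin-request header" };
  }
  // Layer 2: when a browser sent an Origin, it has to be ours.
  const origin = headers.get("origin");
  if (origin !== null && normalizeOrigin(origin) !== normalizeOrigin(siteUrl)) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  return { ok: true };
}

// Minimal stand-in for the Fetch Headers object so this runs in plain Node.
function headersFrom(obj) {
  const lower = Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (name) => (name.toLowerCase() in lower ? lower[name.toLowerCase()] : null) };
}

// Constructed scenarios (hypothetical hosts).
const scenarios = {
  // Legitimate fetch() from the admin UI.
  sameOrigin: headersFrom({ Origin: "https://admin.example.com", "X-Admin-Request": "1" }),
  // Cross-site <form method="POST">: browser sets Origin but cannot add custom headers.
  crossSiteForm: headersFrom({ Origin: "https://other.example", "Content-Type": "application/x-www-form-urlencoded" }),
  // Cross-site fetch() with the header: preflight stops it in a browser, and even
  // if it arrived, the Origin mismatch rejects it.
  crossSiteFetch: headersFrom({ Origin: "https://other.example", "X-Admin-Request": "1" }),
  // Non-browser client with no Origin: passes, so here the session/auth check,
  // not the CSRF check, is what must protect the route.
  noOrigin: headersFrom({ "X-Admin-Request": "1" }),
};

function runAll() {
  return Object.fromEntries(Object.entries(scenarios).map(([name, h]) => [name, csrfCheck(h).ok]));
}
```

The noOrigin case is worth keeping in mind: the Origin layer is only a defence against browsers, which is exactly where CSRF lives, so the SameSite cookie and your normal auth still carry the rest.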


That's all for this one. If anything resonated or you have questions, just reply — I read every message.

Until next week, Peery

Paul Peery

Tech, code, business, finance, life — basically whatever's bouncing around in my head that might help someone else out. No fluff, no corporate speak, just real talk.
