Balou Tools

Glossary

All technical terms and abbreviations around Balou Tools – categorized, explained, and searchable.

DNS & Email

DNS

Resolution, Records

Domain Name System

The "phone book of the Internet": translates human-readable domain names (e.g. example.com) into IP addresses that computers need to communicate.

A-Record

IPv4

DNS record that maps a domain name to an IPv4 address.

AAAA-Record

IPv6

DNS record that maps a domain name to an IPv6 address.

CNAME

Alias

Canonical Name

Alias record that points a domain name to another domain name instead of an IP address.

MX-Record

Email

Mail Exchange

DNS record specifying which mail servers are responsible for receiving emails for a domain, including priorities.

TXT-Record

Email

Free-text DNS record, commonly used for verifications and email authentication (SPF, DKIM, DMARC).

SOA

Zone

Start of Authority

Central DNS record of a zone containing administrative details such as primary nameserver, serial number, and refresh intervals.

NS-Record

Authoritative

Name Server

Specifies the authoritative name servers responsible for a domain. Balou Tools checks their consistency.

CAA

Certificates

Certification Authority Authorization

DNS record that specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain.

DNSSEC

Signature

DNS Security Extensions

Extension that cryptographically signs DNS responses, protecting against manipulation (spoofing/cache poisoning).

TLSA / DANE

TLS

DNS-based Authentication of Named Entities

Binds TLS certificates to a domain via DNS (TLSA record, secured by DNSSEC), creating trust independently of CAs.

PTR-Record

Reverse

Pointer / Reverse DNS

Reverse DNS record that maps an IP address back to a hostname – critical for email reputation.

DS-Record

DNSSEC, Signature

Delegation Signer

Hash of the DNSKEY stored at the parent (TLD) that anchors the DNSSEC chain of trust from the parent zone down to the domain.

SVCB / HTTPS Record

Performance

Service Binding

Modern DNS record types that provide connection parameters (e.g. ALPN/HTTP version, ports, ECH) before the connection is even established.

TTL

Cache

Time To Live

Validity duration (in seconds) of a DNS record in cache before it must be queried again.

DNS-Propagation

Resolver

The time it takes for DNS changes to spread globally across resolvers. Balou Tools checks this across multiple resolvers in parallel.

SPF

Email, Anti-Spoofing

Sender Policy Framework

Email authentication method that specifies, via a TXT record, which servers are allowed to send emails for a domain. Limited to a maximum of 10 DNS lookups.

DKIM

Email, Signature

DomainKeys Identified Mail

Method that adds a digital signature to outgoing emails; the public key is stored as a DNS record under a selector.

DMARC

Email, Policy

Domain-based Message Authentication, Reporting & Conformance

Policy building on SPF and DKIM specifying how to handle unauthorized emails (none/quarantine/reject) – including reporting.

BIMI

Email, Branding

Brand Indicators for Message Identification

Standard that displays the sender's brand logo in the inbox for authenticated emails.

MTA-STS

Email, TLS

Mail Transfer Agent Strict Transport Security

Mechanism enforcing encrypted (TLS) transport of emails between servers, preventing downgrade attacks.

TLS-RPT

Email, Reporting

TLS Reporting

Mechanism sending reports on errors in encrypted email transport (e.g., failed TLS connections).

WHOIS / RDAP

Registration

Registration Data Access Protocol

Protocols to query registration data of a domain (owner, registrar, expiration date). RDAP is the modern, structured successor to WHOIS.

SSL/TLS & Cryptography

SSL / TLS

Encryption

Secure Sockets Layer / Transport Layer Security

Protocols for encrypted data transmission over the network. TLS is the modern successor to SSL; "SSL" is still colloquially used.

Cipher-Suite

TLS

Combination of cryptographic algorithms (key exchange, authentication, encryption, MAC) securing a TLS connection. Weak suites are penalized.

Handshake

TLS

Negotiation phase at the beginning of a TLS connection, where client and server agree on protocol version, cipher suite, and keys.

SNI

TLS

Server Name Indication

TLS extension by which the client communicates the desired hostname during handshake – allows multiple certificates per IP address.

Chain of Trust

Trust

Unbroken chain from the server certificate through intermediate certificates to a trusted root CA. Balou Tools checks completeness and trust.

CA

Trust

Certificate Authority

Authority that issues digital certificates and confirms their authenticity.

CSR

Certificates

Certificate Signing Request

Application for certificate issuance, containing the public key and applicant data. Balou Tools generates CSRs entirely client-side.

SAN

Certificates

Subject Alternative Name

Certificate field listing additional hostnames/domains for which a certificate is valid.

OCSP Stapling

Revocation

Online Certificate Status Protocol

Method where the server includes a current proof of validity for its certificate directly, so the client doesn't need to query the CA.

Let's Encrypt / Certbot

Certificates, Automation

Free, automated certificate authority (Let's Encrypt) and its companion tool (Certbot) that issues and automatically renews TLS certificates via the ACME protocol.

CT / SCT

Transparency

Certificate Transparency / Signed Certificate Timestamp

Public, auditable logs of all issued certificates. An SCT proves that a certificate was entered into these logs.

RSA

Asymmetric

Rivest–Shamir–Adleman

Established asymmetric encryption and signature method. Keys under 2048 bits are considered insecure.

ECDSA / Ed25519

Asymmetric

Elliptic Curve Digital Signature Algorithm

Modern signature methods based on elliptic curves – shorter keys with equivalent security compared to RSA.

Hash

Integrity

One-way function mapping data to a fixed-length value (e.g. SHA-256). The source cannot be reconstructed from the hash.

HMAC

Integrity

Hash-based Message Authentication Code

Method combining a hash with a secret key to verify the integrity and authenticity of a message.

bcrypt / PBKDF2 / Argon2

Passwords

Deliberately slow hashing algorithms for secure password storage; they hinder brute-force attacks.

JWT

Token

JSON Web Token

Compact, signed token format for secure exchange of claims (e.g., identity), consisting of header, payload, and signature.

JWKS

Token

JSON Web Key Set

Set of public keys published via URL, used to verify JWT signatures.

WebCrypto

Browser

Web Cryptography API

Browser interface for cryptographic operations. Balou Tools uses it for 100% client-side crypto tools.

High-entropy token

Token, Entropy

Long, random-looking value with high character variety. Such values are often API keys, session tokens or other secrets and should be masked and rotated.

Web Security & HTTP

HTTP / HTTPS

Protocol

Hypertext Transfer Protocol (Secure)

Protocol for transmitting web pages. HTTPS is the TLS-encrypted version of HTTP.

HTTP/2 & HTTP/3

Protocol, Performance

Modern HTTP versions. HTTP/2 multiplexes requests over one connection; HTTP/3 uses QUIC (UDP) for lower latency.

QUIC

Protocol

Quick UDP Internet Connections

UDP-based transport protocol underlying HTTP/3 – faster connection establishment and integrated encryption.

ALPN

TLS

Application-Layer Protocol Negotiation

TLS extension by which client and server negotiate the application protocol (e.g., h2, http/1.1) during handshake.

0-RTT

Performance

Zero Round Trip Time

TLS 1.3/QUIC feature sending data during connection setup without extra round trips – fast, but vulnerable to replay attacks.

HSTS

Header

HTTP Strict Transport Security

Security header forcing browsers to access a domain exclusively via HTTPS. Options: max-age, includeSubDomains, preload.

CSP

Header, XSS

Content Security Policy

Security header specifying allowed sources for scripts, styles, etc. to mitigate XSS attacks. Balou Tools detects bypasses.

XSS

Attack

Cross-Site Scripting

Attack where malicious code (mostly JavaScript) is injected into a website and executed in the browsers of other users.

X-Frame-Options

Header

HTTP header controlling the embedding of a page in frames to prevent clickjacking.

X-Content-Type-Options

Header

HTTP header (value nosniff) preventing browsers from guessing the content type ("MIME-sniffing").

Referrer-Policy

Header, Privacy

HTTP header controlling how much referrer information is transmitted when navigating to other pages.

Permissions-Policy

Header

HTTP header regulating access to browser features (camera, microphone, geolocation, etc.) per page.

Cross-Origin Isolation

Header, Isolation

COOP / COEP / CORP

Header trio isolating a document from foreign origins (Cross-Origin-Opener/Embedder/Resource-Policy) – protects against Spectre and is a prerequisite for powerful browser APIs.

Gzip

Performance, Compression

Widely used compression method that shrinks text responses (HTML/CSS/JS) before transmission, reducing load time.

Brotli

Performance, Compression

Modern compression method by Google that usually achieves higher compression ratios than Gzip for text content; browsers fall back to Gzip automatically.

strict-dynamic

CSP

CSP directive allowing trusted scripts (via nonce/hash) to load further scripts – without an explicit allowlist.

Nonce / Hash (CSP)

CSP

Mechanisms to specifically allow individual inline scripts: a unique random value (nonce) or a checksum of script content (hash).

SSRF

Attack

Server-Side Request Forgery

Attack forcing a server to send requests to internal or disallowed targets. Balou Tools protects every redirect hop.

Redirect / Hop

HTTP

HTTP redirection (3xx) from one URL to the next. Each step is a "hop"; Balou Tools measures latency, cookies, and HSTS per hop.

Mixed Content

HTTPS

Insecure HTTP resources embedded in an HTTPS page – they undermine encryption and are blocked by modern browsers.

ReDoS

Attack, Regex

Regular Expression Denial of Service

Attack that drives inefficient regular expressions to extreme execution times via crafted inputs. The Regex Tester warns of this.

PageSpeed

Performance

Performance score of a web page (0–100) via Google PageSpeed Insights API; Balou Tools averages mobile and desktop scores.

URI credentials

Credentials, URI

Credentials embedded directly in a URI, e.g. postgres://user:pass@host/db. Convenient but risky because they easily end up in logs, screenshots or repositories.

Lighthouse Opportunity

Performance, PageSpeed

Concrete Lighthouse/PageSpeed optimization recommendation, such as reducing unused JavaScript, optimizing images or improving cache headers.

Core Web Vitals

Performance, UX

Google metrics for user experience: LCP for loading speed, CLS for visual stability and INP/FID for responsiveness.

LCP

Performance, PageSpeed

Largest Contentful Paint

Core Web Vital measuring when the largest visible viewport element has loaded. Target: ideally below 2.5 seconds.

TBT

Performance, JavaScript

Total Blocking Time

Lighthouse lab metric for the time during which the main thread is blocked by long JavaScript tasks and user input is delayed.

CLS

Performance, Layout

Cumulative Layout Shift

Core Web Vital measuring unexpected layout shifts during loading. Lower values mean a more stable interface.

Replay attack

0-RTT, Attack

Attack where previously sent data is replayed. With 0-RTT/Early Data, non-idempotent requests are especially critical.

425 Too Early

HTTP, 0-RTT

HTTP status code allowing a server to reject risky Early Data requests so the client retries them after the full TLS handshake.

Early Data

TLS, 0-RTT

Data sent with TLS 1.3/QUIC before the full handshake is complete. Speeds up repeat visits but requires replay protection.

AI & RAG

AI

Basics

Artificial Intelligence

Collective term for methods by which machines solve tasks requiring human intelligence – here, mainly language processing.

LLM

Model

Large Language Model

Large language model trained on huge text volumes to understand and generate text. Balou Tools uses gemini-2.5-flash-lite.

RAG

Pipeline

Retrieval-Augmented Generation

Method enriching an LLM with specific retrieved expertise before it answers – for more precise, verifiable answers.

Embedding

Vector

Numerical vector representation of text capturing its meaning. Balou Tools uses gemini-embedding-001 with 768 dimensions.

Vector Database

Vector

Database storing embeddings and searching them by similarity. Here: PostgreSQL with pgvector extension.

pgvector

Vector, Database

PostgreSQL extension for storing and performing similarity search on vectors.

HNSW

Index

Hierarchical Navigable Small World

Efficient index algorithm for approximate nearest neighbor search in vector databases.

Cosine Similarity

Vector, Metric

Measure of similarity between two vectors (0.0–1.0). Balou Tools requires a value of ≥ 0.6 for relevant matches.

Top-K

Retrieval

Number of most relevant document chunks retrieved from vector search (here: up to 4).

Chunking

Ingestion

Splitting long documents into overlapping sections (chunks) that can be individually embedded and searched.

Reranking

Retrieval

Subsequent reweighting of search results based on additional factors (category, keywords, language, workspace) to improve relevance.

Semantic Cache

Cache

Cache recognizing semantically identical requests (cosine similarity ≥ 95%) and returning saved answers without calling the LLM again.

Query Rewriting

Retrieval

Automatic reformulation of imprecise queries to improve the subsequent vector search.

Prompt

LLM

Input text or instruction controlling an LLM. Balou Tools structures prompts from system, diagnostic, and RAG contexts.

Token

LLM

Smallest processing unit of an LLM (word fragment/character). Model costs and limits are measured in tokens.

Spring AI

Framework

Spring Framework module providing a unified abstraction for LLMs and vector databases (here version 2.0.0-M8).

Architecture & Infrastructure

Frontend

Basics

The visible part of the application running in the browser. In Balou Tools, based on Astro and Svelte.

Backend

Basics

Server-side part of the application providing logic, diagnostic checks, and APIs. Here: Spring Boot with Java.

Astro

Framework

Web framework focused on statically optimized, fast-loading pages and selective interactivity (islands).

Svelte

Framework

Reactive UI framework compiling components into efficient JavaScript at build time. Balou Tools uses the Runes API (v5).

Islands Architecture

Pattern

Concept where only individual interactive components ("islands") load client-side JavaScript, leaving the rest as static HTML.

SSR / SSG

Rendering

Server-Side Rendering / Static Site Generation

SSR renders pages on the server at runtime; SSG generates static pages at build time. Both improve load time and SEO.

Spring Boot

Framework

Java framework for rapid development of standalone, production-ready backend applications (here version 4.0.6).

Virtual Threads

Java, Performance

Lightweight threads from Java 21+/25 that efficiently parallelize mass blocking I/O operations – without typical thread pool bottlenecks.

REST

API

Representational State Transfer

Architectural style for web APIs addressing resources via standardized HTTP methods (GET, POST, etc.).

SSE

Streaming

Server-Sent Events

Technology where the server continuously streams data to the browser – here used for character-by-character output of AI answers.

Reverse Proxy

Infrastructure

Upstream server (here Nginx) receiving requests, terminating TLS, and forwarding them to backend services.

X-Forwarded-For / Real-IP

Infrastructure, Header

HTTP headers by which a reverse proxy passes the original client IP to the backend; nginx restores it via set_real_ip_from/real_ip_header (e.g. behind Cloudflare).

Caching

Performance

Temporary storage of results to reduce latency and costs. Balou Tools uses Caffeine (local) and Redis (distributed).

Caffeine

Cache

Extremely fast in-memory cache library for Java applications.

Redis

Cache

Fast, distributed in-memory data store, used here as a scalable cache (port 6379).

PostgreSQL

Database

Powerful open-source relational database; also used as a vector database (pgvector) in Balou Tools.

Rate Limiting

Security

Limiting requests per time unit and client to protect against abuse and overload.

Multi-Tenancy

SaaS

Operating model where multiple customers (tenants/workspaces) use the same application in isolation.

Stateless

Pattern

Service that does not store session data between requests – facilitates scaling and fault tolerance.

Secret Manager / Vault

Secrets, Infrastructure

Central protected store for secrets. Applications fetch credentials at runtime instead of committing them in .env files or source code.

i18n

Localization, UX

Internationalization

Preparing an application for multiple languages and regions. Balou Tools uses localized copy for German, English and French.

Hardcoding scan

QA, i18n

Automated check for fixed visible strings in components. It helps find missing i18n keys and inconsistent translations early.

WordPress/CMS

CMS, Performance

Content management systems like WordPress generate pages dynamically and benefit strongly from caching, image optimization, plugin cleanup and clean asset loading.

Next.js

Framework, Performance

React framework for SSR/SSG, routing and optimizations such as next/image, next/font and ISR. PageSpeed fixes vary by server/client component usage.

Formats & Developer Tools

JSON

Format

JavaScript Object Notation

Lightweight, human-readable data format for exchanging structured data.

YAML

Format

YAML Ain't Markup Language

Indentation-based, highly readable data format, frequently used for configuration files.

Base64

Encoding

Encoding converting binary data into ASCII text, e.g. for embedding in JSON or URLs.

Regex

Pattern

Regular Expression

Pattern for searching and validating strings. The Regex Tester offers match highlighting and capture group tables.

Capture Group

Regex

Parenthesized part of a regular expression whose match can be separately extracted.

Named Group

Regex

Named Capture Group

Capture group with its own name ((?<name>…)) whose match is read by name instead of index – more readable and robust.

Lookahead / Lookbehind

Regex, Assertion

Assertions without a match of their own: lookahead (?=…)/(?!…) checks what follows, lookbehind (?<=…)/(?<!…) what precedes – without consuming those characters.

Backreference

Regex

Reference (\1 or \k<name>) to the content already matched by a previous group – e.g. to find duplicated words.

Regex Flags

Regex

g i m s u y

Modifiers that change the behavior of a pattern: global (g), ignore-case (i), multiline (m), dotAll (s), unicode (u) and sticky (y).

UUID

Identifier

Universally Unique Identifier

128-bit identifier that is practically unique and can be generated without a central authority.

Diff

Comparison

Comparison of two texts to display differences. Balou Tools offers line-based and semantic JSON diffs.

Semantic Diff

Comparison

Comparison that respects the meaning (e.g. JSON structure) and ignores formatting and key order.

JSON Schema

Validation

Formal description of the allowed structure of a JSON document against which validation can be performed.

Checksum

Integrity

Short value for detecting data errors; a mismatching value indicates a change in the data.

Mock Data

Test

Artificially generated test data. The generator supports de-CH localization and SQL INSERT exports.

.env file

Configuration, Secrets

Text-based configuration file for environment variables such as API URLs, feature flags or local development values. It should not contain production secrets.

Inline comment (.env)

Parser, Configuration

Comment at the end of a .env line, typically after whitespace and #. Inside quoted values, # belongs to the value; after the closing quote it is a comment.

Framework fix

PageSpeed, UX

Concrete stack-specific recommendation, e.g. for WordPress/CMS, Next.js or Astro, instead of only generic performance advice.

Law & Privacy

GDPR / FADP

Law

General Data Protection Regulation / Federal Act on Data Protection

EU (GDPR) and Swiss (FADP) regulations for protecting personal data, which Balou Tools complies with.

Privacy-First

Principle

Design principle where sensitive user data does not leave the device – many tools run 100% client-side.

Pepper

Security

Secret, server-side value appended to data (e.g. IP addresses) before hashing for additional security.

IP Anonymization

Privacy

Procedure that stores IP addresses not in plain text but hashed (via HMAC-SHA256 with pepper) – GDPR-compliant for rate limiting.

Redaction

Privacy

Automatic obscuring of sensitive data (passwords, API keys, JWTs) before passing them to the AI pipeline.

Consent

Privacy

Active agreement of the user to data processing, a prerequisite for certain features (e.g., lead/email features).

Correlation ID

Resilience

Unique identifier assigned to an error and shown to the user instead of internal details – facilitates debugging without leaking information.

Secret leak

Secrets, Security

Accidental disclosure of sensitive values such as API keys, tokens, passwords or private keys through commits, logs or shared configuration files.