Forem: Mario Herreros

How to Craft Effective Prompts Using PARTS

Mario Herreros — Tue, 19 Aug 2025 14:42:00 +0000

GenAI is transforming the way developers write and refine code. From generating boilerplate to debugging complex issues, AI can save hours of work—but only if you ask it the right way. The secret? Crafting clear, detailed prompts.

Think of your prompt as the specification document for the AI. If it’s vague, you’ll get something generic. If it’s precise, you’ll get code that fits your needs.

To make this easy, use PARTS:

P – Persona: Identify Your Role

Start by telling the AI who you are and your context. This shapes the complexity, depth, and tone of the response.

Examples:

I am a backend engineer working on a microservices architecture using Node.js.
I am a DevOps specialist automating CI/CD pipelines for a Kubernetes environment.
I am a full-stack developer integrating Stripe payments into a React app.

Why it matters: A DevOps engineer might expect infrastructure-as-code templates, while a backend engineer wants clean, modular functions.

A – Aim: State Your Objective

Clearly state what you want the AI to do. Start with a strong verb: write, debug, optimize, explain, convert, etc.

Examples:

Write a Python script to upload large files to AWS S3 using multipart upload.
Debug the following Dockerfile for a Node.js app that crashes on startup.
Optimize this SQL query for faster performance on a 10M-row PostgreSQL table.
Convert this Express.js middleware to TypeScript with proper types.

Pro tip: Always specify the language, framework, and purpose. “Write a login feature” is vague. “Write a Next.js API route for user authentication using JWT” is clear.

R – Recipients: Specify the Audience

Who will use this code? Your audience determines complexity and style. Is it for:

Your dev team (production-ready, optimized, minimal comments)
Open-source contributors (clean, documented, maintainable)
Junior developers (extra comments, educational tone)

Examples:

The code should be production-ready for a fintech app with strict security requirements.
Output should include comments for maintainability because multiple teams will contribute.
Provide a lightweight solution that avoids external dependencies for a performance-critical system.

T – Theme: Define Style and Constraints

This is where you set coding conventions, tone, and any restrictions.

Examples:

Follow PEP 8 guidelines and include type hints.
Use functional programming principles; no OOP classes.
Avoid any third-party libraries; stick to Node.js core modules.
Add inline comments explaining performance trade-offs.

S – Structure: Specify the Format

Decide how you want the answer delivered. Just code? Code + explanation? Step-by-step?

Examples:

Provide the final code only—no explanation.
Show the code, then explain the solution in bullet points.
Include unit tests using Jest for the provided function.
Give two versions: a basic solution and an optimized one.

Example of a Full Prompt Using PARTS

Here’s how you can combine everything into a real-world scenario:

I am a backend engineer building a payment service (Persona). Write a Node.js function to generate Stripe payment intents with error handling (Aim). The code will be reviewed by senior developers and deployed to production (Recipients). Use modern JavaScript (ES2022) and include JSDoc comments for maintainability (Theme). Provide the function and an example usage snippet (Structure).

Why PARTS Makes Your Prompts Better

By applying PARTS, you turn vague instructions like:

“Write code to handle payments.”

Into:

“I am a backend engineer building a payment service. Write a Node.js function to generate Stripe payment intents with error handling. The code will be reviewed by senior developers and deployed to production. Use modern JavaScript (ES2022) and include JSDoc comments for maintainability. Provide the function and an example usage snippet.”

The second prompt gives the AI context, goals, and constraints, resulting in code that’s closer to what you actually need—saving you time and reducing rewrites.

✅ Pro-Tip: Test and Iterate

Prompt engineering is like debugging: the first try may not be perfect. Iterate, refine, and add details until the output meets your expectations.

Not Just for Coding

Although this article focuses on coding, the PARTS works for many other domains:

Design: I am a UX designer creating wireframes (Persona). Suggest 5 user flow improvements for a food delivery app (Aim)...
Content Writing: I am a tech blogger writing an article on AI ethics (Persona). Generate 10 catchy titles (Aim)...
Project Management: I am a product manager preparing a sprint plan (Persona). Create a roadmap for a SaaS product launch (Aim)...

Any time you need AI to generate content, brainstorm ideas, analyze data, or create structured output, PARTS gives you a blueprint for clarity and precision.

Setting Up Custom Instructions for GitHub Copilot

Mario Herreros — Wed, 13 Aug 2025 15:13:48 +0000

Your company has just purchased GitHub Copilot licences for the entire development team.

The promise is appealing: faster delivery, less repetitive work, more focus on the important stuff.

But after a few weeks… problems start to emerge:

Code that is inconsistent with project standards.
Missing unit tests.
Insecure implementations in critical areas such as cookies, authentication, or input validation.

This happens because Copilot, by default, does not know your internal rules.

The solution: create a shared custom instructions file that every developer can use.

1. What are “Custom Instructions” for Copilot?

Instead of giving instructions in every comment or prompt, you can define a persistent set of rules that Copilot will always consider.

When it suggests code, it will then respect:

Project style guidelines.
Security practices.
The correct framework and internal libraries.
Linter rules.

💡 These instructions can be stored in a file (e.g., .copilot-instructions.md) and distributed to the whole team.

2. Example `.copilot-instructions.md` file

# GitHub Copilot – Corporate Instructions

## Style and Linter
- Always follow the rules from `.eslintrc.json` for JavaScript and `.pylintrc` for Python.
- Use single quotes in JavaScript/TypeScript.
- Always end statements with `;` in JS/TS.

## Security
- For cookies: set `httpOnly`, `secure`, `sameSite: strict`, and `maxAge`.
- Never include passwords or secrets in code.
- Validate all external input using patterns from `utils/validators`.

## Tests
- Always generate unit tests alongside new code.
- Use Jest for JS/TS projects and pytest for Python.
- Minimum coverage: 90%.

## Internal Libraries
- Use `logger` for logs, not `console.log`.
- Use `fetchWithAuth` instead of `fetch` for authenticated HTTP calls.

## Other
- Document every public function with JSDoc or Python docstrings.
- Avoid external dependencies not listed in `approved-deps.json`.

3. How to implement this across your team

Create the file .github/.copilot-instructions.md at the root of your project (create .github folder if you don't have it).

Share it in the base repository or in your project templates.

Configure Copilot so that it applies these rules: If you use Visual Studio Code, open the file at the start of a session and paste its content into Copilot’s “Custom Instructions” settings.

If your team uses GitHub Copilot Chat, paste the content as initial context.

In enterprise setups, include it as part of onboarding scripts or IDE initialisation steps.

4. Example in practice

Without instructions, Copilot might produce:

res.cookie('sessionId', id);

With .copilot-instructions.md in place, it will suggest:

res.cookie('sessionId', id, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'strict',
  maxAge: 1000 * 60 * 60 // 1 hour
});

5. Benefits

Consistency: all developers receive aligned suggestions.
Security: reduced risk of unsafe implementations.
Less friction: no need to repeat the same instructions in every prompt.
Faster onboarding: new joiners produce better code from day one.

Conclusion

Copilot is not a senior developer – it needs context.
A corporate instructions file turns that “intuition” into a set of explicit rules, helping Copilot to produce code that is secure, consistent, and compliant with your organisation’s standards.

For more details, see the Github Docs

Scrum Must Die ☠️

Mario Herreros — Mon, 11 Aug 2025 18:04:00 +0000

Scrum was born as the savior of development teams.

Now, in too many companies, it’s turned into a corporate religion with more sermons than miracles.

And like any bureaucratic religion... it either reforms, or it dies.

Scrum: from agile revolution to organizational theater 🎭

Years ago, when someone said "we're agile," people smiled.

Today, it means: "brace yourself for more meetings, more metrics, and more PowerPoints."

Once, companies hired Scrum Masters and Agile Coaches like rare Pokémon.

Now? They're laying them off, merging their roles, or keeping them as ceremony police.

The slow death of technical excellence ⚰️💻

Scrum doesn't ship technical practices out of the box.

Without a strong engineering commitment — tests, CI/CD, TDD, living architecture — the framework becomes a conveyor belt of broken features.

The result:

Code that ages worse than a banana forgotten in a drawer.
Deadlines that dictate more than quality.
Developers stuck in chronic burnout.

The mutant Scrum Master 🧪

In too many organizations, the Scrum Master is gone.

Instead, we have the Scrum-PM-Dev-Tester-CoffeeMaker: a hybrid creature that doesn't lead or serve, just survives.

A role meant to protect agility now spends the day filling spreadsheets and chasing tickets instead of empowering teams.

Management overload and the cost of ignorance 💸

There's a growing management overload in many "agile" organizations: too many decision-makers with too little technical background.

This creates a dangerous loop:

Decisions are made without understanding the engineering impact.
Expensive mistakes are repeated in the name of "delivery".
Teams feel they're being managed, not led.

When non-technical managers dictate technical priorities, the result is often waste, rework, and long-term pain disguised as "progress".

The Agile Industrial Complex 🏭

Agility has been packaged into certifications, workshops, and consulting packages that promise transformation but deliver empty mechanics.

Scrum becomes a theater where everything is done "by the book" but without soul, values, or real continuous improvement.

Reform it or throw it overboard? 🚢🔥

If you still want to rescue Scrum, here's the recipe:

How Scrum could improve:

Less ceremony, more value: if the daily stand-up lasts 20 minutes, something's broken.
Integrate technical practices: TDD, CI/CD, Pair Programming… without this, forget about quality.
Clear roles: a Scrum Master is not your Project Manager, boss, or on-call developer.
Real autonomy: the team decides, not the hierarchy.
Technical literacy in management: decision-makers must understand the cost and complexity of engineering work.

Alternatives that might shine brighter:

Kanban: flows like water, no forced iterations.
Extreme Programming (XP): hardcore engineering, quality above all.
Lean: less waste, more focus on what matters.
Mix & Match: take what works, drop what doesn't — like a good buffet.

Conclusion: Scrum isn't the enemy... but your implementation might be 👀

Scrum doesn't have to die, but the zombie, bureaucratic, tech-agnostic Scrum we see in too many companies... that one should be buried.

Preferably with one last retrospective... and no sticky notes.

Strengthening Web Security with HTTP Headers in Express.js

Mario Herreros — Thu, 31 Jul 2025 16:10:00 +0000

When developing web applications, security should always be a top priority. A simple yet powerful way to protect your app and users is by configuring HTTP security headers. These headers instruct the browser on how to behave when handling content from your site, helping to mitigate common attacks like cross-site scripting (XSS), clickjacking, and content sniffing.

In this article, we’ll walk through an Express.js middleware that sets key HTTP headers, explain their purposes, and suggest additional headers you should consider for modern, robust protection.

An example of security header middleware

The following is an example of security header middleware:

const express = require('express');
const app = express();

app.use((req, res, next) => {
  res.set({
    'Strict-Transport-Security': 'max-age=63072000; preload',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; upgrade-insecure-requests",
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'fullscreen=(self), camera=(), geolocation=()',
    'Cross-Origin-Embedder-Policy': 'require-corp',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Resource-Policy': 'same-origin'
  });
  next();
});

What These Headers Do

1. Strict-Transport-Security

Strict-Transport-Security: max-age=63072000; preload

This tells browsers to only connect via HTTPS for the next 2 years (63072000 seconds). The preload directive allows your domain to be added to browsers' HSTS preload list, preventing even the first request from using insecure HTTP.

Why it matters: Protects against SSL stripping attacks by ensuring all future connections are encrypted.

2. X-Content-Type-Options

X-Content-Type-Options: nosniff

Prevents browsers from guessing (or "sniffing") the MIME type of a resource. This is important because misinterpreted files (e.g., JavaScript served as images) can be dangerous.

Why it matters: Reduces risk of executing malicious files disguised as safe content.

3. X-XSS-Protection

X-XSS-Protection: 1; mode=block

This enables the XSS protection filter in some older browsers. It tells the browser to block the page if an attack is detected.

Why it matters: Offers limited protection against cross-site scripting attacks in legacy environments.

4. Content-Security-Policy (CSP)

Content-Security-Policy: default-src 'self'

Purpose: Controls which resources (scripts, images, styles, etc.) can be loaded. Strong CSP rules help prevent XSS and data injection attacks.

5. Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin

Purpose: Limits what referrer information is shared when navigating away from your site, protecting user privacy and sensitive URLs.

6. Permissions-Policy (formerly Feature-Policy)

Permissions-Policy: fullscreen=(self), camera=(), geolocation=()

Purpose: Restricts browser APIs (like camera, geolocation, microphone, etc.) to only allowed origins or disables them entirely.

7. Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP) & Cross-Origin-Resource-Policy (CORP)

These help isolate your site from other origins and protect against cross-origin attacks and speculative execution vulnerabilities (like Spectre).

Recommended configuration:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Using helmet — the easier way

Instead of manually adding headers, you can use helmet, a middleware package that sets many of these headers by default:

npm install helmet

Then in your app:

const helmet = require('helmet');
app.use(helmet());

You can also configure each header individually:

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"]
  }
}));

Conclusion

HTTP security headers are a simple but essential way to reduce your application’s attack surface. While no single measure guarantees complete protection, layering these headers with best practices (like input validation and HTTPS) significantly strengthens your web app’s defenses.

Start small, use tools like helmet, and review your security settings regularly—because protecting your users is not optional.

Forem: Mario Herreros

How to Craft Effective Prompts Using PARTS

P – Persona: Identify Your Role

A – Aim: State Your Objective

R – Recipients: Specify the Audience

T – Theme: Define Style and Constraints

S – Structure: Specify the Format

Example of a Full Prompt Using PARTS

Why PARTS Makes Your Prompts Better

✅ Pro-Tip: Test and Iterate

Not Just for Coding

Setting Up Custom Instructions for GitHub Copilot

1. What are “Custom Instructions” for Copilot?

2. Example .copilot-instructions.md file

3. How to implement this across your team

4. Example in practice

5. Benefits

Conclusion

Scrum Must Die ☠️

Scrum: from agile revolution to organizational theater 🎭

The slow death of technical excellence ⚰️💻

The mutant Scrum Master 🧪

Management overload and the cost of ignorance 💸

The Agile Industrial Complex 🏭

Reform it or throw it overboard? 🚢🔥

Conclusion: Scrum isn't the enemy... but your implementation might be 👀

Strengthening Web Security with HTTP Headers in Express.js

An example of security header middleware

What These Headers Do

1. Strict-Transport-Security

2. X-Content-Type-Options

3. X-XSS-Protection

4. Content-Security-Policy (CSP)

5. Referrer-Policy

6. Permissions-Policy (formerly Feature-Policy)

7. Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP) & Cross-Origin-Resource-Policy (CORP)

Using helmet — the easier way

Conclusion

2. Example `.copilot-instructions.md` file