Every developer pastes a data:image/png;base64,iVBORw0K... blob into their CSS at some point, decodes a JWT to see what's inside, or hits a "Basic " auth header and wonders why the password is just... sitting there. Base64 is everywhere in web development, and it's quietly misunderstood by a lot of people who use it daily. Here's what it actually is, what it costs, and the one mistake that shows up in production security reviews.
Base64 is a costume for binary, not a lock
The core idea: Base64 turns arbitrary binary data into plain ASCII text so it can travel through channels that only expect text. Email bodies, URLs, JSON values, HTML attributes, and HTTP headers were all designed for text — hand them raw bytes (a PNG, a 0x00, a UTF-16 string) and something downstream mangles or drops them. Base64 re-expresses those bytes using only safe, printable characters that nothing along the way will touch.
The alphabet is exactly 64 characters: A–Z, a–z, 0–9, plus + and /. That's 26 + 26 + 10 + 2 = 64. There's also =, used only for padding (more on that below). Sixty-four characters is the whole trick — and it's where the name comes from.
Critically: Base64 is encoding, not encryption. It provides zero secrecy. Anyone can reverse it instantly — there's no key. If you've ever "hidden" a credential by Base64-encoding it, you've hidden nothing; you've just made it slightly less obvious to a human skimming, and completely obvious to literally any tool. We'll come back to why that matters.






