Step 1 • Internet & Networking
How the Internet Works beginner Understand how packets travel across networks using TCP/IP, what IP addressing means, how routers forward traffic, the difference between TCP (reliable, ordered) and UDP (fast, unreliable), and why latency and bandwidth matter for backend system design.
4h
Step 2 • Internet & Networking
HTTP and HTTPS in Depth beginner Learn HTTP methods (GET, POST, PUT, PATCH, DELETE) and when to use each, status codes by class (2xx success, 3xx redirect, 4xx client error, 5xx server error), request/response headers, content negotiation, caching directives (Cache-Control, ETag, Vary), cookies and their security flags, and how TLS secures connections.
8h
Step 3 • Internet & Networking
DNS, Ports, and Networking Tools beginner Understand DNS record types (A, AAAA, CNAME, MX, TXT, NS, SOA), TTL, propagation delays, well-known ports (80, 443, 5432, 6379, 3306), sockets (TCP/UDP), the loopback address, and how to use networking tools (dig, curl, netstat, tcpdump, nmap) to debug connectivity issues.
5h
Step 4 • OS and General Knowledge
Terminal, Shell, and Linux Basics beginner Navigate the filesystem, manage files and permissions (chmod, chown), inspect processes (ps, top, htop), pipe commands, write shell scripts for automation, use text processing tools (grep, sed, awk, jq), manage environment variables, and understand how SSH authentication works.
10h
Step 5 • OS and General Knowledge
Processes, Threads, and Concurrency beginner Understand the difference between processes and threads, CPU scheduling, context switching costs, blocking vs non-blocking I/O, how event loops achieve concurrency without threads (Node.js, Python asyncio), and why I/O-bound vs CPU-bound workloads demand different architectures.
8h
Step 6 • OS and General Knowledge
Version Control with Git beginner Treat code as a versioned artifact — branching strategies (trunk-based vs feature branches), commits and rebase workflows, pull request reviews, .gitignore, tagging releases, using git bisect to find regressions, and Conventional Commits for machine-readable changelogs.
6h
Step 7 • Language
Programming Foundations and Language Choice beginner Deepen your programming fundamentals — functions, recursion, higher-order functions, closures, error handling, modules, and debugging. Pick a primary backend language (Node.js/JavaScript, Python, Java, Go, C#) and understand its runtime model, standard library, and ecosystem conventions. Strong fundamentals outweigh language choice.
12h
Step 8 • Language
Data Structures and Algorithms intermediate Understand Big O notation, arrays, linked lists, hash maps, sets, stacks, queues, trees, graphs, and common algorithms (binary search, sorting, BFS/DFS). Backend performance issues regularly trace back to choosing the wrong data structure — a hash map lookup is O(1), a linear scan through 10,000 records is not.
15h
Step 9 • Databases
Relational Databases and SQL beginner Learn SQL fundamentals — SELECT, WHERE, JOIN (INNER, LEFT, RIGHT, FULL), GROUP BY, HAVING, ORDER BY, LIMIT, subqueries, CTEs (WITH), window functions (ROW_NUMBER, RANK, LAG), and aggregate functions. Understand when to use PostgreSQL (default choice), MySQL, or SQLite for different project needs.
12h
Step 10 • Databases
Database Design and Normalization intermediate Design schemas from product requirements — entity-relationship modeling, primary and foreign keys, 1NF/2NF/3NF normalization, when to intentionally denormalize for performance, constraints (NOT NULL, UNIQUE, CHECK), and soft deletes vs hard deletes. Understand schema migrations and how to run them safely in production.
10h
Step 11 • Databases
Indexing and Query Performance intermediate Understand how B-tree and hash indexes work, how the query planner uses them (EXPLAIN ANALYZE), composite index column ordering, partial indexes for filtered queries, index bloat, and when NOT to add an index (write-heavy tables). Diagnose slow queries and know the difference between a sequential scan and an index scan.
8h
Step 12 • Databases
Transactions, ACID, and Isolation intermediate Understand ACID properties (Atomicity, Consistency, Isolation, Durability), isolation levels (Read Uncommitted → Serializable), and the anomalies each prevents (dirty reads, non-repeatable reads, phantom reads). Learn optimistic vs pessimistic locking, deadlock causes and detection, and how to structure transactions to avoid concurrency bugs like the lost update problem.
8h
Step 13 • Databases
NoSQL Databases intermediate Know when to use NoSQL and which type — document stores like MongoDB for flexible schemas and nested data, key-value stores like Redis for caching and sessions, column stores like Cassandra for write-heavy time-series workloads, and search engines like Elasticsearch for full-text search. Understand eventual consistency vs strong consistency and the CAP theorem trade-offs.
8h
Step 14 • Databases
ORMs and Query Builders intermediate Use an ORM or query builder to interact with databases safely — understand the N+1 problem and how to fix it with eager loading, when raw SQL beats the ORM abstraction, connection pooling (why connections are expensive), prepared statements, and how to inspect and log generated SQL queries.
6h
Step 15 • APIs
REST API Design intermediate Design RESTful APIs with consistent resource naming (nouns, plural, hierarchical), correct HTTP method usage, meaningful status codes, pagination strategies (cursor vs offset), filtering/sorting conventions, versioning approaches (URL path, header, query param), and RFC 9457 Problem Details for error responses.
8h
Step 16 • APIs
Input Validation and Serialization intermediate Validate every untrusted input at the API boundary — type checking, length limits, format validation (email, URL, UUID), allowlists over denylists, and rejecting unexpected fields. Keep your transport schema (request/response DTOs) separate from your domain objects. Return clear, actionable error messages without leaking internals.
6h
Step 17 • Security
Authentication Fundamentals intermediate Implement authentication correctly — password hashing (bcrypt/Argon2, never MD5/SHA1), session-based auth (server-side session stores, HttpOnly cookies), token-based auth (JWTs: header.payload.signature, why to keep them short-lived), refresh token rotation, and brute-force protection (rate limiting login attempts, account lockout).
10h
Step 18 • Security
Authorization and Access Control intermediate Model permissions correctly — Role-Based Access Control (RBAC: assign roles, roles grant permissions), Attribute-Based Access Control (ABAC: evaluate resource+subject+environment), row-level security (can this user see this specific record?), and API scope-based authorization. Implement middleware that checks permissions before business logic runs.
8h
Step 19 • Security
OAuth 2.0 and OpenID Connect intermediate Understand the OAuth 2.0 authorization framework — authorization code flow with PKCE (for web/mobile apps), client credentials flow (service-to-service), implicit flow (deprecated and why), scopes, access/refresh token management, and OpenID Connect (OIDC) for identity on top of OAuth. Know when to implement vs delegate to an auth provider.
8h
Step 20 • Performance
Caching Strategies and Redis intermediate Reduce database load and latency with caching — cache-aside, read-through, write-through, and write-behind patterns. Use Redis for in-memory caching with TTLs, LRU eviction, and atomic operations. Understand cache stampede (and how to prevent it with probabilistic early expiry), cache poisoning, and the hardest problem in computing: cache invalidation.
8h
Step 21 • Performance
Background Jobs and Message Queues intermediate Offload slow or unreliable work (email delivery, image processing, webhook dispatch, report generation) to background workers. Understand message queues (BullMQ/Redis, RabbitMQ, SQS), job priorities, retries with exponential backoff and jitter, idempotency keys, dead-letter queues for unprocessable messages, and the transactional outbox pattern.
8h
Step 22 • Security
API Security and Rate Limiting intermediate Defend your API against common attacks — SQL injection (parameterized queries, never string concatenation), SSRF (validate and restrict outbound URLs), mass assignment (explicit allowlists), excessive data exposure (never return more than needed), and OWASP API Security Top 10. Implement rate limiting (per IP, per user, per endpoint) and request throttling.
7h
Step 23 • Quality
Testing Strategy for Backend intermediate Build a test suite that stays fast and reliable — unit tests for domain logic (fast, isolated, no I/O), integration tests for repositories and HTTP handlers (test the full stack with a real test database), and contract tests for external service integrations. Use test fixtures, factories, and database transaction rollback to keep tests independent.
8h
Step 24 • Infrastructure
Containers and Docker intermediate Package applications as Docker containers — write efficient Dockerfiles (multi-stage builds, non-root user, layer caching optimization), use Docker Compose for local multi-service development (app + database + Redis), understand image layering and how to reduce image size, and use .dockerignore to exclude build artifacts.
8h
Step 25 • Infrastructure
Cloud Platforms and Serverless intermediate Understand cloud fundamentals — virtual machines vs containers vs serverless (Lambda/Cloud Functions), managed databases vs self-hosted, object storage (S3), CDN for static assets, IAM (least-privilege roles and policies), VPCs, security groups, and cost awareness. Know enough to deploy and operate a production service on AWS, GCP, or Azure.
10h
Step 26 • Infrastructure
Configuration and Secrets Management intermediate Separate configuration from code (12-Factor App Config) — use environment variables for secrets and environment-specific settings, never commit secrets to git, use a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) for production, and understand how to rotate credentials without downtime.
5h
Step 27 • Infrastructure
CI/CD Pipelines intermediate Automate the path from commit to production — set up GitHub Actions (or GitLab CI) pipelines for lint, test, type-check, build Docker image, push to registry, and deploy. Use environment secrets, cache dependencies between runs, implement deployment stages (dev → staging → production), and block merges if checks fail.
8h
Step 28 • Operations
Observability — Logs, Metrics, Traces advanced Make production diagnosable — structured logging (JSON logs with request IDs, user IDs, durations), metrics (RED method: Rate, Errors, Duration), distributed tracing (OpenTelemetry spans across service calls), health check endpoints (/health/live and /health/ready), and dashboards and alerts in Grafana or Datadog.
8h
Step 29 • Ship It
Resilience and Production Delivery advanced Build and release software that fails gracefully — circuit breakers, timeouts (always set them), health checks (liveness vs readiness), graceful shutdown (drain in-flight requests before stopping), blue/green deployments, canary releases, feature flags, and runbooks for common failure scenarios. Know your SLOs and error budget.
10h
