Django Deep Dive Roadmap

Django is a Python web framework — Python fluency is non-negotiable. You need: Python classes (constructors, inheritance, dunder methods like __str__, class methods), decorators (@login_required is a decorator), list/dict comprehensions, generators, context managers (with statement), virtual environments (venv), pip, and f-strings. Understanding HTTP is equally important: request/response cycle, HTTP methods (GET/POST/PUT/DELETE/PATCH), status codes (200/301/302/400/401/403/404/500), cookies, sessions, and what a URL is. SQL basics (SELECT, JOIN, WHERE, INDEX) — Django's ORM generates SQL, but you need to understand what it's generating.

Backend Python 6h

Django separates concerns into 'apps' — modular units of functionality (users, blog, payments). Set up: python -m venv env, pip install django, django-admin startproject config . (the trailing dot puts config/ inside the project root, not inside another folder), python manage.py startapp posts. Learn the project structure — manage.py (command runner), config/settings.py (all configuration), config/urls.py (root URL configuration). Environment variables: separate settings for dev/staging/prod with django-environ or python-decouple. Never hardcode SECRET_KEY or database passwords. manage.py commands: runserver, migrate, makemigrations, createsuperuser, shell, collectstatic.

Backend Django 4h

Django's request cycle: HTTP request → URL router matches a pattern → calls a view function → view returns an HttpResponse. URLs: path() for exact matches (path('posts/<int:pk>/', views.post_detail)), re_path() for regex, include() to include app URLs in the root URLconf. Views: function-based views (simplest — takes request, returns response) and class-based views (ListView, DetailView, CreateView, etc. — DRY, but harder to customize). HttpResponse, render() shortcut (renders a template), redirect(), get_object_or_404() (returns 404 instead of 500 when an object doesn't exist). The request object — request.method, request.GET, request.POST, request.user.

Backend Django 6h

Understand Django's MIDDLEWARE setting and the request/response lifecycle — middleware wraps subsequent middleware like an onion. Write custom middleware as a callable class with __init__(get_response) and __call__(request). Implement request logging, response timing, custom authentication context, and CORS handling. Know the required built-in middleware order: SecurityMiddleware first, SessionMiddleware before AuthenticationMiddleware.

Backend Django 4h

Django's template language keeps logic out of HTML. Syntax: {{ variable }} for output, {% tag %} for logic, {{ variable|filter }} for transformations. Template inheritance — base.html with {% block content %}{% endblock %}, child templates {% extends 'base.html' %} and {% block content %}...{% endblock %}. Built-in tags: {% for %}, {% if %}, {% include %}, {% url 'name' args %}, {% static 'path' %} (for assets — requires django.contrib.staticfiles). Built-in filters: date, linebreaks, truncatewords, safe (mark string as safe HTML — use carefully), default_if_none. Create custom template tags with @register.simple_tag and @register.filter.

Backend Django 6h

Django's ORM maps Python classes to database tables. Define models in models.py (class Post(models.Model) with CharField, TextField, IntegerField, ForeignKey, ManyToManyField, DateTimeField with auto_now_add). Migrations: makemigrations (generate migration files from model changes), migrate (apply to DB), showmigrations. QuerySet API: Model.objects.all(), .filter(published=True), .exclude(), .get(), .create(), .update(), .delete(), .order_by('-created_at'), .select_related() (SQL JOIN for FK — prevents N+1 queries), .prefetch_related() (separate query for M2M), .annotate() (add computed fields), .aggregate(). F() expressions for field references in queries. Q() objects for complex OR/AND conditions.

Backend Django 8h

Django forms handle rendering, validation, and error display. ModelForm automatically generates a form from a model (class PostForm(forms.ModelForm) with Meta class defining model and fields). Form validation: built-in validators (required, max_length, email, URL), clean_fieldname() for field-level custom validation, clean() for cross-field validation. Rendering in templates: {{ form.as_p }}, custom {{ form.field_name }} with error display. CSRF protection is automatic ({% csrf_token %} in every POST form). File uploads: FileField/ImageField in model + form, MEDIA_ROOT/MEDIA_URL settings, serve media in dev with MEDIA_URL handling in urls.py.

Backend Django 6h

Django ships with a complete auth system. django.contrib.auth provides User model, login/logout views, password hashing (PBKDF2 by default), and session management. LoginView/LogoutView/PasswordChangeView/PasswordResetView are built-in CBVs. @login_required decorator and LoginRequiredMixin for CBVs. AbstractUser to extend the User model (add bio, avatar, etc. — do this at project start, not after). Permissions — model-level permissions (add, change, delete, view) and custom permissions. Groups for role-based access. django-allauth for social auth (Google, GitHub, Apple). The auth decorators/mixins check request.user.is_authenticated.

Backend Django 7h

Django's built-in admin (/admin/) is a production-ready management interface generated from your models. Out of the box it's functional but generic — heavy customization is what makes it powerful. Learn: ModelAdmin class (list_display, list_filter, search_fields, ordering, readonly_fields), custom actions (bulk operations on selected items), inline models (TabularInline, StackedInline — edit related objects on the parent's page), fieldsets (organize form layout into sections), save_model() override for custom logic on save, get_queryset() override to restrict visible records by role, raw_id_fields for FK fields with thousands of choices (avoids slow dropdowns), and list_select_related to prevent N+1 queries. For heavily customized admin, django-unfold or grappelli add a modern UI.

Backend Django 4h

Django REST Framework (DRF) is the standard for building REST APIs with Django. Serializers convert model instances to JSON and validate incoming data (ModelSerializer is the fastest path). Views: APIView (explicit), generic views (ListAPIView, CreateAPIView, RetrieveUpdateDestroyAPIView), and ViewSets + Routers (auto-generate URL patterns). Authentication: TokenAuthentication, SessionAuthentication, JWT via djangorestframework-simplejwt. Permissions: IsAuthenticated, IsAdminUser, custom permissions. Filtering with django-filter, pagination (PageNumberPagination, CursorPagination for large datasets), and versioning. The Browsable API for interactive documentation.

Backend Django 8h

Long-running operations (sending emails, processing images, generating reports) must not block HTTP responses — they belong in background tasks. Celery is the standard task queue for Django. Setup: pip install celery redis, configure CELERY_BROKER_URL = 'redis://...', create a celery.py in the config package. Define tasks with @shared_task. Call them asynchronously with task.delay(args) or task.apply_async(args, countdown=60). Monitor with Celery Flower (web UI). Beat for periodic tasks (like cron — CELERY_BEAT_SCHEDULE). django-celery-results stores task results in the database for querying status from the frontend. Handle retries with autoretry_for and max_retries.

Backend Django 7h

Django has a layered caching framework. Cache backends: in-memory (development), Redis (production — django-redis). Three levels: whole-site cache (middleware — rarely appropriate), per-view cache (@cache_page(60*15) decorator), and template fragment caching ({% cache 300 'sidebar' user.id %}). Low-level cache API (cache.get(key), cache.set(key, value, timeout), cache.delete()) for caching expensive query results. Cache invalidation — the hardest problem in caching. Versioning strategy (cache.set(f'post:{pk}:v{version}', data)). Cache warming. database-level caching with select_for_update() for preventing stale reads. django-debug-toolbar shows cache operations.

Backend Django 5h

Django comes with unittest-based testing, but pytest-django is preferred. TestCase (resets DB per test — slower), TransactionTestCase (for testing transactions), APITestCase (DRF — JSON helpers). pytest-django: @pytest.mark.django_db for DB access, fixtures for test data (pytest fixtures + factory_boy for model factories), client fixture (Django test client), rf fixture (RequestFactory). Test types: model method tests (no DB), view/endpoint tests (API assertions), integration tests (full request cycle). Coverage with pytest-cov. Use separate test database settings. Avoid mocking the database — test against a real (SQLite) DB.

Backend Django 7h

Django's security checklist (python manage.py check --deploy) catches many issues. Built-in protections: CSRF middleware (automatic on all POST forms), XSS protection (template auto-escaping — never use |safe on user input), SQL injection prevention (ORM uses parameterized queries — don't use raw() with user input), clickjacking protection (X-Frame-Options header). Security settings: DEBUG=False in prod, ALLOWED_HOSTS, SECURE_HSTS_SECONDS, SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE. Use django-axes to lock accounts after failed logins. Rate limit API endpoints with django-ratelimit. Content Security Policy with django-csp.

Backend Django 5h

Deploying Django in production. Gunicorn is the WSGI server — gunicorn config.wsgi:application --workers 4 --bind 0.0.0.0:8000 (workers = 2*cores+1 for I/O bound). Nginx as reverse proxy in front of Gunicorn — handles static/media files directly (Django should not serve these in production), SSL termination, and gzip. collectstatic gathers all static files to STATIC_ROOT — serve via Nginx or a CDN (WhiteNoise adds CDN headers automatically). Docker: Dockerfile with multi-stage build (build stage + runtime stage), docker-compose for dev (Django + PostgreSQL + Redis). Environment variables via .env. Health check endpoint (/health/). GitHub Actions CI: run tests + linting + build Docker image on every PR.

Backend Django 7h