playbooks

home / skills / jjuidev / jss / backend-development

backend-development skill

/.claude/skills/backend-development

This skill helps you design and implement production-ready backends with Node.js, Python, or Go, focusing on APIs, security, and performance.

npx playbooks add skill jjuidev/jss --skill backend-development

Review the files below or copy the command above to add this skill to your agents.

Files (12)
SKILL.md
4.0 KB
---
name: backend-development
description: Build backends with Node.js, Python, Go (NestJS, FastAPI, Django). Use for REST/GraphQL/gRPC APIs, auth (OAuth, JWT), databases, microservices, security (OWASP), Docker/K8s.
license: MIT
version: 1.0.0
---

# Backend Development Skill

Production-ready backend development with modern technologies, best practices, and proven patterns.

## When to Use

- Designing RESTful, GraphQL, or gRPC APIs
- Building authentication/authorization systems
- Optimizing database queries and schemas
- Implementing caching and performance optimization
- OWASP Top 10 security mitigation
- Designing scalable microservices
- Testing strategies (unit, integration, E2E)
- CI/CD pipelines and deployment
- Monitoring and debugging production systems

## Technology Selection Guide

**Languages:** Node.js/TypeScript (full-stack), Python (data/ML), Go (concurrency), Rust (performance)
**Frameworks:** NestJS, FastAPI, Django, Express, Gin
**Databases:** PostgreSQL (ACID), MongoDB (flexible schema), Redis (caching)
**APIs:** REST (simple), GraphQL (flexible), gRPC (performance)

See: `references/backend-technologies.md` for detailed comparisons

## Reference Navigation

**Core Technologies:**
- `backend-technologies.md` - Languages, frameworks, databases, message queues, ORMs
- `backend-api-design.md` - REST, GraphQL, gRPC patterns and best practices

**Security & Authentication:**
- `backend-security.md` - OWASP Top 10 2025, security best practices, input validation
- `backend-authentication.md` - OAuth 2.1, JWT, RBAC, MFA, session management

**Performance & Architecture:**
- `backend-performance.md` - Caching, query optimization, load balancing, scaling
- `backend-architecture.md` - Microservices, event-driven, CQRS, saga patterns

**Quality & Operations:**
- `backend-testing.md` - Testing strategies, frameworks, tools, CI/CD testing
- `backend-code-quality.md` - SOLID principles, design patterns, clean code
- `backend-devops.md` - Docker, Kubernetes, deployment strategies, monitoring
- `backend-debugging.md` - Debugging strategies, profiling, logging, production debugging
- `backend-mindset.md` - Problem-solving, architectural thinking, collaboration

## Key Best Practices (2025)

**Security:** Argon2id passwords, parameterized queries (98% SQL injection reduction), OAuth 2.1 + PKCE, rate limiting, security headers

**Performance:** Redis caching (90% DB load reduction), database indexing (30% I/O reduction), CDN (50%+ latency cut), connection pooling

**Testing:** 70-20-10 pyramid (unit-integration-E2E), Vitest 50% faster than Jest, contract testing for microservices, 83% migrations fail without tests

**DevOps:** Blue-green/canary deployments, feature flags (90% fewer failures), Kubernetes 84% adoption, Prometheus/Grafana monitoring, OpenTelemetry tracing

## Quick Decision Matrix

| Need | Choose |
|------|--------|
| Fast development | Node.js + NestJS |
| Data/ML integration | Python + FastAPI |
| High concurrency | Go + Gin |
| Max performance | Rust + Axum |
| ACID transactions | PostgreSQL |
| Flexible schema | MongoDB |
| Caching | Redis |
| Internal services | gRPC |
| Public APIs | GraphQL/REST |
| Real-time events | Kafka |

## Implementation Checklist

**API:** Choose style → Design schema → Validate input → Add auth → Rate limiting → Documentation → Error handling

**Database:** Choose DB → Design schema → Create indexes → Connection pooling → Migration strategy → Backup/restore → Test performance

**Security:** OWASP Top 10 → Parameterized queries → OAuth 2.1 + JWT → Security headers → Rate limiting → Input validation → Argon2id passwords

**Testing:** Unit 70% → Integration 20% → E2E 10% → Load tests → Migration tests → Contract tests (microservices)

**Deployment:** Docker → CI/CD → Blue-green/canary → Feature flags → Monitoring → Logging → Health checks

## Resources

- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OAuth 2.1: https://oauth.net/2.1/
- OpenTelemetry: https://opentelemetry.io/

Overview

This skill helps you build production-ready backends using Node.js, Python, and Go with frameworks like NestJS, FastAPI, and Django. It focuses on API design (REST, GraphQL, gRPC), authentication/authorization, database design, security, testing, and deployment. Use it to create scalable, secure services that follow modern best practices and operational patterns.

How this skill works

The skill guides technology selection, API and schema design, and implementation patterns for authentication (OAuth 2.1, JWT), databases, caching, and microservices. It provides checklists for security (OWASP mitigations), performance tuning (caching, indexing, connection pooling), testing strategies, and DevOps practices including Docker, Kubernetes, CI/CD, and monitoring. Recommendations are pragmatic and tied to common backend needs and trade-offs.

When to use it

  • Designing and implementing REST, GraphQL, or gRPC APIs
  • Building authentication/authorization systems (OAuth, JWT, RBAC, MFA)
  • Optimizing databases, queries, and caching for performance
  • Designing scalable microservices, event-driven systems, or CQRS
  • Hardening services against OWASP Top 10 vulnerabilities
  • Preparing CI/CD, deployments (blue-green/canary), and observability

Best practices

  • Pick the right language/framework for the need (NestJS for fast dev, FastAPI for Python ML integration, Go for concurrency)
  • Follow API-first design: schema, validation, documentation, and contract tests
  • Use parameterized queries, Argon2id for passwords, rate limiting and security headers
  • Adopt a 70-20-10 testing pyramid: unit, integration, E2E plus contract and migration tests
  • Use Redis for caching, proper DB indexing, connection pooling, and run load tests
  • Deploy with containerized CI/CD, use feature flags, and instrument with OpenTelemetry + Prometheus/Grafana

Example use cases

  • Build a user management API with OAuth 2.1, JWT sessions, RBAC and secure password storage
  • Create a public GraphQL API backed by PostgreSQL with caching and pagination
  • Implement internal gRPC services for high-throughput microservices communication
  • Migrate a monolith to event-driven microservices with CQRS and saga patterns
  • Set up CI/CD pipelines with blue-green deployments, health checks, and end-to-end monitoring

FAQ

Which language should I choose for a new backend?

Choose Node.js/NestJS for fastest developer velocity, Python/FastAPI if you need ML/data integration, and Go for high concurrency and low-latency services.

How do I prioritize security measures?

Start with OWASP Top 10 mitigations: input validation, parameterized queries, strong password hashing (Argon2id), rate limiting, and secure headers. Add auth best practices like OAuth 2.1 + PKCE and short-lived tokens.