Back-end web development: a reading path from servers to production APIs
This curriculum takes a complete beginner from zero back-end knowledge to confidently building and deploying production-ready web applications. The four stages build deliberately: first establishing how the web and servers actually work, then learning a real back-end runtime and framework, then mastering databases and authentication, and finally tackling APIs, architecture, and deployment — the skills that separate hobbyists from professional back-end engineers.
How the Web Works — Foundations
BeginnerUnderstand the core concepts powering the internet: HTTP, clients, servers, requests/responses, and the role of back-end code — so nothing in later stages feels like magic.
▸ Study plan for this stage
Pace: 6–8 weeks, ~25–30 pages/day (HTTP: 2–3 weeks; Computer Networking: 4–5 weeks)
- HTTP request/response cycle: methods (GET, POST, etc.), headers, status codes, and message structure
- Client-server architecture: how browsers and servers communicate over networks
- DNS and domain name resolution: translating URLs into IP addresses
- TCP/IP protocol stack: how data travels across the internet in packets and layers
- Stateless nature of HTTP and the role of cookies/sessions in maintaining state
- Network layers (application, transport, network, link): what each layer does and why separation matters
- How back-end code intercepts and processes HTTP requests before sending responses
- Common HTTP status codes (2xx, 3xx, 4xx, 5xx) and what they signal about request outcomes
- What happens step-by-step when you type a URL into your browser and press Enter?
- Explain the difference between an HTTP GET and POST request, and when you'd use each.
- What is a status code, and what do the 2xx, 4xx, and 5xx families tell you about a response?
- How does DNS work, and why is it necessary for accessing websites?
- Describe the four-layer TCP/IP model and explain what happens at each layer when you send an HTTP request.
- Why is HTTP stateless, and how do cookies and sessions solve the problem of maintaining user state across requests?
- Use browser developer tools (Network tab) to inspect real HTTP requests and responses from a live website; identify headers, status codes, and request methods.
- Write out the full HTTP request and response for a simple GET request (by hand or in a text editor) using the format shown in Gourley's book.
- Use curl or Postman to make HTTP requests to a public API (e.g., JSONPlaceholder) with different methods (GET, POST, PUT, DELETE) and observe the responses.
- Trace a DNS lookup using nslookup or dig to see how a domain name resolves to an IP address; document the steps.
- Build a minimal HTTP server using Node.js or Python (Flask/http.server) that responds to GET and POST requests; test it with curl or your browser.
- Create a diagram of the TCP/IP layers and annotate it with examples of protocols at each layer (HTTP, TCP, IP, Ethernet) and what data looks like at each stage.
Next up: With a solid grasp of how HTTP works and how data moves through network layers, you're ready to learn how back-end frameworks and languages (like Node.js, Python, or Java) actually handle incoming requests and generate responses—transforming raw HTTP into dynamic, database-driven applications.

The single most thorough treatment of HTTP — the protocol every back-end developer lives inside. Reading this first means you'll understand *why* servers, routing, and APIs are designed the way they are.

Grounds you in how data actually travels across networks, covering TCP/IP, DNS, and sockets — the invisible infrastructure your back-end code relies on every second.
Servers & Routing — Building Your First Back-End
BeginnerWrite real server-side code, handle routes, process requests, and return responses using Node.js and Express — the most widely taught back-end stack for beginners.
▸ Study plan for this stage
Pace: 4–5 weeks, ~40–50 pages/day (mix of reading and hands-on practice)
- Node.js runtime environment: how JavaScript runs on the server, the event loop, and asynchronous I/O
- HTTP fundamentals: requests, responses, status codes, headers, and the request–response cycle
- Express.js framework: middleware, routing, request/response objects, and application structure
- Route handling: defining routes with different HTTP methods (GET, POST, PUT, DELETE), URL parameters, and query strings
- Request processing: parsing request bodies, handling form data, JSON payloads, and file uploads
- Response generation: sending HTML, JSON, status codes, and redirects
- Middleware: understanding middleware chains, built-in middleware, and custom middleware for logging, authentication, and error handling
- Server lifecycle: starting a server, listening on ports, and graceful shutdown
- How does Node.js handle asynchronous operations, and why is this important for server performance?
- What is the difference between a route and middleware in Express, and how do they interact?
- How would you extract and use URL parameters, query strings, and request body data in an Express route handler?
- Explain the request–response cycle: what happens when a client makes an HTTP request to your server?
- How do you create custom middleware, and what are common use cases (logging, authentication, error handling)?
- What HTTP status codes should you return for different scenarios (success, client error, server error), and why does this matter?
- Set up a Node.js project with npm, install Express, and create a basic server that listens on port 3000 and responds to a GET request at the root path
- Build a multi-route application with at least 5 different routes (GET, POST, PUT, DELETE) that handle different HTTP methods and return appropriate responses
- Create a route that accepts URL parameters (e.g., /users/:id) and query strings (e.g., ?sort=name), extract both, and return them in a JSON response
- Write a POST route that accepts JSON request body data, validates it, and returns a success or error response with the appropriate HTTP status code
- Implement custom middleware for logging (log every incoming request with method, path, and timestamp) and apply it globally to your application
- Build a simple form handler: create an HTML form, POST it to an Express route, parse the form data, and return a confirmation page or JSON response
Next up: This stage equips you with the core skills to build functional servers and handle client requests, setting the foundation for the next stage where you'll learn to persist data with databases, manage application state, and structure larger projects with proper architecture patterns.

A gentle, hands-on introduction to Node.js that covers the event loop, modules, and building basic servers — the perfect on-ramp before picking up a framework.

The canonical Express.js book: routing, middleware, templating, and project structure are all covered in a practical, project-driven way that directly follows the Node fundamentals.
Databases & Authentication — Storing and Securing Data
IntermediateDesign and query relational and non-relational databases, model data correctly, and implement secure user authentication and authorization in a back-end application.
▸ Study plan for this stage
Pace: 12–14 weeks, ~40–50 pages/day (mix of theory and hands-on practice)
- Relational database design: normalization, schema design, primary/foreign keys, and ACID properties
- SQL fundamentals: SELECT, JOIN, WHERE, GROUP BY, aggregate functions, and query optimization
- Document-oriented databases: MongoDB collections, BSON, indexing, and query patterns for non-relational data
- Data modeling trade-offs: when to use relational vs. non-relational databases based on application requirements
- User authentication: password hashing, salt, session management, and token-based authentication
- Authorization and access control: role-based access control (RBAC), permission models, and enforcing authorization checks
- Common web application vulnerabilities: SQL injection, NoSQL injection, cross-site scripting (XSS), and CSRF attacks
- Secure data handling: encryption at rest and in transit, secure password storage, and protecting sensitive information in logs
- How would you design a normalized relational schema for a multi-user application, and what are the trade-offs of different normalization levels?
- Write a complex SQL query using JOINs, subqueries, and aggregation functions to answer a real business question from sample data.
- When would you choose MongoDB over a relational database, and how would you model the same data in both systems?
- How do you implement secure password storage, and why is salting and hashing critical even if your database is compromised?
- Describe the difference between authentication and authorization, and how you would implement role-based access control in a web application.
- How would you prevent SQL injection and NoSQL injection attacks in your application code, and what are the limitations of each defense?
- Using 'Learning SQL': Design and normalize a schema for a blog platform (users, posts, comments, tags), then write 10+ SQL queries (SELECT with JOINs, GROUP BY, HAVING, subqueries) to retrieve meaningful data.
- Create a relational database in PostgreSQL or MySQL, populate it with sample data, and optimize slow queries using indexes and EXPLAIN plans.
- Using 'MongoDB': Model the same blog platform data as MongoDB collections, then write equivalent queries using MongoDB's query language and aggregation pipeline.
- Build a small Node.js/Python/Go application that connects to both a relational database and MongoDB, performing CRUD operations on the same logical data.
- Implement user authentication from scratch: hash passwords with bcrypt, create session/JWT tokens, and store them securely; test with multiple users.
- Using 'The Web Application Hacker's Handbook': Identify and exploit SQL injection vulnerabilities in a deliberately vulnerable application (e.g., DVWA or WebGoat), then patch them.
- Implement authorization checks: create users with different roles (admin, editor, viewer), enforce permissions on API endpoints, and verify unauthorized access is blocked.
- Conduct a security audit of a sample application: check for XSS, CSRF, insecure direct object references, and missing authentication/authorization; document findings and fixes.
Next up: Mastering databases and authentication establishes the secure, scalable foundation required for the next stage—building robust APIs and deploying production-ready applications with proper error handling, logging, and monitoring.

SQL is the lingua franca of back-end data work. This book builds a solid, practical foundation in relational databases before you touch an ORM or a NoSQL store.

Covers the most popular NoSQL database used alongside Node.js, including schema design, indexing, and aggregation — essential for understanding when and how to use document databases.

Understanding how attackers exploit authentication and session flaws is the fastest way to learn how to implement them securely — this book makes auth concepts concrete and urgent.
APIs, Architecture & Deployment — Thinking Like a Back-End Engineer
ExpertDesign clean REST and GraphQL APIs, apply proven architectural patterns, and deploy scalable back-end systems to the cloud — ready to build and ship production applications.
▸ Study plan for this stage
Pace: 12–14 weeks, ~40–50 pages/day (RESTful Web APIs: ~6 weeks; Designing Data-Intensive Applications: ~6–8 weeks)
- REST principles (resources, representations, HATEOAS, content negotiation) and how to design APIs that leverage HTTP semantics effectively
- API versioning, backwards compatibility, and evolution strategies for long-lived services
- Hypermedia as the Engine of Application State (HATEOAS) and its role in decoupling clients from server implementation details
- Data modeling for scalability: partitioning, replication, and consistency trade-offs (CAP theorem, eventual consistency)
- Distributed system challenges: consensus algorithms, failure handling, and monitoring in production environments
- Query optimization and indexing strategies for data-intensive applications at scale
- Event sourcing and stream processing as architectural patterns for building resilient, auditable systems
- Deployment patterns: containerization, orchestration, and infrastructure-as-code for cloud-native applications
- What are the core REST constraints, and how do they differ from RPC-style APIs? When should you choose REST over GraphQL?
- How do you design an API that can evolve without breaking existing clients? What are the trade-offs between versioning strategies?
- Explain HATEOAS and why it matters for decoupling. How would you implement it in a real API?
- What is the CAP theorem, and how do you choose between consistency and availability in a distributed system?
- How do replication and partitioning strategies affect query performance and fault tolerance?
- What are the advantages and trade-offs of event sourcing compared to traditional state-based storage?
- How do you monitor and debug a distributed back-end system in production?
- Design a complete REST API for a real-world domain (e.g., e-commerce, social media) following REST principles; document resources, representations, and HTTP methods; include HATEOAS links in responses
- Build a versioning strategy for an existing API and implement backwards-compatible changes; test that old clients continue to work
- Implement a simple event-sourced system: design an event schema, build an event store, and derive current state from the event log
- Set up a multi-node distributed database (PostgreSQL with replication or MongoDB sharding); experiment with consistency levels and observe trade-offs under failure
- Design a data partitioning scheme for a high-volume dataset; calculate partition sizes, identify hot partitions, and propose mitigation strategies
- Deploy a containerized back-end application to a cloud platform (AWS, GCP, or Azure) using infrastructure-as-code; set up monitoring and logging
- Analyze a real production API (e.g., GitHub, Stripe, Twitter) and document its design choices: versioning, pagination, error handling, and rate limiting
Next up: This stage equips you with the architectural thinking and deployment skills to build production-grade back-end systems; the next stage will deepen your expertise in security, performance optimization, and operational excellence under real-world constraints.

The definitive guide to designing REST APIs correctly — covering hypermedia, resource modeling, and versioning so your APIs are intuitive and maintainable from day one.

The most important book for thinking at scale: databases, replication, consistency, and distributed systems explained with rare clarity — bridges intermediate skills to senior-level thinking.
Discussion
Keep reading
Paths that share books, cover the same subject, or open a related topic.