--- name: backend-development description: "Production backend systems development. Stack: Node.js/TypeScript, Python, Go, Rust | NestJS, FastAPI, Django, Express | PostgreSQL, MongoDB, Redis. Capabilities: REST/GraphQL/gRPC APIs, OAuth 2.1/JWT auth, OWASP security, microservices, caching, load balancing, Docker/K8s deployment. Actions: design, build, implement, secure, optimize, deploy, test APIs and services. Keywords: API design, REST, GraphQL, gRPC, authentication, OAuth, JWT, RBAC, database, PostgreSQL, MongoDB, Redis, caching, microservices, Docker, Kubernetes, CI/CD, OWASP, security, performance, scalability, NestJS, FastAPI, Express, middleware, rate limiting. Use when: designing APIs, implementing auth/authz, optimizing queries, building microservices, securing endpoints, deploying containers, setting up CI/CD." license: MIT version: 1.0.0 --- # Backend Development Skill Production-ready backend development with modern technologies, best practices, and proven patterns. ## When to Use - Designing RESTful, GraphQL, or gRPC APIs - Building authentication/authorization systems - Optimizing database queries and schemas - Implementing caching and performance optimization - OWASP Top 10 security mitigation - Designing scalable microservices - Testing strategies (unit, integration, E2E) - CI/CD pipelines and deployment - Monitoring and debugging production systems ## Technology Selection Guide **Languages:** Node.js/TypeScript (full-stack), Python (data/ML), Go (concurrency), Rust (performance) **Frameworks:** NestJS, FastAPI, Django, Express, Gin **Databases:** PostgreSQL (ACID), MongoDB (flexible schema), Redis (caching) **APIs:** REST (simple), GraphQL (flexible), gRPC (performance) See: `references/backend-technologies.md` for detailed comparisons ## Reference Navigation **Core Technologies:** - `backend-technologies.md` - Languages, frameworks, databases, message queues, ORMs - `backend-api-design.md` - REST, GraphQL, gRPC patterns and best practices **Security & Authentication:** - `backend-security.md` - OWASP Top 10 2025, security best practices, input validation - `backend-authentication.md` - OAuth 2.1, JWT, RBAC, MFA, session management **Performance & Architecture:** - `backend-performance.md` - Caching, query optimization, load balancing, scaling - `backend-architecture.md` - Microservices, event-driven, CQRS, saga patterns **Quality & Operations:** - `backend-testing.md` - Testing strategies, frameworks, tools, CI/CD testing - `backend-code-quality.md` - SOLID principles, design patterns, clean code - `backend-devops.md` - Docker, Kubernetes, deployment strategies, monitoring - `backend-debugging.md` - Debugging strategies, profiling, logging, production debugging - `backend-mindset.md` - Problem-solving, architectural thinking, collaboration ## Key Best Practices (2025) **Security:** Argon2id passwords, parameterized queries (98% SQL injection reduction), OAuth 2.1 + PKCE, rate limiting, security headers **Performance:** Redis caching (90% DB load reduction), database indexing (30% I/O reduction), CDN (50%+ latency cut), connection pooling **Testing:** 70-20-10 pyramid (unit-integration-E2E), Vitest 50% faster than Jest, contract testing for microservices, 83% migrations fail without tests **DevOps:** Blue-green/canary deployments, feature flags (90% fewer failures), Kubernetes 84% adoption, Prometheus/Grafana monitoring, OpenTelemetry tracing ## Quick Decision Matrix | Need | Choose | |------|--------| | Fast development | Node.js + NestJS | | Data/ML integration | Python + FastAPI | | High concurrency | Go + Gin | | Max performance | Rust + Axum | | ACID transactions | PostgreSQL | | Flexible schema | MongoDB | | Caching | Redis | | Internal services | gRPC | | Public APIs | GraphQL/REST | | Real-time events | Kafka | ## Implementation Checklist **API:** Choose style → Design schema → Validate input → Add auth → Rate limiting → Documentation → Error handling **Database:** Choose DB → Design schema → Create indexes → Connection pooling → Migration strategy → Backup/restore → Test performance **Security:** OWASP Top 10 → Parameterized queries → OAuth 2.1 + JWT → Security headers → Rate limiting → Input validation → Argon2id passwords **Testing:** Unit 70% → Integration 20% → E2E 10% → Load tests → Migration tests → Contract tests (microservices) **Deployment:** Docker → CI/CD → Blue-green/canary → Feature flags → Monitoring → Logging → Health checks ## Resources - OWASP Top 10: https://owasp.org/www-project-top-ten/ - OAuth 2.1: https://oauth.net/2.1/ - OpenTelemetry: https://opentelemetry.io/