---
name: ck-backend-development
description: Build production-ready backends with Node.js, Python, Go. Use for REST/GraphQL/gRPC APIs, authentication (OAuth, JWT), database design, microservices, OWASP security, Docker and Kubernetes deployment.
---

# ck-backend-development

Production-ready backend development with modern technologies, best practices, and proven patterns.

## When to Use

- Designing RESTful, GraphQL, or gRPC APIs
- Building authentication and authorization systems
- Optimizing database queries and schemas
- Implementing caching and performance optimization
- OWASP Top 10 security mitigation
- Designing scalable microservices
- Testing strategies (unit, integration, E2E)
- CI/CD pipelines and deployment
- Monitoring and debugging production systems

## Don't Use When

- Frontend UI work — use `ck-frontend-development` or `ck-frontend-design`
- Infrastructure-only work (K8s manifests, Dockerfiles) — use `ck-devops`
- Database schema design only — use `ck-databases`

## Technology Selection

**Languages:**

- Node.js/TypeScript — full-stack teams, fast iteration
- Python — data/ML integration, scientific computing
- Go — high concurrency, performance-critical services
- Rust — maximum performance, memory safety

**Frameworks:** NestJS, FastAPI, Django, Express, Gin

**Databases:** PostgreSQL (ACID), MongoDB (flexible schema), Redis (caching)

**APIs:** REST (simple/public), GraphQL (flexible queries), gRPC (internal services, performance)

## Quick Decision Matrix

| Need | Choose |
|------|--------|
| Fast development | Node.js + NestJS |
| Data/ML integration | Python + FastAPI |
| High concurrency | Go + Gin |
| ACID transactions | PostgreSQL |
| Flexible schema | MongoDB |
| Caching | Redis |
| Internal services | gRPC |
| Public APIs | GraphQL/REST |
| Real-time events | Kafka |

## Key Best Practices (2025)

**Security:**

- Argon2id for password hashing
- Parameterized queries (eliminates SQL injection)
- OAuth 2.1 + PKCE for authentication
- Rate limiting on all public endpoints
- Security headers (HSTS, CSP, X-Frame-Options)

**Performance:**

- Redis caching (reduces DB load significantly)
- Database indexing on frequently queried columns
- CDN for static assets
- Connection pooling (pgBouncer for PostgreSQL)

**Testing:** 70% unit / 20% integration / 10% E2E pyramid

**DevOps:** Blue-green or canary deployments, feature flags, Prometheus/Grafana monitoring

## Implementation Checklists

**API:** Choose style → Design schema → Validate input → Add auth → Rate limiting → Documentation → Error handling

**Database:** Choose DB → Design schema → Create indexes → Connection pooling → Migration strategy → Backup/restore → Test performance

**Security:** OWASP Top 10 → Parameterized queries → OAuth 2.1 + JWT → Security headers → Rate limiting → Input validation → Argon2id

**Testing:** Unit 70% → Integration 20% → E2E 10% → Load tests → Migration tests

**Deployment:** Docker → CI/CD → Blue-green/canary → Feature flags → Monitoring → Logging → Health checks

## Domain References

- **API Design**: REST/GraphQL/gRPC patterns and best practices
- **Security**: OWASP Top 10 2025, input validation, auth patterns
- **Authentication**: OAuth 2.1, JWT, RBAC, MFA, session management
- **Performance**: Caching, query optimization, load balancing, scaling
- **Architecture**: Microservices, event-driven, CQRS, saga patterns
- **Testing**: Testing strategies, frameworks, CI/CD testing
- **DevOps**: Docker, Kubernetes, deployment strategies, monitoring

## Resources

- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OAuth 2.1: https://oauth.net/2.1/
- OpenTelemetry: https://opentelemetry.io/