Rate limiting
How to cap request rates per IP, per user, or per API key โ token bucket, sliding window, leaky bucket, fixed window. Distributed implementations with Redis, the NAT-vs-corporate-network trap, and how to communicate limits back to the client.
Caching
Every layer of a web stack caches. Browser cache, CDN, app cache (Redis/Memcached), database query cache, prompt caching. How each one works, when to use it, and why "the two hard things in computer science" includes cache invalidation.
Secrets & API keys
Where secrets live (env vars, secret managers, KMS), how to never ship them to the browser, key rotation, the principle of least privilege, and the ephemeral-key pattern that lets a browser talk directly to a third-party API without exposing your long-lived secret.
Observability
The three pillars of production debugging โ structured logs, metrics (counters/gauges/histograms), distributed traces. SLOs and SLIs, RED and USE methods, alerting principles, and how to build a system you can debug at 3am without crying.
Testing
The test pyramid in practice โ unit, integration, e2e, contract, snapshot, property-based. What to mock and what not to. How to keep a test suite fast and trustworthy. The discipline that lets you ship without fear.
Debugging
Bug-finding as a discipline โ hypothesis-driven debugging, bisection, reading stack traces, instrumentation, the "what changed" question, and the patterns that separate engineers who solve bugs in minutes from those who flail for hours.