Topics

Backend study topic clusters

Browse the core content clusters behind Backend Study Lab: 142 published anchors and 2 planned articles or tools.

Java

Java Collections

Practical guides for understanding Java collection classes, equality, hashing, tradeoffs, complexity, and common interview questions.

published

TreeMap vs HashMap in Java

Compares hash-table lookup with sorted map behavior, range queries, comparator rules, and backend defaults.

comparison
published

HashSet vs TreeSet in Java

Compares hash-based membership with sorted set behavior, range operations, comparator rules, and null handling.

comparison
published

Queue vs Deque in Java

Compares FIFO queues, double-ended operations, ArrayDeque, LinkedList, stack usage, and concurrent queue choices.

comparison

Backend

Spring Backend Basics

Spring Boot backend fundamentals for REST controllers, validation, service boundaries, error handling, and API contracts.

planned

Spring Boot Request Validation Explained

Planned companion for Bean Validation, field errors, nested DTOs, and API-friendly validation responses.

tutorial
planned

Spring Boot Exception Handling Explained

Planned guide for @RestControllerAdvice, consistent error shapes, request IDs, and status code mapping.

tutorial

API Design

API Design

Clear comparisons, checklists, schemas, authentication patterns, CORS preflight behavior, service credentials, abuse prevention, scopes, and contracts for maintainable backend APIs.

published

REST vs RPC

Pillar comparison for API style decisions.

comparison
published

PUT vs PATCH in REST APIs

Clarifies full replacement vs partial update semantics, idempotency, validation, and status code choices.

comparison
published

JSON Schema vs OpenAPI Schema

Compares standalone JSON Schema with OpenAPI Schema in HTTP API contracts, validation, docs, examples, and tooling.

comparison
published

REST API Design Checklist

Checklist for reviewing REST resources, methods, status codes, errors, pagination, idempotency, auth, versioning, and OpenAPI docs.

reference
published

JSON Schema Generator

Generate starter JSON Schema drafts from example API payloads locally.

reference
published

JSONPath Tester

Query nested API payloads and inspect matched values locally.

reference
published

JSON Pointer Resolver

Resolve exact JSON node locations for OpenAPI, JSON Schema, JSON Patch, and API debugging.

reference
published

API Key Design Best Practices

Design safer API keys with identifiable prefixes, hashed secrets, scopes, rotation, rate limits, and audit logs.

tutorial
published

API Authentication Best Practices

Explains API credential choices, token validation, scopes, rotation, gateways, 401/403 behavior, and safe logs.

tutorial
published

Cookie vs Token Authentication

Compares cookies, bearer tokens, sessions, JWTs, CSRF, XSS, storage, CORS, and client tradeoffs.

comparison
published

OAuth Scopes Explained

Explains scope naming, least privilege, consent, token claims, resource server validation, and common mistakes.

informational
published

Service Accounts Explained

Explains machine identities, scoped credentials, least privilege, rotation, audit logs, and decommissioning.

informational
published

API Abuse Prevention Explained

Explains rate limits, quotas, enumeration, bot patterns, security event logging, gateways, and clear API errors.

informational
published

UUID Generator

Generate UUID v4 values for idempotency keys, request IDs, and backend test data.

reference
published

API Versioning Explained

Covers URL versions, header versions, backward compatibility, deprecation, and migrations.

informational
published

API Gateway Explained

Explains gateway routing, authentication, rate limiting, observability, and architecture tradeoffs.

informational
published

CORS Preflight Explained

Explains browser OPTIONS checks, allowed methods, headers, credentials, caching, debugging, and backend mistakes.

informational
published

Webhooks Explained

Covers webhook delivery, signatures, retries, idempotency, ordering, and receiver design.

tutorial
published

Webhook Signature Verification

Explains HMAC signatures, raw request bodies, timestamps, replay protection, secret rotation, and safe webhook failures.

tutorial

Backend

Authentication

Backend authentication and authorization concepts explained through practical implementation, cookies, CORS, OAuth, service account, token, API key, and permission tradeoffs.

published

RBAC vs ABAC

Compares role-based and attribute-based authorization models for backend access control.

comparison
published

Password Hashing Explained

Explains password hashing, salts, peppers, verification, reset tokens, and storage mistakes.

informational
published

MFA Explained for Web Apps

Explains multi-factor authentication, enrollment, backup codes, recovery, and step-up checks.

informational
published

Session Fixation Explained

Explains session fixation attacks, session ID rotation, cookie controls, and login trust transitions.

informational
published

Cookie vs Token Authentication

Compares cookies, bearer tokens, sessions, JWTs, CSRF, XSS, storage, CORS, and client tradeoffs.

comparison
published

Refresh Token Rotation Explained

Explains rotating refresh tokens, reuse detection, token families, revocation, and refresh race conditions.

informational
published

OAuth 2.0 vs OpenID Connect

Explains delegated authorization, login, ID tokens, access tokens, and OIDC boundaries.

comparison
published

API Key vs OAuth Token

Compares long-lived API keys with scoped OAuth tokens for integrations and delegated API access.

comparison
published

API Key Design Best Practices

Explains API key format, hashing, scopes, rotation, rate limits, audit logs, and safe storage.

tutorial
published

OAuth Scopes Explained

Explains scopes, consent, roles vs scopes, least privilege, tenant checks, and API permission validation.

informational
published

Service Accounts Explained

Explains machine identities, scoped credentials, least privilege, rotation, audit logs, and decommissioning.

informational
published

JWT Claims Explained

Covers registered claims, custom claims, scopes, roles, tenant context, and validation mistakes.

informational
published

CSRF vs XSS

Security comparison useful for auth and web backend clusters.

comparison
published

CORS Preflight Explained

Explains browser OPTIONS checks, allowed methods, headers, credentials, caching, debugging, and backend mistakes.

informational
published

SameSite Cookies Explained

Explains SameSite cookie modes, CSRF risk, OAuth callbacks, and secure session cookie design.

informational
published

Cookie Security Checklist

Checklist for HttpOnly, Secure, SameSite, CSRF, session rotation, prefixes, expiration, scope, and logging.

reference
published

Secure HTTP Headers Explained

Explains HSTS, CSP, frame protection, referrer policy, permissions policy, and cookie-related limits.

informational
published

JWT Decoder

Local-only tool for inspecting JWT header and payload claims without signature verification.

reference

Backend

Backend Security

Security-focused backend guides for authentication, authorization, cookies, CORS, OAuth scopes, service credentials, browser risks, secrets, audit logs, API abuse controls, and safe API behavior.

published

RBAC vs ABAC

Compares RBAC, ABAC, ownership checks, tenant boundaries, role explosion, and policy complexity.

comparison
published

Password Hashing Explained

Explains safe password storage with one-way hashes, salts, cost factors, reset tokens, and login flow risks.

informational
published

MFA Explained for Web Apps

Explains MFA enrollment, TOTP, WebAuthn, backup codes, recovery flows, and step-up authentication.

informational
published

Session Fixation Explained

Explains session fixation attacks, session ID rotation, cookie controls, and MFA trust transitions.

informational
published

JWT vs Session Authentication

Compares stateless bearer tokens with server-side sessions, logout, revocation, and browser storage tradeoffs.

comparison
published

Cookie vs Token Authentication

Compares cookies, bearer tokens, sessions, JWTs, CSRF, XSS, storage, CORS, and client tradeoffs.

comparison
published

Refresh Token Rotation Explained

Explains rotating refresh tokens, reuse detection, token families, revocation, and refresh race conditions.

informational
published

OAuth 2.0 vs OpenID Connect

Explains delegated authorization, login, ID tokens, access tokens, and OIDC boundaries.

comparison
published

API Key vs OAuth Token

Compares API keys and OAuth tokens for service access, user context, scopes, rotation, and expiration.

comparison
published

API Key Design Best Practices

Explains API key format, hashing, scopes, rotation, rate limits, audit logs, and safe storage.

tutorial
published

API Authentication Best Practices

Explains protected API credentials, token validation, least privilege, gateways, auth failures, and security logs.

tutorial
published

OAuth Scopes Explained

Explains scope design, least privilege, consent, resource server checks, and common authorization mistakes.

informational
published

Service Accounts Explained

Explains machine identities, scoped credentials, least privilege, rotation, audit logs, and decommissioning.

informational
published

Security Event Logging Explained

Explains auth events, API abuse signals, safe metadata, alerting, retention, and investigation workflows.

informational
published

API Abuse Prevention Explained

Explains rate limits, quotas, enumeration, bot patterns, security event logging, gateways, and clear API errors.

informational
published

JWT Claims Explained

Covers registered claims, custom claims, scopes, roles, tenant context, and validation mistakes.

informational
published

CORS Preflight Explained

Explains browser OPTIONS checks, allowed methods, headers, credentials, caching, debugging, and backend mistakes.

informational
published

Secure HTTP Headers Explained

Explains HSTS, CSP, frame protection, referrer policy, permissions policy, and cookie-related limits.

informational
published

SameSite Cookies Explained

Explains SameSite cookie modes, CSRF risk, OAuth callbacks, and secure session cookie design.

informational
published

Cookie Security Checklist

Checklist for HttpOnly, Secure, SameSite, CSRF, session rotation, prefixes, expiration, scope, and logging.

reference
published

CSRF vs XSS

Compares request forgery and script injection risks for browser-backed backend systems.

comparison
published

Webhook Signature Verification

Explains HMAC signatures, raw request bodies, timestamps, replay protection, secret rotation, and safe webhook failures.

tutorial
published

API Gateway Explained

Explains gateway routing, authentication, rate limiting, observability, and architecture tradeoffs.

informational
published

JWT Decoder

Local-only JWT inspection tool for test tokens and auth debugging.

reference
published

HTTP Status Code Lookup

Quick reference for 401, 403, 429, 5xx, and other security-relevant API responses.

reference

Algorithms

Algorithms and Complexity

Algorithm fundamentals for backend developers, with emphasis on practical complexity, array patterns, and interview readiness.

published

Prefix Sum Algorithm Explained

Explains range-sum preprocessing, subarray sums, difference arrays, Java examples, and complexity.

tutorial

System Design

System Design Basics

Foundational backend architecture topics for databases, query performance, operations, concurrency, scaling, reliability, and production tradeoffs.

published

Database Indexes Explained

Explains index tradeoffs, composite indexes, query planning, and backend performance reviews.

informational
published

N+1 Query Problem Explained

Explains hidden ORM query loops, eager loading, joins, batching, query counts, and list endpoint performance.

tutorial
published

Optimistic Locking Explained

Covers version columns, lost updates, compare-and-swap updates, and 409 conflict responses.

informational
published

Caching Strategies Explained

Explains cache-aside, TTLs, invalidation, cache stampedes, and backend freshness tradeoffs.

tutorial
published

Message Queues Explained

Covers producers, consumers, retries, dead-letter queues, ordering, and idempotent processing.

informational
published

Database Sharding Explained

Covers shard keys, routing, hot shards, cross-shard queries, and sharding tradeoffs.

informational
published

Load Balancing Explained

Covers traffic distribution, algorithms, health checks, sticky sessions, and deployment tradeoffs.

informational
published

Distributed Locks Explained

Explains lease-based locks, fencing tokens, failure modes, and safer alternatives.

informational
published

Retry Patterns Explained

Covers timeouts, exponential backoff, jitter, retry budgets, and idempotent retries.

tutorial
published

Background Jobs Explained

Explains queues, workers, scheduled jobs, idempotency, status tracking, and monitoring.

tutorial

Developer Tools

Developer Tools

Utility pages that pair SEO-friendly explanations with fast browser-based developer tools.

published

Text Diff Checker

Compare text snippets line by line for API responses, configs, SQL, logs, and documentation.

reference
published

Markdown Table Generator

Convert CSV, TSV, and pasted rows into Markdown tables for docs and READMEs.

reference
published

CSV to JSON Converter

Convert CSV, TSV, and delimited text into JSON arrays or objects locally.

reference
published

JSON Schema Generator

Generate starter JSON Schema drafts from example JSON payloads.

reference
published

JSONPath Tester

Test common JSONPath expressions against API responses, fixtures, and logs.

reference
published

JSON Pointer Resolver

Resolve RFC 6901 JSON Pointers against JSON locally with value and path metadata output.

reference
published

JSON Formatter

Format and minify JSON locally in the browser.

reference
published

Regex Tester

Test JavaScript regex patterns with matches, groups, and replacement previews.

reference
published

Big-O Cheat Sheet

Look up common data structure and algorithm complexities with Java-oriented notes.

reference
published

Cron Parser

Explain five-field cron expressions and preview upcoming run times locally.

reference
published

SQL Formatter

Format and minify SQL queries locally before debugging or code review.

reference
published

JWT Decoder

Decode JWT header and payload claims locally for authentication debugging.

reference
published

Unix Timestamp Converter

Convert Unix seconds, milliseconds, UTC, and local browser dates for backend debugging.

reference
published

UUID Generator

Generate UUID v4 values locally for request IDs, idempotency keys, and test data.

reference