🗂️

Resources & Checklists

Ready-to-use checklists, recommended books, essential tools, and cheat sheets. Save them, print them, use them on every project.

Pre-Deployment Checklist

Run through this before every production deployment. Takes 5 minutes and can save hours of incident response.

🚀 Pre-Deployment Checklist

🔴 Critical  🟡 Important  ☐ Standard
  • All tests passing in CI (unit, integration, e2e)
  • Code review approved by at least 2 engineers
  • Database migration tested on staging with production-sized data
  • Rollback plan documented and tested
  • Staging environment validated manually
  • Feature flags configured for gradual rollout
  • Monitoring alerts configured for new features
  • On-call engineer notified of deployment
  • CHANGELOG / release notes updated
  • API documentation updated (if endpoints changed)
  • Environment variables set in production
  • Third-party integrations tested in staging
  • Performance regression tests run (load time <2x baseline)
  • Security scan run (npm audit, Snyk, or equivalent)
  • Deployment scheduled during low-traffic window
  • Customer support notified of UX changes

🔍 Code Review Checklist

Use this when reviewing any PR
  • No hardcoded secrets, API keys, or passwords
  • User input validated and sanitized (SQL injection, XSS)
  • Authentication/authorization checked on all new endpoints
  • Error handling covers all failure paths (network, null, empty)
  • No N+1 database queries in loops
  • Tests cover happy path, edge cases, and error cases
  • Variable and function names are descriptive and clear
  • Functions do one thing and are under ~30 lines
  • No commented-out code left behind
  • No unnecessary console.log or debug statements
  • Complex logic has explanatory comments (WHY, not WHAT)
  • Dependencies added are justified and actively maintained
  • Breaking changes documented in PR description
  • Performance: no blocking operations on main thread
  • Accessibility: interactive elements have ARIA labels

🔒 Security Checklist (OWASP-based)

Validate before every release
  • Passwords hashed with bcrypt/argon2 (never MD5/SHA1)
  • JWT tokens have expiration (max 24h for access, 30d for refresh)
  • All user inputs sanitized against XSS (no raw innerHTML with user data)
  • SQL queries use parameterized statements only
  • HTTPS enforced on all endpoints (HSTS header set)
  • Rate limiting on auth endpoints (max 5 attempts/15 min)
  • CORS configured — not wildcard (*) in production
  • Content-Security-Policy header configured
  • Dependencies scanned for known vulnerabilities (npm audit)
  • Sensitive data not logged (passwords, tokens, PII)
  • File uploads: type validation, size limits, stored outside webroot
  • Error messages don't expose internal stack traces to users
  • Admin endpoints require additional authentication (2FA/IP allowlist)
  • Secrets stored in environment variables, not in code or git

Essential Engineering Books

These books are referenced by senior engineers at Google, Meta, Netflix, and Amazon. If you read 5 of these, you'll think differently about software forever.

📗

Clean Code

Robert C. Martin • 2008

The bible of software craftsmanship. Learn to write code that humans can actually read and maintain. Every chapter has before/after examples.
📘

Designing Data-Intensive Applications

Martin Kleppmann • 2017

The definitive guide to databases, distributed systems, and data at scale. Understanding replication, consensus, and stream processing will change how you design systems.
📙

The Phoenix Project

Gene Kim et al. • 2013

DevOps as a novel. Follow a struggling IT manager who discovers lean manufacturing principles. Teaches the Three Ways of DevOps through compelling storytelling.
📕

Site Reliability Engineering

Google SRE Team • 2016

How Google runs production at planet scale. Error budgets, SLOs, blameless postmortems, and eliminating toil through automation. Free to read online.
📓

Accelerate

Nicole Forsgren et al. • 2018

Data-driven research on what makes high-performing software teams. The 4 DORA metrics. Proves that speed and stability are not in conflict — the best teams have both.
📒

A Philosophy of Software Design

John Ousterhout • 2018

Focuses on complexity as the root cause of all software problems. Teaches deep modules, good abstractions, and designing for the reader rather than the writer.

Essential Developer Tools

The tools used by high-performing engineering teams. These are the tools that, once you start using, you can't imagine working without.

GitHub Actions

CI/CD

Free CI/CD built into GitHub. 2000 minutes/month free. Supports matrix builds, caching, and 15,000+ community actions. The default choice for most teams.

Docker + Compose

Containerization

Package your app with its dependencies. docker-compose for local dev environments that mirror production exactly. Essential for onboarding new developers in minutes.

Prometheus + Grafana

Monitoring

Open-source metrics collection and visualization. Prometheus scrapes metrics, Grafana visualizes them. Self-hosted, free, and used by thousands of teams.

Sentry

Error Tracking

Real-time error monitoring with stack traces, user context, and release tracking. Know about bugs before your users report them. Free tier for small teams.

LaunchDarkly / Flagsmith

Feature Flags

Feature flag management. Flagsmith is open-source and self-hostable. LaunchDarkly is enterprise-grade with advanced targeting and experimentation.

k6 / Artillery

Load Testing

Load testing tools that run from CLI or CI. Simulate 1000+ concurrent users to find performance bottlenecks before launch. Write tests in JavaScript.

Git Commands Cheat Sheet

# EVERYDAY COMMANDS
git status                           # see what's changed
git log --oneline -10                # last 10 commits, compact
git diff HEAD                        # unstaged changes
git stash push -m "wip: feature X"  # save work temporarily

# BRANCHING
git checkout -b feature/my-feature  # create + switch branch
git branch -d feature/my-feature    # delete local branch
git push origin --delete feature/x  # delete remote branch

# MERGING & REBASING
git merge --no-ff feature/x         # merge with commit (preserves history)
git rebase main                      # replay commits on top of main
git rebase -i HEAD~3                 # squash last 3 commits interactively

# UNDOING
git reset HEAD~1 --soft             # undo last commit, keep changes staged
git reset HEAD~1 --mixed            # undo last commit, keep changes unstaged
git revert <commit-hash>            # create new commit that undoes a commit (safe)
git restore src/file.js             # discard changes in a file

# FINDING THINGS
git log --all --grep="bug fix"       # search commit messages
git blame src/utils.js              # who changed each line and when
git bisect start                    # binary search for bug-introducing commit

Docker Commands Cheat Sheet

# BUILD & RUN
docker build -t myapp:1.0 .           # build image from Dockerfile
docker run -d -p 3000:3000 myapp:1.0  # run detached, map port
docker run --rm -it myapp bash        # interactive shell, auto-remove

# INSPECT
docker ps                              # running containers
docker ps -a                           # all containers including stopped
docker logs -f my-container           # stream logs
docker exec -it my-container sh       # shell into running container
docker inspect my-container          # detailed container info (JSON)
docker stats                          # live CPU/memory usage

# DOCKER COMPOSE
docker compose up -d                  # start all services detached
docker compose up -d --build          # rebuild and start
docker compose down -v               # stop and remove volumes
docker compose logs -f backend       # stream logs for one service

# CLEANUP
docker system prune -af              # remove ALL unused images/containers
docker volume prune                   # remove unused volumes
docker images | grep none            # find dangling images