HTML, CSS, JavaScript and SEO get you building — these eight areas get you trusted with production. Work through the checklists below; your progress saves in this browser, so you can come back and keep going.
Your readiness score0 of 52 checks
How the Web Works
0/6
Understanding what happens between typing a URL and seeing a page is the skill that separates web developers from framework users. It makes every bug — slow loads, CORS errors, stale caches — explainable instead of mysterious.
Every page load is the same journey: the browser resolves the domain to an IP address (DNS), opens a connection (TCP), secures it (TLS), sends an HTTP request, receives a response, then parses HTML into the DOM, computes styles, and paints pixels. Each stage can fail, be slow, or be cached — and each produces different symptoms. Step through the journey:
DNS lookup
1 / 7
HTTP status codes — quick reference
Code
Name
What it actually means
No codes match — try “4”, “redirect” or “server”.
Make it a habit
Security
0/8
Most attacks on websites aren't clever — they exploit the same handful of oversights, year after year. Knowing the top few puts you ahead of the majority of shipped sites.
The classics: XSS (user-supplied text rendered as live HTML — the reason you escape output; try the HTML entity tool), CSRF (another site triggering actions with your users' cookies — mitigated by SameSite cookies and tokens), supply-chain risk (that convenient npm package and its 300 dependencies run with full access to your page), and secrets in client code — anything shipped to the browser is public, including API keys in your JavaScript. Security headers are the highest-value low-effort defence; this very site ships the set below.
Security headers starter pack
Tighten or loosen CSP per site — start strict, then allow only what breaks. Test with your browser DevTools console open; violations are logged there.
Make it a habit
Performance & Core Web Vitals
0/7
Speed is a feature users feel and Google measures. Three numbers — the Core Web Vitals — summarise it, and they're ranking factors.
Vital
Measures
Good
Poor
LCP
Largest Contentful Paint — when the main content appears
≤ 2.5s
> 4.0s
INP
Interaction to Next Paint — how fast the page responds to input
≤ 200ms
> 500ms
CLS
Cumulative Layout Shift — how much the page jumps around
≤ 0.1
> 0.25
The biggest wins are boring: compress and size images properly (reserve space with the aspect ratio tool to protect CLS), let the browser cache aggressively, load JavaScript only where it earns its weight, and keep third-party scripts on a short leash. Caching is where most sites leave speed on the table — these three recipes cover the common cases:
Cache-Control recipes
no-cache does not mean “don't cache” — it means “store it, but check with the server before reusing it”. The one that disables caching entirely is no-store.
Make it a habit
ADVERTISEMENT
Accessibility
0/8
Roughly one in six people has a disability that affects how they use the web. Accessibility isn't an add-on for them — it's baseline quality, and increasingly a legal requirement (WCAG 2.2 AA in the UK and EU).
The 80/20 of accessibility is semantic HTML: real <button>s, real <a>s, headings in order, landmarks (<nav>, <main>, <footer>). Native elements bring keyboard support, focus behaviour and screen-reader announcements for free — a <div onclick> brings none of them. Reach for ARIA attributes last, only when no native element fits. And check your colours with the contrast checker.
Avoid
Prefer
Why
<div onclick>
<button>
Keyboard, focus and screen-reader support built in
outline: none
Visible :focus-visible style
Keyboard users need to see where they are
alt="" on meaningful images
Descriptive alt text
Empty alt is only correct for decoration
Colour as the only signal
Colour + icon/text
1 in 12 men has a colour vision deficiency
Tiny tap targets
≥ 24 × 24 px targets
WCAG 2.2 minimum; fingers aren't cursors
Make it a habit
Git & Version Control
0/6
Git is the safety net that makes fearless experimentation possible — and the collaboration layer every team assumes you know. You need about twenty commands, used well, not two hundred.
The mental model that makes Git click: commits are snapshots of your whole project, branches are just movable labels pointing at a snapshot, and almost nothing is ever truly lost. Small, focused commits with messages that explain why turn your history into documentation.
Daily rhythm
Branch & merge
Undo safely
Sync & inspect
Make it a habit
Deployment & Hosting
0/7
A site on localhost helps nobody. Getting comfortable with domains, DNS and hosting turns “it works on my machine” into a URL you can put on a business card.
The modern path for static sites is genuinely easy: push to Git, connect a host (Cloudflare Pages, Netlify, GitHub Pages, Vercel), and every push deploys automatically with HTTPS included. The part that still confuses everyone is DNS — the records that point your domain at your host:
Record
Points to
Typical use
A
An IPv4 address
Root domain → server IP
AAAA
An IPv6 address
Same as A, for IPv6
CNAME
Another domain name
www → your host's URL
TXT
Arbitrary text
Domain verification, email security (SPF/DKIM)
MX
A mail server
Where your domain's email goes
NS
Name servers
Which DNS provider is in charge
DNS changes take time to spread (propagation, up to 24–48h but usually minutes). Lower the record's TTL before a planned switch, and don't panic-edit while it propagates. Before launch, generate your robots.txt and submit your sitemap.
Launch-day checklist
ADVERTISEMENT
Testing
0/5
Tests aren't bureaucracy — they're the difference between “I think it still works” and “I know it still works”, every time you change anything.
E2E — few, slow, whole-app confidence
Integration — components working together
Unit — many, fast, pure logic
Layer
Typical tools
Answers
Unit
Vitest, Jest
“Does this function return the right thing?”
Integration
Testing Library
“Does this form validate and submit correctly?”
End-to-end
Playwright, Cypress
“Can a real user actually check out?”
Start where the value is: pure logic first (date maths, price calculations, validators — cheap to test, painful to break), then your critical user paths (sign-up, checkout, the thing your site exists for). A handful of tests on what matters beats hundreds of tests on what doesn't. Test behaviour users can see, not implementation details — tests that break on every refactor teach teams to ignore them.
Make it a habit
Privacy & Data Responsibility
0/5
Privacy law (GDPR in Europe, similar laws spreading worldwide) turned “collect everything, sort it out later” into a liability. The principle that keeps you safe is simple: collect the minimum, and be honest about it.
Usually fine without consent
Needs informed consent first
Strictly necessary cookies (login sessions, carts)
Analytics cookies that identify or profile visitors
Anonymous, aggregated counts
Advertising and cross-site tracking cookies
Data the user explicitly submits to you
Sharing data with third parties for their own use
Local preferences (theme, language) kept on-device
Fingerprinting or location tracking
You've already seen this page practise it: the cookie banner here defaults analytics to denied until you accept, and every tool on this site runs client-side precisely so your input never needs collecting. “We don't store it” is the easiest privacy policy to honour. When you do collect data, know why, say so plainly, and delete it when the reason expires.
Make it a habit
Website Builders vs Hand-Coding
Decision guide
Wix, Squarespace, Shopify, WordPress, Webflow — or a code editor? There's no universally right answer, only a right answer for a given project. Here's the honest comparison.
Builders earn their popularity. They take a site from idea to live in an afternoon, with hosting, SSL, updates and backups managed for you. Templates give non-designers a professional look, e-commerce works out of the box, and a small business owner can edit their own content without waiting on a developer. For a brochure site, a booking page, or validating a business idea quickly, that trade is genuinely good.
Hand-coding buys control. Every byte is yours: no platform ceiling on performance, no feature blocked behind a pricing tier, no lock-in when you want to move hosts, and no subscription running for the site's lifetime. It's also how skills compound — every project you hand-build makes you a better engineer, because everything on the page is something you understood well enough to create.
The considerations people skip. Extensible platforms inherit the security posture of their least-maintained extension — the platforms themselves patch quickly, so in practice the risk usually lives in outdated or abandoned third-party plugins and themes. That's not a reason to avoid builders; it's a reason to keep extensions few, reputable and updated, exactly as you'd audit npm packages in a coded project. Also weigh: export paths if you outgrow the platform, performance ceilings on heavy themes, and what the monthly fee totals over five years.
Website builder
Hand-coded
Speed to launch
Hours to days
Days to weeks
Cost model
Monthly subscription
Hosting only (often pennies)
Customisation
Within the platform's limits
Unlimited
Performance control
Theme-dependent
Total — every byte is chosen
Maintenance
Platform handles it
You handle it
Security responsibility
Platform core + your plugin choices
Entirely yours — smaller surface, but yours
Portability
Varies — check export options
Move anywhere, any time
Skills growth
Platform skills
Transferable engineering skills
Which should you choose?
Scenario
Sensible default
Small business brochure site, no dev on staff
Builder — managed and self-editable is the point
Validating an online shop idea fast
Builder (e.g. hosted e-commerce), migrate if it takes off
Portfolio, or learning web development
Hand-code — the process is the value
Unique product, app or custom functionality
Hand-code — you'll fight a builder's limits
Content site with non-technical editors, custom frontend
Hybrid — headless CMS + hand-coded frontend
Plenty of professionals use both, per project. The skill isn't loyalty to one camp — it's matching the tool to the job, knowing what you're trading away, and being able to build it yourself when the project deserves it.
Why this knowledge separates juniors from seniors
Frameworks and syntax are the entry ticket — but production trust is earned in the areas on this page. The developer who can explain why a page is slow (and prove it with the Network tab), keep user data safe by default, ship without breaking the site, and make interfaces work for everyone is the one teams rely on. None of it requires memorising specifications: each area has a small core of habits, and the checklists above are exactly those habits.
Work through them one topic at a time against a real project — your own site is perfect. Your ticks are saved in this browser, so treat it as a running self-audit: every box you can honestly tick is something a code reviewer, a security audit or a lighthouse report won't catch you on later.
Keep the whole toolbox handy
These essentials pair with the rest of FrontendHelpers: audit your metadata and generate robots.txt with the SEO & HTML tools, keep motion tasteful and performant with the CSS animation library, and write cleaner code with the explained JavaScript tricks — all free, all client-side, no sign-up.