The web dev knowledge that isn't code

HTML, CSS, JavaScript and SEO get you building — these eight areas get you trusted with production. Work through the checklists below; your progress saves in this browser, so you can come back and keep going.

Your readiness score 0 of 52 checks

How the Web Works

0/6

Understanding what happens between typing a URL and seeing a page is the skill that separates web developers from framework users. It makes every bug — slow loads, CORS errors, stale caches — explainable instead of mysterious.

Every page load is the same journey: the browser resolves the domain to an IP address (DNS), opens a connection (TCP), secures it (TLS), sends an HTTP request, receives a response, then parses HTML into the DOM, computes styles, and paints pixels. Each stage can fail, be slow, or be cached — and each produces different symptoms. Step through the journey:

DNS lookup

1 / 7

HTTP status codes — quick reference

CodeNameWhat it actually means

Make it a habit

Security

0/8

Most attacks on websites aren't clever — they exploit the same handful of oversights, year after year. Knowing the top few puts you ahead of the majority of shipped sites.

The classics: XSS (user-supplied text rendered as live HTML — the reason you escape output; try the HTML entity tool), CSRF (another site triggering actions with your users' cookies — mitigated by SameSite cookies and tokens), supply-chain risk (that convenient npm package and its 300 dependencies run with full access to your page), and secrets in client code — anything shipped to the browser is public, including API keys in your JavaScript. Security headers are the highest-value low-effort defence; this very site ships the set below.

Security headers starter pack

Tighten or loosen CSP per site — start strict, then allow only what breaks. Test with your browser DevTools console open; violations are logged there.

Make it a habit

Performance & Core Web Vitals

0/7

Speed is a feature users feel and Google measures. Three numbers — the Core Web Vitals — summarise it, and they're ranking factors.

VitalMeasuresGoodPoor
LCPLargest Contentful Paint — when the main content appears≤ 2.5s> 4.0s
INPInteraction to Next Paint — how fast the page responds to input≤ 200ms> 500ms
CLSCumulative Layout Shift — how much the page jumps around≤ 0.1> 0.25

The biggest wins are boring: compress and size images properly (reserve space with the aspect ratio tool to protect CLS), let the browser cache aggressively, load JavaScript only where it earns its weight, and keep third-party scripts on a short leash. Caching is where most sites leave speed on the table — these three recipes cover the common cases:

Cache-Control recipes

no-cache does not mean “don't cache” — it means “store it, but check with the server before reusing it”. The one that disables caching entirely is no-store.

Make it a habit

ADVERTISEMENT

Accessibility

0/8

Roughly one in six people has a disability that affects how they use the web. Accessibility isn't an add-on for them — it's baseline quality, and increasingly a legal requirement (WCAG 2.2 AA in the UK and EU).

The 80/20 of accessibility is semantic HTML: real <button>s, real <a>s, headings in order, landmarks (<nav>, <main>, <footer>). Native elements bring keyboard support, focus behaviour and screen-reader announcements for free — a <div onclick> brings none of them. Reach for ARIA attributes last, only when no native element fits. And check your colours with the contrast checker.

AvoidPreferWhy
<div onclick><button>Keyboard, focus and screen-reader support built in
outline: noneVisible :focus-visible styleKeyboard users need to see where they are
alt="" on meaningful imagesDescriptive alt textEmpty alt is only correct for decoration
Colour as the only signalColour + icon/text1 in 12 men has a colour vision deficiency
Tiny tap targets≥ 24 × 24 px targetsWCAG 2.2 minimum; fingers aren't cursors

Make it a habit

Git & Version Control

0/6

Git is the safety net that makes fearless experimentation possible — and the collaboration layer every team assumes you know. You need about twenty commands, used well, not two hundred.

The mental model that makes Git click: commits are snapshots of your whole project, branches are just movable labels pointing at a snapshot, and almost nothing is ever truly lost. Small, focused commits with messages that explain why turn your history into documentation.

Daily rhythm
Branch & merge
Undo safely
Sync & inspect

Make it a habit

Deployment & Hosting

0/7

A site on localhost helps nobody. Getting comfortable with domains, DNS and hosting turns “it works on my machine” into a URL you can put on a business card.

The modern path for static sites is genuinely easy: push to Git, connect a host (Cloudflare Pages, Netlify, GitHub Pages, Vercel), and every push deploys automatically with HTTPS included. The part that still confuses everyone is DNS — the records that point your domain at your host:

RecordPoints toTypical use
AAn IPv4 addressRoot domain → server IP
AAAAAn IPv6 addressSame as A, for IPv6
CNAMEAnother domain namewww → your host's URL
TXTArbitrary textDomain verification, email security (SPF/DKIM)
MXA mail serverWhere your domain's email goes
NSName serversWhich DNS provider is in charge

DNS changes take time to spread (propagation, up to 24–48h but usually minutes). Lower the record's TTL before a planned switch, and don't panic-edit while it propagates. Before launch, generate your robots.txt and submit your sitemap.

Launch-day checklist

ADVERTISEMENT

Testing

0/5

Tests aren't bureaucracy — they're the difference between “I think it still works” and “I know it still works”, every time you change anything.

LayerTypical toolsAnswers
UnitVitest, Jest“Does this function return the right thing?”
IntegrationTesting Library“Does this form validate and submit correctly?”
End-to-endPlaywright, Cypress“Can a real user actually check out?”

Start where the value is: pure logic first (date maths, price calculations, validators — cheap to test, painful to break), then your critical user paths (sign-up, checkout, the thing your site exists for). A handful of tests on what matters beats hundreds of tests on what doesn't. Test behaviour users can see, not implementation details — tests that break on every refactor teach teams to ignore them.

Make it a habit

Privacy & Data Responsibility

0/5

Privacy law (GDPR in Europe, similar laws spreading worldwide) turned “collect everything, sort it out later” into a liability. The principle that keeps you safe is simple: collect the minimum, and be honest about it.

You've already seen this page practise it: the cookie banner here defaults analytics to denied until you accept, and every tool on this site runs client-side precisely so your input never needs collecting. “We don't store it” is the easiest privacy policy to honour. When you do collect data, know why, say so plainly, and delete it when the reason expires.

Make it a habit

Website Builders vs Hand-Coding

Decision guide

Wix, Squarespace, Shopify, WordPress, Webflow — or a code editor? There's no universally right answer, only a right answer for a given project. Here's the honest comparison.

Builders earn their popularity. They take a site from idea to live in an afternoon, with hosting, SSL, updates and backups managed for you. Templates give non-designers a professional look, e-commerce works out of the box, and a small business owner can edit their own content without waiting on a developer. For a brochure site, a booking page, or validating a business idea quickly, that trade is genuinely good.

Hand-coding buys control. Every byte is yours: no platform ceiling on performance, no feature blocked behind a pricing tier, no lock-in when you want to move hosts, and no subscription running for the site's lifetime. It's also how skills compound — every project you hand-build makes you a better engineer, because everything on the page is something you understood well enough to create.

The considerations people skip. Extensible platforms inherit the security posture of their least-maintained extension — the platforms themselves patch quickly, so in practice the risk usually lives in outdated or abandoned third-party plugins and themes. That's not a reason to avoid builders; it's a reason to keep extensions few, reputable and updated, exactly as you'd audit npm packages in a coded project. Also weigh: export paths if you outgrow the platform, performance ceilings on heavy themes, and what the monthly fee totals over five years.

Website builderHand-coded
Speed to launchHours to daysDays to weeks
Cost modelMonthly subscriptionHosting only (often pennies)
CustomisationWithin the platform's limitsUnlimited
Performance controlTheme-dependentTotal — every byte is chosen
MaintenancePlatform handles itYou handle it
Security responsibilityPlatform core + your plugin choicesEntirely yours — smaller surface, but yours
PortabilityVaries — check export optionsMove anywhere, any time
Skills growthPlatform skillsTransferable engineering skills

Which should you choose?

ScenarioSensible default
Small business brochure site, no dev on staffBuilder — managed and self-editable is the point
Validating an online shop idea fastBuilder (e.g. hosted e-commerce), migrate if it takes off
Portfolio, or learning web developmentHand-code — the process is the value
Unique product, app or custom functionalityHand-code — you'll fight a builder's limits
Content site with non-technical editors, custom frontendHybrid — headless CMS + hand-coded frontend

Plenty of professionals use both, per project. The skill isn't loyalty to one camp — it's matching the tool to the job, knowing what you're trading away, and being able to build it yourself when the project deserves it.