Essential technical skills of the FullStack Developer
8 key building blocks: Front, Back, DB, APIs, CI/CD, Cloud, Observability, Security; with deliverables, KPIs, anti-patterns, checklists and snippets.
Front: React/Vue/Angular, Tailwind, TS
Back: Node/Django/Spring/Laravel/Rails
DB: PostgreSQL, MySQL, MongoDB, Redis
Cloud: AWS/Azure/GCP, Docker, K8s
1) Front-end (React, Vue, Angular, HTML5, CSS3, Tailwind, TypeScript)
Key points
- React/Vue/Angular: SPA/SSR/ISR, routing, state mgmt (RTK/Pinia/RxJS).
- TypeScript: type-safe models, DX, fast refactoring.
- CSS: Tailwind/SCSS, design tokens, theming (dark mode), animations.
- A11y: WCAG 2.1 AA, ARIA roles, focus management, keyboard-first.
Deliverables
- Design system + Storybook, tokens & variants.
- Performance guides (CWV budgets, AVIF/WebP images).
- E2e tests (Cypress/Playwright) + a11y tests (axe-core).
KPIs & Anti-patterns
- LCP < 2.5s, CLS < 0.1, INP < 200ms, Lighthouse ≥ 90.
- Bundle p95 < 200–300 KB, code-splitting & prefetch.
- Anti-patterns: unscoped CSS, unoptimised images, everything rendered client-side.
// React + TS – code splitting
import React from 'react';
const Page = React.lazy(() => import('./Page'));

<!-- HTML – sized, lazy-loaded AVIF image (width/height avoid layout shift) -->
<img src="/img/pic.avif" width="800" height="600" loading="lazy" alt="...">

// Web Vitals report
import { onLCP, onINP } from 'web-vitals';
onLCP(console.log); onINP(console.log);
2) Back-end (Node.js, Django, Spring Boot, Laravel, Rails)
Key points
- Node/Express (IO-bound APIs), Django/DRF (security/ORM), Spring (enterprise), Laravel/Rails (productivity).
- Clean architecture, DTOs/serializers, schema validation.
- Jobs & schedulers, idempotency, retry + DLQ.
Deliverables & KPIs
- Versioned OpenAPI/schema contracts, smoke tests.
- p95 < 150ms, errors < 1%, MTTR < 30m.
- Controlled migrations (expand/contract), seeds & fixtures.
Anti-patterns
- Business logic in controllers, N+1 queries, unbounded transactions.
- "Catch-all" endpoints, no timeouts/circuit-breakers.
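The "idempotency, retry + DLQ" point above, as an added in-memory sketch (not code from the page): a producer-supplied idempotency key makes duplicate deliveries safe, retries are bounded with exponential backoff, and exhausted jobs land in a dead-letter list instead of being lost. `Worker`, `Job` and the flaky handler are this example's own names, and the handler's failures are constructed.

```python
import time
from dataclasses import dataclass

@dataclass
class Job:
    key: str        # idempotency key chosen by the producer (e.g. an order id)
    payload: dict
    attempts: int = 0

class Worker:
    """Idempotent processing with bounded retries, exponential backoff and a DLQ."""
    def __init__(self, handler, max_attempts=3, base_delay=0.0):
        self.handler = handler
        self.max_attempts = max_attempts
        self.base_delay = base_delay   # seconds; 0 keeps the demo instant
        self.processed = {}            # key -> result: the idempotency store
        self.dlq = []                  # jobs that exhausted their retries

    def submit(self, job):
        # Replayed key: return the stored result; the handler runs at most once per key.
        if job.key in self.processed:
            return self.processed[job.key]
        while job.attempts < self.max_attempts:
            job.attempts += 1
            try:
                result = self.handler(job.payload)
            except Exception:
                time.sleep(self.base_delay * 2 ** (job.attempts - 1))  # base * 2^(n-1)
                continue
            self.processed[job.key] = result
            return result
        self.dlq.append(job)           # retries exhausted: park it instead of dropping it
        return None

def make_flaky_handler(fail_first):
    """Constructed handler: fails its first `fail_first` calls and every 'poison' payload."""
    calls = {"n": 0}
    def handler(payload):
        calls["n"] += 1
        if payload.get("poison") or calls["n"] <= fail_first:
            raise RuntimeError("transient error")
        return f"charged {payload['amount']}"
    return handler, calls

def demo():
    handler, calls = make_flaky_handler(fail_first=2)
    w = Worker(handler, max_attempts=3)
    first = w.submit(Job("order-42", {"amount": 10}))   # 2 failures, then success
    replay = w.submit(Job("order-42", {"amount": 10}))  # duplicate delivery: no new call
    dead = w.submit(Job("order-43", {"amount": 5, "poison": True}))  # 3 failures -> DLQ
    return first, replay, calls["n"], dead, len(w.dlq)
```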
# Django REST – Serializer
from django.contrib.auth.models import User
from rest_framework import serializers

class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ["id", "username", "email"]   # explicit allow-list, never "__all__"

// Node – body size limit & request id
const express = require('express'), crypto = require('crypto');
const app = express();
app.use(express.json({ limit: "1mb" }));
app.use((req, res, next) => { res.set('X-Request-Id', crypto.randomUUID()); next(); });

// Spring – validation (@Valid goes on the body parameter)
@PostMapping("/users")
public User create(@Valid @RequestBody UserDTO dto) { ... }
3) Databases (SQL, NoSQL, caches)
Key points
- PostgreSQL/MySQL for transactions & reporting.
- MongoDB for documents, Redis for cache/sessions and rate limiting.
- Indexing, partitioning, bounded transactions.
KPIs & deliverables
- Top queries + execution plans (EXPLAIN/ANALYZE).
- p95 read < 80ms, replication lag < 5m, RPO ≤ 5m.
- Tested backup/restore runbook (weekly).
Anti-patterns
- "Big bang" migrations, missing foreign keys, unsuitable types.
- PII stored in plaintext, dev = prod.
-- PostgreSQL – GIN full-text index
CREATE INDEX idx_search ON docs USING gin(to_tsvector('french', body));

# Redis – Python (rate-limit counter with a 60 s TTL)
import redis
r = redis.Redis()
r.setex("rate:u1", 60, 10)

-- MySQL – efficient keyset pagination (no OFFSET)
SELECT * FROM t WHERE id > ? ORDER BY id ASC LIMIT 50;
4) APIs (REST, GraphQL, WebSockets)
REST
- Idempotency, caching, pagination, versioning.
- OpenAPI, contract tests, mocks (Prism).
openapi: 3.0.3
paths: { /users: { get: { responses: { '200': { description: OK } } } } }
GraphQL
- Schema-first (SDL), persisted queries, depth limits.
- DataLoader (N+1), @cache directives.
type Query { user(id: ID!): User, search(q: String!): [User!]! }
WebSockets
- Token auth, backpressure, rooms/topics.
- SSE/long-poll fallback, QoS, exponential retry.
// WS – broadcast (ws library)
const wss = new (require('ws').WebSocketServer)({ port: 8080 });
wss.on('connection', ws => ws.send('hello'));
const broadcast = msg => wss.clients.forEach(c => c.readyState === c.OPEN && c.send(msg));
Anti-patterns: unversioned endpoints, implicit schemas, no limits & timeouts, WS messages without auth.
5) CI/CD & Quality (GitLab CI/CD, GitHub Actions, Jenkins)
Typical pipeline
- build → unit → integ → e2e → sast/dast → deploy → smoke.
- Preview environment per branch (auto-stop).
- Gate "critical vulns = block".
KPIs
- Lead time < 1 day, CFR < 15%, deployment frequency ≥ weekly.
- Coverage ≥ 80%, flaky tests < 2%.
Anti-patterns
- Slow/flaky tests left untreated, ad-hoc manual deployments.
- No ephemeral environments, no rollback.
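The "critical vulns = block" gate from the pipeline above, as an added example (not the page's own code): a small Python step that reads a Trivy-style JSON report (the `Results[].Vulnerabilities[]` shape is assumed from Trivy's output) and returns the exit code the CI job should end with. The embedded report and its CVE identifiers are constructed placeholders.

```python
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape of Trivy's JSON output; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "left-pad", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "lodash", "Severity": "CRITICAL"},
        ]},
        {"Target": "registry/app:1.0 (debian)", "Vulnerabilities": None},  # Trivy emits null when clean
    ]
})

def blocking_findings(report_json, threshold="CRITICAL", ignore=()):
    """Findings at or above the threshold that are not on the explicit ignore list."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(sev, 0) >= floor and v["VulnerabilityID"] not in ignore:
                hits.append((result["Target"], v["PkgName"], v["VulnerabilityID"], sev))
    return hits

def gate(report_json, threshold="CRITICAL", ignore=()):
    """Exit code for the CI job: 0 lets the pipeline continue, 1 blocks it."""
    hits = blocking_findings(report_json, threshold, ignore)
    for target, pkg, vid, sev in hits:
        print(f"BLOCK {sev} {vid} in {pkg} ({target})")
    return 1 if hits else 0

if __name__ == "__main__":
    # Pipe the scanner's JSON on stdin; falls back to the sample report when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(data))
```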
# GitLab CI – Node tests
stages: [build, test, security, deploy]
test:
  stage: test
  image: node:20
  script: ["npm ci", "npm run test -- --ci", "npm run build"]

# GitHub Actions – Python
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install -r requirements.txt && pytest -q
6) Cloud & Containers (AWS, Azure, GCP, Docker, Kubernetes)
Services & patterns
- EKS/AKS/GKE, ECS, serverless (Lambda/Functions/Cloud Run).
- Managed DBs, private networks, WAF, CDN, object storage.
- IaC (Terraform), Helm, GitOps (ArgoCD/Flux), secrets manager.
FinOps & SLO
- Right-size, autoscale, idle killer on preview environments.
- Budget €/month & alerts, cost per request tracked.
- Uptime ≥ 99.9% (multi-AZ), RTO ≤ 30m, RPO ≤ 5m.
Anti-patterns
- Heavy, unscanned images; missing probes.
- Ingress without TLS, plaintext secrets, no PSP/PodSecurity.
# K8s – Deployment (readiness/liveness)
apiVersion: apps/v1
kind: Deployment
metadata: { name: app }
spec:
  replicas: 3
  selector: { matchLabels: { app: app } }
  template:
    metadata: { labels: { app: app } }
    spec:
      containers:
        - name: app
          image: registry/app:1.0
          ports: [{ containerPort: 3000 }]
          readinessProbe: { httpGet: { path: "/healthz", port: 3000 }, initialDelaySeconds: 5 }
          livenessProbe: { httpGet: { path: "/healthz", port: 3000 }, initialDelaySeconds: 20 }
7) Observability & Monitoring (Logs, Metrics, Traces)
The three pillars (logs/metrics/traces)
- JSON logs, trace_id/span_id correlation.
- Prometheus: RED/USE, Grafana dashboards.
- OpenTelemetry: header propagation (W3C TraceContext).
KPIs & alerts
- API p95 < 150ms, errors < 1%, availability ≥ 99.9%.
- MTTR < 30m, error budget tracked (SLOs).
- Abnormal daily costs (FinOps alert).
Anti-patterns
- Verbose logs (PII), uncontrolled sampling.
- No cross-service correlation, no /healthz health endpoint.
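The "trace_id/span_id correlation" and "W3C TraceContext propagation" points above, shown without the OpenTelemetry SDK as an added example (not code from the page): the incoming `traceparent` header is validated, a child span is minted, the header to forward downstream is built, and every JSON log line carries the ids a log pipeline joins on. `new_span_context`, `log_json` and the sample header are this example's own names and constructed values.

```python
import json
import re
import secrets
import time

TRACEPARENT_RE = re.compile(r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")

def parse_traceparent(header):
    """Validate a W3C traceparent header; return (trace_id, parent_span_id, sampled) or None."""
    m = TRACEPARENT_RE.match(header or "")
    if not m:
        return None
    version, trace_id, span_id, flags = m.groups()
    if version == "ff" or set(trace_id) == {"0"} or set(span_id) == {"0"}:
        return None   # spec: version ff is reserved, all-zero ids are invalid
    return trace_id, span_id, bool(int(flags, 16) & 0x01)

def new_span_context(incoming=None):
    """Continue the caller's trace when its header is valid, otherwise start a new trace."""
    parsed = parse_traceparent(incoming)
    if parsed:
        trace_id, parent, sampled = parsed
    else:
        trace_id, parent, sampled = secrets.token_hex(16), None, True
    return {"trace_id": trace_id, "span_id": secrets.token_hex(8),
            "parent_span_id": parent, "sampled": sampled}

def outgoing_traceparent(ctx):
    """Header to forward to downstream services: our span becomes their parent."""
    return f"00-{ctx['trace_id']}-{ctx['span_id']}-{'01' if ctx['sampled'] else '00'}"

def log_json(ctx, level, msg, **fields):
    """One structured log line carrying the correlation ids (sorted keys for stable parsing)."""
    record = {"ts": time.time(), "level": level, "msg": msg,
              "trace_id": ctx["trace_id"], "span_id": ctx["span_id"], **fields}
    return json.dumps(record, sort_keys=True)

# Constructed sample header: version 00, trace id, parent span id, flags 01 (sampled).
INCOMING = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"

if __name__ == "__main__":
    ctx = new_span_context(INCOMING)
    print(log_json(ctx, "INFO", "request handled", status=200))
    print("forward:", outgoing_traceparent(ctx))
```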
# Prometheus – API latency alert (p95 over 5 min above 150 ms for 2 min)
- alert: HighLatency
  expr: histogram_quantile(0.95, rate(http_request_duration_seconds_bucket[5m])) > 0.15
  for: 2m

// Node + OTel auto-instrumentation
const { NodeSDK } = require('@opentelemetry/sdk-node');
const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
new NodeSDK({ instrumentations: [getNodeAutoInstrumentations()] }).start();
8) Built-in Security (DevSecOps, GDPR, OWASP, Secrets)
AppSec & GDPR
- OWASP Top 10, CSP/HSTS, CSRF/SSRF guards, rate limiting.
- Privacy by design: minimisation, retention limits, export/deletion.
- PII masking in pre-prod, access log.
DevSecOps
- SAST/DAST, SBOM (Syft), Trivy/Grype, Dependabot.
- Policy-as-Code (OPA/Conftest), role review.
- "critical=block" gate in CI.
Secrets & IAM
- Vault/KMS, rotation, minimal scopes (least privilege).
- MFA, short-lived keys, federated auth (OIDC).
- No secrets in unencrypted environment variables.
// Express – Helmet
const helmet = require('helmet');
app.use(helmet());

# GitLab CI – quick security gate (npm audit)
sast:
  stage: test
  script: ["npm audit --audit-level=high"]

# Django – CSP (excerpt)
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "cdn.jsdelivr.net")
Anti-patterns: plaintext secrets, logs containing PII, outdated dependencies, no scans / no revocation.
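The "PII masking" point and the "logs containing PII" anti-pattern (also listed under Observability), as an added example that is not the page's code: a `logging.Filter` that masks e-mail addresses, Luhn-valid card numbers and bearer tokens before a record reaches any handler, so masking does not depend on each call site. The regexes, `PiiFilter` and the sample lines are this example's own constructions.

```python
import logging
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13-19 digits, optional separators
TOKEN_RE = re.compile(r"(?i)\b(bearer|token|api[_-]?key)\s*[:=]?\s*[A-Za-z0-9._~+/=-]{16,}")

def luhn_ok(digits):
    """Luhn checksum, so order numbers that merely look like cards are left readable."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def redact(text):
    """Mask e-mail addresses, Luhn-valid card numbers and bearer tokens in one message."""
    text = EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@")[1], text)
    def card(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "****" + digits[-4:] if luhn_ok(digits) else m.group(0)
    text = CARD_RE.sub(card, text)
    return TOKEN_RE.sub(lambda m: m.group(1) + " [REDACTED]", text)

class PiiFilter(logging.Filter):
    """Attach to a logger or handler so redaction happens before any sink sees the record."""
    def filter(self, record):
        record.msg = redact(record.getMessage())   # format %-args first, then mask the result
        record.args = ()
        return True

def filtered_message(fmt, *args):
    """Run a record through PiiFilter and return what a handler would write."""
    rec = logging.LogRecord("app", logging.INFO, __file__, 0, fmt, args, None)
    PiiFilter().filter(rec)
    return rec.getMessage()

SAMPLE_LINES = [  # constructed log lines, not from any real system
    "login ok user=alice@example.com from 203.0.113.7",
    "payment card=4111 1111 1111 1111 amount=10.00",
    "order ref 1234567890123 shipped",            # 13 digits but fails Luhn: kept as-is
    "auth header Bearer abcdef0123456789ABCDEF",
]

def demo():
    return [redact(line) for line in SAMPLE_LINES]
```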
