HIT · CS Concentrations

COURSE · SE4

Back-End Web Development & APIs

Server-Side Development and APIs

resource-oriented architecture, the relational model, transactional theory, and consistency under scale

Design robust back-end services, APIs, and data layers

Year 3 · 13 weeks · 2h lecture + 2h practice · Project-based

About this course

Design server-side applications and well-structured APIs that power web and mobile clients, with attention to data modeling, authentication, and scale.

Course format. Thirteen weeks, four contact hours each: a two-hour lecture (concepts and theory) and a two-hour practice session. The course is project-based; teams carry one running project end to end and present it three times, in weeks 5, 8, and 13.

What you will build

Build a back-end API platform on Node.js or FastAPI that exposes both REST and an Apollo GraphQL layer over a normalized, indexed PostgreSQL schema, secured with JWT authentication and role-based access control, accelerated with Redis caching, and load-tested with k6 against scaling targets.

Expected outcomes

  • Explain the architectural constraints of REST and resource-oriented design
  • Compare REST and GraphQL and reason about their trade-offs
  • Model relational and non-relational data and analyze normalization
  • Design and implement APIs with versioning and clear contracts
  • Implement authentication, sessions, and authorization securely
  • Apply caching strategies and reason about consistency and invalidation
  • Analyze database indexing, transactions, and query performance
  • Scale back-end services horizontally and handle concurrency
  • Validate APIs with automated and contract testing
  • Evaluate consistency, availability, and latency trade-offs in data systems

Key topics

  • REST & GraphQL APIs
  • Databases & data modeling
  • Authentication & sessions
  • Caching & scaling

Theoretical foundations

The concepts and results this course rests on.

  • REST architectural constraints and resource-oriented design
  • The relational model and normalization theory
  • ACID transactions, isolation levels, and indexing internals
  • Token and federated identity flows for authentication
  • Cache coherence, invalidation, and consistency trade-offs
  • Replication, statelessness, and the CAP trade-off
  • Role and attribute-based access control and least privilege

Prerequisites

This is a Year-3 course. It assumes the mandatory CS core: data structures and algorithms, operating systems, computer networks, databases, software engineering, and the core mathematics (linear algebra, probability and statistics, calculus, discrete mathematics). It additionally requires the specific prior courses listed below.

Course-specific prerequisites:

  • Databases
  • Computer networks
  • Software engineering and a server-side language

Weekly schedule · 13 weeks · lecture + practice

Foundations

Wk 1 · Web Services and HTTP
Lecture: Examine HTTP semantics, statelessness, and the architectural style behind web services.
Practice: Scaffold the project service and implement a first set of HTTP endpoints.
Project: Project service skeleton with basic endpoints is established.

Wk 2 · REST and Resource Design
Lecture: Cover REST constraints, resource modeling, hypermedia, and the Richardson maturity model.
Practice: Design RESTful resources and routes for the project domain.
Project: Project exposes a coherent RESTful resource model.

Data

Wk 3 · Data Modeling and Relational Databases
Lecture: Teach the relational model, normalization theory, and entity-relationship design.
Practice: Design the project schema and connect the service to a relational database.
Project: Project persists data through a normalized relational schema.

Wk 4 · Queries, Indexing, and Transactions
Lecture: Analyze query execution, indexing, and ACID transactions with isolation levels.
Practice: Add indexes, transactions, and tuned queries to the project data layer.
Project: Project data access is transactional and performance-tuned.

Wk 5 · Specification Milestone · Presentation
Lecture: Review API contracts and how data modeling shapes service architecture.
Practice: Student teams present their project specification: domain model, API contract, and scaling goals.
Project: Approved specification with data model and API contract is delivered.

APIs

Wk 6 · GraphQL
Lecture: Examine the GraphQL type system, resolvers, and trade-offs against REST.
Practice: Add a GraphQL layer over the project domain with schema and resolvers.
Project: Project offers a GraphQL interface alongside its REST API.

Wk 7 · API Design, Versioning, and Validation
Lecture: Discuss contract design, versioning strategies, pagination, and error modeling.
Practice: Add validation, pagination, and versioning to the project APIs.
Project: Project APIs are validated, paginated, and versioned.

Wk 8 · Interim Demo Milestone · Presentation
Lecture: Cover authentication models, tokens, and session management foundations.
Practice: Student teams present an interim demo of the project APIs and data layer.
Project: Working API and data layer are demonstrated.

Security

Wk 9 · Authentication and Sessions
Lecture: Examine session versus token authentication, OAuth, and OpenID Connect flows.
Practice: Implement secure authentication and session handling in the project.
Project: Project enforces authenticated, session-aware access.

Wk 10 · Authorization and Access Control
Lecture: Discuss role and attribute-based access control and least-privilege design.
Practice: Add fine-grained authorization rules to project endpoints.
Project: Project enforces role-based access control across resources.

Scale

Wk 11 · Caching
Lecture: Analyze caching layers, invalidation strategies, and consistency trade-offs.
Practice: Add response and data caching with an invalidation strategy to the project.
Project: Project serves cached responses with controlled invalidation.

Wk 12 · Scaling and Concurrency
Lecture: Cover horizontal scaling, statelessness, replication, and the CAP trade-off.
Practice: Load test the project and add scaling and concurrency safeguards.
Project: Project sustains load through scaling and concurrency control.

Capstone

Wk 13 · Final Demo and Defense · Presentation
Lecture: Synthesize API, data, security, and scaling principles for back-end systems.
Practice: Student teams present the final demo with an oral defense of API, data, and scaling decisions.
Project: Final back-end system is delivered with documentation and defense.

AI tools in this course

Students use AI assistants to generate REST and GraphQL handlers, refactor resolvers, and draft normalized SQL schemas with sensible indexes and migrations. They prompt tools to write contract and integration tests, seed realistic data, and build k6 load scripts, while connecting agents to database and API MCP servers to inspect query plans and propose tuning. AI helps reason about caching and invalidation strategies and draft JWT and role-based access rules, which students then probe for authorization gaps. Every generated query and auth rule is reviewed, since a plausible-looking AI suggestion can leak data or trigger an N+1 performance cliff.

Student project

Teams build one back-end service that grows from basic endpoints into a complete API platform with a tuned data layer. The service exposes both REST and GraphQL, enforces secure authentication and authorization, and adds caching and scaling to meet load targets. Each increment is validated with automated and contract tests.

Requirements

  • Build a working system, not a set of disconnected exercises.
  • Be original: a new system that solves a real problem, not a re-implementation of a tutorial or course demo.
  • Show real depth: real data, real users or realistic load, and engineering trade-offs that are measured rather than assumed.
  • Carry one running project from specification to a deployed, defensible result across the whole term.
  • Work in a team of three or four and defend the design at each of the three presentations (weeks 5, 8, and 13).

Example projects

  • Blogging and CMS API
  • E-commerce catalog and orders
  • Social feed backend
  • Booking and scheduling service
  • Project management API
  • Inventory and warehouse system
  • Learning platform backend
  • Payments ledger service

Assessment & grading

Grading is project-based, with no written exam. Teams of three or four present one running project three times.

Component | What it covers | Weight
Project · Specification | Presentation 1 (week 5): problem, objectives, and architecture | 20%
Project · Interim | Presentation 2 (week 8): the working system demonstrated live | 30%
Project · Final | Presentation 3 (week 13): end-to-end demo with oral defense | 50%

Tools & platforms

Free online courses

Existing free, video-based courses this course can build on, for self-study or as a teaching basis.

In Hebrew

Primary literature

Seminal works to read for graduate-level depth.

References

Books and resources link to an online or publisher page.

Role in each concentration

Concentration | Role
Intelligent Software Systems | Core · Semester 2
Networking & Cyber Security | Elective
AI & Robotics | Elective
AI and Quantum Computing for Finance | Elective
Immersive Systems & Game Development | Elective
Defense Technologies & Autonomous Systems | Elective