Resources
Curated external references. The first place to go for each discipline, picked for being authoritative and freely readable. Every link opens in a new tab.
Inclusion criterion: free or zero-friction free tier. No paywalled books, no "free trial that converts to paid", no marketing-gated PDFs. If a course costs money for the certificate but is free to audit, it's listed. If a book has its full text online for free, it's listed; if it doesn't, it isn't. The bar is "a viber on hopes and dreams and empty wallets can use this today."
Engineering discipline
How code is structured, named, organized, and reviewed. Vibe-coded apps reach the same bar as hand-written code only when these are deliberately practiced, not assumed.
12-Factor App https://12factor.net/
The reference model for SaaS apps that are configurable, deployable, and operable. Twelve principles, each worth internalizing.
Google Engineering Practices Documentation https://google.github.io/eng-practices/
Open-sourced internal docs on code review (both as reviewer and as author). Short, practical, free.
OpenAPI Specification https://www.openapis.org/
The standard way to describe an HTTP API. Type-safe clients, generated docs, contract tests.
Conventional Commits https://www.conventionalcommits.org/
A small spec for commit messages that pays for itself in auto-generated changelogs and PR review speed.
TypeScript Handbook https://www.typescriptlang.org/docs/handbook/intro.html
The closer-to-canon reference for TypeScript itself. Better than most blog posts that claim to summarize it.
Application security
The authoritative references behind most of PreFlight's probes. Read OWASP first; everything else makes more sense after it.
OWASP Top 10 (2025) https://owasp.org/Top10/
The ten highest-prevalence application-security risks. Each entry has a "what to do about it" section.
OWASP LLM Top 10 (2025) https://genai.owasp.org/llm-top-10/
The LLM-specific equivalent. Covers prompt injection, sensitive information disclosure, agent autonomy, and seven more.
OWASP API Security Top 10 https://owasp.org/API-Security/
For HTTP-only systems (no UI rendering), this is the more relevant list.
OWASP Cheat Sheet Series https://cheatsheetseries.owasp.org/
Concrete how-to guidance per topic. Auth, sessions, JWT, CORS, XSS, CSP, every concrete control.
MITRE CWE https://cwe.mitre.org/
Common Weakness Enumeration. The taxonomy every CVE traces back to. PreFlight findings carry CWE IDs that link here.
CISA Cybersecurity Advisories https://www.cisa.gov/news-events/cybersecurity-advisories
US-government threat intel. The named actor groups, the active campaigns, the patch advisories.
Design and UX
A vibe-built app can be functionally correct and still unusable. Free design references that produce usable, accessible interfaces by default.
Practical Typography (Matthew Butterick) https://practicaltypography.com/
A free book on typography written for working developers. The opinionated defaults section alone is worth reading.
Nielsen Norman Group articles https://www.nngroup.com/articles/
Forty years of UX research, summarized in readable articles. The reference for how users actually behave.
Refactoring.Guru — Design Patterns https://refactoring.guru/design-patterns
Software design patterns explained with diagrams and worked code.
Material Design 3 https://m3.material.io/
A complete design system with research-backed defaults. Even if you don't adopt it wholesale, the rationale per component is valuable.
Apple Human Interface Guidelines https://developer.apple.com/design/human-interface-guidelines
Apple's reference for what good UI feels like across their platforms. Free.
IBM Carbon Design System https://carbondesignsystem.com/
IBM's open-source design system. Tokens, components, patterns, all documented.
Atlassian Design System https://atlassian.design/
Atlassian's design system. Strong on collaboration / workflow patterns.
CS fundamentals
If you came up without a CS degree and want to fill in the gaps, this is where to start. Free curricula and textbooks. Stop pretending you have to pay $10k to learn what a hash table is.
Harvard CS50 https://cs50.harvard.edu/
Harvard's intro CS course. Free to audit on edX, full lecture videos on YouTube. The default "where do I start" answer.
Teach Yourself Computer Science https://teachyourselfcs.com/
A curated curriculum of nine free university-grade CS courses + textbooks, in recommended order.
Open Source Society University (CS) https://github.com/ossu/computer-science
A community-curated CS degree using only free online materials. Path through algorithms, systems, theory, AI.
MIT Missing Semester https://missing.csail.mit.edu/
The class that teaches the tooling no CS program does: shell, vim, git, debugging, profiling, security tools.
MIT OpenCourseWare https://ocw.mit.edu/
Free lecture notes, problem sets, and (often) video from most MIT undergrad classes including the entire 6.xxx CS sequence.
Crafting Interpreters https://craftinginterpreters.com/
A free book that builds a working programming language from scratch. The clearest single text on how compilers work.
Open Data Structures https://opendatastructures.org/
A free textbook covering every data structure a working developer encounters.
The Algorithms (GitHub) https://github.com/TheAlgorithms
Reference implementations of every standard algorithm in every common language. Read, don't paste.
freeCodeCamp https://www.freecodecamp.org/
Free, hands-on, browser-based curriculum across CS, web dev, data, ML, security. Verified certifications, no paywall.
roadmap.sh https://roadmap.sh/
Visual roadmaps for major paths (frontend, backend, devops, AI engineer, etc.) linking to free resources.
Software architecture
Once you have more than one moving part, you need a vocabulary for how the pieces fit. Free references; the field has more good free writing than good paid books.
Martin Fowler's bliki https://martinfowler.com/bliki/
Martin Fowler's long-running architecture blog. Microservices, CQRS, event sourcing, the original sources for many terms.
Software Engineering at Google (free PDF) https://abseil.io/resources/swe-book
O'Reilly published it as a book; Google posts the full PDF free. How engineering works at scale.
Google SRE books (free online) https://sre.google/books/
Two free books on running production. SRE Book + Workbook. The reference for the SLO/SLI/error-budget vocabulary.
AWS Well-Architected Framework https://aws.amazon.com/architecture/well-architected/
AWS's framework for designing reliable, secure, efficient, sustainable workloads. Vendor-flavored but transferable.
Microsoft Azure Architecture Center https://learn.microsoft.com/en-us/azure/architecture/
Microsoft's catalog of architecture patterns with worked examples per pattern. Free.
High Scalability http://highscalability.com/
A long-running blog featuring detailed writeups of how real systems at scale are built. Mostly free.
Papers We Love https://paperswelove.org/
A community curating classic and current CS papers. Distributed systems, databases, programming languages, security.
Pat Helland's papers https://www.microsoft.com/en-us/research/people/phelland/
One of the clearest writers in distributed systems. "Life Beyond Distributed Transactions" is mandatory.
CNCF Cloud Native Glossary https://glossary.cncf.io/
The cross-vendor reference for cloud-native terminology. Pairs well with our internal glossary.
Deep learning and AI engineering
If you're shipping AI features, this is the ground floor. All free, all from the people actually building the field.
fast.ai https://www.fast.ai/
The two free deep-learning courses everyone recommends. Practical Deep Learning for Coders is the entry point.
Hugging Face Course https://huggingface.co/learn
Free courses on NLP, audio, computer vision, RL, agents. Hands-on with the ecosystem most people actually use.
Andrej Karpathy — Neural Networks: Zero to Hero https://karpathy.ai/zero-to-hero.html
A free YouTube series that builds up to GPT-style models from scratch. The closest to first-principles you'll find.
Deep Learning (Goodfellow, Bengio, Courville) https://www.deeplearningbook.org/
The reference textbook. The complete book is free online. Heavy on theory; pair with hands-on courses.
Dive into Deep Learning https://d2l.ai/
A free interactive textbook with code in PyTorch, TensorFlow, JAX, MXNet. Used in 500+ universities.
3Blue1Brown — Neural Networks https://www.3blue1brown.com/topics/neural-networks
The visualization series that finally makes backpropagation make sense. Free.
Distill.pub https://distill.pub/
Long-form interactive explainers of deep learning research. Inactive since 2021 but the archive is gold.
Stanford CS231n / CS229 / CS224N https://cs231n.stanford.edu/
Stanford's computer-vision, ML, and NLP courses. Lecture videos and assignments posted free.
MIT 6.S191 — Introduction to Deep Learning http://introtodeeplearning.com/
MIT's intro DL course. New videos each year, all free, with labs.
Anthropic Cookbook https://github.com/anthropics/anthropic-cookbook
Hands-on examples for building with Claude. Tool use, agents, RAG, evaluations.
OpenAI Cookbook https://cookbook.openai.com/
OpenAI's recipes for embeddings, RAG, function calling, fine-tuning, evaluation. Free.
LangChain documentation https://python.langchain.com/docs/get_started/introduction
The most-cited agent / chain framework. Docs are free; the framework decisions are opinionated.
Accessibility
15-20% of users need accessibility considerations. The guidelines below are what regulators look at and what assistive tech expects. PreFlight's A11y Landmarks probe surfaces a subset.
WCAG 2.2 https://www.w3.org/TR/WCAG22/
The authoritative web accessibility guidelines. Read the success criteria (numbered like 2.4.7) not the principles overview.
WebAIM https://webaim.org/
Practical accessibility guidance and the WebAIM Million annual report on real-world site accessibility.
MDN — Accessibility https://developer.mozilla.org/en-US/docs/Web/Accessibility
Reference docs for ARIA roles, accessible patterns, and browser-level accessibility APIs.
Inclusive Components https://inclusive-components.design/
A book's worth of "how to build common UI components accessibly," free online.
Audit and review
PreFlight is one audit surface. The broader practice of code and security review is its own discipline.
OWASP Code Review Guide https://owasp.org/www-project-code-review-guide/
A long PDF covering how to do an application security code review end to end.
Stripe API Review (engineering blog) https://stripe.com/blog/api-versioning
Worked example of how Stripe versions its API for a decade-plus without breaking integrations. The audit discipline at scale.
GitHub Security Lab https://securitylab.github.com/
Open-source advisories, CodeQL queries, and write-ups of real bugs. Excellent for learning how vulnerabilities actually present.
Supply chain
The 2025-2026 wave of npm worms ([Shai-Hulud](/learn/incidents/mini-shai-hulud-tanstack-2026-05), [Sapphire Sleet](/learn/incidents/sapphire-sleet-axios-2026-03), [Bitwarden CLI](/learn/incidents/intercom-client-bitwarden-cli-2026-04)) was a wake-up call. The references below carry the discipline forward.
Observability and operations
What happens after the audit. Logs, metrics, traces, alerting, and the discipline of running production.
OpenTelemetry https://opentelemetry.io/
The cross-vendor standard for tracing, metrics, and logs. Stops you from being locked into one observability vendor.
Google SRE Books https://sre.google/books/
Two free books on running production at Google scale. Even if you operate at much smaller scale, the discipline is portable.
CNCF Observability Whitepaper https://github.com/cncf/tag-observability/blob/main/whitepaper.md
Vendor-neutral framing of what observability means and what it costs.
AI-assisted coding
The audience PreFlight is built for. References for using AI coding tools deliberately rather than incidentally.
Spot a broken link or a reference that should be here? File an issue or open a PR at github.com/midatlanticAI/PreFlight. The list lives in src/components/learn/ResourcesView.jsx and is reviewed against Demi's voice rules before merge.