# application security
// [49] real interview questions. Answers and sources live in the practice app.
practice this topic- Broken Access Control is A01 in the OWASP Top 10 2021. What does it look like in a real API, and how do you prevent it?(mid)
- How do you prevent SQL injection — and why is the answer more than just 'use an ORM'?(mid)
- In code review you find a SQL query built by string concatenation. The author says 'it's fine, the input is validated at the API layer.' How do you respond?(mid)
- You need to let users sort a table by a column they choose. Why can't you parameterize the ORDER BY clause, and what do you do instead?(senior)
- Why does XSS prevention require different output encoding per context, and what are the main contexts?(mid)
- What is a DOM XSS 'sink'? Name common dangerous sinks and their safe alternatives.(mid)
- How does Content-Security-Policy mitigate XSS, and why does allowing 'unsafe-inline' largely defeat it?(mid)
- You want to roll out a strict CSP on a large legacy application without breaking it. What is your rollout plan?(senior)
- What is CSRF, and what are the standard defenses?(junior)
- Explain the SameSite cookie attribute values, and why SameSite=Lax alone is not a complete CSRF defense.(mid)
- What is SSRF, and why is it especially dangerous in cloud environments?(mid)
- Your product adds a webhook feature: customers register a URL and your backend POSTs events to it. How do you design this to resist SSRF?(senior)
- Why do blocklist-based SSRF filters (e.g., 'reject URLs containing 127.0.0.1') routinely fail?(mid)
- Why is deserializing untrusted data dangerous, and how do you handle it safely?(mid)
- OWASP A08:2021 is 'Software and Data Integrity Failures.' What does that category cover beyond insecure deserialization?(senior)
- What does good dependency / supply-chain hygiene look like on a real project?(mid)
- Your scanner flags a critical CVE in a transitive dependency, but the maintainer hasn't released a patch. What are your options?(senior)
- How should application secrets (API keys, DB passwords) be stored and delivered in a production system?(mid)
- A developer accidentally committed an AWS access key to a public GitHub repo an hour ago. Walk through your incident response.(senior)
- Why should secrets be rotated regularly, and what makes rotation hard in practice?(mid)
- You're asked to threat model a new 'export my data' feature before it ships. How do you approach it?(mid)
- What does STRIDE stand for in threat modeling? Give a one-line example of each.(junior)
- Which HTTP security response headers would you set on a typical web application, and what does each one do?(mid)
- What does the Strict-Transport-Security (HSTS) header do, and what should you consider before adding 'preload'?(junior)
- What are the classic JWT validation pitfalls a backend must defend against?(mid)
- A user clicks 'log out' but their JWT is still valid until it expires. How do you handle revocation with stateless tokens?(mid)
- Where should a browser SPA store its auth token — localStorage or a cookie — and why?(mid)
- Where does rate limiting fit into application security, and what would you rate limit on a typical web app?(mid)
- What makes session management secure? Cover cookie attributes and session lifecycle.(mid)
- What's the difference between encryption and hashing, and which one do you use for storing passwords?(junior)
- Explain the Same-Origin Policy, and how a careless CORS configuration undermines it.(mid)
- What is clickjacking, and how do you prevent it?(junior)
- Your OAuth login lets users sign in with Google, and a pentester reports they can take over accounts. Walk through the classic OAuth/OIDC misconfigurations that cause this.(senior)
- What is PKCE, which problem does it solve, and why is it now recommended for all OAuth clients, not just mobile apps?(mid)
- A build engineer asks 'why can't we just install any npm/pip package the code imports?' Explain dependency confusion and typosquatting as concrete supply-chain attacks, and the defensive setup.(senior)
- How do you set up secret scanning so a leaked API key is caught before it ever reaches a public repo — and what do you do about the years of git history you already have?(mid)
- After a code review you realize a former contractor's access, some long-lived tokens, and a few over-permissioned service accounts were never cleaned up. How do you reason about and fix this from a least-privilege standpoint?(senior)
- 'Secure by default' keeps coming up in security reviews. What does it actually mean at the level of a framework config or an API design, with concrete examples?(mid)
- Your session store is a single Redis and you're scaling to millions of concurrent users across regions. What session-management pitfalls appear at scale, and how do you keep it both secure and available?(senior)
- You're doing a secure-defaults review of a new service before launch. What's the concrete checklist you run through, and why each item?(mid)
- What is mass assignment (a.k.a. autobinding / object injection), and how does it turn a normal update endpoint into privilege escalation?(mid)
- A security-conscious teammate wants to add a WAF and call the app 'protected'. How do you frame what a WAF does and doesn't do, without dismissing it?(senior)
- Why is logging both a security control and a security risk? What belongs in a security log and what must never go into one?(mid)
- A password reset flow is being designed. List the ways it can be attacked and the secure design, because reset flows are a favorite target.(senior)
- Your team argues about whether to validate input with an allow-list or a block-list. What's the difference, and when is each the right tool?(mid)
- You type your card number into a shopping site and it charges you — but afterward the merchant can refund you without ever storing your real card number. How is that possible?(mid)
- Your password manager auto-fills your login on the real bank site but stays silent on a look-alike phishing page that looks identical to you. How does it know the difference when you can't tell?(mid)
- Your work laptop is stolen from a train. IT tells you the thief "can't read your files even though they physically have the drive." What technology makes that true, and where's its weak point?(senior)
- You're logged into your bank in one tab, then a random site in another tab tries to quietly make your browser POST a transfer to that bank using your session. Why can that even happen, and what stops it?(mid)