# application security

// [49] real interview questions. Answers and sources live in the practice app.

practice this topic
  1. Broken Access Control is A01 in the OWASP Top 10 2021. What does it look like in a real API, and how do you prevent it?(mid)
  2. How do you prevent SQL injection — and why is the answer more than just 'use an ORM'?(mid)
  3. In code review you find a SQL query built by string concatenation. The author says 'it's fine, the input is validated at the API layer.' How do you respond?(mid)
  4. You need to let users sort a table by a column they choose. Why can't you parameterize the ORDER BY clause, and what do you do instead?(senior)
  5. Why does XSS prevention require different output encoding per context, and what are the main contexts?(mid)
  6. What is a DOM XSS 'sink'? Name common dangerous sinks and their safe alternatives.(mid)
  7. How does Content-Security-Policy mitigate XSS, and why does allowing 'unsafe-inline' largely defeat it?(mid)
  8. You want to roll out a strict CSP on a large legacy application without breaking it. What is your rollout plan?(senior)
  9. What is CSRF, and what are the standard defenses?(junior)
  10. Explain the SameSite cookie attribute values, and why SameSite=Lax alone is not a complete CSRF defense.(mid)
  11. What is SSRF, and why is it especially dangerous in cloud environments?(mid)
  12. Your product adds a webhook feature: customers register a URL and your backend POSTs events to it. How do you design this to resist SSRF?(senior)
  13. Why do blocklist-based SSRF filters (e.g., 'reject URLs containing 127.0.0.1') routinely fail?(mid)
  14. Why is deserializing untrusted data dangerous, and how do you handle it safely?(mid)
  15. OWASP A08:2021 is 'Software and Data Integrity Failures.' What does that category cover beyond insecure deserialization?(senior)
  16. What does good dependency / supply-chain hygiene look like on a real project?(mid)
  17. Your scanner flags a critical CVE in a transitive dependency, but the maintainer hasn't released a patch. What are your options?(senior)
  18. How should application secrets (API keys, DB passwords) be stored and delivered in a production system?(mid)
  19. A developer accidentally committed an AWS access key to a public GitHub repo an hour ago. Walk through your incident response.(senior)
  20. Why should secrets be rotated regularly, and what makes rotation hard in practice?(mid)
  21. You're asked to threat model a new 'export my data' feature before it ships. How do you approach it?(mid)
  22. What does STRIDE stand for in threat modeling? Give a one-line example of each.(junior)
  23. Which HTTP security response headers would you set on a typical web application, and what does each one do?(mid)
  24. What does the Strict-Transport-Security (HSTS) header do, and what should you consider before adding 'preload'?(junior)
  25. What are the classic JWT validation pitfalls a backend must defend against?(mid)
  26. A user clicks 'log out' but their JWT is still valid until it expires. How do you handle revocation with stateless tokens?(mid)
  27. Where should a browser SPA store its auth token — localStorage or a cookie — and why?(mid)
  28. Where does rate limiting fit into application security, and what would you rate limit on a typical web app?(mid)
  29. What makes session management secure? Cover cookie attributes and session lifecycle.(mid)
  30. What's the difference between encryption and hashing, and which one do you use for storing passwords?(junior)
  31. Explain the Same-Origin Policy, and how a careless CORS configuration undermines it.(mid)
  32. What is clickjacking, and how do you prevent it?(junior)
  33. Your OAuth login lets users sign in with Google, and a pentester reports they can take over accounts. Walk through the classic OAuth/OIDC misconfigurations that cause this.(senior)
  34. What is PKCE, which problem does it solve, and why is it now recommended for all OAuth clients, not just mobile apps?(mid)
  35. A build engineer asks 'why can't we just install any npm/pip package the code imports?' Explain dependency confusion and typosquatting as concrete supply-chain attacks, and the defensive setup.(senior)
  36. How do you set up secret scanning so a leaked API key is caught before it ever reaches a public repo — and what do you do about the years of git history you already have?(mid)
  37. After a code review you realize a former contractor's access, some long-lived tokens, and a few over-permissioned service accounts were never cleaned up. How do you reason about and fix this from a least-privilege standpoint?(senior)
  38. 'Secure by default' keeps coming up in security reviews. What does it actually mean at the level of a framework config or an API design, with concrete examples?(mid)
  39. Your session store is a single Redis and you're scaling to millions of concurrent users across regions. What session-management pitfalls appear at scale, and how do you keep it both secure and available?(senior)
  40. You're doing a secure-defaults review of a new service before launch. What's the concrete checklist you run through, and why each item?(mid)
  41. What is mass assignment (a.k.a. autobinding / object injection), and how does it turn a normal update endpoint into privilege escalation?(mid)
  42. A security-conscious teammate wants to add a WAF and call the app 'protected'. How do you frame what a WAF does and doesn't do, without dismissing it?(senior)
  43. Why is logging both a security control and a security risk? What belongs in a security log and what must never go into one?(mid)
  44. A password reset flow is being designed. List the ways it can be attacked and the secure design, because reset flows are a favorite target.(senior)
  45. Your team argues about whether to validate input with an allow-list or a block-list. What's the difference, and when is each the right tool?(mid)
  46. You type your card number into a shopping site and it charges you — but afterward the merchant can refund you without ever storing your real card number. How is that possible?(mid)
  47. Your password manager auto-fills your login on the real bank site but stays silent on a look-alike phishing page that looks identical to you. How does it know the difference when you can't tell?(mid)
  48. Your work laptop is stolen from a train. IT tells you the thief "can't read your files even though they physically have the drive." What technology makes that true, and where's its weak point?(senior)
  49. You're logged into your bank in one tab, then a random site in another tab tries to quietly make your browser POST a transfer to that bank using your session. Why can that even happen, and what stops it?(mid)