# auth & security
// [35] real interview questions. Answers and sources live in the practice app.
practice this topic- How does HTTPS work, and how does it differ from plain HTTP?(mid)
- How do SSL/TLS certificates work, and what is the purpose of a Certificate Authority?(mid)
- What is a man-in-the-middle attack, and why does HTTPS help protect against it?(mid)
- What is the difference between encryption and hashing, and which do you use for storing passwords?(junior)
- What is Cross-Site Scripting (XSS), and how do you prevent it?(mid)
- Write down a snippet of code affected by SQL injection and fix it.(junior)
- What is Cross-Site Request Forgery (CSRF), and how do you prevent it in practice?(mid)
- Explain the Same-Origin Policy and its importance. How does CORS relate to it?(mid)
- How can you prevent a user's session from being stolen, and what do you do once you suspect it has been?(mid)
- Describe how secure session management works in a web application: how is a session established, maintained, and terminated?(mid)
- Why are first-party cookies and third-party cookies treated so differently by browsers?(mid)
- How can web cookies compromise security, and which attributes do you set to safeguard them?(junior)
- What is two-factor authentication, and how would you add it to an existing web application?(senior)
- Logs risk containing sensitive information such as passwords or tokens. How would you deal with this?(mid)
- Why is it said that you should never invent or implement cryptography yourself?(junior)
- What is clickjacking, and what measures prevent it?(mid)
- Describe OAuth in relation to API security. What problem does it solve, and how does the authorization code flow work?(mid)
- How do you write secure code? What does 'secure by default' mean in day-to-day backend work?(senior)
- Which OAuth 2.0 flow do you pick for: a server-rendered web app, a mobile app, two backend services, and a smart TV?(senior)
- OAuth 2.0 vs OpenID Connect vs SAML — what does each one actually do?(junior)
- What's inside a JWT, how do you validate one, and what are the classic implementation mistakes?(mid)
- What is session fixation, and how is it different from session hijacking?(mid)
- Why do systems pair short-lived access tokens with refresh tokens, and how does refresh token rotation detect theft?(mid)
- A logged-in user changes /api/orders/1234 to /api/orders/1235 and sees someone else's order. What bug class is this, and how do you prevent it systematically?(mid)
- Where should secrets — database passwords, API keys — live in a production system, and what do you do when one leaks into git?(mid)
- Your login endpoint suddenly sees 100k failed attempts per hour spread across many accounts. What is happening, and how do you defend without wrecking UX?(mid)
- How do you secure a WebSocket endpoint, and what is cross-site WebSocket hijacking?(mid)
- TLS vs mutual TLS: what does mTLS add, and when do you actually need it?(senior)
- How would you detect that your application is vulnerable to — or actively being attacked via — SQL injection?(mid)
- When you click "Sign in with Google" on a site you've never used, that site logs you in without ever seeing your Google password. How does that work?(mid)
- You stay logged in to a social app for weeks, but your banking app kicks you out after five minutes idle. What mechanism explains both, and why the difference?(mid)
- The 6-digit code in your authenticator app changes every 30 seconds even with your phone in airplane mode. How is it generated, and why is it considered safer than an SMS code?(junior)
- A site warns you "this password appeared in a data breach" — yet you never told it your password was compromised, and it doesn't seem to send your password anywhere. How can it know without knowing your password?(senior)
- When you forget your password, the site emails you a reset LINK instead of just emailing you your current password. Why is that the secure design?(junior)
- You log in once at your company and then open email, chat, and the HR portal without ever typing your password again. What is happening behind that "log in once" experience, and how is it different from your browser just remembering the password?(senior)