Security

Question 1

AuthN vs AuthZ

Answer 1

Authentication (AuthN) = who you are (validate identity). Authorization (AuthZ) = what you are allowed to do (enforce permissions on actions/resources).

Question 2

CIA triad

Answer 2

Confidentiality (prevent data leaks), Integrity (prevent unauthorized changes), Availability (keep service usable). Security decisions usually trade off among these.

Question 3

Least privilege

Answer 3

Grant only the minimum permissions needed (IAM policies, DB roles, app permissions). Reduce blast radius if credentials are leaked.

Question 4

Trust boundary

Answer 4

A point where data crosses from a less-trusted zone to a more-trusted one (client→API, service→service, API→DB). Re-validate/authorize at each boundary.

Question 5

Defense in depth

Answer 5

Use multiple independent layers (network controls + IAM + app authz + validation + logging). Assume one layer can fail.

Question 6

What is OWASP Top 10 used for?

Answer 6

A reference list of common web app/API risk categories (e.g., broken access control, injection, misconfiguration). Useful as a checklist for reviews.

Question 7

Broken Access Control (example)

Answer 7

IDOR: user accesses /accounts/123 and can see another user’s data by guessing IDs. Fix: authorize access to the specific resource (ownership/tenant checks).

Question 8

IDOR prevention

Answer 8

Never trust only the resource ID. Always check ownership/tenant match server-side. Prefer opaque IDs when possible (still must authorize).

Question 9

SQL injection prevention

Answer 9

Use parameterized queries/prepared statements. Avoid string concatenation for SQL. Validate/allowlist dynamic sort fields and column names.

Question 10

Sensitive data exposure prevention

Answer 10

TLS for in-transit, encryption at rest, strict access controls, minimize data returned, avoid logging secrets/PII, and strong key management.

Question 11

Security misconfiguration examples

Answer 11

Publicly accessible databases, overly permissive security groups, default credentials, verbose error pages, missing security headers.

Question 12

SSRF (what is it?)

Answer 12

Server-Side Request Forgery: attacker makes your server fetch internal/privileged URLs (metadata endpoints, internal services). Prevent with allowlists, egress controls, and URL validation.

Question 13

Input validation principle

Answer 13

Validate at boundaries (controller DTO validation + business rules). Prefer allowlists over blocklists (e.g., enum values).

Question 14

Do not trust client claims

Answer 14

Never accept roles/tenant IDs from request body; derive them from the validated token or server-side lookup.

Question 15

Encryption in transit

Answer 15

Use HTTPS/TLS for client↔API and ideally TLS/mTLS for service↔service in sensitive environments.

Question 16

Encryption at rest

Answer 16

Encrypt DB/storage (e.g., RDS encryption, EBS, S3 SSE). Ensure backups and snapshots are encrypted too.

Question 17

Token vs session (high level)

Answer 17

Sessions often use cookies and server-side state; tokens (JWT) are usually stateless and validated on each request.

Question 18

JWT is not encrypted

Answer 18

JWT payload is Base64URL-encoded, not encrypted by default. Never put secrets in JWT claims.

Question 19

JWT must-validate checklist

Answer 19

Validate signature, expiration (exp), issuer (iss), audience (aud), and token not-before (nbf) if used. Reject tokens with weak/none algorithms.

Question 20

JWT key rotation

Answer 20

Use key IDs (kid) and rotate signing keys. Services should fetch keys from a JWKS endpoint and cache with TTL.

Question 21

OAuth2 in one sentence

Answer 21

A framework for delegated authorization. APIs often act as ‘resource servers’ validating access tokens issued by an Identity Provider.

Question 22

Scopes vs roles

Answer 22

Scopes are typically OAuth2 permissions for an app/client (e.g., read:orders). Roles are user/group permissions. Many systems map both into authorities.

Question 23

Access token vs refresh token

Answer 23

Access token: short-lived, used on requests. Refresh token: longer-lived, used to obtain new access tokens (should be stored/handled very carefully).

Question 24

Why short-lived tokens?

Answer 24

Limits damage if token is stolen. Combine with rotation and revocation strategies where needed.

Question 25

Replay attack (API)

Answer 25

An attacker reuses a captured request/token. Mitigate with TLS, short token TTLs, nonce/idempotency keys for sensitive operations, and server-side checks.

Question 26

Idempotency key

Answer 26

A client-provided key used so the server can safely handle retries without duplicating side effects (e.g., payments). Store key + result for a time window.

Question 27

CORS (what is it?)

Answer 27

A browser security mechanism controlling cross-origin requests. It’s not an API security control by itself; servers still must authenticate/authorize.

Question 28

CORS best practice

Answer 28

Allow only required origins, methods, and headers. Avoid wildcard origins for authenticated endpoints.

Question 29

CSRF (what is it?)

Answer 29

Cross-Site Request Forgery: attacker causes a user's browser to send authenticated requests. Relevant for cookie-based auth; less so for pure token-in-header APIs.

Question 30

CSRF mitigation

Answer 30

Use CSRF tokens for cookie sessions, SameSite cookies, and avoid state-changing GETs.

Question 31

Spring Security: common approach for APIs

Answer 31

Configure Spring Boot as a resource server to validate JWTs, enforce authentication on endpoints, and use method/URL authorization rules.

Question 32

Constructor injection and security

Answer 32

Constructor injection makes dependencies explicit and testable (including security-related services like authorization checks).

Question 33

Method-level authorization benefit

Answer 33

Enforcing authz in the service layer protects reused code paths and reduces reliance on controller-only checks.

Question 34

Example: RBAC

Answer 34

Role-based access control: roles like ADMIN/USER. Simple but can be too coarse for multi-tenant ownership rules.

Question 35

Example: ABAC

Answer 35

Attribute-based access control: policies based on attributes like tenantId, department, resource ownerId. More flexible and safer for multi-tenant.

Question 36

Multi-tenant golden rule

Answer 36

Always enforce tenant isolation server-side. Every query should be scoped by tenantId derived from the token/context.

Question 37

Tenant ID source

Answer 37

Prefer tenantId from validated token claims or server-side session context, not user input.

Question 38

Object-level authorization

Answer 38

Authorization based on a specific resource instance (e.g., user can read order only if order.ownerId == user.id).

Question 39

Centralized error handling (security)

Answer 39

Return consistent errors (401/403/400) without leaking stack traces. Log internal details with correlation IDs.

Question 40

401 vs 403

Answer 40

401 Unauthorized = not authenticated/invalid token. 403 Forbidden = authenticated but lacks permission.

Question 41

Security logging rule

Answer 41

Never log passwords, tokens, secret keys. Mask sensitive fields. Use correlation IDs for tracing.

Question 42

Rate limiting purpose

Answer 42

Protects against brute force and abuse; improves availability. Apply to login endpoints and expensive operations.

Question 43

Brute force login mitigation

Answer 43

Rate limit, lockout with care, CAPTCHA/MFA if applicable, and monitor suspicious patterns.

Question 44

Password hashing best practice

Answer 44

Use bcrypt/scrypt/Argon2; never store plaintext. Do not use fast hashes like SHA-256 for passwords.

Question 45

Why bcrypt/Argon2?

Answer 45

They are slow and resistant to brute-force (cost factor), making stolen hashes harder to crack.

Question 46

Secure password reset

Answer 46

Use one-time, time-limited tokens. Don’t reveal whether an email exists. Invalidate tokens after use.

Question 47

Principle of fail-safe defaults

Answer 47

Default deny: if you’re unsure, reject the request. Explicitly allow only what is necessary.

Question 48

Security headers (high-level)

Answer 48

Use headers like HSTS, X-Content-Type-Options, Content-Security-Policy (web), and set correct cache headers for sensitive data.

Question 49

Data minimization

Answer 49

Return only necessary fields in API responses. Use DTOs; avoid exposing internal entity models.

Question 50

Avoid verbose error messages

Answer 50

Do not return internal exception details to clients. Provide a stable error code and message; log details internally.

Question 51

Dependency vulnerabilities

Answer 51

Keep libraries updated. Use dependency scanning (SCA) in CI to detect known CVEs.

Question 52

SAST vs DAST

Answer 52

SAST scans source/bytecode for patterns; DAST tests the running app. Both are complementary.

Question 53

Secret scanning

Answer 53

Use tooling (GitHub secret scanning, pre-commit hooks) to prevent committing credentials.

Question 54

Where should secrets live?

Answer 54

In a secret manager (AWS Secrets Manager / SSM Parameter Store) or CI secret store; injected at runtime.

Question 55

AWS IAM: user vs role

Answer 55

Prefer roles for workloads (EC2 instance profile, ECS task role, Lambda role). Avoid long-lived access keys.

Question 56

AWS IAM policy scope

Answer 56

Limit actions and resources (ARNs). Avoid '*'. Use condition keys when possible.

Question 57

Security groups

Answer 57

Stateful firewall rules attached to instances/ENIs. Allow least required inbound/outbound.

Question 58

NACLs

Answer 58

Stateless subnet-level rules. Typically a second layer; security groups are primary in many setups.

Question 59

Public vs private subnets

Answer 59

Public: route to Internet Gateway. Private: no direct inbound from internet; use NAT for outbound if needed.

Question 60

Database exposure best practice

Answer 60

Keep DB in private subnets; restrict inbound to app security group only; avoid public endpoints.

Question 61

Encryption in RDS (concept)

Answer 61

Enable storage encryption and enforce TLS connections where supported; rotate credentials regularly.

Question 62

S3 security basics

Answer 62

Block public access by default, use bucket policies carefully, enable encryption (SSE), and least privilege IAM access.

Question 63

mTLS (what is it?)

Answer 63

Mutual TLS: both sides present certificates. Strengthens service-to-service authentication inside a network.

Question 64

Timeouts are security too

Answer 64

Timeouts prevent resource exhaustion and cascading failures; they also reduce attack surface for slow-loris style abuse.

Question 65

Retries: safe use

Answer 65

Retry only idempotent operations and use exponential backoff + jitter. Cap retries to avoid thundering herds.

Question 66

Circuit breaker purpose

Answer 66

Stops repeated calls to failing dependencies, preventing cascades and improving availability.

Question 67

Audit logging (what to capture)

Answer 67

Who did what and when: actor, action, target resource ID, outcome, traceId—without sensitive payloads.

Question 68

PII handling principle

Answer 68

Collect/store the minimum needed; restrict access; encrypt; redact in logs; comply with retention policies.

Question 69

Data retention

Answer 69

Keep data only as long as needed; define retention and deletion policies (important for compliance).

Question 70

Secure file uploads

Answer 70

Validate content type, limit size, scan for malware, store outside web root, use random filenames, and restrict access.

Question 71

Content-type validation risk

Answer 71

Relying only on file extension is unsafe. Validate MIME type and/or inspect file headers (magic bytes).

Question 72

Open redirect risk

Answer 72

Avoid redirecting to user-supplied URLs. Use allowlists or relative paths.

Question 73

Clickjacking (web)

Answer 73

Prevent embedding with headers (X-Frame-Options / CSP frame-ancestors). Mostly relevant for web UIs.

Question 74

Deserialization risk

Answer 74

Avoid unsafe deserialization of untrusted data. Prefer JSON libraries with safe configs; do not deserialize arbitrary objects.

Question 75

HTTP security: safe methods

Answer 75

Avoid state changes via GET. Use POST/PUT/PATCH/DELETE for mutations. Helps prevent CSRF-like issues and caching surprises.

Question 76

Authentication at gateway vs service

Answer 76

Gateway can authenticate, but services should still authorize (and sometimes re-validate tokens) depending on architecture.

Question 77

Service-to-service auth options

Answer 77

JWT with service identities, mTLS, or signed requests. Choose based on threat model and platform capabilities.

Question 78

RBAC pitfall

Answer 78

Role explosion or overly broad roles. Consider permissions/ABAC for fine-grained access.

Question 79

Authorization caching pitfall

Answer 79

Caching permissions can cause stale auth decisions. If caching, keep TTL short and design for revocation.

Question 80

JWT revocation challenge

Answer 80

Stateless tokens are hard to revoke immediately. Use short TTLs, refresh tokens, and optionally token introspection/deny lists.

Question 81

Principle of secure by default

Answer 81

New endpoints should require auth by default; explicit exceptions only (e.g., health checks).

Question 82

Least privilege for DB accounts

Answer 82

Use separate DB users/roles per service with minimal permissions; avoid using superuser accounts.

Question 83

Protect against mass assignment

Answer 83

Bind only allowed fields in request DTOs; don’t map arbitrary JSON into entities without controls.

Question 84

Mass assignment example

Answer 84

If API accepts user JSON and maps directly to entity, attacker may set isAdmin=true. Fix: DTO allowlist fields.

Question 85

Prevent information disclosure in 404

Answer 85

Don’t reveal whether a resource exists if user lacks access. Consider returning 404 instead of 403 for some resources (policy-driven).

Question 86

Security testing: what to add

Answer 86

Unit tests for authz rules, integration tests for 401/403 flows, and regression tests for known vulnerabilities.

Question 87

Threat modeling (basic)

Answer 87

Identify assets, entry points, trust boundaries, attackers, and mitigations. Use it to guide security priorities.

Question 88

What is a security incident?

Answer 88

An event that compromises confidentiality, integrity, or availability (e.g., data leak, account takeover, ransomware).

Question 89

Incident response priorities

Answer 89

Containment/mitigation first, then root cause, then prevention (patches, monitoring, postmortem action items).

Question 90

Logging for incident response

Answer 90

Keep enough context (traceId, actor, action) to investigate, but avoid storing secrets/PII unnecessarily.

Question 91

Principle of separation of duties

Answer 91

Separate permissions for deploy, admin actions, and data access. Reduce risk of single credential compromise.

Question 92

Secure defaults for Spring endpoints

Answer 92

Require authentication for all routes, explicitly permit only public endpoints, and avoid exposing actuator endpoints publicly.

Question 93

Actuator endpoint security

Answer 93

Protect Actuator with auth and network restrictions; expose only required endpoints; avoid leaking env/config.

Question 94

Avoid hard-coded crypto

Answer 94

Use proven libraries and platform features. Don’t implement your own encryption or token signing.

Question 95

Salt vs pepper (passwords)

Answer 95

Salt is per-user and stored with hash; pepper is a secret global value stored separately. Many systems only use salt via bcrypt/Argon2.

Question 96

Why use constant-time compares?

Answer 96

To reduce timing attacks when comparing secrets/tokens. Many libs provide safe comparison methods.

Question 97

Secure pagination/filtering

Answer 97

Avoid exposing unrestricted queries. Add limits, validate sort fields, and protect against expensive filters.

Question 98

DoS protection basics

Answer 98

Rate limiting, request size limits, timeouts, circuit breakers, and resource quotas.

Question 99

Secure configuration management

Answer 99

Separate config from code, use profiles, validate required settings, and avoid secrets in config files.

Question 100

Key management basics

Answer 100

Rotate keys, limit access, audit usage, and use managed KMS where possible.

Question 101

KMS in one sentence

Answer 101

AWS Key Management Service manages encryption keys and allows controlled encrypt/decrypt operations with auditing.

Question 102

Audit vs application logs

Answer 102

Audit logs track security-relevant actions; application logs track operational behavior. Both should be correlated via traceId.

Question 103

Security reviews: checklist items

Answer 103

AuthN/AuthZ, input validation, data exposure, logging redaction, dependency updates, least privilege, and safe defaults.

Question 104

Common security code smells

Answer 104

String-built SQL, direct entity exposure, trusting request-provided roles/tenantId, logging tokens, and public resources by default.

Question 105

If you can only do 3 security things

Answer 105

1) Strong AuthN/AuthZ with ownership checks, 2) Secure secrets + least privilege, 3) Good observability (logs/metrics) with redaction.

Question 106

What is 'authentication at the edge'?

Answer 106

Performing authentication at an API gateway/load balancer layer. Still ensure services enforce authorization and don’t trust unauthenticated internal traffic.

Question 107

Why separate environments (dev/staging/prod) for security?

Answer 107

Limits exposure and reduces risk. Prod should have strict access, secrets, and logging; dev should not share prod credentials.

Question 108

How to handle 3rd-party API keys securely?

Answer 108

Store in secret manager, rotate regularly, scope permissions if possible, and avoid logging them.

Question 109

How do you secure admin endpoints?

Answer 109

Require strong auth, separate roles, consider network restrictions, and log/audit all admin actions.

Question 110

What is 'secure coding' in one sentence?

Answer 110

Writing code that assumes inputs can be hostile, enforces access control consistently, protects data, and fails safely.