OWASP Top 10 overview
Common web risks: injection, broken auth, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, insufficient logging & monitoring.
- Prioritize fixes based on risk and exploitability
- Adopt secure defaults and defense-in-depth
Authentication vs Authorization
Authentication verifies who you are (login); authorization decides what you can do (permissions/roles). Always check authorization on the server.
JWT vs Server Sessions
JWT: stateless tokens signed by server; quick to scale; must manage expiration/rotation and avoid storing sensitive data. Sessions: state kept server-side; simple to revoke; requires shared store for scale.
// Express session cookie (express-session middleware)
import session from 'express-session';
app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false, cookie: { httpOnly: true, secure: true, sameSite: 'lax' } }));
XSS vs CSRF
XSS injects scripts into pages viewed by other users; prevent it via output escaping, CSP, and input sanitization. CSRF tricks a logged-in user's browser into performing actions on their behalf; prevent it via SameSite cookies and CSRF tokens.
CORS fundamentals
Cross-Origin Resource Sharing lets browsers request resources from other origins. Configure allowed origins, methods, and headers explicitly; never allow a wildcard origin when credentials are enabled.
// Express CORS (example)
import cors from 'cors';
app.use(cors({ origin: 'https://example.com', methods: ['GET', 'POST'], credentials: true })); // never combine origin: '*' with credentials: true
Hashing, salting, and key derivation
Store passwords using slow, salted hashes (bcrypt, scrypt, Argon2). Never store unsalted hashes. Use HKDF or PBKDF2 for key derivation.
// bcrypt example (bcryptjs): cost factor 12; the salt is generated and embedded in the hash
import bcrypt from 'bcryptjs';
const hash = await bcrypt.hash(password, 12); // on registration: store hash, never the password
const ok = await bcrypt.compare(input, hash); // on login: true if input matches the stored hash
HTTPS/TLS basics
TLS encrypts data in transit using certificates issued by CAs. Keep protocols/ciphers modern, enable HSTS, and rotate certificates automatically.
Preventing SQL Injection
Use parameterized queries or an ORM, validate inputs, and run with least-privilege DB users. Never build queries by string concatenation.
// Parameterized query
await db.query('SELECT * FROM users WHERE email = $1', [email]);
OWASP Top 10 overview
Common risks like injection, broken auth, sensitive data exposure, XXE, XSS, security misconfigurations, etc.; prioritize mitigations accordingly.
Authentication vs Authorization
Authn verifies who you are; authz defines what you can do. Implement with RBAC/ABAC and least privilege.
JWT pitfalls
Avoid long-lived tokens; validate the aud and iss claims, rotate signing secrets, reject tokens whose alg header is "none", and keep PII out of the payload.
XSS and CSRF mitigation
Escape user input, use a Content Security Policy, SameSite cookies, and CSRF tokens; prefer HttpOnly cookies for session storage.
Secrets management
Store secrets in a vault or KMS, never in code; rotate them regularly and restrict access via IAM policies.
SAST vs DAST
SAST scans source code for vulnerabilities; DAST tests the running application from the outside. Use both in CI, together with an SBOM, for supply-chain security.