Security (FE & BE)

Treat this hub as something you rehearse out loud. Senior interviewers probe whether you describe trust boundaries, specific controls, and what you'd watch in logs—not whether you memorized acronym lists.

How to use this page

Memorize contrasts in AuthN/Z + sessions vs tokens.
Use Recognition to map interviewer phrases to exploit classes instantly.
Run timed drills (below) weekly.

Topic study plan (deep pages)

Each topic: /security/topics/... with Core details → Understanding → Senior understanding → Diagram.

Topic	Focus
Identity: sessions vs bearer	Cookies, JWT trade space, rotation
TLS, secrets & rotation	Termination, vaults, leak response
Injections & safe sinks	SQLi, CMDi, deserialization
SSRF & controlled outbound HTTP	Egress, allowlists
XSS & Content-Security-Policy	Sinks, CSP depth
CSRF & session cookies	SameSite, tokens, origins
Audit logging & redaction	PII scrubbing, immutable audit

Future topic scaffolding: `content/core-docs/security/topics/topic-page-template.mdx` (`publishDocs: false`) — synced by `utils/sync-core-docs-publish.mjs`.

Core basics — identity & sessions

AuthN vs AuthZ

Term	Means	Typical staff trap
AuthN	prove who you are	weak MFA rollout
AuthZ	what you may do on object X	IDOR-style gaps
Federation/OIDC-ish	IdP-mediated login	sloppy `redirect_uri` + PKCE hygiene

Interview script:

“The SPA cannot enforce authZ. Every mutation API must authorize with server-side tenancy + resource ownership—even if FE hides navigation.”

Session cookies (`HttpOnly` + `Secure` + `SameSite`)

Wins	Obligations
JS cannot casually exfil credential	Provide CSRF defenses for ambient cookie replay
Server can revoke rapidly	Operational session-store scaling

JWT / bearer tokens

Wins	Obligations
Good for horizontal services	Stored in hostile JS ⇒ XSS amplification
Short verification latency	Mention `aud`, `iss`, `exp` + rotation

Transport & secrets hygiene

Operational checklist you'll say verbatim:

Item	Goal
TLS automation	no manual cert drift
protocol/cipher posture	phased tightening
HSTS rollout	degrade SSL stripping gradually
clear termination topology	LB/mesh/pod—who decrypts

Secrets: vault-backed, short TTL creds—not infinite env vars pasted in chats.

Leak response choreography:

Rotate → quantify exposure window → forensic logs scope → playbook-notify stakeholders per policy tier.

Input handling & injections (backend)

Class	Boundary	Primary control
SQLi	strings → queries	parameterized SQL / safe ORM idioms
Command injection	user text → shell	never shell interpolate—call structured APIs
Path traversal	path strings → filesystem	canonicalization + sandbox roots
Template injection	data → templating engines	escaping discipline + hardened templates
Unsafe deserialization	bytes → graphs	disallow untrusted formats; schemas + signatures

Defense-in-depth layering: narrowing input shapes does not substitute parameterized sinks—pair both.

SSRF — high-signal senior topic

Threat story: attacker-supplied fetch URL → internal or metadata-style endpoints → lateral movement.

Controls you should list fast:

Layer	Control
Network	egress default deny
Application	deterministic host/port allowlists
Parsing	deny odd URL schemes (`file://`, unexpected handlers); beware IP-encoded bypass attempts
Cloud awareness	hardened metadata access posture when relevant

Interview line: “Treat server-side HTTP fetch URLs as hostile input—assume metadata-style pivot risk until egress and allowlists prove otherwise.”

Browser platform defenses

Cross-site scripting (XSS)

Sink	Typical miss	Controls
HTML interpolation	naive string concat	contextual encoding helpers
URL attributes (`href`)	pasted user URL	sanitization lists
Dangerous sinks (`innerHTML`-class)	copy-pasta HTML	sanitization + CSP narrowing

Content-Security-Policy narrows blast radius. Nonces/hashes imply build pipeline choreography—mention cost honestly.

CSRF

Happens where cookies carry ambient authority hitting state-changing verbs.

Mitigations toolbox:

SameSite cookies; synchronous anti-CSRF tokens when needed; Origin / Referer checks acknowledging corporate proxy privacy caveats.

Clickjacking

frame-ancestors CSP / legacy X-Frame-Options compatibility awareness.

OAuth / OIDC pitfalls (conceptual bullets)

Mis-scoped redirect_uri, missing PKCE for SPA/native, refresh tokens mishandled, mixing public vs confidential client assumptions without audit.

Keep vendor specifics optional—pattern recognition wins.

Cryptography pragmatic boundaries

No custom primitives. Mention platform-supported categories only:

Use platform authenticated encryption (AEAD-style APIs)—no custom primitives. Centralize password hashing (argon2 / bcrypt-class) instead of per-service invention.

Distinguish disk encryption at rest vs field-level app crypto motivating compliance segregation of duties.

OWASP thematic map

Macro theme	Narrative snippet
Broken access control	IDOR enumeration + missing tenant predicates
Cryptographic gaps	lingering weak TLS remnants
Injection	templating/database confusion rows above
Misconfiguration	public buckets/debug toggles accidental
Sensitive data mishandling	logs/traces/screenshots exposures
Vulnerable deps	CVE intake SLA upgrades
Logging failures	intrusion invisible until invoices

Treat as mapping aid—not exhaustive memorization fetishizing numeric category IDs verbatim.

Supply chain safeguards

Pin versions + deterministic installs (lockfiles).
Automated dependency updates with a CVE response SLA (Renovate/Dependabot-class).
Immutable, signed release artifacts + protected default branches.
Least-privilege CI tokens (contents: write only where unavoidable).

Auditing vs noisy logs

Keep immutable audit logs (who changed IAM, roles, tenancy) separate from noisy developer debug telemetry so investigations remain trustworthy.

Automatically redact bearer tokens PAN-like PHI patterns at ingestion boundary—not optional grep hope culture.

STRIDE tactical micro-pass

Pick two letters relevant per scenario (verbosity dilutes credibility):

Letter	Quick question
S	spoofing feasible? MFA binding?
T	attacker tampering transport/stored payload unnoticed? integrity controls?
R	disputed actions undeniable? audits?
I	telemetry oversharing?
D	brute force / resource abuse possible? quotas?
E	escalate privilege via mis-tokened API? scopes tight?

Recognition cues (speed map)

If interviewer says…	Lead with
JWT debates	TTL + rotation + revocation + XSS story
CSRF mechanism	ambient cookies + verbs + defenses
SSRF remediation	egress + allowlisting + layering
IDOR probing	reproducible enumeration + ACL tests
Secret leak	blast rotation + scanners + IaC leakage
“Top risks” succinct	Broken access control + SSRF + supply chain succinct triad plausible

Memory hooks

Treat fetch URLs like shell.
AuthZ repeats per object—even when cookies look trusted.
CSP + encoding are partners, never substitutes.

Ignoring object-level ACL regressions disguised behind role-level RBAC only.

JWT without rotation TTL clarity — silent security debt.

Recording raw tokens / PII in analytics warehouse—silent compliance catastrophe.

/backend — SSRF egress, outbound service identity.
/frontend — DOM sinks & bundle hygiene.
/gen-ai + /dsa/interview-prep/generative-ai — injection via documents + risky tools.