Security Best Practices Flashcards
(10 cards)
What is SQL injection, and how do you prevent it?
SQL injection happens when untrusted input is concatenated into a SQL statement, so the input is parsed as SQL rather than treated as data. Prevent it with parameterized queries, which send the statement text and the values to the database separately. Example in Node.js with pg: await pool.query('SELECT * FROM users WHERE id = $1', [userId]); the value of userId can never change the structure of the query.
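Added example, not from the original flashcards: a concatenated query beside its parameterized form (the object shape matches what pg's pool.query(text, values) expects), plus an input check as defence in depth. The table and column names are assumed and no database is contacted.

```javascript
// Vulnerable: the input becomes part of the SQL text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function buildUnsafeQuery(userId) {
  return "SELECT * FROM users WHERE id = '" + userId + "'";
}

// Safe: the SQL text is fixed and the value travels as a separate parameter.
// This is the { text, values } shape pg's pool.query accepts.
function buildSafeQuery(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [userId] };
}

// Defence in depth: validate the shape of the input before it reaches the
// query, so malformed ids are rejected up front (assumed numeric ids).
function parseUserId(raw) {
  if (!/^\d{1,18}$/.test(String(raw))) {
    throw new Error('invalid user id');
  }
  return Number(raw);
}

// Constructed attacker input: closes the string literal and appends a tautology.
const payload = "1' OR '1'='1";
```

With the payload, buildUnsafeQuery produces a WHERE clause that matches every row, while buildSafeQuery's text is unchanged and the payload is simply the (non-matching) parameter value.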
How do you prevent Cross-Site Scripting (XSS) in a full-stack app?
Escape output for the context it lands in (HTML body, attribute, URL, JavaScript) and treat any HTML that must be rendered from user input as untrusted. Example: React escapes text by default, so reserve dangerouslySetInnerHTML for HTML that has first been cleaned with DOMPurify; in Express, set a Content-Security-Policy header that restricts script sources so an injected script that slips through cannot execute.
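Added example, not from the original flashcards: an HTML escaper applied to every untrusted value in a small template, and a Content-Security-Policy value that blocks inline scripts. The comment fields, the nonce source and the app instance in the usage comment are assumptions.

```javascript
// Escape the five characters that can change the HTML parser's state.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render a comment card. Every untrusted value passes through escapeHtml,
// and attribute values are always quoted so escaping alone is sufficient.
function renderComment({ author, body }) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Build a restrictive CSP: scripts only from our own origin or carrying the
// per-response nonce, so an injected <script> or onerror= handler will not run.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Express usage (assumes an `app` instance and a per-request nonce in res.locals.nonce):
// app.use((req, res, next) => {
//   res.setHeader('Content-Security-Policy', buildCsp(res.locals.nonce));
//   next();
// });
```

The attribute case matters: an author value of `" onmouseover="alert(1)` would otherwise break out of data-author and add an event handler.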
What is CSRF, and how do you mitigate it?
CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into sending a state-changing request the user did not intend, riding on the cookies the browser attaches automatically. Mitigate with per-session CSRF tokens that another origin cannot read, and set session cookies with the SameSite attribute as a second layer. Example: the csurf middleware in Express validates tokens on POST requests; note that the csurf package is now deprecated, so use a maintained alternative or implement the token check yourself.
How do you securely store passwords in a backend?
Never store plaintext or a plain fast hash (MD5, SHA-256) of a password. Hash with a slow, salted password-hashing algorithm such as bcrypt (or scrypt/Argon2) and check logins with the library's compare function. Example: const bcrypt = require('bcrypt'); const hash = await bcrypt.hash(password, 12); /* store hash */ and later const ok = await bcrypt.compare(candidate, hash); Tune the cost factor (10 to 12 is common) so one hash takes on the order of 100 ms on your server, and remember bcrypt only uses the first 72 bytes of the input.
What are secure HTTP headers, and which are critical?
Secure headers tell the browser to enforce protections the server cannot apply on its own. Critical: Strict-Transport-Security (forces HTTPS on future visits), X-Content-Type-Options: nosniff (stops MIME sniffing), Content-Security-Policy (restricts where scripts and other resources may load from), and X-Frame-Options or CSP frame-ancestors (prevents clickjacking). Set them via Helmet in Express: app.use(require('helmet')()) applies sensible defaults for all of these.
How do you implement secure JWT authentication?
```javascript
const jwt = require('jsonwebtoken');
const JWT_SECRET = process.env.JWT_SECRET; // load from the environment, never hardcode
function generateToken(user) {
  return jwt.sign({ id: user.id }, JWT_SECRET, { algorithm: 'HS256', expiresIn: '1h' });
}
function verifyToken(token) {
  // Pin the algorithm so tokens claiming "none" or another alg are rejected.
  return jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
}
// Explanation: Use short-lived tokens, keep the secret out of source code, verify on every request.
```
What is the principle of least privilege in security?
Grant minimal access needed. Example: Use a database user with read-only access for API queries, not admin privileges, to limit damage if compromised.
How do you protect against API abuse?
Implement rate limiting and input validation. Example: Use express-rate-limit to cap requests at 100/hour per IP, and validate payloads with Joi. Caveat: per-IP limits are only meaningful if Express's 'trust proxy' setting matches your deployment, otherwise clients behind a proxy share one limit or can spoof X-Forwarded-For to evade it; limit authenticated endpoints by user or API key as well.
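Added example, not from the original flashcards and not express-rate-limit's code: a fixed-window limiter keyed by client, with an injectable clock, and the Express middleware shape around it. Counters live in the process, which is the assumption to drop (in favour of a shared store) when running several instances.

```javascript
// Returns check(key) -> { allowed, remaining, retryAfterMs } for the current window.
function createRateLimiter({ limit, windowMs, now = Date.now }) {
  const counters = new Map(); // key -> { windowStart, count }
  return function check(key) {
    const t = now();
    let entry = counters.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { windowStart: t, count: 0 }; // start a new window for this key
      counters.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - entry.count),
      retryAfterMs: allowed ? 0 : entry.windowStart + windowMs - t,
    };
  };
}

// Express middleware; keys on req.ip, so 'trust proxy' must be configured correctly.
function rateLimitMiddleware(check) {
  return (req, res, next) => {
    const r = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).send('Too Many Requests');
    }
    next();
  };
}

// Usage (assumes an Express `app`): 100 requests per hour per IP.
// app.use(rateLimitMiddleware(createRateLimiter({ limit: 100, windowMs: 60 * 60 * 1000 })));
```

A fixed window lets a client burst up to 2x the limit across a boundary; a sliding window or token bucket smooths that out if it matters for the endpoint.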
What is an OWASP Top 10 vulnerability?
The OWASP Top 10 is a periodically updated list of the most critical web application security risks. Example: Broken Authentication (renamed Identification and Authentication Failures in the 2021 edition), such as accepting weak passwords or not throttling login attempts. Mitigate with strong password policies, MFA, login rate limiting, and proper session or JWT validation.
How do you secure sensitive environment variables?
Keep secrets out of source code. For local development, store them in a .env file loaded with dotenv in Node.js and add .env to .gitignore so it is never committed; in production, inject them from a secrets manager (e.g., AWS Secrets Manager) or the platform's environment instead of shipping a file. Example: DB_URL=postgres://... in .env, read in code as process.env.DB_URL. Avoid logging process.env, and rotate any secret that was ever committed, since it stays in Git history.