Security, Performance & Deployment

Question 1

What is the OWASP Top 10?

Answer 1

The OWASP Top 10 is a list of the most critical web application security risks, such as Injection, Broken Authentication, and Cross-Site Scripting (XSS).

Question 2

What is Helmet in Node.js?

Answer 2

Helmet is a middleware for Express that sets various HTTP headers to secure apps from common web vulnerabilities.

Question 3

What is rate limiting in Express apps?

Answer 3

Rate limiting controls the number of requests a client can make to an API within a time window to prevent abuse or DoS attacks.

Question 4

What is clustering in Node.js?

Answer 4

Clustering is a technique that allows Node.js to spawn multiple processes (workers) to handle concurrent connections on multicore systems.

Question 5

What is a load balancer?

Answer 5

A load balancer distributes incoming traffic across multiple servers or instances to enhance reliability and performance.

Question 6

What is CI/CD?

Answer 6

CI/CD (Continuous Integration/Continuous Deployment) automates code testing and deployment to improve software delivery efficiency and reliability.

Question 7

What is Docker?

Answer 7

Docker is a platform that uses containers to run software consistently across environments by packaging code with dependencies.

Question 8

What is PM2 in Node.js?

Answer 8

PM2 is a production-grade process manager for Node.js applications that enables monitoring, clustering, and zero-downtime restarts.

Question 9

What is New Relic used for?

Answer 9

New Relic is an APM (Application Performance Monitoring) tool that tracks performance metrics, errors, and transactions in real time.

Question 10

What is Prometheus used for?

Answer 10

Prometheus is an open-source monitoring system that collects metrics from applications and supports alerting and visualization.

Question 11

What are the advantages of using Helmet?

Answer 11

Helmet is simple to use, improves default security posture, and mitigates common attacks like clickjacking and MIME sniffing.

Question 12

What are the disadvantages of rate limiting?

Answer 12

If misconfigured, it can block legitimate users or degrade user experience during traffic spikes.

Question 13

What are best practices for Node.js security?

Answer 13

Use Helmet, validate input, sanitize data, use HTTPS, manage dependencies, and follow OWASP guidelines.

Question 14

What is a use case for Docker in Node.js apps?

Answer 14

Running a Node.js app in the same environment across development, testing, and production systems.

Question 15

What is the impact of load balancing on system design?

Answer 15

It requires stateless services or external session storage and affects how services scale and failover.

Question 16

How does clustering improve performance?

Answer 16

It allows better CPU utilization on multicore machines, increasing throughput and responsiveness.

Question 17

What is a CI/CD pipeline example?

Answer 17

GitHub Actions or Jenkins running tests, building a Docker image, and deploying to a server or Kubernetes cluster.

Question 18

What is the architectural implication of using PM2?

Answer 18

Enables zero-downtime deployments, process monitoring, and simplified log management in production.

Question 19

What is a performance benefit of Docker?

Answer 19

Isolated environments reduce conflicts, and container startup is faster than virtual machines.

Question 20

What is a fault tolerance advantage of clustering?

Answer 20

If one worker crashes, others continue to handle requests, reducing total application downtime.

Question 21

What is a monitoring best practice for production apps?

Answer 21

Track metrics like response time, error rate, memory usage, and use alerting tools like New Relic or Prometheus.

Question 22

What is a real-world tradeoff with Docker?

Answer 22

It adds an extra layer of complexity and may consume more resources than native environments in some cases.

Question 23

What’s a potential gotcha with rate limiting?

Answer 23

Clients behind the same IP (e.g., proxies) may get unfairly rate-limited if IP-based logic is used.

Question 24

What’s a common interview question about OWASP?

Answer 24

Can you explain some OWASP Top 10 risks and how to prevent them in Node.js applications?

Question 25

What’s a common interview question about clustering?

Answer 25

How does Node.js handle multi-core processing and how do you manage multiple processes?

Question 26

What’s a common interview question on CI/CD?

Answer 26

Describe a CI/CD pipeline you’ve implemented and the tools used for testing and deployment.

Question 27

What is the advantage of using Prometheus with Grafana?

Answer 27

Grafana provides visual dashboards and alerting on Prometheus metrics, improving observability.

Question 28

What is the role of secure headers in Helmet?

Answer 28

Secure headers reduce risks from XSS, CSRF, clickjacking, and other browser-based attacks.

Question 29

What is an example of a rate-limiting package in Express?

Answer 29

express-rate-limit is a popular middleware used to throttle incoming requests.

Question 30

How does load balancing support fault tolerance?

Answer 30

If one instance fails, traffic is routed to healthy ones, ensuring uninterrupted service.

Question 31

What’s a disadvantage of using clustering?

Answer 31

It doesn't share memory, so shared state must be managed via external tools like Redis.

Question 32

What’s a CI/CD deployment risk?

Answer 32

A bad deploy can affect users quickly; rollbacks and automated testing are critical safeguards.

Question 33

What’s a performance gotcha with PM2?

Answer 33

Misconfigured cluster mode can create bottlenecks if shared resources are not managed correctly.

Question 34

What is a Docker image?

Answer 34

A Docker image is a lightweight, standalone package of software that includes everything needed to run an app.

Question 35

What is zero-downtime deployment in PM2?

Answer 35

Using `pm2 reload`, the app restarts gracefully without dropping connections or causing user impact.

Question 36

What’s an example of an OWASP issue and a fix?

Answer 36

Injection attacks can be mitigated by using parameterized queries with database clients like `pg` or `mongoose`.

Question 37

What’s the benefit of infrastructure as code in CI/CD?

Answer 37

Automates consistent, reproducible environment setup and deployment.

Question 38

What’s the impact of improper clustering configuration?

Answer 38

Can lead to race conditions or data inconsistency if state isn't shared properly.

Question 39

What’s a common performance bottleneck in Node.js apps?

Answer 39

Blocking I/O operations or CPU-intensive tasks can degrade responsiveness.

Question 40

What’s a monitoring best practice in Dockerized apps?

Answer 40

Expose metrics endpoints and run exporters like node_exporter for Prometheus.

Question 41

What’s a Helm alternative for Kubernetes deployment?

Answer 41

Kustomize is another popular tool for managing Kubernetes manifests.

Question 42

What’s the benefit of externalizing secrets in Docker?

Answer 42

Using environment variables or secret managers prevents hardcoding sensitive data into images.

Question 43

What’s a tradeoff of using New Relic?

Answer 43

Provides rich metrics and insights but can add noticeable overhead or cost in large-scale apps.

Question 44

What is a potential rate-limiting gotcha in distributed systems?

Answer 44

Local rate limiters won’t sync across instances; use a shared store like Redis for consistency.

Question 45

How does CI/CD impact team productivity?

Answer 45

It speeds up feedback loops, reduces manual errors, and allows teams to ship faster and more reliably.

Question 46

What’s a best practice for secure Dockerfiles?

Answer 46

Use minimal base images, avoid running as root, and scan for vulnerabilities with tools like Snyk.

Question 47

How does Prometheus gather data?

Answer 47

It pulls metrics from targets using HTTP endpoints and stores them in a time-series database.

Question 48

What is the purpose of Docker Compose?

Answer 48

Docker Compose defines and runs multi-container applications using a simple YAML configuration file.

Question 49

How does rate limiting help with DDoS protection?

Answer 49

It reduces the impact of malicious traffic by blocking excessive requests from a single source.

Question 50

How do clusters handle requests in Node.js?

Answer 50

Each worker listens on the same port and the OS or master process balances the load between them.

Question 51

What is a security risk with outdated Node.js packages?

Answer 51

They may contain known vulnerabilities that can be exploited if not patched regularly.

Question 52

What’s a common interview question on Docker?

Answer 52

How do you build, run, and debug a Node.js app using Docker and Docker Compose?