10 · Engineering craft
Security
XSS, CSRF, CSP, and the client-side threats you must name.
The threats you're expected to name and defend against. "How would you prevent XSS here?" is a near-guaranteed follow-up.
Attacks & defenses
| Topic | Difficulty | Time | Tags | Best Resources |
|---|---|---|---|---|
| OWASP Top 10 overview | 🟡 | 1h | #overview |
OWASP Top 10 ⭐ |
| XSS (stored/reflected/DOM) | 🔴 | 1.5h | #xss #injection |
OWASP: XSS ⭐ |
| XSS defenses (escaping, sanitization) | 🔴 | 1h | #xss |
OWASP: XSS prevention ⭐ |
| CSRF | 🔴 | 1h | #csrf |
OWASP: CSRF ⭐ |
| Clickjacking & frame protection | 🟡 | 45m | #clickjacking |
OWASP: clickjacking ⭐ |
| Injection & input validation | 🟡 | 45m | #injection |
OWASP: input validation ⭐ |
| Prototype pollution | 🔴 | 45m | #injection #advanced |
OWASP ⭐ |
| Dependency & supply-chain security | 🟡 | 45m | #supply-chain |
OWASP: dependency check ⭐ |
Headers & policies
| Topic | Difficulty | Time | Tags | Best Resources |
|---|---|---|---|---|
| Content Security Policy (CSP) | 🔴 | 1h | #csp #headers |
MDN: CSP ⭐ |
| CORS (security view) | 🟡 | 45m | #cors |
MDN: CORS ⭐ |
| Security headers (HSTS, X-Frame-Options…) | 🟡 | 45m | #headers |
OWASP: secure headers ⭐ |
| Subresource Integrity (SRI) | 🟡 | 30m | #sri #headers |
MDN: SRI ⭐ |
| Trusted Types | 🔴 | 45m | #xss #modern |
web.dev: Trusted Types ⭐ |
| Permissions-Policy | 🟡 | 30m | #headers |
MDN ⭐ |
Auth & sessions
| Topic | Difficulty | Time | Tags | Best Resources |
|---|---|---|---|---|
| Authentication patterns | 🔴 | 1.5h | #auth |
Auth0: auth flows ⭐ |
| Authorization (RBAC/ABAC) | 🟡 | 1h | #authz |
OWASP: access control ⭐ |
| JWT: usage & pitfalls | 🔴 | 1h | #jwt #auth |
jwt.io intro ⭐ |
| OAuth 2.0 & OIDC | 🔴 | 1.5h | #oauth #auth |
OAuth 2.0 simplified ⭐ |
| Session management | 🟡 | 45m | #session |
OWASP: session cheat sheet ⭐ |
| Token storage (cookie vs localStorage) | 🔴 | 45m | #auth #storage |
OWASP: JWT cheat sheet ⭐ |
| Cookies & session security (SameSite, HttpOnly) | 🟡 | 45m | #cookies |
MDN: SameSite ⭐ |
❓ Rapid-fire security interview questions
Real frontend security questions asked at the SDE-2 / senior level. Answer out loud, then verify above.
- What is XSS and how do you prevent it (all three types)?
- What is CSRF and how do you prevent it?
- What is a Content Security Policy (CSP)?
- Where should you store auth tokens — cookie vs localStorage?
- Authentication vs authorization — what's the difference?
- How does OAuth 2.0 work at a high level?
- What do HttpOnly, Secure, and SameSite cookie flags do?
- What is CORS and how do you configure it safely?
- What is clickjacking and how do you prevent it?
- What is Subresource Integrity (SRI)?
- How do you safely render user/markdown/AI-generated content (avoid XSS)?
- What is a JWT and what are its pitfalls?
- Which security headers should every app set?
- What is prototype pollution?
- How do you keep API keys/secrets out of the frontend?
🎯 Scenario, advanced & real-incident questions (Senior / Staff)
These go beyond definitions into judgment, design, and real-world incidents — the differentiators in senior loops.
🧩 Scenarios
- A login page redirects to
?redirect=<url>after login. What vulnerability does this risk (open redirect) and how do you fix it? - Your SPA stores a JWT in
localStorage"because cookies are complicated." A pentest finds a stored-XSS bug and the tokens were exfiltrated. What would you change? - Your API sets
Access-Control-Allow-Origin: *andAccess-Control-Allow-Credentials: true— what's wrong? - A design-system
<RichText>renders raw HTML viadangerouslySetInnerHTML; someone wants arawHtmlprop that trusts all callers. Do you approve the API? Why not? - How would you implement "log out of all devices" with a stateless JWT architecture?
🔬 Advanced 6. Session fixation vs session hijacking — how do they differ? 7. How does refresh-token rotation work and what problem does it solve? 8. What is prototype pollution and how can a deep-merge utility introduce it? 9. What is dependency confusion and how can a frontend build pipeline be vulnerable? 10. What is a "secure context" and why do Service Workers / geolocation / clipboard require HTTPS? 11. Why isn't a CSRF token sufficient if it's also stored in a JS-readable cookie? 12. How do Trusted Types prevent DOM XSS at the platform level? 13. What is OpenID Connect and how does it differ from plain OAuth 2.0?
🚨 Real incidents
14. An app embedded an OAuth client secret in a mobile binary, later reverse-engineered. What went wrong, and what's the correct pattern for public clients (PKCE)?
15. A team trusted a client-side isEmployee flag to unlock admin routes. What principle did this violate?
16. The British Airways 2018 (Magecart) breach injected a form-skimming script. What frontend architecture (CSP, SRI, script isolation) would have mitigated it?
🐛 Debugging / ops
17. Users are logged out randomly after ~15 min despite being active — likely causes and how you'd investigate?
18. Your CSP report-uri is suddenly flooded with script-src violations — attack or false positive, and how do you tell?
19. How would you roll out a strict CSP to a legacy app with hundreds of inline scripts without breaking it overnight?
20. How would you migrate a session-cookie legacy app to JWT auth without a breaking "flag day"?
⚖️ Trade-offs 21. Where should least privilege apply on the frontend, given it can't fully enforce anything the server doesn't? 22. How do you balance instant client-side validation UX with the rule that client validation isn't a security boundary?
Related: 01-fundamentals · 12-networking · 13-state-management
Missing something? Add a row.