Security — Core Concepts

Interview Relevance: High — Security is a cross-cutting concern in every system. Know the full request lifecycle: from HTTPS at the wire to JWT validation at the service.

The Security Layers

HTTPS & TLS

Why HTTPS?

TLS Handshake (Simplified)

Key certificate concepts for interviews:

Concept	Meaning
CA (Certificate Authority)	Trusted third party that signs certificates (Let's Encrypt, DigiCert)
Certificate	Binds a domain name to a public key, signed by CA
TLS 1.3	Latest version — 1 round-trip handshake (vs 2 in TLS 1.2)
mTLS (Mutual TLS)	Both client AND server present certificates — used for service-to-service auth
Certificate pinning	Mobile apps reject certs not matching an expected fingerprint
HSTS	HTTP header forcing HTTPS-only for all future visits

Authentication vs. Authorization

JWT (JSON Web Token)

JWT is a self-contained token that carries identity claims. The server doesn't need to look up a session store.

JWT Structure

JWT Auth Flow

JWT Security Properties

✅ Stateless — no session store lookup needed (scales easily)
✅ Self-contained — payload carries all needed claims
✅ Tamper-proof — signature verifiable with public key only
✅ Works across services — any service can verify with public key

❌ Cannot be revoked before expiry (use short TTL + refresh tokens)
❌ Payload is Base64 encoded — NOT encrypted (don't put secrets in it)
❌ If private key is compromised — all tokens are compromised

JWT best practices:

• Access token TTL: 15 minutes (short — limits damage if stolen)
• Refresh token TTL: 7–30 days (long-lived, stored in HttpOnly cookie)
• Use RS256 (asymmetric) not HS256 (shared secret) for microservices
• Store in memory or HttpOnly cookie — never localStorage (XSS risk)
• Revocation: maintain a token blocklist in Redis (for logout/compromise)

OAuth 2.0

OAuth is an authorization framework that lets users grant third-party apps access to their data without sharing their password.

The Authorization Code Flow (Most Secure)

OAuth Roles

Role	Description	Example
Resource Owner	The user who owns the data	Alice
Client	The app requesting access	your-app.com
Authorization Server	Issues tokens after user consent	Google, Auth0, Okta
Resource Server	The API that has the user's data	Google APIs

OAuth Scopes

scope=email           → Read user's email address
scope=profile         → Read name, picture
scope=repo            → GitHub: read/write repos
scope=read:orders     → Your app: read orders only
scope=write:orders    → Your app: create/update orders

Principle of Least Privilege: Request only the scopes you need.

Authorization Models

RBAC — Role-Based Access Control

✅ Simple to understand and manage
✅ Good for well-defined roles (admin, editor, viewer)
❌ Role explosion: 100 roles for complex permission sets
❌ Not fine-grained enough for resource-level permissions

ABAC — Attribute-Based Access Control

✅ Very fine-grained — any attribute combination
✅ Dynamic — adapts to context (time, location, device)
✅ Used by AWS IAM policies, Google Cloud IAM
❌ Complex to write and debug policies
❌ Performance overhead (policy evaluation per request)

WAF — Web Application Firewall

A WAF sits in front of your application and filters HTTP traffic based on rules targeting known attack patterns.

OWASP Top 10 (What WAF Protects Against)

Rank	Vulnerability	Example Attack	WAF Defense
A01	Broken Access Control	Accessing `/admin` without auth	Auth enforcement rules
A02	Cryptographic Failures	Storing passwords in plaintext	Policy enforcement
A03	SQL Injection	`' OR '1'='1` in query params	SQLi pattern matching
A07	XSS (Cross-Site Scripting)	`<script>` in form input	XSS signature rules
A10	Server-Side Request Forgery	`url=http://169.254.169.254/` (AWS metadata)	SSRF blocklist rules

Encryption at Rest

Encryption levels:

Level	What	Tool
Disk encryption	Full disk encrypted (OS level)	AWS EBS encryption, Linux LUKS
DB-level	DB files on disk encrypted	MySQL TDE, PostgreSQL pgcrypto
Column-level	Only sensitive columns encrypted	Application-level AES-256
Field-level	Individual values encrypted in app	AWS KMS + envelope encryption

Worked Example: Secure URL Shortener

Security decisions table:

Concern	Solution	Reason
Transport	TLS 1.3 + HSTS	Encrypt in transit, prevent downgrade
DDoS	Cloudflare WAF + rate limiting	Block before reaching origin
AuthN	JWT RS256 (15min TTL) + refresh tokens	Stateless, short-lived
AuthZ	RBAC (free/paid tiers) + scope check	Principle of least privilege
Secrets	HashiCorp Vault (dynamic DB creds)	No hardcoded secrets, auto-rotated
Data at rest	AES-256 TDE + column encryption for PII	Defense in depth
Audit	Structured logs (who shortened what, when)	Compliance + breach investigation

Interview Cheat Sheet

One-Line Summaries

HTTPS/TLS:     Encrypts data in transit — prevents eavesdropping and MITM
mTLS:          Both sides present certs — used for service-to-service auth
JWT:           Self-contained signed token — stateless, tamper-proof, short-lived
OAuth 2.0:     Authorization framework — delegate access without sharing passwords
RBAC:          Role-based permissions — simple, good for well-defined roles
ABAC:          Attribute-based — fine-grained, dynamic (AWS IAM style)
WAF:           Filters malicious HTTP — blocks SQLi, XSS, OWASP Top 10
Encryption at rest: AES-256 on disk/DB — protects from physical/storage compromise
Secret Manager: Vault/KMS — no hardcoded credentials, auto-rotation

The Interview Phrase

"For security, I'd apply defense in depth across every layer:
 TLS 1.3 encrypts all traffic in transit. Cloudflare WAF sits at
 the edge blocking OWASP Top 10 attacks and DDoS. The API Gateway
 terminates TLS, enforces rate limits, and validates RS256-signed
 JWTs with a 15-minute TTL. Internal service-to-service calls use
 mTLS for mutual authentication. All secrets — DB credentials, API
 keys — are stored in HashiCorp Vault with daily rotation. PII data
 in the database is AES-256 encrypted at the column level, and all
 access is audit-logged for compliance."

Red Flags vs. Green Flags

🔴 Red Flag	🟢 Green Flag
Store JWT in localStorage	HttpOnly cookie — prevents XSS token theft
Long-lived access tokens (days)	15-min access token + 7-day refresh token
Hardcode DB passwords in code	HashiCorp Vault or AWS Secrets Manager
No WAF mentioned	WAF at edge (Cloudflare) for OWASP protection
Use HS256 in microservices	RS256 — only auth service has private key
Skip mTLS for internal services	mTLS for zero-trust service-to-service auth
Confuse AuthN and AuthZ	State explicitly: JWT = AuthN; RBAC/scope = AuthZ

IMPORTANT

Always mention defense in depth. A single security control is never enough. Say: "Security is applied at every layer — WAF at the edge, TLS in transit, JWT at the gateway, RBAC at the service, and AES-256 encryption at rest."

TIP

Mentioning mTLS for service-to-service communication and secret rotation via Vault/KMS signals senior-level security awareness that most candidates skip.

Security — Core Concepts ​

The Security Layers ​

HTTPS & TLS ​

Why HTTPS? ​

TLS Handshake (Simplified) ​

Authentication vs. Authorization ​

JWT (JSON Web Token) ​

JWT Structure ​

JWT Auth Flow ​

JWT Security Properties ​

OAuth 2.0 ​

The Authorization Code Flow (Most Secure) ​

OAuth Roles ​

OAuth Scopes ​

Authorization Models ​

RBAC — Role-Based Access Control ​

ABAC — Attribute-Based Access Control ​

WAF — Web Application Firewall ​

OWASP Top 10 (What WAF Protects Against) ​

Encryption at Rest ​

Worked Example: Secure URL Shortener ​

Interview Cheat Sheet ​

One-Line Summaries ​

The Interview Phrase ​

Red Flags vs. Green Flags ​