15 scenarios grouped by topic. Click any to see the right move and why the common mistakes are wrong.
You are shipping a brand-new web app and need to pick how to store user passwords. There is no legacy hash format to be compatible with and your servers have modern CPUs. Which approach is the right default in 2025?
A React SPA talks to a REST (Representational State Transfer) API on the same parent domain. You need to persist the user's session token across page reloads. Where should the access token live?
Your app authenticates users with a session cookie and exposes POST /transfer to move money. A user reports that visiting a sketchy site while logged in caused a transfer. You confirm the cookie is Secure and httpOnly. What is the minimum fix?
Users can write comments that other users see. Your template engine inserts the raw string into both an HTML body and a JavaScript onclick attribute. How should you defend against XSS (Cross-Site Scripting)?
A search endpoint receives a free-text query and your ORM exposes a raw() escape hatch. A teammate writes db.raw("SELECT * FROM items WHERE name LIKE '%" + q + "%'"). What is the correct fix?
GET /api/invoices/{id} returns an invoice. The handler looks up the invoice by id and returns it. Audit logs show user 42 successfully fetched invoice 9001, which belongs to user 77. What is missing?
Your service runs on an EC2 instance and needs to read objects from S3. A junior dev plans to bake AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into the container image as environment variables. What should you do instead?
You are shipping a banking iOS app that talks to api.bank.example over HTTPS. The threat model includes users on hostile Wi-Fi and the possibility of a compromised public CA. What TLS (Transport Layer Security) posture makes sense?
You need to encrypt small JSON (JavaScript Object Notation) blobs (user notes) at rest in the database. You will manage the keys via KMS. Which symmetric mode should you reach for?
You are integrating Sign in with Google into a public SPA that has no backend it can call its own (the SPA talks directly to your API). Which OAuth flow should the SPA use?
Your /login endpoint is getting hammered: credential-stuffing attempts from thousands of residential IPs, sometimes one attempt per IP. You also do not want to lock real users out. What rate-limiting strategy fits?
A teammate adds middleware that logs every request and response body to make debugging easier in production. Endpoints include /login, /payments, and /users/me. What is your review feedback?
Your SaaS stores all tenants in one Postgres database with a tenant_id column on every table. A new engineer is writing queries and forgets the tenant filter on a JOIN, leaking data across tenants in staging. How do you prevent this systemically?
An /upload endpoint accepts a file and a JSON metadata blob. The metadata includes a filename, size, and mime_type that the client computes. The server stores the file under filename and trusts mime_type for Content-Type on later downloads. What is the safer design?
After a user changes their password from the settings page, what should happen to their other active sessions on other devices?