DEV Community

DevCorner
DevCorner

Posted on

Security in Backend Development: One-Stop Solution for Interviews

Backend security is crucial for protecting applications from attacks, data breaches, and unauthorized access. In this guide, we will cover key security concepts frequently asked in interviews.

1. OAuth 2.0 and JWT Tokens

OAuth 2.0

OAuth 2.0 is an authorization framework that enables secure API access without exposing user credentials. It involves four roles:

  • Resource Owner: The user granting access.
  • Client: The application requesting access.
  • Authorization Server: Issues access tokens.
  • Resource Server: The API or service that requires authentication.

OAuth 2.0 Grant Types:

  • Authorization Code Flow (Most Secure): Used for web applications.
  • Implicit Flow (Deprecated): For single-page applications.
  • Client Credentials Flow: Machine-to-machine authentication.
  • Resource Owner Password Flow: Direct credential exchange (not recommended).

JWT (JSON Web Token)

JWT is a self-contained token format used for stateless authentication. It consists of three parts:

  • Header: Algorithm and token type (e.g., { "alg": "HS256", "typ": "JWT" }).
  • Payload: Claims (e.g., user ID, roles, expiration time).
  • Signature: Ensures integrity and authenticity.

Why JWT?

  • Stateless: No need to store tokens in the backend.
  • Secure: Signed using a secret key (HMAC) or public/private key pair (RSA/ECDSA).
  • Efficient: Reduces database lookups.

2. Preventing SQL Injection and XSS Attacks

SQL Injection

SQL Injection occurs when attackers manipulate queries by injecting malicious SQL code.

Prevention:

  • Use Prepared Statements and Parameterized Queries 
  String query = "SELECT * FROM users WHERE username = ?";
  PreparedStatement stmt = connection.prepareStatement(query);
  stmt.setString(1, username);
Enter fullscreen mode Exit fullscreen mode
  • Use ORM Frameworks (e.g., Hibernate, JPA) that abstract direct SQL queries.
  • Validate and Sanitize User Input (e.g., restrict special characters).
  • Use Least Privilege Principle for database users.

Cross-Site Scripting (XSS)

XSS occurs when attackers inject malicious scripts into web pages.

Prevention:

  • Escape Output: Encode special characters (<, >, &, ", ').
  • Use Content Security Policy (CSP) to restrict allowed scripts.
  • Sanitize User Input using libraries like jsoup (Java) or DOMPurify (JavaScript).

3. CORS (Cross-Origin Resource Sharing)

CORS is a security mechanism that controls which domains can make requests to your API.

Handling CORS in Backend:

  • Enable CORS with Allowed Origins 
  @Configuration
  public class CorsConfig {
      @Bean
      public WebMvcConfigurer corsConfigurer() {
          return new WebMvcConfigurer() {
              @Override
              public void addCorsMappings(CorsRegistry registry) {
                  registry.addMapping("/**")
                          .allowedOrigins("https://example.com")
                          .allowedMethods("GET", "POST", "PUT", "DELETE")
                          .allowedHeaders("*");
              }
          };
      }
  }
Enter fullscreen mode Exit fullscreen mode
  • Use Proxy for Internal APIs: Avoid exposing APIs directly.
  • Implement Token-Based Authentication instead of relying on cookies.

4. Implementing Role-Based Access Control (RBAC)

RBAC restricts system access based on user roles.

Steps to Implement RBAC:

  1. Define Roles (e.g., Admin, User, Moderator).
  2. Assign Permissions (e.g., Admin can delete users, User can only view data).
  3. Enforce Role-Based Access in Code 
   @PreAuthorize("hasRole('ADMIN')")
   @DeleteMapping("/deleteUser/{id}")
   public ResponseEntity<String> deleteUser(@PathVariable Long id) {
       userService.deleteUser(id);
       return ResponseEntity.ok("User deleted");
   }
Enter fullscreen mode Exit fullscreen mode

5. Securing APIs Exposed to the Internet

Best Practices:

  • Use HTTPS: Encrypt communication with SSL/TLS.
  • Implement API Rate Limiting to prevent abuse (e.g., using Spring Boot’s RateLimiter).
  • Authenticate Every Request (Use OAuth 2.0, JWT, API Keys).
  • Validate and Sanitize Input to prevent injection attacks.
  • Log and Monitor Requests to detect anomalies.

6. Data Encryption at Rest and in Transit

Encryption at Rest

Protects stored data from unauthorized access.

  • Use Database-Level Encryption (e.g., AES-256 for MySQL, TDE for SQL Server).
  • Encrypt Sensitive Fields (e.g., passwords, credit card details).
  • Store Hashes for Passwords (Use bcrypt, Argon2, PBKDF2). 
  String hashedPassword = new BCryptPasswordEncoder().encode(password);
Enter fullscreen mode Exit fullscreen mode

Encryption in Transit

Secures data during transmission.

  • Use HTTPS (TLS 1.2 or higher) to encrypt traffic.
  • Enable Secure WebSockets (wss://) for real-time communication.
  • Implement Mutual TLS (mTLS) for client-server authentication.

Conclusion

Security in backend development requires a multi-layered approach. By implementing OAuth 2.0, JWT, SQL injection prevention, XSS protection, CORS handling, RBAC, API security best practices, and encryption mechanisms, you can build robust and secure applications. Mastering these concepts will not only help you ace interviews but also create secure backend systems in real-world applications.

✅ Next Steps: Practice implementing these security techniques in your backend projects to solidify your understanding! 🚀

Top comments (0)

Read next

resource_bunk_1077cab07da profile image

Master Automation with These Python Hacks

Resource Bunk -

criscmd profile image

From Breaking Things to Building Them: My Journey from a Curious Kid to a self taught CTO

Tao Christopher Takahashi -

linkbenjamin profile image

The Adventures of Blink S3e1: It's Time To Start Season 3!

Ben Link -

snappytuts profile image

Serverless Python APIs: Hype or Future?

Snappy Tuts -