Full Stack Developer Interview Questions

Product wants a 'save for later' cart feature shipped in two sprints. Walk through how you'd slice it across schema, API, React state, and analytics so each sprint delivers something usable, not just half a backend.

You're designing a GST invoice download feature for an Indian SaaS billing app. PDFs take 8–10 seconds to render. Design the full flow — API shape, async generation, polling versus push, and the UI states — and justify each choice.

A referral program needs unique codes, attribution on signup, and a rewards ledger. Sketch the tables, the endpoints, and where you'd enforce 'one reward per referred user' — client, API, or database constraint — and why.

Your team must add multi-tenancy to a single-tenant Express plus Postgres app already serving paying customers. Compare row-level tenancy versus schema-per-tenant end to end — migrations, connection pooling, frontend tenant context — and pick one for a 50-tenant scale.

You're adding an in-app notification center: unread counts, mark-as-read, and a dropdown feed. Decide what's computed server-side versus client-side, how you'd paginate the feed, and how the unread badge stays correct across two open tabs.

Design a bulk CSV import for 100k employee records: upload, validation, partial-failure reporting, and retry. Cover where validation lives, how you stream rather than buffer, and how the frontend shows row-level errors without freezing the browser.

Marketing wants feature flags so they can toggle a new checkout for 10% of users. Describe how you'd implement flag evaluation across server-rendered pages and client React code so a user never flips between variants mid-session.

You inherit a feature spec for collaborative document comments with @mentions and email digests. Identify the hidden hard parts — permissions inheritance, comment anchoring after edits, digest batching — and explain how you'd sequence delivery to de-risk them first.

A food-delivery client wants order tracking with four states: placed, preparing, out for delivery, delivered. Model the state machine, decide who can trigger each transition, and explain how the React UI handles an out-of-order status update.

You must add soft-delete with a 30-day restore window across a mature app. Walk through the ripple effects: unique constraints, list queries, cascading children, search indexes, admin restore UI, and the cron that finally purges data.

Your PM asks for 'export everything to Excel' on a reporting screen with twelve filters. Decide whether export reuses the list API or gets its own path, how you cap result size, and what you tell users at 200k rows.

Design an appointment booking system for a clinic chain across Indian time zones is easy — the hard part is double-booking under concurrency. Explain your locking or reservation-hold strategy, the API contract for holds expiring, and the UI countdown experience.

Leadership wants 'undo' for destructive actions across the product. Propose a generic approach — command log, soft-delete, or compensating transactions — and explain how the API, background jobs, and toast-with-undo frontend pattern fit together without corrupting downstream data.

Your mobile team complains the orders REST endpoint forces three round trips to render one screen. Compare fixing it with a composite endpoint, field expansion parameters, or introducing GraphQL — and what each costs the backend team long term.

You need to evolve a public REST API used by fifty external integrators without breaking them. Lay out your versioning policy, deprecation timeline, additive-change rules, and how you'd detect which clients still call the old shape.

A PUT endpoint for user profiles keeps wiping fields the client didn't send. Diagnose the contract problem, contrast PUT versus PATCH semantics in practice, and describe how you'd roll out the fix without breaking older app versions.

Your GraphQL gateway is getting hammered by deeply nested queries from a partner integration. Explain how you'd introduce depth limits, cost analysis, and persisted queries — and how you'd negotiate the change with the partner without downtime.

Frontend and backend teams keep shipping mismatched payloads despite a shared Postman collection. Propose a contract workflow — OpenAPI as source of truth, generated clients, CI schema diffs — and where you'd start with one week of effort.

Design the pagination contract for an activity feed that inserts items at the top constantly. Explain why offset pagination breaks here, how cursor tokens should be structured, and what guarantees you document for clients about duplicates and gaps.

A checkout API call sometimes times out on flaky Indian mobile networks and users retry, creating duplicate orders. Design idempotency into the contract — key generation, server-side storage, response replay — and the frontend retry behavior that uses it.

You're splitting a monolith API consumed directly by React into services behind a gateway. Decide what the frontend contract should look like afterwards — BFF per client, unchanged facade, or GraphQL federation — given a four-person team.

Your error responses are a mess: some endpoints return strings, some objects, some HTML from the proxy. Define a uniform error envelope, how validation errors map to form fields in React, and how you'd migrate incrementally.

A reporting endpoint needs filtering on twenty fields with AND/OR combinations. Compare encoding this in query strings, a POST search body, or GraphQL arguments — covering caching implications, URL length limits, and how you'd validate the filter tree server-side.

Two consumers want conflicting things from one endpoint: the admin panel wants rich nested objects, the mobile app wants tiny payloads for 3G users in tier-2 cities. Walk through the options and pick one with reasoning.

You're adding webhooks so customers can subscribe to order events. Define the delivery contract: payload versioning, signature verification, retry with backoff, and ordering guarantees — and what you explicitly refuse to guarantee in the docs.

A new endpoint returns money values, and you've been burned by floating point before. Decide the wire format for amounts in INR with paise, how dates and time zones travel, and how you enforce these conventions across every future endpoint.

Your React SPA stores JWTs in localStorage and security flagged it. Walk through migrating to httpOnly cookie sessions or refresh-token rotation — what breaks in the frontend, how CORS changes, and how you keep users logged in during rollout.

Users report being randomly logged out on your multi-instance Node deployment. Sessions are in-memory. Explain the diagnosis, then compare sticky sessions, Redis-backed sessions, and stateless JWTs as fixes — including how each handles deploys and instance restarts.

You're adding 'Sign in with Google' to an app with existing email-password accounts. Design the account-linking flow, what happens when emails collide, and which OAuth flow you'd use for a browser SPA with a Node backend.

An access token leaked through a logging vendor. Walk through your incident response: revocation strategy when JWTs are stateless, rotating signing keys without logging everyone out, and the architectural changes you'd make so revocation is possible next time.

Your refresh-token flow works on desktop but mobile users on intermittent Jio connections end up with both tokens expired mid-request. Design the client-side refresh logic — request queuing, single-flight refresh, retry — that survives flaky networks.

You must add role-based access control across forty Express routes and a React admin panel. Decide where permissions are evaluated, how the frontend learns what to hide, and why hiding buttons alone is insufficient — with a migration plan.

Support keeps getting 'session expired' complaints from users who leave forms open for an hour. Design a session-extension approach — silent refresh, activity-based sliding expiry, or save-draft-then-reauth — balancing security policy against losing a half-filled KYC form.

Your B2B customers demand SSO via their identity providers. Compare bolting SAML and OIDC onto your existing JWT auth yourself versus adopting an auth platform, covering tenant-specific login flows, JIT user provisioning, and what happens when their IdP is down.

An OTP-based login via SMS works in testing but production users in India report delays of two minutes, causing expired codes. Redesign the flow: OTP validity windows, resend throttling, fallback channels, and protecting the endpoint from OTP-bombing abuse.

You discover the JWT middleware trusts the alg header and an audit flags it. Explain the exploit class, how you'd patch verification, rotate to asymmetric keys for your microservices, and validate nothing else in the pipeline decodes tokens unsafely.

Product wants 'remember me for 30 days' but security wants 8-hour sessions. Design a layered approach — short-lived access, long-lived refresh, step-up auth for payments and profile changes — and how the React app reflects partial-auth states.

A logout button that only deletes the client-side token just failed a penetration test. Design real logout for a JWT system: server-side denylist or token versioning, propagation across microservices, and the latency-versus-storage trade-off you accepted.

Your admin panel and customer app share one auth service, and an admin cookie scoped too broadly let a tester reach customer APIs with elevated rights. Untangle this: cookie scoping, audience claims, separate token issuers, and the rollout order.

A dashboard fires six API calls on mount, and slow ones overwrite fast ones when users switch filters quickly. Explain the race condition, then fix it with request cancellation or a data-fetching library — and justify your pick.

Your React app duplicates server state in Redux, and stale data bugs keep recurring after mutations. Argue for or against migrating to a server-cache library like React Query, including invalidation strategy and how you'd migrate screen by screen.

Users on slow connections see a blank screen for four seconds while your SPA loads data. Walk through your options — skeletons, SSR, streaming, caching the last response locally — and pick the cheapest fix that meaningfully helps.

An optimistic-update implementation for likes occasionally leaves counts wrong when the API call fails after the user navigated away. Design a robust optimistic-mutation pattern: rollback, reconciliation on refetch, and when you'd simply not do optimistic updates.

A form with forty fields re-renders the entire page on every keystroke and typing lags on mid-range Android phones common in India. Diagnose with the profiler, then fix using state colocation, memoization, or an uncontrolled-form library.

You're integrating a React micro-frontend into a legacy server-rendered portal owned by another team. Cover script isolation, shared auth state, CSS leakage, and version coordination — and where you'd draw the contract boundary between the two teams.

The backend returns deeply nested order objects but your components need flat lookup by id across screens. Decide where normalization happens — API layer, client transform, or asking backend to change — and how that choice ages as screens multiply.

After a backend deploy added a field, three React screens crashed on undefined access. Design defenses across the stack: runtime schema validation at the API boundary, typed clients, contract tests, and what you do when validation fails in production.

Product wants infinite scroll on a results list that users also filter and share via URL. Design the integration: cursor state in the URL, scroll restoration on back navigation, and how you avoid refetching everything when one filter changes.

Your team ships a component library consumed by four product apps, and a breaking change just took down two of them. Set up the integration discipline: semver, codemods, canary versions, and visual regression checks — prioritized for a small team.

A file-upload screen must show per-file progress, allow cancel, and survive a flaky hotel Wi-Fi connection. Walk through the frontend pieces — XHR versus fetch streams, abort controllers, chunked retry — and the matching Express handling.

You must support a 'draft autosave' editor where the user types continuously and the API rate-limits writes. Design debounced saves, conflict detection against edits from another tab, dirty-state UX, and what the save endpoint contract needs to enable this.

Hydration mismatches keep appearing after you moved your marketing pages to SSR while the app stays client-rendered. Explain the common causes — dates, randomness, auth-dependent UI — and the patterns you'd enforce so the team stops reintroducing them.

An Express endpoint that resizes images is blocking the event loop and every other request slows down during uploads. Explain how you'd confirm event-loop blocking and compare worker threads, a job queue, or offloading to a separate service.

Your Node service leaks memory and gets OOM-killed every two days in production. Walk through your investigation — heap snapshots, comparing dumps, usual suspects like caches and listeners — and the guardrails you'd add so it's caught pre-release next time.

A teammate wrapped every Express handler in try/catch with copy-pasted error responses. Refactor the error-handling architecture: async wrapper, centralized error middleware, operational versus programmer errors, and what actually gets sent to the client versus logged.

Under festive-sale traffic, your Express API's p99 latency spikes although CPU sits at 40%. Walk through diagnosing the real bottleneck — connection pool exhaustion, DNS lookups, synchronous JSON of huge payloads, GC pauses — and how you'd instrument to distinguish them.

You need scheduled jobs — nightly reconciliation, hourly emails — in a Node app running three instances. Explain why naive setInterval breaks at multiple instances, then compare cron with distributed locks versus a queue with delayed jobs.

A background job processes refunds, and a crashed worker mid-batch caused some refunds to run twice. Redesign the worker for at-least-once delivery with idempotent handlers, visibility timeouts, poison-message handling, and the audit trail finance will ask for.

Your Express app reads the request body twice in different middleware and breaks for large streams. Explain Node stream semantics here and redesign the middleware chain so body parsing, signature verification for webhooks, and logging coexist safely.

You're asked whether to split a 60k-line Express monolith into services. Make the case for a modular monolith first: enforcing module boundaries, extracting the one genuinely independent workload, and the operational costs your three-engineer team would absorb with microservices.

An unhandled promise rejection in a fire-and-forget call crashed your Node 20 process at 2 a.m. Explain the crash semantics, how you'd find other fire-and-forget spots in the codebase, and the patterns you'd enforce for intentional background work.

Your API must call three downstream services per request, and one of them degrades regularly. Design the resilience layer in Node — timeouts, circuit breakers, fallbacks, bulkheads — and how you decide which downstream failures should fail the whole request.

Logs from your Express app are unstructured console.logs, useless during incidents. Design the logging upgrade: structured JSON, request ids propagated through async contexts, log levels, and redacting PII like phone numbers before logs reach a third-party aggregator.

A graceful-shutdown bug means in-flight requests get dropped on every deploy, and users see errors each release. Implement proper shutdown in Express — signal handling, stopping new connections, draining keep-alives, closing pools — and how you'd verify it in staging.

Your team debates clustering Node across 8 cores versus running 8 containers behind a load balancer. Compare the approaches for your stateful WebSocket traffic, covering memory overhead, deploy granularity, sticky routing, and which failure modes each one isolates better.

Your orders table stores shipping address as a snapshot but the profile address keeps changing, and support sees mismatches. Explain when to snapshot versus reference data, and redesign the model so historical orders stay truthful.

A wallet feature needs balances that are always correct under concurrent top-ups and deductions. Design the ledger model — append-only entries versus mutable balance, database constraints, isolation levels — and explain how you'd prove correctness under load.

A products table grew a JSON 'attributes' column that now holds price overrides, tax flags, and search keywords. Decide what gets promoted to real columns, what stays JSON, and how you'd run that migration on a live table.

You must add audit history — who changed what, when — across thirty tables for a compliance requirement. Compare triggers, application-level event logging, and CDC into a separate store, covering query patterns auditors actually use and storage growth.

List queries got slow at two million rows, and your teammate wants to 'just add indexes everywhere.' Walk through how you'd read the query plan, choose composite index column order, and explain the write-amplification cost of over-indexing.

Your multi-tenant Postgres has one tenant at 80% of all rows, wrecking statistics and query plans for everyone else. Walk through your options — partitioning, dedicated instance, partial indexes — and the migration plan that doesn't take downtime.

You need to store user phone numbers for an India-first product: country codes, WhatsApp-versus-call preferences, and OTP delivery history. Model this so duplicates are caught despite formatting differences, and uniqueness survives users changing numbers.

A schema migration adding a NOT NULL column locked your busiest table for four minutes in production. Explain what happened, then lay out your safe-migration playbook: nullable-first, backfill in batches, validate, then constrain — and how CI enforces it.

Your app needs category trees five levels deep with 'show all products under this node' queries. Compare adjacency list, materialized path, and closure table for your read-heavy catalog, and explain which you'd pick with Postgres recursive CTEs available.

Reports run against the same Postgres serving live traffic, and month-end analytics now cause checkout timeouts. Design the separation — read replica with lag handling, materialized views, or a warehouse pipeline — and the criteria that would push you to each.

A unique constraint on email blocks a legitimate flow: users deleting accounts and re-registering later. Reconcile soft-delete with uniqueness — partial unique indexes, email recycling policy, tombstones — and what the signup API should tell the returning user.

Your team stores money as floats and finance found paise discrepancies in GST reports. Plan the remediation: choosing integer-paise or numeric types, migrating historical data, finding every calculation in Node that compounds the error, and proving the books reconcile after.

Product wants 'fields configurable per customer' — custom attributes on core entities with filtering and sorting. Compare EAV, JSONB with expression indexes, and per-tenant columns, and describe how the API and React form builder consume whichever model you choose.

A teammate proposes MongoDB for a new invoicing module 'because schemas slow us down.' Invoices need joins to customers, strict totals, and GST reporting. Make the call, and explain what you'd actually concede about Postgres developer friction.

Your session store, product catalog, and order system all live in one Postgres. Traffic is up tenfold after a funding round. Decide which workload, if any, you'd move to Redis or a document store first — with reasoning grounded in access patterns.

You're building a notifications inbox: billions of small records, always queried by user and recency, rarely updated, deleted after 90 days. Argue which store fits — Postgres partitions, Cassandra-style wide column, or DynamoDB — for a team that knows only SQL.

An earlier team chose MongoDB, and now product wants transactional inventory deductions across warehouses with strict consistency. Evaluate staying on Mongo transactions versus migrating the inventory domain to Postgres, including the dual-write dangers during any migration.

Your search page needs typo-tolerant text search over two lakh product names with filters. Compare stretching Postgres full-text search versus adding Elasticsearch — covering sync complexity, infra cost on a startup budget, and what user-visible difference justifies the second system.

You must design storage for a chat feature: ordered messages, read receipts, edit history, hot recent data, and cold archives. Lay out a polyglot approach versus single-store pragmatism, and identify the exact query that would break your simpler choice.

An IoT client streams ten thousand sensor readings per minute, and your Postgres insert pipeline is falling behind. Decide between tuning Postgres with batching and partitions or adopting a time-series store, and the operational cost each adds.

Leadership wants 'we should be on DynamoDB for scale' in the architecture review. Your access patterns are still evolving weekly. Make the senior argument about when single-table NoSQL design pays off and why premature key-design lock-in hurts a young product.

Your cart service uses Redis as the only store, and a node eviction wiped live carts during a sale. Re-evaluate Redis as primary storage versus cache, and design the durability fix — persistence settings, write-through to SQL, or accepting loss.

A recommendation feature needs 'users who bought X also bought Y' traversals three hops deep. Decide whether that justifies a graph database or whether precomputed tables in Postgres suffice, given one data engineer and a nightly batch window.

You're storing flexible vendor onboarding forms where fields differ per state regulator in India. Compare JSONB in Postgres against a document database for this, focusing on validation, reporting across heterogeneous documents, and future queries compliance might demand.

Your analytics events go to Postgres, which now holds 900 million rows and slows nightly jobs. Plan the migration to a columnar or warehouse solution: what stays relational, the backfill strategy, and how dashboards keep working mid-migration.

Your product API gets identical catalog requests thousands of times a minute. Walk through layering caching — CDN, Redis, in-process — for this read path, and define the invalidation trigger when a merchant edits a price.

After adding Redis caching, users intermittently see other users' account data. Diagnose how a cache key collision or middleware-level caching of authenticated responses causes this, the immediate mitigation, and the review checklist preventing recurrence.

Your homepage hits origin for every request although the content changes twice a day. Design the CDN strategy: cache-control headers, surrogate keys for purging, and how personalized header elements coexist with cached pages via edge includes or client fetch.

A celebrity endorsement sends a traffic spike that stampedes your cache on expiry, and the database folds. Explain the thundering-herd mechanics, then implement protections — request coalescing, stale-while-revalidate, jittered TTLs — and where each lives in your stack.

Users in Chennai see 600ms latency on assets served from your Mumbai origin. Walk through introducing a CDN for static assets and images: cache busting via hashed filenames, image variants for low-end devices, and measuring the improvement honestly.

Your team cached a paginated, filtered search endpoint and hit ratio is 4%. Analyze why high-cardinality keys defeat caching, then redesign — caching the underlying datasets, normalizing filter order in keys, or moving the cache below the query layer.

A bug fix deployed Friday isn't visible to half your users because the old JS bundle is cached on devices and edge nodes. Explain the layers involved and design an asset-versioning and HTML-caching policy so deploys propagate predictably.

You cache computed dashboards per user for five minutes, but an account-level permission revoke must reflect immediately. Design selective invalidation — tag-based purge, versioned keys, event-driven busting — and discuss what 'immediately' should actually promise in the SLA.

Your Redis instance hit memory limits and started evicting keys your code assumed always exist, causing checkout errors. Separate cache from storage in the design, choose eviction policies per keyspace, and add the fallbacks that make eviction safe.

An API response cached at the CDN included a Set-Cookie header and sessions got shared between users. Explain how this happens with misconfigured cache rules, the audit you'd run across endpoints, and the header hygiene you'd codify.

Your mobile API serves the same config payload on every app launch, costing real bandwidth for users on metered Indian data plans. Implement conditional requests with ETags end to end, and explain what changes in Express and the client.

You introduced an in-process LRU cache in Node, and now three instances serve three different versions of a merchant's profile for minutes. Decide between accepting bounded staleness, pub/sub invalidation, or centralizing in Redis — with the consistency contract you'd document.

Cache warming after deploys takes twenty minutes, during which your database runs hot and latency doubles. Design a warm-up strategy — pre-deploy priming, gradual traffic shifting, persisting cache across releases — and how you'd measure when it's safe to take full traffic.

Your order-status page polls every three seconds and the backend team is complaining about load. Compare moving to long polling, SSE, or WebSockets for this one-directional update flow, factoring in proxies and corporate firewalls common with enterprise clients.

Your WebSocket chat works on one Node instance but messages stop crossing instances once you scale to three. Design the fan-out layer — Redis pub/sub or a message broker — plus sticky sessions versus connection-aware routing, and the failure modes each adds.

Mobile users on patchy networks lose WebSocket connections silently and miss live auction bids. Implement the client resilience kit: heartbeats, exponential backoff reconnect, and a resume protocol that replays missed events without duplicating ones already rendered.

A live cricket-score widget must push updates to two lakh concurrent users during India matches. Walk through capacity planning for WebSocket connections on Node, when you'd switch to SSE or managed push infrastructure, and the cost model behind that call.

Your collaborative editor sends every keystroke over WebSocket and the server chokes during demos. Design the batching and throttling strategy on the client, the server-side coalescing, and how you keep perceived latency low while cutting message volume tenfold.

Authentication for your WebSocket layer currently passes a JWT in the connection URL, and it's showing up in proxy logs. Redesign socket auth — ticket exchange, first-message auth, cookie upgrade — and handle token expiry on connections that live for hours.

Product wants 'user is typing' and presence indicators in your support chat. Decide what state lives in memory versus Redis, how you expire presence on dirty disconnects, and why exact presence is the wrong thing to promise.

During deploys, all fifty thousand WebSocket clients reconnect simultaneously and the reconnect storm takes down your auth service. Design the drain-and-migrate deploy flow, jittered reconnects, and the server-sent close codes that tell clients how to behave.

A notification badge updates in real time on the active tab but users keep five tabs open, each holding its own socket. Design tab coordination — SharedWorker, BroadcastChannel, or leader election — so one connection serves all tabs.

Your real-time dashboard shows different numbers than the REST API because socket events and fetches race. Define the consistency model: event versioning, snapshot-then-stream ordering, and how the React layer reconciles a stale fetch arriving after newer pushed data.

An auction feature needs server-authoritative bid ordering with sub-second feedback to bidders across India. Design the path from bid click to confirmed broadcast: optimistic UI limits, server sequencing, rejection UX, and what you log to settle disputes later.

Your SSE-based activity feed dies behind a customer's corporate proxy that buffers responses. Walk through diagnosing buffered streaming, the headers and heartbeat workarounds you'd try, and the fallback transport strategy when the network actively fights you.

Your deploys require a frontend build and a backend migration, and last release the new UI hit an old API for six minutes. Design the deployment order and compatibility rules so either side can ship first safely.

Releases happen at midnight with a maintenance banner, and leadership wants daytime zero-downtime deploys. Lay out the path: health checks, rolling or blue-green strategy, backward-compatible migrations, connection draining — and the first two changes that unlock most of the value.

Your CI pipeline takes 35 minutes and developers have started bypassing it with hotfix pushes. Audit where the time goes — install, build, tests — and cut it under ten minutes with caching, parallelization, and test splitting, without losing safety.

A bad release corrupted some rows before you rolled back, and the rollback didn't fix the data. Design your release safety net: canary with real traffic, migration-rollback policy, data backfill runbooks, and the decision tree for roll-forward versus roll-back.

Environment-specific bugs keep appearing because staging uses different env vars and a shared database. Redesign environment parity: configuration as code, seeded isolated data, and which differences from production you'd deliberately keep for cost reasons.

You ship a React SPA and a Node API from one monorepo, and every commit redeploys both even for a README change. Design path-based selective builds, shared-package dependency awareness, and how you'd keep deploy provenance traceable per service.

Your frontend deploy succeeded but users report a white screen; the new bundle references a chunk the CDN hasn't got. Explain how atomic asset deploys should work, ordering uploads before HTML switchover, and keeping old chunks alive for open sessions.

Compliance now requires approvals and audit trails on production deploys, but you refuse to lose daily release cadence. Design the pipeline: protected environments, automated checks replacing human gates where defensible, and emergency-deploy paths that stay auditable.

A feature took three weeks on a long-lived branch, and the merge broke main for a day. Make the trunk-based case to your team: feature flags over branches, small PRs, and what CI must guarantee for it to work.

Your startup deploys to a single Mumbai region, and an AWS ap-south-1 incident took you down for four hours. Weigh multi-region active-passive against better single-region resilience, covering data replication, DNS failover, and the honest cost for a Series-A budget.

Secrets are currently committed in an encrypted env file that three ex-employees can still decrypt. Migrate to a secrets manager: rotation plan, runtime injection for Node and build-time needs for React, and scrubbing history without breaking old releases.

Two squads deploy to the same Express service and keep stepping on each other's releases. Design the coordination: deploy queues versus decoupling the service, ownership boundaries, release trains versus continuous deploys, and the team conversation behind the technical fix.

Your canary deploys pass health checks but a payment bug still reached 100% of users because health means 'process up.' Redesign release verification: golden metrics per deploy, automated rollback triggers, and synthetic transactions that exercise the money path.

Your Node Docker image is 1.4GB and builds take twelve minutes in CI. Walk through slimming it — multi-stage builds, layer-order for dependency caching, choosing a base image — and the measurable targets you'd set before calling it done.

It works in the container locally but crashes in production with file-permission errors. Explain root-versus-non-root containers, filesystem expectations across your laptop and the orchestrator, and the Dockerfile and runtime conventions you'd standardize team-wide.

New developers take two days to get the stack running: Postgres, Redis, the API, the React app, and seed data. Design the docker-compose developer environment with one-command startup, and decide what still runs natively for fast frontend iteration.

Your containerized Node app gets OOM-killed in Kubernetes though local profiling shows modest memory. Explain how container memory limits interact with Node's heap defaults, the flags and limits you'd align, and the load test proving the fix.

Your React build bakes the API URL in at build time, so you rebuild the image per environment. Redesign for build-once-deploy-anywhere: runtime config injection, the trade-offs of window-config versus templated files, and keeping local dev simple.

A vulnerability scanner flags 200 CVEs across your service images the week before an enterprise security review. Triage realistically: base-image strategy, rebuild automation on upstream patches, distinguishing exploitable findings from noise, and the ongoing process so this never piles up again.

Hot reload doesn't work in your containerized dev setup and the team reverted to running Node on bare metal. Fix the inner loop: bind mounts versus rebuilds, file-watching quirks across OSes, and node_modules strategy inside versus outside the container.

Your staging environment diverged from production — different image tags, manual hotfixes applied via SSH into containers. Re-establish discipline: immutable images, tag promotion across environments instead of rebuilds, drift detection, and how you'd handle the next 'just SSH and fix it' emergency.

Database migrations currently run on container startup, and two replicas booting together raced and corrupted the migration table. Redesign where migrations execute — init containers, pipeline steps, manual gates — and the locking that makes concurrent attempts safe.

Per-PR preview environments would transform your review culture, but a full stack copy costs too much. Design lightweight ephemeral environments: shared versus isolated databases, seeded data strategy, TTL-based teardown, and which integrations get stubbed.

Your Node container shows healthy while its event loop is fully blocked, so the orchestrator keeps routing traffic to it. Design real liveness and readiness probes for Node services, what each should check, and the restart-loop dangers of overly aggressive probes.

Logs from your containers vanish on restart and the last crash left no trace. Set up the container logging pipeline: stdout discipline, log drivers, aggregation, and what you'd capture so the next 3 a.m. crash is diagnosable from your phone.

A user reports 'the page is broken' with no console errors and no failed API calls visible to support. Walk through your triage path across browser, network, API, and database layers, and the instrumentation gap this incident reveals.

Checkout fails for roughly 2% of users, only on Android Chrome, only in production, and you cannot reproduce it. Lay out your systematic approach: session replay, error tracking enrichment, cohort analysis, and the hypothesis tree you'd work through.

An API returns 200 with correct JSON in Postman but the React app renders empty. Enumerate the layers you'd check — CORS preflight, response interceptors, state mapping, conditional rendering — and the fastest way to bisect frontend versus backend.

A request travels React → CDN → gateway → Express → Postgres, and p99 latency tripled yesterday with no deploys. Design the elimination process using distributed traces, and explain what you'd do if tracing was never set up in the first place.

A bug appears only when users navigate from the listing page to detail and back twice. Reason about what categories of state cause navigation-sequence bugs — stale caches, effect cleanup, URL-state drift — and how you'd reproduce it deterministically.

Orders intermittently show as paid in the app but unpaid in the finance dashboard. Trace the data flow across the payment webhook, queue consumer, and two read models, and explain how you'd find where the events diverge — and backfill correctly.

Your error tracker shows a spike of 'undefined is not a function' from minified production bundles. Set up the path from useless stack traces to actionable ones — source maps, release tagging, user context — without leaking source code publicly.

A heisenbug disappears whenever you add logging and reappears in release builds. Discuss what classes of bugs behave this way — races, timing, optimization differences — and the non-invasive observation techniques you'd use to corner it in production.

Support escalates that a specific enterprise customer sees yesterday's data while everyone else is current. Walk the suspects in order — CDN edge, Redis key, replica lag, client cache — and the request headers and probes that exonerate each.

At 7 p.m. IST daily, API errors spike for ten minutes and self-heal before anyone can attach a profiler. Design the always-on capture you'd deploy — continuous profiling, scheduled diagnostics, traffic correlation with cron jobs and backups — to convict the cause.

A form submission works locally but production returns 413 errors for some users uploading scanned documents. Trace the size-limit chain — client validation, proxy body limits, Express limits, storage rules — and how you'd align them coherently.

After a dependency upgrade, one report endpoint silently returns wrong totals — no errors anywhere. Discuss how you'd catch silent correctness regressions: characterization tests, shadow-running old versus new code paths, and the data reconciliation that quantifies blast radius.

Two services log the same order with conflicting timestamps and your incident timeline makes no sense. Untangle clock skew, logging-pipeline delays, and timezone handling across IST and UTC — and standardize event-time discipline so postmortems stop arguing about ordering.

Your product listing page takes five seconds on a mid-range phone over 4G in a tier-2 city. Walk through how you'd attribute the time across DNS, TTFB, bundle, images, and API calls before touching any code.

You have one sprint to improve checkout conversion, and analytics says page speed is the blocker. Prioritize across bundle splitting, API latency, image weight, and render-blocking scripts — using what measurement to rank them, and what you'd explicitly skip.

An endpoint aggregates data from four tables and takes 1.8 seconds. Walk through your optimization ladder — query plan, indexes, denormalization, caching, precomputation — and the criteria for stopping at each rung instead of climbing further.

Your app's p50 is fine but p99 is ten seconds, and your biggest customer lives in that tail. Investigate tail latency across the stack — GC, lock contention, cold caches, heavyweight tenants — and explain why averages hid this for months.

Your React bundle is 2.3MB and most of it is libraries used on two admin screens. Plan the diet: route-level code splitting, dependency audit with bundle analysis, replacing heavy libraries, and the budget you'd enforce in CI afterwards.

A classic N+1: the orders API runs 300 queries per request after someone added a per-row enrichment. Fix it with batching or joins, but also answer the systemic question — how do you make N+1s visible in development before they ship?

Image-heavy pages drag on Indian mobile networks: product photos average 800KB each. Design the image pipeline — responsive srcsets, modern formats, lazy loading, CDN transforms — and how you'd verify real-user improvement rather than lab scores.

Leadership wants 'sub-second everything' but gives no infra budget. Negotiate the performance SLO realistically: pick percentile targets per journey, identify which wins are free, which need architecture, and how you'd present the cost-latency curve to non-engineers.

A search-as-you-type box fires an API call per keystroke, hammering the backend and showing flickering results. Implement the full fix — debouncing, request cancellation, minimum query length, server-side rate limits — and explain how each layer contributes.

After scaling API pods, throughput didn't improve — the database is the ceiling. Walk through confirming saturation, then your sequencing of connection pooling, read replicas, query optimization, and caching, including which combination risks making things worse.

Scrolling a 5,000-row transactions table janks badly even after pagination of the API. Decide between virtualized rendering, server-driven windowing, and rethinking the UX entirely — and what the DevTools performance tab would show you to justify the choice.

Your Node service spends 30% of CPU on JSON serialization of giant API responses. Attack it from both ends: response shaping and field selection in the contract, streaming serialization, compression trade-offs, and the frontend changes that let payloads shrink.

A B2B customer demo in Singapore was embarrassingly slow because everything runs from Mumbai. Without going multi-region for the database, design the latency mitigation — edge caching, regional API read paths, asset distribution — and quantify what each layer can realistically save.

A security researcher emails that your order endpoint returns any order if you increment the ID. Fix the IDOR class properly — object-level authorization, unguessable identifiers as defense-in-depth — and describe the codebase-wide audit for sibling bugs.

You're preparing for your first enterprise security questionnaire. Walk through hardening a typical React-Express-Postgres stack end to end — headers, dependency scanning, secrets, least-privilege database roles, audit logging — and what you'd honestly mark as 'roadmap' versus done.

Marketing added a rich-text testimonial widget that renders user-submitted HTML, and you spot it in review. Explain the XSS risk concretely, the sanitization approach across input and output, and why React's defaults alone don't save you here.

An attacker scripted your OTP login and is enumerating phone numbers of Indian users. Design layered abuse protection — rate limits per device and number, CAPTCHA escalation, anomaly detection, response uniformity that prevents enumeration — without wrecking legitimate login conversion.

Your file-upload feature accepts resumes, and a tester uploaded an HTML file that executes when viewed from your domain. Walk through the complete fix: content-type validation, serving from an isolated domain, storage permissions, and virus scanning placement.

A dependency audit shows a transitive package with a critical RCE in your Express app, but upgrading breaks two other libraries. Manage the situation: exploitability assessment, temporary mitigations at the gateway, fork-or-patch decisions, and the disclosure clock you're racing.

You find SQL string concatenation in a legacy reporting module that takes user filters. Plan the remediation across forty queries: parameterization, query-builder migration, the regression risk in subtle filter behavior, and the lint rule that prevents new occurrences.

Your app stores PAN and bank details for payouts, and a DPDP-style data-protection review is coming. Design the data-security posture: field-level encryption, key management, masking in logs and support tools, access audit trails, and deletion workflows that actually delete.

CSRF protection was disabled 'temporarily' when the team moved to cookie-based sessions for the SPA, eight months ago. Explain the actual attack scenario against your app, then implement the fix — SameSite policy, token approach — without breaking the mobile WebView.

A former employee's API key was found in a public GitHub repo, used by a scraper for three weeks. Run the incident: revocation, blast-radius analysis from access logs, customer notification judgment, and the secrets lifecycle controls you'd institute after.

Pen testers chained a verbose error page, a debug endpoint left in production, and an overly permissive CORS policy into data access. None alone seemed critical. Discuss defense-in-depth failures here and how you'd restructure release checks to catch 'minor' exposures.

Your admin panel is on admin.yourapp.in protected only by login. Layer the access controls — IP allowlisting versus VPN, MFA enforcement, separate session policy, audit logging — and justify the friction to internal users who will complain.

You're integrating Razorpay for subscriptions, and the webhook sometimes arrives before your create-order API call returns. Design the integration so payment confirmation is correct regardless of arrival order, including signature verification and the reconciliation job behind it.

UPI payments show success on the user's app but your payment gateway callback never arrives for some transactions. Design the pending-payment state machine, status-polling fallback, user communication during limbo, and the daily reconciliation against settlement reports.

Transactional emails — OTPs, receipts, password resets — go through one provider, and yesterday it had a four-hour outage. Design the failover: multi-provider abstraction, queue-backed sending with retries, and which message types justify SMS or WhatsApp fallback in India.

Your refund flow calls the payment gateway, updates the order, and emails the customer — and a partial failure left a customer refunded twice. Redesign with idempotency keys, a saga or outbox pattern, and the manual-intervention dashboard for stuck states.

Product wants invoices auto-pushed to customers' Tally and Zoho Books accounts. Scope the integration honestly: OAuth connection management, mapping your models to theirs, handling their rate limits, and what you'd build as generic export instead of deep integration.

A flaky shipping-partner API with 8% error rates sits in your checkout critical path for serviceability checks. Restructure the dependency: caching pin-code serviceability, async verification with optimistic acceptance, circuit breaking, and the business conversation about who owns the failure cost.

Your WhatsApp Business API notifications get your number rate-limited when a marketing batch and transactional OTPs share the channel. Separate the concerns: queue prioritization, template categories, per-category throughput budgets, and monitoring that catches quality-rating drops early.

You must support three payment gateways — Razorpay, PayU, Stripe for international — behind one checkout. Design the abstraction layer: normalized statuses and webhooks, per-gateway quirks isolation, routing rules by card type and geography, and how you test each path.

The CRM integration you built does a full sync every hour, and the vendor just throttled you. Move to incremental sync: change detection on your side, their delta APIs or webhooks, conflict rules when both systems edited a contact.

A vendor is sunsetting the SMS API your OTP flow depends on, with ninety days' notice and ten million sends a month. Plan the migration: parallel-running providers, traffic shifting with delivery-rate comparison by telecom circle, and rollback criteria.

Your payment webhook endpoint went down for two hours during a deploy, and the gateway's retries expired. Design recovery: replay via the gateway's API, detecting the gap from your own order states, and the alerting that catches webhook silence within minutes.

Finance reports a 0.3% mismatch between your orders database and the payment gateway's settlement files every month. Build the reconciliation system: ingesting settlement reports, matching with tolerance rules, classifying mismatches, and the workflow for resolving each category.

Your team has 400 unit tests, all green, yet production bugs are mostly integration failures between the React app and the API. Rebalance the test portfolio: contract tests, a thin E2E layer, and what you'd stop writing entirely.

You're asked to introduce testing to a legacy full-stack codebase with zero tests and weekly regressions. Sequence the first ninety days: characterization tests around the riskiest flows, seams for testability, CI gates — and the metrics proving it's working.

Your E2E suite of 120 Cypress tests fails randomly and the team now reruns until green. Diagnose the flakiness sources — async waits, shared test data, environment drift — and decide which tests to fix, quarantine, or delete.

Frontend and backend teams keep breaking each other despite both having tests, because each mocks the other optimistically. Implement consumer-driven contract testing: who owns contracts, how CI enforces them on both sides, and handling a contract change that's genuinely needed.

You need to test a checkout flow that depends on a payment gateway sandbox that's slow and rate-limited. Decide what gets a fake, what hits the sandbox nightly, and how you keep the fake honest as the gateway evolves.

A serious bug shipped despite 85% coverage, and leadership now wants 95% mandated. Push back constructively: explain why coverage percentage misled, propose mutation testing or critical-path risk coverage instead, and the review-process change that would actually have caught the bug.

Database-dependent tests share one dev database and fail when run in parallel. Redesign test data management: per-worker isolated schemas or transactions rolled back per test, factory functions over fixtures, and the speed trade-offs of each isolation level.

Your team must validate a money-moving reconciliation job where bugs mean real financial loss, but staging data never matches production's messiness. Design the safety strategy: property-based tests on invariants, anonymized production replays, shadow runs comparing outputs, and sign-off criteria.

Visual bugs keep slipping through — broken layouts on smaller screens that unit tests can't see. Evaluate adding visual regression testing: snapshot scope, handling intentional design changes, flake from fonts and animations, and whether the maintenance tax pays for itself.

You're defining the CI quality gate for a ten-developer full-stack team shipping daily. Decide what runs on every PR versus nightly versus pre-release, the maximum acceptable PR feedback time, and which failures block merges versus only alert.