Index · Interview talking points
1 min readRapid overview
Interview talking points
- Lead with the distinction: authentication vs authorization — and state that A01 is almost always an authorization failure, enforced inconsistently or in the wrong place (client, not server).
- Define IDOR crisply and give the fix in one sentence: scope the lookup to the authenticated principal and return 404 on miss — show you'd put the check in the query, not as an afterthought.
- Name horizontal vs vertical privilege escalation with a one-line example of each; it signals you think about both data ownership and function-level roles.
- Argue for deny-by-default as the architectural property that makes "we forgot a check" non-fatal, and pair it with least privilege across users and service accounts/tokens/DB connections.
- Call out the four classic trust mistakes: trusting client IDs, client roles, UI-only checks, and unverified JWT claims — and that fixing them means deriving identity and privilege from the server-side session or a verified token.
- Mention centralize the decision, enforce at the resource: a policy middleware or authorization service so checks aren't forgotten, applied uniformly across REST/GraphQL/gRPC/websockets and admin/batch jobs.
- Bring up force-browsing and metadata endpoints (Actuator, Swagger, GraphQL introspection,
.git, cloud metadata) — production hardening matters, and obscurity is not a control. - Close with defense-in-depth and detection: opaque IDs, rate limiting, anomaly alerting on enumeration patterns, and logging authorization denials — controls fail, so detect abuse and fail closed.