Top Backend Developer Interview Questions & Answers

17 min read · Updated April 10, 2025
Tags: backend, API design, databases
Backend developer interviews focus on your ability to build reliable, scalable server-side systems. You'll be tested on API design, database modeling, authentication, concurrency, and architectural patterns. This guide covers the most commonly asked backend interview questions with answers that demonstrate production-grade thinking — not just textbook knowledge.

API Design & REST

API design questions test whether you can build interfaces that are intuitive, consistent, and scalable.

REST API best practices to know:
• Use nouns for resources, HTTP verbs for actions
• Consistent naming (plural nouns: /users, /orders)
• Proper status codes (201 Created, 404 Not Found, 422 Unprocessable)
• Pagination, filtering, and sorting patterns
• Versioning strategies (URL path vs. header)

Q1. What are the differences between REST and GraphQL? When would you choose each?

intermediate
REST:
• Fixed endpoints, each returning a predefined data shape
• Simple to cache (HTTP caching works natively)
• Multiple round trips for complex data needs

GraphQL:
• Single endpoint, client specifies exact data needed
• Eliminates over-fetching and under-fetching
• Harder to cache, more complex server implementation

Choose REST when:
• Simple CRUD operations
• Caching is critical (CDN-friendly)
• Team is small and doesn't want schema maintenance overhead

Choose GraphQL when:
• Frontend needs vary significantly across clients (mobile, web, embedded)
• Complex nested data relationships
• Reducing network round trips matters (slow connections)

Hybrid approach: Many companies use REST for simple services and GraphQL as a BFF (Backend for Frontend) aggregation layer.

Database Design

Database questions test your ability to model data, write efficient queries, and choose appropriate storage systems.

Q2. Explain database indexing. When should you add an index, and when shouldn't you?

intermediate
What an index does: Creates a separate data structure (usually a B-tree) that allows the database to find rows without scanning the entire table. Like a book's index: look up a term and jump directly to the right page.

When to add an index:
• Columns frequently used in WHERE clauses
• Columns used in JOIN conditions
• Columns used in ORDER BY or GROUP BY
• Foreign key columns

When NOT to index:
• Small tables (full scan is fast enough)
• Columns with very low cardinality (e.g., boolean, only 2 values)
• Tables with heavy write workloads (each insert/update must also update the index)
• Columns rarely queried

Types of indexes:
• B-tree: Default, good for range queries and equality
• Hash: Faster for exact equality, no range support
• GiST/GIN: For full-text search, geometric data (PostgreSQL)
• Composite: Multi-column index, column order matters
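The effect of an index, and of column order in a composite index, can be read straight from the query planner. The following is an added example, not part of the original guide; it uses SQLite from Python's standard library, and the orders table, its data and the index name are constructed for the demonstration.

```python
import sqlite3

def plan(conn, sql, params=()):
    """Return the human-readable steps of SQLite's EXPLAIN QUERY PLAN."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return [row[3] for row in rows]  # column 3 is the 'detail' text

def index_demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, "
        "created_at TEXT, total REAL)"
    )
    # Constructed sample data: 5000 orders spread over 500 customers.
    conn.executemany(
        "INSERT INTO orders (customer_id, created_at, total) VALUES (?, ?, ?)",
        [(i % 500, f"2025-01-{i % 28 + 1:02d}", i * 1.5) for i in range(5000)],
    )
    by_customer = "SELECT * FROM orders WHERE customer_id = ?"
    by_date = "SELECT * FROM orders WHERE created_at = ?"

    # No index yet: the WHERE clause forces a full table scan.
    before = plan(conn, by_customer, (42,))

    # Composite index with customer_id as the leading column.
    conn.execute(
        "CREATE INDEX idx_orders_cust_date ON orders (customer_id, created_at)"
    )
    # Filtering on the leading column: the planner searches the index.
    after = plan(conn, by_customer, (42,))
    # Filtering only on the trailing column: the index cannot be used to
    # seek, so the planner falls back to scanning the table.
    trailing_only = plan(conn, by_date, ("2025-01-05",))
    conn.close()
    return before, after, trailing_only

if __name__ == "__main__":
    for label, steps in zip(("before", "after", "trailing only"), index_demo()):
        print(f"{label:>14}: {steps}")
```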

Authentication & Security

Security questions are increasingly common in backend interviews.

Q3. Explain the difference between authentication and authorization. How would you implement both?

intermediate
Authentication = "Who are you?" (identity verification)
Authorization = "What can you do?" (permission checking)

Common authentication approaches:
1. Session-based: Server stores session state; client sends session cookie. Simple but doesn't scale horizontally without shared session store (Redis).
2. JWT (JSON Web Token): Stateless token containing user claims. Server validates signature without database lookup. Scales horizontally but can't be revoked easily (use short expiry + refresh tokens).
3. OAuth 2.0 / OIDC: Delegated authentication via a provider (Google, GitHub). Use for "Sign in with X" flows.

Authorization patterns:
• RBAC (Role-Based): Users have roles; roles have permissions. Simple and sufficient for most apps.
• ABAC (Attribute-Based): Policies based on user attributes, resource attributes, and context. More flexible but more complex.

Security essentials:
• Hash passwords with bcrypt (never store plaintext)
• Use HTTPS everywhere
• Implement rate limiting on auth endpoints
• CSRF protection for cookie-based auth
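The two steps side by side, as an added example that is not part of the original guide: a short-lived HS256 JWT is verified to establish identity (authentication), then an RBAC table decides what that identity may do (authorization). The secret, role names and permission strings are constructed for the demonstration, and the token handling is written out with the standard library only to make each check visible.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key, demo value only
ROLE_PERMISSIONS = {  # assumption: hypothetical RBAC table (role -> permissions)
    "admin": {"orders:read", "orders:refund"},
    "support": {"orders:read"},
}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub, role, ttl=300, now=None):
    """Issue a short-lived token; a short expiry stands in for revocation."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": sub, "role": role, "exp": now + ttl}).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{b64url_encode(sign(signing_input))}"

def authenticate(token, now=None):
    """Authentication ("who are you?"): return verified claims, or None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(sign(f"{header_b64}.{body_b64}"), b64url_decode(sig_b64)):
            return None  # signature mismatch (constant-time comparison)
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    return claims if claims["exp"] > now else None  # reject expired tokens

def authorize(claims, permission):
    """Authorization ("what can you do?"): RBAC lookup on the verified role."""
    return permission in ROLE_PERMISSIONS.get(str(claims.get("role")), set())

if __name__ == "__main__":
    claims = authenticate(issue_token("alice", "support"))
    print(claims["sub"], authorize(claims, "orders:read"), authorize(claims, "orders:refund"))
```

A valid token only proves identity; every protected action still needs its own `authorize` check against the verified claims.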

Frequently Asked Questions

What programming languages are best for backend development?

The most in-demand: Python (Django/FastAPI), JavaScript/TypeScript (Node.js), Java (Spring Boot), Go (high-performance services), and Rust (systems programming). Choose based on the role — startups often prefer Python/Node; enterprises lean toward Java/Go.

How deep should I understand databases for backend interviews?

You should understand indexing, normalization, transactions (ACID), query optimization, and the tradeoffs between SQL and NoSQL. For senior roles, also know replication, sharding, and connection pooling.

Are microservices always better than monoliths?

No — microservices add significant operational complexity (networking, deployment, debugging). Start with a well-structured monolith and extract services only when specific scalability, team, or deployment needs demand it. Many successful companies run monoliths at scale.
