6.8 — Exercise Questions: Production Hardening
Practice questions for all three subtopics in Section 6.8. Mix of conceptual, implementation, and scenario-based tasks.
How to use this material (instructions)
- Read lessons in order — README.md, then 6.8.a → 6.8.c.
- Answer closed-book first — then compare to the matching lesson.
- Code the implementations — spin up an Express server and test.
- Interview prep — 6.8-Interview-Questions.md.
- Quick review — 6.8-Quick-Revision.md.
6.8.a — Rate Limiting (Q1–Q12)
Q1. Why is rate limiting considered mandatory for production APIs? Name at least four problems that occur without it.
Q2. Explain the fixed-window rate limiting algorithm. Draw a timeline showing how a client with a limit of 10 requests per minute could exploit the boundary to send 20 requests in 2 seconds.
Q3. How does the sliding window counter algorithm solve the burst problem of fixed-window? Show the weighted calculation if the previous window had 80 requests, the current window has 30, and we are 40% into the current window.
Q4. Compare the token bucket and leaky bucket algorithms. Which allows controlled bursts and which enforces perfectly smooth output? When would you choose each?
Q5. Write the Express middleware configuration using express-rate-limit that applies: (a) 100 requests per 15 minutes globally, (b) 5 login attempts per 15 minutes on /api/auth/login, (c) 10 writes per minute on POST endpoints.
Q6. What are the standard rate limit response headers? Write the headers that should appear on both a successful (200) response and a rate-limited (429) response.
Q7. Why does in-memory rate limiting break in a multi-server deployment? Describe the Redis-based solution and draw the architecture.
Q8. Explain tiered rate limiting by plan. Write the configuration for free (10/min), basic (100/min), pro (1000/min), and enterprise (10000/min) tiers.
Q9. What is the difference between gateway-level and service-level rate limiting in a microservices architecture? Why should you use both?
Q10. A company using your API has 500 employees behind one corporate NAT. They collectively hit your per-IP rate limit. How do you solve this?
Q11. Write a Lua script (pseudocode) for an atomic sliding window rate limiter in Redis. Why must this be atomic?
Q12. Hands-on: Implement an Express app with express-rate-limit and rate-limit-redis. Test it by making rapid requests with curl or a script. Verify that (a) rate limit headers appear, (b) 429 is returned after exceeding the limit, (c) the limit works across two server instances.
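A worked sliding window counter to check your answers to Q2 and Q3 against (added example, not code from the lesson; the key, timestamps and limits are constructed, and windows are keyed by ms timestamps so the numbers can be replayed deterministically):

```javascript
// Sliding window counter limiter: per key it keeps a count for the current fixed
// window and the previous one, weighting the previous count by how much of it overlaps.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { windowStart, current, previous }
  }
  // Bucket for key, rolled forward to the fixed window that contains t (ms).
  bucketAt(key, t) {
    const windowStart = Math.floor(t / this.windowMs) * this.windowMs;
    let b = this.buckets.get(key);
    if (!b) {
      b = { windowStart, current: 0, previous: 0 };
      this.buckets.set(key, b);
    } else if (windowStart !== b.windowStart) {
      // The old current count counts as "previous" only if it is the adjacent window.
      b.previous = windowStart - b.windowStart === this.windowMs ? b.current : 0;
      b.current = 0;
      b.windowStart = windowStart;
    }
    return b;
  }
  // previous * (1 - fraction of the current window elapsed) + current
  estimate(key, t) {
    const b = this.bucketAt(key, t);
    return b.previous * (1 - (t - b.windowStart) / this.windowMs) + b.current;
  }
  // Records the request and returns true if under the limit; false means 429.
  allow(key, t = Date.now()) {
    if (this.estimate(key, t) >= this.limit) return false;
    this.bucketAt(key, t).current += 1;
    return true;
  }
}
// Q3 numbers: 100/min, 80 in the previous window, 30 in the current, 40% in.
function q3Estimate() {
  const l = new SlidingWindowLimiter(100, 60000);
  for (let i = 0; i < 80; i++) l.allow('client', 30000); // window 0-60s
  for (let i = 0; i < 30; i++) l.allow('client', 84000); // 24s into 60-120s
  return l.estimate('client', 84000); // 80 * 0.6 + 30 = 78
}
// Q2 boundary burst: 10 at 0:59 then 10 at 1:01 with a 10/min limit. A fixed
// window accepts all 20; here only one request of the second batch passes.
function q2BoundaryBurst() {
  const l = new SlidingWindowLimiter(10, 60000);
  let allowed = 0;
  for (let i = 0; i < 10; i++) if (l.allow('c', 59000)) allowed++;
  for (let i = 0; i < 10; i++) if (l.allow('c', 61000)) allowed++;
  return allowed; // 11
}
```

In production the bucket map lives in Redis (see Q7 and Q11) so that all instances share the same counts; the arithmetic is identical.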
6.8.b — CORS and Secure Headers (Q13–Q24)
Q13. Explain the Same-Origin Policy in your own words. What constitutes an "origin" and what three parts must match?
Q14. What is the difference between a simple CORS request and a preflight request? Name three conditions that trigger a preflight.
Q15. Write the full CORS configuration for a production Express API that: (a) allows requests from https://app.example.com and https://admin.example.com, (b) supports credentials (cookies), (c) exposes rate limit headers to the frontend, (d) caches preflight for 24 hours.
Q16. Why can you never combine Access-Control-Allow-Origin: * with credentials: true? What happens in the browser if you try?
Q17. A developer sets CORS by reflecting the incoming Origin header back in Access-Control-Allow-Origin without validation. Why is this as bad as using *?
Q18. Your frontend at https://app.example.com makes a fetch() to https://api.example.com. It works for GET but fails for PUT. The error says "CORS preflight failed." What is likely missing?
Q19. List the security headers that helmet() sets by default. For each one, write a one-sentence description of what attack it prevents.
Q20. Write a Content-Security-Policy directive that: (a) only allows scripts from your own origin and a specific CDN, (b) blocks all plugins and iframes, (c) allows images from your origin and data URIs, (d) forces HTTPS for all resources.
Q21. Explain the three SameSite cookie values (Strict, Lax, None). For each, describe a real use case where it is the right choice.
Q22. What is HSTS and why is the preload directive significant? What risk does HSTS introduce if your SSL certificate expires?
Q23. Your security audit says the server responds with X-Powered-By: Express. Why is this a problem and how do you fix it with one line of code?
Q24. Hands-on: Create two Express servers on different ports (3000 and 4000). Have the server on 4000 serve a page that fetches from the API on 3000. Observe the CORS error, then configure CORS on port 3000 to allow port 4000. Verify preflight for a PUT request.
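An allow-list CORS handler covering Q15 through Q18, written as pure functions so the header logic can be checked without a browser (added example, not the lesson's code; the two origins are taken from Q15, the exposed header names from the Q6 hint, and the request objects below are constructed):

```javascript
// Allow-list CORS for an Express-style API. The Origin header is echoed only when it
// matches the list; reflecting any origin, or '*' with credentials, lets any site read responses.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = 'GET,HEAD,POST,PUT,PATCH,DELETE';
const ALLOWED_HEADERS = 'Content-Type,Authorization';
const EXPOSED_HEADERS = 'RateLimit-Limit,RateLimit-Remaining,RateLimit-Reset,Retry-After';
// CORS headers for a request from `origin`; empty when it is not allowed, so the
// browser blocks the response rather than the server guessing.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // exact match, never '*'
    'Vary': 'Origin', // shared caches must not replay one origin's headers to another
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Expose-Headers': EXPOSED_HEADERS,
  };
}
// Pure handler: { method, headers } -> { status, headers }; status null means
// "set the headers and continue to the route".
function handleCors(req) {
  const headers = corsHeaders(req.headers.origin);
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!preflight) return { status: null, headers };
  if (!headers['Access-Control-Allow-Origin']) return { status: 204, headers: {} }; // preflight fails
  return {
    status: 204,
    headers: {
      ...headers,
      'Access-Control-Allow-Methods': ALLOWED_METHODS, // PUT is listed, the Q18 failure mode
      'Access-Control-Allow-Headers': ALLOWED_HEADERS,
      'Access-Control-Max-Age': '86400', // browsers may cache the preflight for 24h
    },
  };
}
// Browser-side view of a preflight response: would the real request be sent?
function preflightPasses(result, origin, method) {
  const h = result.headers;
  return h['Access-Control-Allow-Origin'] === origin &&
    (h['Access-Control-Allow-Methods'] || '').split(',').includes(method);
}
// Express wiring, e.g. app.use(corsMiddleware); Express lower-cases req.headers keys.
function corsMiddleware(req, res, next) {
  const result = handleCors({ method: req.method, headers: req.headers });
  for (const [k, v] of Object.entries(result.headers)) res.setHeader(k, v);
  if (result.status !== null) return res.status(result.status).end();
  next();
}
```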
6.8.c — DDoS Protection (Q25–Q36)
Q25. Name and describe the three types of DDoS attacks (volumetric, protocol, application layer). Which is the most dangerous for a Node.js API and why?
Q26. Explain the Slowloris attack. Why is it particularly effective against Node.js, and how do you configure Express/Node.js server timeouts to mitigate it?
Q27. What is the difference between AWS Shield Standard and AWS Shield Advanced? When should a company pay $3,000/month for Advanced?
Q28. How does CloudFront act as a DDoS protection layer? Draw the traffic flow from attacker through CloudFront to your origin server.
Q29. List five types of WAF rules and explain what each blocks. Which AWS managed rule set would you enable first?
Q30. Write Express middleware that: (a) limits connection count to 1000, (b) enforces 30-second request timeouts, (c) limits JSON body to 1MB.
Q31. Explain geo-blocking at two levels: (a) at the WAF/CloudFront level, (b) at the application level. Why is WAF-level preferred?
Q32. Your API has an expensive /api/reports/generate endpoint that takes 30 seconds to process. During a DDoS, attackers hammer this endpoint. How do you protect it with queue-based processing?
Q33. What is the "defense in depth" principle as applied to DDoS protection? Draw the layers from internet to application.
Q34. A junior developer says "we have CloudFront and WAF, so we don't need application-level rate limiting." Write a scenario that proves them wrong.
Q35. Why is bot detection based solely on user-agent strings unreliable? What do production bot detection systems (AWS WAF Bot Control, CloudFlare) use instead?
Q36. Design exercise: Sketch a complete DDoS defense architecture for an e-commerce platform that uses CloudFront, ALB, ECS, and RDS. Label every protection layer and its role.
Answer Hints
| Q | Hint |
|---|---|
| Q2 | 10 requests at 0:59 + 10 at 1:01 = 20 in 2 seconds |
| Q3 | (80 x 0.60) + 30 = 48 + 30 = 78; under 100 = allowed |
| Q6 | RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset; 429 adds Retry-After |
| Q10 | Use API key-based rate limiting instead of IP-based |
| Q14 | Custom headers, methods other than GET/HEAD/POST, content-type other than form-data/text/url-encoded |
| Q16 | Browser refuses to expose the response; spec forbids wildcard with credentials |
| Q18 | Server does not handle OPTIONS preflight or does not include PUT in Access-Control-Allow-Methods |
| Q22 | HSTS preload is baked into browser binaries; cert expiry = complete lockout |
| Q23 | app.disable('x-powered-by') or use helmet() which removes it |
| Q26 | Node.js is single-threaded; occupied connections block the event loop's connection pool |
| Q27 | Shield Standard = free L3/L4 auto-protection; Advanced = DDoS response team, cost protection, advanced detection |
| Q30 | server.on('connection') for tracking; server.timeout for timeouts; express.json({ limit: '1mb' }) for body |
| Q34 | L7 flood with valid requests from many IPs passes WAF rate limits but exhausts DB connections or CPU |