Security
Security capstone: free-recall review
Retrieval beats re-reading. For each prompt, reconstruct a full answer from memory before opening the model answer — and notice that every one forces you to connect two or more units of the track, because that is where real systems break.
Reconstruct the track’s spine without looking back: defense in depth, AuthN vs AuthZ, how token controls compose, why fast hashes lose, why rotation (not deletion) ends a secret leak, and why your dependencies are your attack surface.
1. State the central thesis of the whole security track in your own words, using one concrete cross-layer example.
2. Explain the difference between an OIDC ID token and an OAuth access token, and the validation an API must perform before trusting either.
3. Walk through the JWT-in-localStorage seam: why a perfectly minted token still gets stolen, and what composing controls looks like.
4. A breach dumps the users table. Explain why the storage choice made years earlier decides how bad Monday is.
5. Why is rotating a leaked secret the only real fix, and how does this connect to least privilege and blast radius across the track?
6. Your application code is flawless. Explain why you can still be fully compromised, and the defenses that address it.
If you reconstructed each answer from memory, you hold the track’s spine: defense in depth assumes every control fails, so the breach lives in the seam — AuthN proves who, AuthZ decides what they may touch (A01). Tokens compose: validate the access token (signature, pinned alg, iss/aud/exp), keep it out of localStorage, and accept that trading XSS theft for CSRF is worthwhile because CSRF is closed by SameSite cookies plus an anti-CSRF token. Passwords need a slow, salted, memory-hard KDF because offline cracking of fast hashes is GPU-fast. A leaked secret ends only at rotation, never at deletion, because any copy already taken stays valid until the credential itself is replaced. And your dependencies are your real attack surface — scope, pin, lock, and verify provenance. Threat-model the whole flow; least privilege bounds the blast radius when a layer falls.