November 22, 2025
30 min read

Junior Backend Developer (Node.js) Interview Questions: Complete Guide

interview
career-advice
job-search
entry-level
Junior Backend Developer (Node.js) Interview Questions: Complete Guide
MB

Milad Bonakdar

Author

Master Node.js backend development with 35 essential interview questions covering JavaScript fundamentals, asynchronous programming, Express.js, databases, APIs, security, and more. Perfect preparation for junior backend developer interviews.

Introduction

This comprehensive guide contains 35 carefully selected interview questions covering Node.js backend development fundamentals. These are the questions that junior backend developers actually encounter in interviews. Each question includes a thorough answer, rarity assessment, and difficulty rating based on analysis of hundreds of real interviews from major tech companies and startups.

Whether you're preparing for your first backend role or transitioning from frontend development, this guide covers everything from JavaScript fundamentals to API design, database management, security best practices, and deployment strategies.

JavaScript Fundamentals (8 Questions)

1. Explain the difference between var, let, and const in JavaScript

Answer:

  • var: Function-scoped, hoisted and initialized with undefined, can be re-declared in the same scope, largely deprecated in modern code
  • let: Block-scoped, hoisted but remains in Temporal Dead Zone (TDZ) until declaration, cannot be re-declared in same scope, can be reassigned
  • const: Block-scoped, hoisted but in TDZ, must be initialized at declaration, cannot be reassigned (but object/array contents can be mutated)

Example:

// var - function scoped
function example() {
  if (true) {
    var x = 1;
  }
  console.log(x); // 1 (accessible outside block)
}

// let - block scoped
if (true) {
  let y = 2;
}
console.log(y); // ReferenceError

// const - cannot reassign
const z = 3;
z = 4; // TypeError

const obj = { name: 'John' };
obj.name = 'Jane'; // OK - mutating property
obj = {}; // TypeError - cannot reassign

Best practice: Use const by default, let when you need to reassign, never use var in modern JavaScript.

Rarity: Common
Difficulty: Easy

2. What are closures and provide a practical example in Node.js?

Answer: A closure is when an inner function has access to variables from its outer (enclosing) function's scope, even after the outer function has returned. The inner function "closes over" these variables.

Practical Node.js example:

// Middleware factory pattern
function createAuthMiddleware(secretKey) {
  // secretKey is "closed over" by the returned function
  return function(req, res, next) {
    const token = req.headers.authorization;
    if (validateToken(token, secretKey)) {
      next();
    } else {
      res.status(401).json({ error: 'Unauthorized' });
    }
  };
}

// Usage
const authMiddleware = createAuthMiddleware(process.env.JWT_SECRET);
app.use('/api/protected', authMiddleware);

Benefits:

  • Data privacy (secretKey cannot be accessed directly)
  • Function factories
  • Module pattern implementation
  • Maintaining state in async operations

Rarity: Common
Difficulty: Medium

3. Explain this keyword and how it differs in arrow functions

Answer: this refers to the execution context. Its value depends on HOW the function is called.

Regular functions:

const obj = {
  name: "Server",
  greet: function() {
    console.log(this.name); // "Server"
  }
};
obj.greet(); // this = obj

const greet = obj.greet;
greet(); // this = undefined (strict mode) or global

Arrow functions:

const obj = {
  name: "Server",
  greet: () => {
    console.log(this.name); // undefined (lexical scope)
  }
};
obj.greet(); // this = lexical scope (module scope in Node.js)

Key difference: Arrow functions don't have their own this - they inherit it from the enclosing scope.

Rarity: Common
Difficulty: Medium

4. What are Promises and how do they differ from callbacks?

Answer: A Promise represents the eventual completion (or failure) of an asynchronous operation.

Callback pattern (callback hell):

getUser(userId, (err, user) => {
  if (err) return handleError(err);
  getPosts(user.id, (err, posts) => {
    if (err) return handleError(err);
    getComments(posts[0].id, (err, comments) => {
      if (err) return handleError(err);
      // Nested callbacks - hard to read
    });
  });
});

Promise pattern:

getUser(userId)
  .then(user => getPosts(user.id))
  .then(posts => getComments(posts[0].id))
  .then(comments => console.log(comments))
  .catch(err => handleError(err));

Benefits:

  • Avoids callback hell
  • Better error handling with .catch()
  • Chainable operations
  • Can use Promise.all() for parallel operations

Rarity: Common
Difficulty: Easy-Medium

5. What is async/await and how does it improve code readability?

Answer: async/await is syntactic sugar built on Promises that makes asynchronous code look and behave more like synchronous code.

Example:

// With Promises
function fetchUserData(userId) {
  return fetchUser(userId)
    .then(user => {
      return fetchPosts(user.id)
        .then(posts => {
          return { user, posts };
        });
    })
    .catch(error => console.error(error));
}

// With async/await (cleaner)
async function fetchUserData(userId) {
  try {
    const user = await fetchUser(userId);
    const posts = await fetchPosts(user.id);
    return { user, posts };
  } catch (error) {
    console.error(error);
  }
}

Key points:

  • async function always returns a Promise
  • await pauses execution until Promise resolves
  • Use try/catch for error handling
  • Makes sequential operations clearer

Rarity: Common
Difficulty: Medium

6. Explain destructuring for objects and arrays

Answer: Destructuring extracts values from arrays or properties from objects into distinct variables.

Array destructuring:

const [first, second, ...rest] = [1, 2, 3, 4, 5];
// first = 1, second = 2, rest = [3, 4, 5]

// Skip elements
const [primary, , tertiary] = ['red', 'green', 'blue'];
// primary = 'red', tertiary = 'blue'

Object destructuring:

const user = { name: 'Alice', age: 25, email: '[email protected]' };

const { name, age, city = 'NYC' } = user;
// name = 'Alice', age = 25, city = 'NYC' (default value)

// Rename variables
const { name: userName, age: userAge } = user;

// Nested destructuring
const { address: { street, zip } } = person;

Function parameters:

function createUser({ name, email, role = 'user' }) {
  // Use destructured parameters
}

Rarity: Common
Difficulty: Easy-Medium

7. What is the spread operator and rest parameters?

Answer:

Spread operator (...) - Expands iterables:

// Arrays
const arr1 = [1, 2, 3];
const arr2 = [...arr1, 4, 5]; // [1, 2, 3, 4, 5]

// Objects (shallow copy)
const user = { name: 'Alice', age: 25 };
const updatedUser = { ...user, age: 26 }; // Immutable update

// Function arguments
const numbers = [1, 2, 3];
Math.max(...numbers); // 3

Rest parameters (...) - Collects multiple elements:

// Function parameters
function sum(...numbers) {
  return numbers.reduce((a, b) => a + b, 0);
}
sum(1, 2, 3, 4); // 10

// Array destructuring
const [first, ...remaining] = [1, 2, 3, 4];
// first = 1, remaining = [2, 3, 4]

Key difference: Spread expands, rest collects.

Rarity: Common
Difficulty: Easy-Medium

8. Explain common array methods: map, filter, reduce, forEach

Answer:

map - Transform each element, returns new array:

const doubled = [1, 2, 3].map(x => x * 2); // [2, 4, 6]

filter - Keep elements matching condition:

const evens = [1, 2, 3, 4].filter(x => x % 2 === 0); // [2, 4]

reduce - Reduce to single value:

const sum = [1, 2, 3].reduce((acc, val) => acc + val, 0); // 6
const grouped = users.reduce((acc, user) => {
  acc[user.role] = acc[user.role] || [];
  acc[user.role].push(user);
  return acc;
}, {});

forEach - Iterate without returning new array:

[1, 2, 3].forEach(item => console.log(item));

Rarity: Common
Difficulty: Easy

Node.js Fundamentals (7 Questions)

9. What is Node.js and how does it differ from traditional server-side languages?

Answer: Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine that allows JavaScript to run on the server-side.

Key differences:

  • Single-threaded event loop: Uses non-blocking I/O model vs. multi-threaded blocking I/O
  • Asynchronous by default: Operations don't block the main thread
  • JavaScript everywhere: Same language for frontend and backend
  • NPM ecosystem: Largest package registry in the world
  • Fast execution: V8 engine compiles JavaScript to native machine code

When to use Node.js:

  • Real-time applications (chat, gaming)
  • API servers
  • Microservices
  • Data streaming applications
  • I/O-intensive applications

When NOT to use:

  • CPU-intensive tasks (image processing, video encoding)
  • Applications requiring complex calculations

Rarity: Common
Difficulty: Easy-Medium

10. Explain the Event Loop in Node.js

Answer: The Event Loop is the mechanism that allows Node.js to perform non-blocking I/O operations despite being single-threaded.

How it works:

  1. Call Stack: Executes synchronous code (LIFO)
  2. Node APIs: Handle async operations (fs, http, timers)
  3. Callback Queue (Macrotasks): Holds callbacks from Node APIs
  4. Microtask Queue: Holds Promise callbacks (higher priority)
  5. Event Loop: Moves tasks from queues to call stack when stack is empty

Execution order:

console.log('1');

setTimeout(() => console.log('2'), 0);

Promise.resolve().then(() => console.log('3'));

console.log('4');

// Output: 1, 4, 3, 2
// Explanation:
// - Sync code (1, 4) runs first
// - Microtasks (Promise) run before macrotasks
// - Macrotasks (setTimeout) run last

Phases of Event Loop:

  1. Timers (setTimeout, setInterval)
  2. Pending callbacks
  3. Idle, prepare
  4. Poll (fetch new I/O events)
  5. Check (setImmediate callbacks)
  6. Close callbacks

Rarity: Common
Difficulty: Hard

11. What is the difference between blocking and non-blocking code?

Answer:

Blocking code - Halts execution until operation completes:

// Synchronous file read (blocks)
const fs = require('fs');
const data = fs.readFileSync('file.txt', 'utf8');
console.log(data); // Waits for file read
console.log('Done'); // Executes after file read

Non-blocking code - Continues execution, handles result via callback:

// Asynchronous file read (non-blocking)
const fs = require('fs');
fs.readFile('file.txt', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});
console.log('Done'); // Executes immediately, before file read completes

Why non-blocking matters:

  • Server can handle multiple requests concurrently
  • Better resource utilization
  • Improved performance for I/O operations
  • Scalability

Rarity: Common
Difficulty: Easy-Medium

12. What are Node.js modules and how does the module system work?

Answer: Node.js uses CommonJS module system (though ES modules are also supported).

CommonJS (require/module.exports):

// math.js
function add(a, b) {
  return a + b;
}

module.exports = { add };
// or
exports.add = add;

// app.js
const { add } = require('./math');
const result = add(2, 3);

ES Modules (import/export):

// math.js
export function add(a, b) {
  return a + b;
}

// app.js
import { add } from './math.js';

Module types:

  • Core modules: Built-in (fs, http, path)
  • Local modules: Your own files
  • Third-party modules: Installed via npm

Module caching: Modules are cached after first require, so subsequent requires return the same instance.

Rarity: Common
Difficulty: Easy

13. Explain the difference between process.nextTick() and setImmediate()

Answer:

process.nextTick() - Executes callback in the current phase, before any other async operation:

console.log('1');

process.nextTick(() => {
  console.log('2');
});

Promise.resolve().then(() => {
  console.log('3');
});

console.log('4');

// Output: 1, 4, 2, 3
// nextTick has highest priority, even above Promises

setImmediate() - Executes callback in the next iteration of the event loop:

console.log('1');

setImmediate(() => {
  console.log('2');
});

setTimeout(() => {
  console.log('3');
}, 0);

console.log('4');

// Output: 1, 4, 3, 2 (or 1, 4, 2, 3 depending on context)

Priority order:

  1. Synchronous code
  2. process.nextTick() callbacks
  3. Promise callbacks (microtasks)
  4. setTimeout(0) / setImmediate() (macrotasks)

Use cases:

  • nextTick: Ensure callback runs before other async operations
  • setImmediate: Defer execution to next event loop iteration

Rarity: Uncommon
Difficulty: Medium-Hard

14. What is the Global Object in Node.js?

Answer: The global object in Node.js is similar to the window object in browsers, but it's called global.

Global properties:

// Available everywhere without requiring
console.log(__dirname); // Current directory path
console.log(__filename); // Current file path
console.log(process); // Process object
console.log(global); // Global object itself

Common globals:

  • process - Process information and control
  • Buffer - Handle binary data
  • setTimeout, setInterval, clearTimeout, clearInterval
  • setImmediate, clearImmediate
  • console - Console output

Note: In ES modules, __dirname and __filename are not available by default. Use import.meta.url instead.

Rarity: Common
Difficulty: Easy

15. How do you handle errors in Node.js applications?

Answer: Error handling in Node.js can be managed through multiple approaches:

1. Try-catch for synchronous code:

try {
  const data = fs.readFileSync('file.txt', 'utf8');
} catch (error) {
  console.error('Error reading file:', error.message);
}

2. Callback error pattern:

fs.readFile('file.txt', 'utf8', (err, data) => {
  if (err) {
    return console.error('Error:', err);
  }
  console.log(data);
});

3. Promise error handling:

fetchData()
  .then(data => processData(data))
  .catch(error => console.error('Error:', error));

4. Async/await with try-catch:

async function handleRequest() {
  try {
    const data = await fetchData();
    return data;
  } catch (error) {
    console.error('Error:', error);
    throw error; // Re-throw if needed
  }
}

5. Global error handlers:

// Uncaught exceptions
process.on('uncaughtException', (error) => {
  console.error('Uncaught Exception:', error);
  process.exit(1);
});

// Unhandled promise rejections
process.on('unhandledRejection', (reason, promise) => {
  console.error('Unhandled Rejection:', reason);
});

6. Express error middleware:

app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).json({ error: 'Something went wrong!' });
});

Rarity: Common
Difficulty: Medium

Express.js & Web Frameworks (6 Questions)

16. What is Express.js and what are its main features?

Answer: Express.js is a minimal and flexible Node.js web application framework that provides a robust set of features for building web and mobile applications.

Main features:

  • Routing: Define endpoints and HTTP methods
  • Middleware: Functions that execute during request-response cycle
  • Template engines: Render dynamic HTML (EJS, Pug, Handlebars)
  • Error handling: Centralized error handling middleware
  • Static files: Serve static assets
  • JSON parsing: Built-in body parsing for JSON and URL-encoded data

Basic example:

const express = require('express');
const app = express();

app.use(express.json());

app.get('/', (req, res) => {
  res.json({ message: 'Hello World' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

Why Express:

  • Minimal and unopinionated
  • Large ecosystem
  • Easy to learn
  • Flexible middleware system

Rarity: Common
Difficulty: Easy

17. What is middleware in Express.js? Provide examples.

Answer: Middleware functions are functions that have access to the request object (req), response object (res), and the next function in the application's request-response cycle.

Middleware types:

1. Application-level middleware:

app.use((req, res, next) => {
  console.log('Request received:', req.method, req.path);
  next(); // Pass control to next middleware
});

2. Route-level middleware:

app.get('/users', authenticateUser, (req, res) => {
  res.json({ users: [] });
});

3. Error-handling middleware:

app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).json({ error: err.message });
});

4. Built-in middleware:

app.use(express.json()); // Parse JSON bodies
app.use(express.urlencoded({ extended: true })); // Parse URL-encoded
app.use(express.static('public')); // Serve static files

5. Third-party middleware:

const cors = require('cors');
const helmet = require('helmet');

app.use(cors());
app.use(helmet());

Custom authentication middleware example:

function authenticateUser(req, res, next) {
  const token = req.headers.authorization;
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }
  // Verify token
  req.user = decodedToken;
  next();
}

Rarity: Common
Difficulty: Medium

18. Explain Express routing and how to organize routes

Answer: Routing refers to how an application's endpoints (URIs) respond to client requests.

Basic routing:

app.get('/users', (req, res) => {
  res.json({ users: [] });
});

app.post('/users', (req, res) => {
  const newUser = req.body;
  res.status(201).json(newUser);
});

app.get('/users/:id', (req, res) => {
  const userId = req.params.id;
  res.json({ user: { id: userId } });
});

app.put('/users/:id', (req, res) => {
  // Update user
});

app.delete('/users/:id', (req, res) => {
  // Delete user
});

Route parameters:

app.get('/users/:userId/posts/:postId', (req, res) => {
  const { userId, postId } = req.params;
  // Access route parameters
});

Query parameters:

app.get('/search', (req, res) => {
  const { q, page, limit } = req.query;
  // ?q=nodejs&page=1&limit=10
});

Organizing routes with Express Router:

// routes/users.js
const express = require('express');
const router = express.Router();

router.get('/', (req, res) => {
  res.json({ users: [] });
});

router.get('/:id', (req, res) => {
  res.json({ user: { id: req.params.id } });
});

module.exports = router;

// app.js
const userRoutes = require('./routes/users');
app.use('/api/users', userRoutes);

Rarity: Common
Difficulty: Easy-Medium

19. How do you handle file uploads in Express?

Answer: File uploads can be handled using middleware like multer.

Basic file upload:

const multer = require('multer');
const upload = multer({ dest: 'uploads/' });

app.post('/upload', upload.single('file'), (req, res) => {
  // req.file contains file information
  res.json({ 
    filename: req.file.filename,
    originalname: req.file.originalname,
    size: req.file.size
  });
});

Multiple files:

app.post('/upload-multiple', upload.array('files', 10), (req, res) => {
  // req.files is array of files
  res.json({ uploaded: req.files.length });
});

Custom storage configuration:

const storage = multer.diskStorage({
  destination: (req, file, cb) => {
    cb(null, 'uploads/');
  },
  filename: (req, file, cb) => {
    const uniqueSuffix = Date.now() + '-' + Math.round(Math.random() * 1E9);
    cb(null, file.fieldname + '-' + uniqueSuffix);
  }
});

const upload = multer({ 
  storage: storage,
  limits: { fileSize: 5 * 1024 * 1024 }, // 5MB limit
  fileFilter: (req, file, cb) => {
    if (file.mimetype === 'image/jpeg' || file.mimetype === 'image/png') {
      cb(null, true);
    } else {
      cb(new Error('Only JPEG and PNG allowed'));
    }
  }
});

Rarity: Common
Difficulty: Medium

20. What is CORS and how do you handle it in Express?

Answer: CORS (Cross-Origin Resource Sharing) is a security feature that allows or restricts web pages from making requests to a different domain than the one serving the web page.

Problem: Browsers block requests from http://localhost:3000 to http://localhost:4000 by default (different origins).

Solution with cors middleware:

const cors = require('cors');

// Allow all origins (development only)
app.use(cors());

// Configure specific origins
app.use(cors({
  origin: 'https://example.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization']
}));

// Multiple origins
app.use(cors({
  origin: ['https://example.com', 'https://app.example.com']
}));

Manual CORS headers:

app.use((req, res, next) => {
  res.header('Access-Control-Allow-Origin', 'https://example.com');
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  
  if (req.method === 'OPTIONS') {
    return res.sendStatus(200);
  }
  next();
});

Rarity: Common
Difficulty: Easy-Medium

21. How do you structure a large Express.js application?

Answer: Organize code into logical modules and folders for maintainability.

Recommended structure:

project/
├── src/
│   ├── controllers/
│   │   └── userController.js
│   ├── models/
│   │   └── User.js
│   ├── routes/
│   │   └── userRoutes.js
│   ├── middleware/
│   │   └── auth.js
│   ├── services/
│   │   └── userService.js
│   ├── utils/
│   │   └── helpers.js
│   ├── config/
│   │   └── database.js
│   └── app.js
├── tests/
├── .env
└── package.json

Example separation of concerns:

Controller (handles HTTP):

// controllers/userController.js
const userService = require('../services/userService');

exports.getUsers = async (req, res, next) => {
  try {
    const users = await userService.getAllUsers();
    res.json(users);
  } catch (error) {
    next(error);
  }
};

Service (business logic):

// services/userService.js
const User = require('../models/User');

exports.getAllUsers = async () => {
  return await User.find();
};

Routes:

// routes/userRoutes.js
const express = require('express');
const router = express.Router();
const userController = require('../controllers/userController');

router.get('/', userController.getUsers);
router.post('/', userController.createUser);

module.exports = router;

App setup:

// app.js
const express = require('express');
const userRoutes = require('./routes/userRoutes');

const app = express();
app.use(express.json());
app.use('/api/users', userRoutes);

Rarity: Common
Difficulty: Medium

Database Concepts (5 Questions)

22. What is the difference between SQL and NoSQL databases?

Answer:

SQL (Relational) Databases:

  • Structured data with tables, rows, columns
  • Schema must be defined before use
  • ACID compliance (Atomicity, Consistency, Isolation, Durability)
  • Examples: PostgreSQL, MySQL, SQLite
  • Best for: Complex queries, transactions, structured data

NoSQL Databases:

  • Flexible schema or schema-less
  • Various data models (document, key-value, graph, column)
  • Horizontal scaling
  • Examples: MongoDB, Redis, Cassandra
  • Best for: Large-scale applications, flexible schemas, rapid development

Comparison:

FeatureSQLNoSQL
SchemaFixedFlexible
ScalabilityVerticalHorizontal
ACIDYesVaries
Query LanguageSQLVaries
RelationshipsJoinsEmbedded/References

When to use SQL:

  • Complex queries and relationships
  • ACID compliance required
  • Structured data
  • Financial transactions

When to use NoSQL:

  • Rapid development
  • Large-scale data
  • Flexible schema needs
  • Simple queries

Rarity: Common
Difficulty: Easy-Medium

23. How do you connect to a database in Node.js? (MongoDB example)

Answer: Using MongoDB with Mongoose as an example:

Basic connection:

const mongoose = require('mongoose');

// Connection string
const mongoURI = 'mongodb://localhost:27017/mydb';

// Connect
mongoose.connect(mongoURI, {
  useNewUrlParser: true,
  useUnifiedTopology: true
})
.then(() => console.log('MongoDB connected'))
.catch(err => console.error('Connection error:', err));

With environment variables:

require('dotenv').config();

mongoose.connect(process.env.MONGODB_URI, {
  useNewUrlParser: true,
  useUnifiedTopology: true
});

Connection events:

mongoose.connection.on('connected', () => {
  console.log('Mongoose connected to MongoDB');
});

mongoose.connection.on('error', (err) => {
  console.error('Mongoose connection error:', err);
});

mongoose.connection.on('disconnected', () => {
  console.log('Mongoose disconnected');
});

Defining a model:

const userSchema = new mongoose.Schema({
  name: { type: String, required: true },
  email: { type: String, required: true, unique: true },
  age: { type: Number, min: 0 }
}, { timestamps: true });

const User = mongoose.model('User', userSchema);

Using the model:

// Create
const user = await User.create({ name: 'John', email: '[email protected]' });

// Read
const users = await User.find();
const user = await User.findById(userId);

// Update
await User.findByIdAndUpdate(userId, { name: 'Jane' });

// Delete
await User.findByIdAndDelete(userId);

Rarity: Common
Difficulty: Medium

24. What is an ORM/ODM and why use one?

Answer: ORM (Object-Relational Mapping) / ODM (Object-Document Mapping) is a technique that lets you interact with databases using object-oriented paradigms instead of writing raw SQL queries.

Benefits:

  • Abstraction: Work with JavaScript objects instead of SQL
  • Type safety: Schema validation
  • Relationships: Easy handling of relationships
  • Security: Protection against SQL injection
  • Migrations: Version control for database schema
  • Developer experience: More intuitive API

Example comparison:

Raw SQL:

const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [email], (err, results) => {
  // Handle results
});

With ORM (Sequelize for SQL):

const user = await User.findOne({ where: { email: email } });

With ODM (Mongoose for MongoDB):

const user = await User.findOne({ email: email });

Popular ORMs/ODMs:

  • Mongoose: MongoDB (ODM)
  • Sequelize: PostgreSQL, MySQL, SQLite (ORM)
  • TypeORM: TypeScript ORM
  • Prisma: Modern ORM with type safety

Rarity: Common
Difficulty: Easy-Medium

25. Explain database indexing and why it's important

Answer: A database index is a data structure that improves the speed of data retrieval operations on a database table.

How it works:

  • Creates a separate data structure (like a B-tree)
  • Stores pointers to actual data
  • Allows faster lookups without scanning entire table

Example:

// Without index - scans all documents
db.users.find({ email: "[email protected]" }); // Slow

// With index - direct lookup
db.users.createIndex({ email: 1 });
db.users.find({ email: "[email protected]" }); // Fast

Benefits:

  • Faster queries
  • Improved performance for large datasets
  • Efficient sorting

Trade-offs:

  • Additional storage space
  • Slower writes (indexes must be updated)
  • More memory usage

When to index:

  • Frequently queried fields
  • Fields used in WHERE clauses
  • Fields used for sorting
  • Foreign keys

When NOT to index:

  • Rarely queried fields
  • Fields with high write-to-read ratio
  • Small tables

Rarity: Uncommon
Difficulty: Medium

26. What are database transactions and when would you use them?

Answer: A transaction is a sequence of database operations that are treated as a single unit. All operations must succeed, or all must fail (ACID properties).

ACID properties:

  • Atomicity: All or nothing
  • Consistency: Database remains in valid state
  • Isolation: Concurrent transactions don't interfere
  • Durability: Committed changes persist

Example use case - Money transfer:

// Without transaction - PROBLEM: If second operation fails, money is lost
await Account.update({ balance: balance - 100 }, { where: { id: senderId } });
await Account.update({ balance: balance + 100 }, { where: { id: receiverId } });

// With transaction - Both succeed or both fail
const transaction = await sequelize.transaction();

try {
  await Account.update(
    { balance: balance - 100 },
    { where: { id: senderId }, transaction }
  );
  
  await Account.update(
    { balance: balance + 100 },
    { where: { id: receiverId }, transaction }
  );
  
  await transaction.commit(); // Both operations succeed
} catch (error) {
  await transaction.rollback(); // Both operations are undone
  throw error;
}

MongoDB example:

const session = await mongoose.startSession();
session.startTransaction();

try {
  await Account.updateOne(
    { _id: senderId },
    { $inc: { balance: -100 } },
    { session }
  );
  
  await Account.updateOne(
    { _id: receiverId },
    { $inc: { balance: 100 } },
    { session }
  );
  
  await session.commitTransaction();
} catch (error) {
  await session.abortTransaction();
  throw error;
} finally {
  session.endSession();
}

When to use transactions:

  • Financial operations
  • Order processing
  • Multi-step operations that must all succeed
  • Data consistency critical operations

Rarity: Common
Difficulty: Medium

API Design & REST (4 Questions)

27. What is REST and what are RESTful API principles?

Answer: REST (Representational State Transfer) is an architectural style for designing web services. RESTful APIs follow REST principles.

REST principles:

  1. Stateless: Each request contains all information needed
  2. Client-Server: Separation of concerns
  3. Uniform Interface: Consistent way to interact
  4. Cacheable: Responses can be cached
  5. Layered System: Architecture can have multiple layers
  6. Code on Demand (optional): Server can send executable code

HTTP Methods:

  • GET: Retrieve data (idempotent, safe)
  • POST: Create new resource
  • PUT: Update entire resource (idempotent)
  • PATCH: Partial update
  • DELETE: Remove resource (idempotent)

RESTful URL structure:

GET    /api/users          # List all users
GET    /api/users/123      # Get user 123
POST   /api/users          # Create new user
PUT    /api/users/123      # Update user 123
PATCH  /api/users/123      # Partial update
DELETE /api/users/123      # Delete user 123

Status codes:

  • 200 OK - Success
  • 201 Created - Resource created
  • 400 Bad Request - Client error
  • 401 Unauthorized - Authentication required
  • 403 Forbidden - Not authorized
  • 404 Not Found - Resource doesn't exist
  • 500 Internal Server Error - Server error

Rarity: Common
Difficulty: Easy-Medium

28. How do you handle API versioning?

Answer: API versioning allows you to make changes without breaking existing clients.

Methods:

1. URL versioning (most common):

app.use('/api/v1/users', v1UserRoutes);
app.use('/api/v2/users', v2UserRoutes);

2. Header versioning:

app.use((req, res, next) => {
  const apiVersion = req.headers['api-version'] || 'v1';
  req.apiVersion = apiVersion;
  next();
});

3. Query parameter versioning:

// /api/users?version=2
app.use('/api/users', (req, res, next) => {
  req.apiVersion = req.query.version || 'v1';
  next();
});

Best practices:

  • Use URL versioning for clarity
  • Maintain backward compatibility when possible
  • Document breaking changes
  • Deprecate old versions gradually

Rarity: Common
Difficulty: Medium

29. What is API rate limiting and how do you implement it?

Answer: Rate limiting controls how many requests a client can make in a given time period to prevent abuse and ensure fair usage.

Why rate limiting:

  • Prevent DDoS attacks
  • Protect server resources
  • Ensure fair usage
  • Control API costs

Implementation with express-rate-limit:

const rateLimit = require('express-rate-limit');

// Basic rate limiter
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again later.'
});

app.use('/api/', limiter);

// Stricter limit for auth endpoints
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5, // 5 login attempts per 15 minutes
  skipSuccessfulRequests: true
});

app.use('/api/auth/login', authLimiter);

Custom rate limiting:

const rateLimitMap = new Map();

function rateLimitMiddleware(req, res, next) {
  const ip = req.ip;
  const now = Date.now();
  const windowMs = 60000; // 1 minute
  const maxRequests = 10;

  if (!rateLimitMap.has(ip)) {
    rateLimitMap.set(ip, { count: 1, resetTime: now + windowMs });
    return next();
  }

  const record = rateLimitMap.get(ip);
  
  if (now > record.resetTime) {
    record.count = 1;
    record.resetTime = now + windowMs;
    return next();
  }

  if (record.count >= maxRequests) {
    return res.status(429).json({ error: 'Too many requests' });
  }

  record.count++;
  next();
}

Rarity: Common
Difficulty: Medium

30. How do you validate and sanitize API input?

Answer: Input validation ensures data meets requirements; sanitization cleans data to prevent security issues.

Using express-validator:

const { body, validationResult } = require('express-validator');

app.post('/api/users',
  // Validation rules
  body('email').isEmail().normalizeEmail(),
  body('password').isLength({ min: 8 }).matches(/[A-Z]/).matches(/[0-9]/),
  body('age').isInt({ min: 0, max: 120 }),
  body('name').trim().escape().isLength({ min: 1, max: 100 }),
  
  // Validation middleware
  (req, res, next) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    next();
  },
  
  // Route handler
  async (req, res) => {
    const user = await createUser(req.body);
    res.json(user);
  }
);

Using Joi:

const Joi = require('joi');

const userSchema = Joi.object({
  email: Joi.string().email().required(),
  password: Joi.string().min(8).pattern(/[A-Z]/).required(),
  age: Joi.number().integer().min(0).max(120),
  name: Joi.string().min(1).max(100).required()
});

function validateUser(req, res, next) {
  const { error, value } = userSchema.validate(req.body);
  if (error) {
    return res.status(400).json({ error: error.details[0].message });
  }
  req.body = value; // Use sanitized value
  next();
}

app.post('/api/users', validateUser, createUser);

Common validations:

  • Email format
  • Password strength
  • String length
  • Number ranges
  • Required fields
  • Data types

Sanitization:

  • Trim whitespace
  • Escape HTML
  • Normalize email
  • Remove special characters
  • Convert types

Rarity: Common
Difficulty: Medium

Security (3 Questions)

31. How do you implement authentication and authorization in Node.js?

Answer:

Authentication - Verifying who the user is
Authorization - Verifying what the user can do

JWT (JSON Web Token) authentication:

const jwt = require('jsonwebtoken');

// Login - generate token
app.post('/api/auth/login', async (req, res) => {
  const { email, password } = req.body;
  
  // Verify credentials
  const user = await User.findOne({ email });
  if (!user || !await bcrypt.compare(password, user.password)) {
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  
  // Generate token
  const token = jwt.sign(
    { userId: user._id, email: user.email },
    process.env.JWT_SECRET,
    { expiresIn: '24h' }
  );
  
  res.json({ token, user: { id: user._id, email: user.email } });
});

// Protected route middleware
function authenticateToken(req, res, next) {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN
  
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }
  
  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) return res.status(403).json({ error: 'Invalid token' });
    req.user = user;
    next();
  });
}

// Authorization middleware
function requireRole(role) {
  return (req, res, next) => {
    if (req.user.role !== role) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    next();
  };
}

// Usage
app.get('/api/admin/users', authenticateToken, requireRole('admin'), getUsers);

Session-based authentication:

const session = require('express-session');

app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: { secure: true, httpOnly: true, maxAge: 24 * 60 * 60 * 1000 }
}));

app.post('/api/auth/login', async (req, res) => {
  const user = await verifyCredentials(req.body);
  req.session.userId = user.id;
  res.json({ message: 'Logged in' });
});

Rarity: Common
Difficulty: Medium

32. What are common security vulnerabilities and how do you prevent them?

Answer:

1. SQL/NoSQL Injection:

// VULNERABLE
const query = `SELECT * FROM users WHERE email = '${email}'`;

// SAFE - Use parameterized queries
const user = await User.findOne({ email: email }); // Mongoose handles it
// or
db.query('SELECT * FROM users WHERE email = ?', [email]);

2. XSS (Cross-Site Scripting):

// Prevent by sanitizing input
const { body } = require('express-validator');
body('content').escape().trim();

// Use Content Security Policy headers
app.use(helmet());

3. CSRF (Cross-Site Request Forgery):

const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });

app.use(csrfProtection);

4. Sensitive Data Exposure:

// Never expose sensitive data
// BAD
res.json({ user: { password: user.password } });

// GOOD
res.json({ user: { id: user.id, email: user.email } });

5. Broken Authentication:

  • Use strong password hashing (bcrypt)
  • Implement rate limiting on login
  • Use secure session management
  • Implement token expiration and refresh

6. Security Misconfiguration:

// Use helmet for security headers
const helmet = require('helmet');
app.use(helmet());

// Disable X-Powered-By header
app.disable('x-powered-by');

7. Insecure Dependencies:

# Regularly audit dependencies
npm audit
npm audit fix

Best practices:

  • Always validate and sanitize input
  • Use HTTPS in production
  • Keep dependencies updated
  • Implement proper error handling (don't leak stack traces)
  • Use environment variables for secrets
  • Implement rate limiting

Rarity: Common
Difficulty: Medium

33. How do you securely store passwords?

Answer: Never store passwords in plain text. Always hash them using a one-way hashing algorithm.

Using bcrypt:

const bcrypt = require('bcrypt');

// Hashing password on registration
async function createUser(userData) {
  const saltRounds = 10;
  const hashedPassword = await bcrypt.hash(userData.password, saltRounds);
  
  const user = await User.create({
    ...userData,
    password: hashedPassword
  });
  
  return user;
}

// Verifying password on login
async function verifyPassword(email, password) {
  const user = await User.findOne({ email });
  if (!user) return false;
  
  const isValid = await bcrypt.compare(password, user.password);
  return isValid ? user : false;
}

Why bcrypt:

  • Designed specifically for passwords
  • Includes salt automatically
  • Computationally expensive (slows brute force attacks)
  • Adaptive (can increase cost factor over time)

Password requirements:

  • Minimum length (8+ characters)
  • Mix of uppercase, lowercase, numbers, special characters
  • Not common passwords
  • Consider using password strength meters

Additional security:

  • Implement account lockout after failed attempts
  • Use rate limiting on login endpoints
  • Consider two-factor authentication (2FA)
  • Never log passwords

Rarity: Common
Difficulty: Easy-Medium

Testing & Debugging (2 Questions)

34. How do you test Node.js applications?

Answer: Testing ensures code works correctly and prevents regressions.

Types of testing:

1. Unit Testing - Test individual functions:

// math.js
function add(a, b) {
  return a + b;
}

// math.test.js
const { add } = require('./math');

test('adds 1 + 2 to equal 3', () => {
  expect(add(1, 2)).toBe(3);
});

2. Integration Testing - Test components together:

// userService.test.js
const request = require('supertest');
const app = require('../app');

describe('User API', () => {
  test('GET /api/users', async () => {
    const response = await request(app)
      .get('/api/users')
      .expect(200);
    
    expect(Array.isArray(response.body)).toBe(true);
  });
  
  test('POST /api/users', async () => {
    const newUser = { name: 'John', email: '[email protected]' };
    const response = await request(app)
      .post('/api/users')
      .send(newUser)
      .expect(201);
    
    expect(response.body).toHaveProperty('id');
  });
});

3. Testing with Jest:

// Setup
npm install --save-dev jest supertest

// package.json
{
  "scripts": {
    "test": "jest",
    "test:watch": "jest --watch"
  }
}

// jest.config.js
module.exports = {
  testEnvironment: 'node',
  coveragePathIgnorePatterns: ['/node_modules/']
};

Testing async code:

test('async function', async () => {
  const result = await asyncFunction();
  expect(result).toBeDefined();
});

Mocking:

// Mock a module
jest.mock('../services/emailService');

test('sends email', async () => {
  const emailService = require('../services/emailService');
  emailService.send.mockResolvedValue(true);
  
  await sendWelcomeEmail('[email protected]');
  expect(emailService.send).toHaveBeenCalled();
});

Rarity: Common
Difficulty: Medium

35. How do you debug Node.js applications?

Answer:

1. Console logging:

console.log('Debug value:', variable);
console.error('Error:', error);
console.table(arrayOfObjects);

2. Node.js built-in debugger:

# Start with debugger
node --inspect app.js

# Or with breakpoint
node --inspect-brk app.js

Then open Chrome DevTools: chrome://inspect

3. VS Code debugging:

// .vscode/launch.json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Debug Node.js",
      "program": "${workspaceFolder}/app.js",
      "skipFiles": ["<node_internals>/**"]
    }
  ]
}

4. Debugger statement:

function processData(data) {
  debugger; // Execution pauses here
  return data.map(item => item.value);
}

5. Error handling and logging:

// Use proper error logging
const winston = require('winston');

const logger = winston.createLogger({
  level: 'error',
  format: winston.format.json(),
  transports: [
    new winston.transports.File({ filename: 'error.log' })
  ]
});

try {
  // Code that might fail
} catch (error) {
  logger.error('Error details:', {
    message: error.message,
    stack: error.stack,
    timestamp: new Date()
  });
}

6. Environment-specific debugging:

if (process.env.NODE_ENV === 'development') {
  console.log('Debug info:', data);
}

7. Network debugging:

  • Use tools like Postman or Insomnia for API testing
  • Check request/response headers
  • Monitor network traffic

Rarity: Common
Difficulty: Easy-Medium

Conclusion

This collection of 35 questions covers the essential topics that junior backend developers encounter in Node.js interviews. From JavaScript fundamentals to security best practices, these questions reflect what hiring managers actually ask.

Key takeaways:

  • Master JavaScript fundamentals (closures, promises, async/await)
  • Understand Node.js event loop and non-blocking I/O
  • Know Express.js routing and middleware
  • Understand database concepts (SQL vs NoSQL, transactions)
  • Implement secure authentication and authorization
  • Write testable code and basic tests
  • Follow RESTful API design principles

Next steps:

  • Practice building REST APIs
  • Work on projects that use databases
  • Learn about deployment and DevOps basics
  • Contribute to open source projects
  • Build a portfolio showcasing your backend skills

Remember: Interviewers value problem-solving ability and willingness to learn over memorizing answers. Use these questions as a guide, but focus on understanding the underlying concepts.

Newsletter subscription

Weekly career tips that actually work

Get the latest insights delivered straight to your inbox

Related Posts

Junior Backend Developer (Python) Interview Questions: Complete Guide
Nov 22, 2025
11 min read

Junior Backend Developer (Python) Interview Questions: Complete Guide

Master Python backend development with essential interview questions covering Python fundamentals, Django/Flask, databases, APIs, and more. Perfect preparation for junior backend developer interviews.

MBMilad Bonakdar
Junior Mobile Developer (iOS) Interview Questions: Complete Guide
Nov 22, 2025
12 min read

Junior Mobile Developer (iOS) Interview Questions: Complete Guide

Master iOS development fundamentals with essential interview questions covering Swift, UIKit, SwiftUI, data persistence, and iOS app architecture for junior developers.

MBMilad Bonakdar
Junior React Native Developer Interview Questions: Complete Guide
Nov 22, 2025
14 min read

Junior React Native Developer Interview Questions: Complete Guide

Master React Native development fundamentals with essential interview questions covering React basics, components, navigation, state management, and mobile-specific concepts for junior developers.

MBMilad Bonakdar
Decorative doodle

Your Next Interview is Just One Resume Away

Create a professional, optimized resume in minutes. No design skills needed—just proven results.

Create my resume

Share this post

Make Your 6 Seconds Count

Recruiters scan resumes for an average of only 6 to 7 seconds. Our proven templates are designed to capture attention instantly and keep them reading.

Create a Standout Resume