Senior Backend Developer (Python) Interview Questions: Complete Guide

Introduction

This comprehensive guide contains 30 essential interview questions covering advanced Python backend development. These questions are designed to help senior backend developers prepare for interviews by covering key concepts in advanced Python, system design, database optimization, and security. Each question includes a detailed answer, rarity assessment, and difficulty rating.

As a senior developer, you are expected to not only know the "how" but also the "why" and the trade-offs involved in your technical decisions.

Advanced Python Concepts (8 Questions)

1. How does Python's memory management work, and what is the role of the Garbage Collector?

Answer: Python uses a private heap to manage memory, where all objects and data structures are stored. The programmer cannot access this heap directly; it is managed by the Python memory manager.

• Reference Counting: The primary mechanism. Each object has a reference count. When it drops to zero, the memory is deallocated.
• Garbage Collector (GC): Handles cyclic references that reference counting cannot catch. It runs periodically to find and clean up these cycles.
• Generational GC: Python's GC divides objects into three generations (0, 1, 2). New objects start in generation 0. If they survive a collection, they move to the next generation. Older generations are collected less frequently to improve performance.

Rarity: Common Difficulty: Hard

2. Explain the Global Interpreter Lock (GIL) and its impact on concurrency. How do you bypass it?

Answer: The GIL is a mutex that protects access to Python objects, preventing multiple native threads from executing Python bytecodes simultaneously. This makes CPython thread-safe but limits CPU-bound programs to a single core.

• Impact: Multi-threading is effective for I/O-bound tasks (waiting for network/disk) but not for CPU-bound tasks (heavy calculation).
• Bypassing the GIL:
  1. Multiprocessing: Use the multiprocessing module to create separate processes, each with its own Python interpreter and memory space.
  2. C Extensions: Write performance-critical code in C/C++ and release the GIL while it runs.
  3. Alternative Interpreters: Use Jython or IronPython (which don't have a GIL), though CPython is the standard.

Rarity: Very Common Difficulty: Hard

3. What are Metaclasses in Python and when should you use them?

Answer: A metaclass is "the class of a class". Just as a class defines the behavior of an instance, a metaclass defines the behavior of a class. In Python, classes are objects too, and they are instances of type (the default metaclass).

• Usage: You can intercept class creation to modify the class automatically.
• Use Cases:
  • Registering classes automatically (e.g., for plugins).
  • Enforcing coding standards (e.g., ensuring all classes have docstrings).
  • Singleton pattern implementation.
  • ORM frameworks (like Django) use them to map class attributes to database fields.

Example:

class Meta(type):
    def __new__(cls, name, bases, dct):
        x = super().__new__(cls, name, bases, dct)
        x.attr = 100
        return x

class MyClass(metaclass=Meta):
    pass

print(MyClass.attr) # 100

Rarity: Uncommon Difficulty: Hard

4. Explain the difference between __new__ and __init__.

Answer:

• __new__: A static method responsible for creating a new instance of a class. It is the first step in instance creation. It returns the new instance. You rarely override it unless you are subclassing immutable types (like str, int, tuple) or implementing a Singleton.
• __init__: An instance method responsible for initializing the created instance. It is called after __new__. It does not return anything.

Rarity: Medium Difficulty: Medium

5. How does asyncio work in Python? Explain the Event Loop.

Answer: asyncio is a library to write concurrent code using the async/await syntax. It uses a single-threaded, cooperative multitasking model.

• Event Loop: The core of asyncio. It runs asynchronous tasks and callbacks, performs network IO operations, and runs subprocesses. It switches between tasks when they are waiting for I/O (using await), allowing other tasks to run in the meantime.
• Coroutines: Functions defined with async def. They can be paused and resumed.

Rarity: Common Difficulty: Hard

6. What are Python Decorators and how can you create a decorator that accepts arguments?

Answer: Decorators are functions that modify the behavior of other functions or classes. To accept arguments, you need a three-level nested function structure.

Example:

def repeat(num_times):
    def decorator_repeat(func):
        def wrapper(*args, **kwargs):
            for _ in range(num_times):
                result = func(*args, **kwargs)
            return result
        return wrapper
    return decorator_repeat

@repeat(num_times=3)
def greet(name):
    print(f"Hello {name}")

greet("World")

Rarity: Medium Difficulty: Medium

7. Explain the concept of Context Managers and the with statement.

Answer: Context managers allow you to allocate and release resources precisely when you want to. The most common usage is the with statement.

• Mechanism: They implement __enter__ and __exit__ methods.
  • __enter__: Sets up the context and returns the resource.
  • __exit__: Cleans up the resource (closes file, releases lock) even if an exception occurs.
• contextlib: The @contextmanager decorator allows you to create context managers using generators.

Rarity: Common Difficulty: Easy

8. What is the difference between @staticmethod and @classmethod?

Answer:

• @staticmethod: Does not receive an implicit first argument (neither self nor cls). It behaves like a regular function but belongs to the class's namespace. Used for utility functions that don't need access to class or instance state.
• @classmethod: Receives the class (cls) as the first implicit argument. It can access class state and modify it. Commonly used for factory methods that create instances of the class in different ways.

Rarity: Common Difficulty: Easy

System Design & Architecture (8 Questions)

9. How would you design a URL Shortener (like bit.ly)?

Answer: This is a classic system design question.

• Requirements: Shorten long URLs, redirect short URLs to original, high availability, low latency.
• Database: Key-Value store (NoSQL) like DynamoDB or Redis is suitable for fast lookups. Relational DB is also fine but might need scaling.
• Algorithm:
  • Base62 Encoding: Convert a unique ID (auto-incrementing integer) to Base62 (a-z, A-Z, 0-9).
  • Hashing: MD5/SHA256 of the URL, take first 7 chars (risk of collision).
• Scaling:
  • Caching: Redis/Memcached to cache popular redirects (80/20 rule).
  • Load Balancing: Distribute traffic across multiple web servers.
  • Database Sharding: Partition data based on the short URL prefix.

Rarity: Very Common Difficulty: Hard

10. Explain the CAP Theorem.

Answer: In a distributed data store, you can only guarantee two out of the following three consistency, availability, and partition tolerance:

• Consistency (C): Every read receives the most recent write or an error.
• Availability (A): Every request receives a (non-error) response, without the guarantee that it contains the most recent write.
• Partition Tolerance (P): The system continues to operate despite an arbitrary number of messages being dropped (or delayed) by the network between nodes.
• Reality: In a distributed system, P is mandatory. You must choose between CP (Consistency over Availability) and AP (Availability over Consistency).

Rarity: Common Difficulty: Medium

11. Microservices vs. Monolithic Architecture: When to choose which?

Answer:

• Monolith: Single codebase, single deployment unit.
  • Pros: Simple to develop/test/deploy initially, easier debugging, no network latency between components.
  • Cons: Hard to scale specific parts, tight coupling, technology lock-in, long build times.
  • Use Case: Early-stage startups, simple applications, small teams.
• Microservices: Collection of small, independent services communicating via APIs.
  • Pros: Independent scaling, technology agnostic per service, fault isolation, easier for large teams to work in parallel.
  • Cons: Complex operations (deployment, monitoring), network latency, data consistency challenges (distributed transactions).
  • Use Case: Large, complex systems, rapidly scaling teams, need for independent scaling.

Rarity: Common Difficulty: Medium

12. What is Load Balancing and what are the different algorithms?

Answer: Load balancing distributes incoming network traffic across multiple servers to ensure no single server bears too much load.

• Algorithms:
  • Round Robin: Distributes requests sequentially.
  • Least Connections: Sends request to the server with the fewest active connections.
  • IP Hash: Uses the client's IP to determine which server receives the request (useful for session persistence).
• Types:
  • L4 (Transport Layer): Based on IP and Port (faster).
  • L7 (Application Layer): Based on content (URL, cookies, headers) (smarter).

Rarity: Common Difficulty: Medium

13. How do you handle Caching in a backend system?

Answer: Caching stores copies of data in a temporary storage location for faster access.

• Layers:
  • Client-side: Browser caching.
  • CDN: Caches static assets closer to the user.
  • Load Balancer/Reverse Proxy: Varnish, Nginx.
  • Application: In-memory (local) or Distributed (Redis/Memcached).
  • Database: Query cache.
• Strategies:
  • Cache-Aside (Lazy Loading): App checks cache; if miss, reads DB and updates cache.
  • Write-Through: App writes to cache and DB synchronously.
  • Write-Back: App writes to cache; cache writes to DB asynchronously (risk of data loss).
• Eviction: LRU (Least Recently Used), LFU (Least Frequently Used), TTL (Time To Live).

Rarity: Common Difficulty: Hard

14. What is Database Sharding?

Answer: Sharding is a method of splitting and storing a single logical dataset in multiple databases. It is a form of horizontal scaling.

• Horizontal vs. Vertical: Vertical = bigger machine; Horizontal = more machines.
• Sharding Key: The logic used to distribute data (e.g., UserID % NumberOfShards).
• Challenges:
  • Joins: Cross-shard joins are expensive or impossible.
  • Transactions: Distributed transactions are complex (Two-Phase Commit).
  • Rebalancing: Moving data when adding new shards is difficult.

Rarity: Medium Difficulty: Hard

15. Explain the concept of Idempotency in REST APIs.

Answer: An idempotent operation is one that can be applied multiple times without changing the result beyond the initial application.

• Safe Methods: GET, HEAD, OPTIONS (don't modify state).
• Idempotent Methods: PUT, DELETE. Calling DELETE on a resource 10 times has the same effect as calling it once (the resource is gone).
• Non-Idempotent: POST. Calling POST 10 times might create 10 resources.
• Implementation: Use an idempotency key (unique ID) in the request header. The server checks if it has already processed this ID.

Rarity: Medium Difficulty: Medium

16. What is a Reverse Proxy and why use it?

Answer: A reverse proxy sits in front of one or more web servers and forwards client requests to them.

• Benefits:
  • Load Balancing: Distributing traffic.
  • Security: Hides the identity/IP of backend servers; can handle SSL termination.
  • Caching: Caching static content.
  • Compression: Compressing responses (gzip) to save bandwidth.
• Examples: Nginx, HAProxy.

Rarity: Common Difficulty: Easy

Database & Optimization (7 Questions)

17. Explain ACID vs. BASE consistency models.

Answer:

• ACID (Relational): Atomicity, Consistency, Isolation, Durability. Focuses on strong consistency. Transactions are all-or-nothing.
• BASE (NoSQL):
  • Basically Available: The system guarantees availability.
  • Soft state: The state of the system may change over time, even without input.
  • Eventual consistency: The system will eventually become consistent once it stops receiving input.
• Trade-off: ACID provides safety and consistency; BASE provides availability and scalability.

Rarity: Medium Difficulty: Medium

18. How do you optimize a slow SQL query?

Answer:

1. Analyze: Use EXPLAIN or EXPLAIN ANALYZE to understand the query execution plan.
2. Indexing: Ensure columns used in WHERE, JOIN, and ORDER BY clauses are indexed. Avoid over-indexing (slows down writes).
3. Select only what you need: Avoid SELECT *.
4. Avoid N+1 problem: Use JOINs or eager loading (in ORMs) instead of executing a query for each row in a loop.
5. Denormalization: If joins are too expensive, consider duplicating data (trade-off: data consistency).
6. Partitioning: Split large tables into smaller pieces.

Rarity: Very Common Difficulty: Medium

19. What are the different types of Database Indexes?

Answer:

• B-Tree: The default and most common. Good for range queries and equality checks.
• Hash Index: Good for equality checks only (key = value). Very fast but doesn't support range queries.
• GiST / GIN: Used for complex data types like full-text search, geometric data, or JSONB (in PostgreSQL).
• Clustered vs. Non-Clustered:
  • Clustered: The data rows are stored physically in the order of the index. Only one per table (usually PK).
  • Non-Clustered: A separate structure that points to the data rows.

Rarity: Medium Difficulty: Hard

20. Explain the N+1 Query Problem and how to fix it.

Answer: The N+1 problem occurs when your code executes N additional query statements to fetch the same data that could have been retrieved when executing the primary query.

• Scenario: You fetch a list of 10 Authors (1 query). Then, for each author, you fetch their Books (10 queries). Total = 11 queries.
• Fix:
  • SQL: Use a JOIN to fetch authors and books in a single query.
  • ORM (Django): Use select_related (for foreign keys/one-to-one) or prefetch_related (for many-to-many/reverse foreign keys).

Rarity: Very Common Difficulty: Medium

21. Redis vs. Memcached: Which one to choose?

Answer:

• Memcached: Simple, volatile, multi-threaded. Good for simple key-value caching (HTML fragments, session data).
• Redis: Advanced key-value store.
  • Data Structures: Supports lists, sets, sorted sets, hashes, bitmaps, hyperloglogs.
  • Persistence: Can save data to disk (RDB, AOF).
  • Replication: Built-in master-slave replication.
  • Pub/Sub: Supports message brokering.
• Choice: Use Redis if you need complex data structures, persistence, or sorting. Use Memcached for simple, high-throughput caching if you need multi-threading.

Rarity: Medium Difficulty: Medium

22. What is Database Normalization?

Answer: Normalization is the process of organizing data in a database to reduce redundancy and improve data integrity.

• 1NF: Atomic values (no lists in cells), unique rows.
• 2NF: 1NF + no partial dependency (all non-key attributes depend on the whole primary key).
• 3NF: 2NF + no transitive dependency (non-key attributes depend only on the primary key).
• Trade-off: Higher normalization means more tables and more joins (slower reads). Denormalization is often used for read-heavy systems.

Rarity: Common Difficulty: Easy

23. How does PostgreSQL handle concurrency (MVCC)?

Answer: PostgreSQL uses Multi-Version Concurrency Control (MVCC).

• Mechanism: When a row is updated, Postgres doesn't overwrite the old data. Instead, it creates a new version of the row.
• Readers: Readers see a consistent snapshot of the database as it was when their transaction started. They don't block writers.
• Writers: Writers create new versions. They block other writers on the same row but don't block readers.
• Vacuuming: Old versions (dead tuples) that are no longer visible to any transaction need to be cleaned up by the VACUUM process to reclaim space.

Rarity: Uncommon Difficulty: Hard

Security & DevOps (7 Questions)

24. Explain OAuth 2.0 and its flow.

Answer: OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service (like Google, Facebook) without exposing the user's password.

• Roles: Resource Owner (User), Client (App), Authorization Server, Resource Server (API).
• Flow (Authorization Code Grant):
  1. User clicks "Login with Google".
  2. User is redirected to Google's auth server.
  3. User approves access.
  4. Google redirects back to App with an "Authorization Code".
  5. App exchanges the code for an "Access Token" (back-channel).
  6. App uses Access Token to access the API.

Rarity: Common Difficulty: Hard

25. What is JWT (JSON Web Token) and how is it different from Session Auth?

Answer:

• Session Auth: Server creates a session, stores it in DB/Cache, and sends a Session ID (cookie) to the client. Stateful.
• JWT: Stateless. The server generates a token containing the user's identity and signs it with a secret key. The client stores the token and sends it with every request. The server verifies the signature. No DB lookup needed.
• Pros of JWT: Scalable (stateless), good for microservices, mobile-friendly.
• Cons of JWT: Hard to revoke (need blacklisting/short expiry), token size is larger.

Rarity: Very Common Difficulty: Medium

26. What are the OWASP Top 10 security risks? Name a few.

Answer: A standard awareness document for developers and web application security.

1. Injection: SQL, NoSQL, OS injection.
2. Broken Authentication: Weak passwords, session hijacking.
3. Sensitive Data Exposure: Not encrypting data in transit/rest.
4. XML External Entities (XXE): Attacks against XML parsers.
5. Broken Access Control: Users acting outside of their intended permissions.
6. Security Misconfiguration: Default accounts, verbose error messages.
7. Cross-Site Scripting (XSS): Injecting malicious scripts.

Rarity: Common Difficulty: Medium

27. What is CI/CD?

Answer:

• Continuous Integration (CI): Developers frequently merge code changes into a central repository. Automated builds and tests run to verify the changes. Goal: Detect errors quickly.
• Continuous Deployment (CD): Automatically deploying code to production after passing CI.
• Continuous Delivery: Automatically preparing the code for release, but manual approval might be needed for the final push.

Rarity: Common Difficulty: Easy

28. Explain Docker vs. Virtual Machines.

Answer:

• Virtual Machines (VM): Virtualize the hardware. Each VM has a full OS (Guest OS), kernel, and apps. Heavyweight, slow boot.
• Docker (Containers): Virtualize the OS. Containers share the host OS kernel but have isolated user spaces (bins/libs). Lightweight, fast boot, portable.

Rarity: Common Difficulty: Easy

29. What is Kubernetes?

Answer: Kubernetes (K8s) is an open-source container orchestration platform. It automates the deployment, scaling, and management of containerized applications.

• Features:
  • Service Discovery & Load Balancing: Exposes containers.
  • Self-healing: Restarts failed containers.
  • Automated Rollouts/Rollbacks: Updates apps without downtime.
  • Secret & Configuration Management: Manages sensitive data.

Rarity: Medium Difficulty: Medium

30. How do you secure a Python web application?

Answer:

1. Input Validation: Sanitize all inputs (forms, API bodies, query params).
2. SQL Injection: Use ORMs or parameterized queries. Never string concatenation.
3. XSS: Escape user output in templates (Jinja2 does this by default).
4. CSRF: Use CSRF tokens for state-changing requests.
5. Dependencies: Keep libraries updated (use pip-audit or Snyk).
6. HTTPS: Enforce SSL/TLS.
7. Headers: Set security headers (HSTS, X-Frame-Options, CSP).
8. Secrets: Never commit secrets to Git. Use environment variables.

Rarity: Common Difficulty: Medium