Auth & Security — Chapter Quiz

Question 1

1

How should you store passwords?

APlain text behind TLSBSHA-256 hashedCbcrypt or argon2 (slow, salted KDFs)DBase64 encoded

Always use a slow, salted KDF. Fast hashes (sha256, md5) are brute-forceable on GPUs.

Question 2

2

Which cookie flags should be on every auth cookie?

AhttpOnly, secure, sameSite: \"lax\"BJust httpOnlyCJust secureDNone

HttpOnly (XSS protection) + Secure (HTTPS only) + SameSite=Lax (CSRF protection) is the modern minimum.

Question 3

3

JWTs are encrypted by default.

TTrueFFalse

JWTs are **signed**, not encrypted. The payload is base64- encoded but readable. Don't put secrets in the payload.

Question 4

4

What does Helmet do?

ACORSBSets ~12 security headers (CSP, HSTS, X-Content-Type-Options, etc.)CRate limitingDValidates input

One line, twelve headers. Should be the first middleware in almost every production Express app.

Question 5

5

Which protects against CSRF?

ASameSite cookies + CSRF tokens for state-changing requestsBCORSCHelmet aloneDrate-limit

SameSite=Lax stops most CSRF on its own. For belt-and-braces, add tokens on POST/PUT/DELETE.

Question 6

6

Compare signatures with crypto.timingSafeEqual instead of === to avoid ___ attacks.

Timing attacks: === short-circuits, leaking info about how many bytes match. timingSafeEqual runs in constant time.

Question 7

7

Why apply tighter rate limits on login routes?

APerformanceBTo make brute-force password guessing impracticalCCSRFDNo reason

5 attempts per 15 minutes is enough to neutralize brute force. Tighter limits on auth, looser on read endpoints.

Question 8

8

When should you use a hosted auth provider (Clerk, Auth0, Supabase Auth)?

Select all that apply.

AYou want to ship fasterBYou need MFA, password reset, OAuth without writing the flowsCCompliance (SOC2) matters and you want helpDYou enjoy debugging auth bugs

Hosted auth saves weeks of work. The cost is a vendor relationship — usually worth it for any serious app.

Test what you learned.