Chapter quiz · Auth & Security

Test what you learned.

8 questions on Auth & Security. Pass 70% to clear the chapter.

Quiz

Auth & Security — Chapter Quiz

Eight questions on sessions vs JWT, app.keys for signed cookies, cookie flags, koa-jwt, helmet headers, CSRF/SameSite, rate limiting, and password hashing.

0/ 9

Question 1
1
In Koa, what must you set before ctx.cookies.set('sid', value, { signed: true }) works?
Aapp.secretBapp.keysCapp.cookieSecretDctx.cookieKeys
app.keys is an array of secret strings backed by Keygrip. Koa signs the cookie value with the first key and automatically rotates verification to older keys, making revocation easy.
Question 2
2
After adding koa-jwt middleware, where is the decoded JWT payload available in a route handler?
Actx.userBctx.state.userCctx.request.userDctx.jwt
koa-jwt stores the decoded payload on ctx.state.user by default (configurable via the key option). ctx.state is Koa's recommended namespace for middleware-to-handler data.
Question 3
3
Which combination of cookie flags provides the best baseline security for a session cookie?
AhttpOnly: true, secure: true, sameSite: \"lax\"BJust httpOnly: trueCNo flags — defaults are safeDsecure: true only
httpOnly blocks JavaScript access (XSS protection). secure restricts the cookie to HTTPS. sameSite: "lax" prevents the cookie from being sent on cross-site POST requests (CSRF protection).
Question 4
4
What is the primary advantage of JWTs over server-side sessions for a horizontally scaled API?
AJWTs are encryptedBNo shared session store is required — any node can verify the tokenCJWTs never expireDJWTs are smaller than cookies
Because JWTs are self-contained and verified with a shared secret or public key, any server instance can validate them without querying a central session store, which simplifies horizontal scaling.
Question 5
5
Why should you use bcrypt or argon2 instead of SHA-256 for password hashing?
ASHA-256 is not available in Node.jsBbcrypt/argon2 are intentionally slow and salted, making GPU brute-force attacks impracticalCbcrypt/argon2 produce shorter hashesDSHA-256 outputs are too long for storage
SHA-256 is a fast general-purpose hash — a GPU can compute billions per second. bcrypt and argon2 are tunable KDFs designed to be slow and memory-hard, drastically reducing brute-force viability.
Question 6
6
Setting sameSite: 'strict' on a cookie fully replaces the need for CSRF tokens in all scenarios.
TTrueFFalse
SameSite=Strict stops cookies from being sent on any cross-site request, blocking most CSRF. However, some edge cases (old browsers, subdomain attacks) still warrant CSRF tokens for belt-and-braces protection on state-changing endpoints.
Question 7
7
Apply koa-helmet middleware to automatically set security headers including Content-Security-Policy and ___.
koa-helmet sets ~12 headers by default, including Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy.
Question 8
8
Which measures defend against brute-force login attacks?
Select all that apply.
ARate limiting the /login route (e.g. 5 attempts per 15 minutes per IP)BLocking accounts after N consecutive failuresCUsing plain crypto.createHash(\"sha256\") for passwordsDAdding exponential back-off delays after failed attempts
Rate limiting, account lockout, and back-off delays all raise the cost of brute-force attacks. Using a fast hash like SHA-256 instead of bcrypt/argon2 makes brute force easier, not harder.