1. What is the primary goal of secure coding?
A) To make applications run faster
B) To protect applications from security vulnerabilities
C) To improve application UI design
D) To increase software development speed
Answer: B) To protect applications from security vulnerabilities
Explanation: Secure coding aims to prevent security vulnerabilities by following best practices, writing robust code, and reducing the attack surface an application exposes.
2. What is the best way to prevent SQL injection attacks?
A) Using string concatenation for queries
B) Using prepared statements and parameterized queries
C) Relying on client-side validation
D) Hiding error messages from users
Answer: B) Using prepared statements and parameterized queries
Explanation: Prepared statements with parameterized queries prevent SQL injection by ensuring user input is bound as data and can never be parsed as part of the SQL statement.
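The difference behind question 2, shown in working code. This is an added example, not part of the original quiz, using Python's built-in sqlite3 module; the in-memory users table, its two rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote character in it changes the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the SQL text is fixed; the driver binds `name` as a
    # value, so it is only ever compared against the column, never parsed.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row comes back
    print("safe:      ", find_user_safe(db, payload))        # nobody is literally named that
```

With the payload `' OR '1'='1`, the concatenated query becomes `WHERE name = '' OR '1'='1'` and returns every user; the parameterized query looks for a user whose name is literally `' OR '1'='1` and returns nothing.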
3. Which of the following is a common cause of buffer overflow vulnerabilities?
A) Using secure coding frameworks
B) Insufficient memory allocation for input
C) Using prepared statements
D) Enforcing strong password policies
Answer: B) Insufficient memory allocation for input
Explanation: Buffer overflows occur when a program writes past the end of a fixed-size buffer, usually because the input length is never checked against the buffer size. The overwritten memory (adjacent variables, heap metadata, saved return addresses) corrupts program state and, in the worst case, lets an attacker hijack control flow.
4. What is Cross-Site Scripting (XSS)?
A) A technique to speed up website performance
B) A method to execute malicious scripts in a user's browser
C) A secure coding practice
D) A method to encrypt user credentials
Answer: B) A method to execute malicious scripts in a user's browser
Explanation: XSS occurs when an attacker injects malicious scripts into a web application, which are then executed in users' browsers with the privileges of the site's own code.
5. How can you prevent Cross-Site Request Forgery (CSRF) attacks?
A) By using CAPTCHA
B) By implementing CSRF tokens
C) By blocking IP addresses
D) By enabling auto-login
Answer: B) By implementing CSRF tokens
Explanation: CSRF tokens are unique, unpredictable values tied to the user's session and attached to state-changing requests. A cross-site page cannot read the token, so its forged request fails validation. The SameSite cookie attribute adds a second layer, but the token remains the primary control.
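A minimal implementation of the token check from question 5, as an added example that is not part of the original quiz. The session store is a plain dictionary standing in for real server-side session storage, and the endpoint name and form fields are assumptions made for the demonstration.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage: session id -> session data.
SESSION_STORE = {}


def issue_csrf_token(session_id: str) -> str:
    """Create an unpredictable per-session token and remember it server-side.

    The returned value goes into a hidden form field (or a custom request
    header for fetch/XHR calls). A page on another origin cannot read it,
    because the same-origin policy keeps the victim's page content private.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
    SESSION_STORE.setdefault(session_id, {})["csrf"] = token
    return token


def verify_csrf_token(session_id: str, submitted) -> bool:
    expected = SESSION_STORE.get(session_id, {}).get("csrf")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def handle_transfer(session_id: str, form: dict) -> tuple:
    """A state-changing endpoint. Returns (status, message) like an HTTP handler."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred " + str(form.get("amount"))
```

The token is bound to the session, so a token stolen from one session is useless against another, and it is rejected when absent, when guessed, and when presented with a different session.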
6. What is the best way to handle user authentication securely?
A) Storing passwords in plain text
B) Using strong hashing algorithms like bcrypt or Argon2
C) Sending passwords over HTTP
D) Hardcoding credentials in source code
Answer: B) Using strong hashing algorithms like bcrypt or Argon2
Explanation: Secure password storage means hashing each password with a deliberately slow, salted password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2), so that the hashes remain expensive to crack even if the database is compromised.
7. Which HTTP header helps mitigate Clickjacking attacks?
A) X-Frame-Options
B) Content-Type
C) Referrer-Policy
D) Cache-Control
Answer: A) X-Frame-Options
Explanation: The X-Frame-Options header tells the browser not to render the page inside a frame on another site, which defeats Clickjacking overlays. The Content-Security-Policy frame-ancestors directive supersedes it in modern browsers; sending both covers older ones.
8. Why is input validation critical in secure coding?
A) It improves the website's loading speed
B) It ensures user inputs do not contain malicious data
C) It helps with UI design
D) It speeds up database queries
Answer: B) It ensures user inputs do not contain malicious data
Explanation: Proper input validation prevents attacks like SQL Injection, XSS, and command injection by rejecting input that does not match the expected format before it reaches the code that interprets it.
9. What is a secure way to manage API keys in an application?
A) Storing them in environment variables
B) Hardcoding them in source code
C) Committing them to a public GitHub repository
D) Sending them in GET requests
Answer: A) Storing them in environment variables
Explanation: API keys should be kept out of the code base, in environment variables or, better, a dedicated secret manager. Environment variables are inherited by child processes and can show up in crash dumps and debug endpoints, so treat them as the minimum, not the ideal.
10. What is the purpose of HTTPS in web security?
A) To make websites load faster
B) To encrypt data between the client and server
C) To reduce bandwidth usage
D) To improve SEO rankings
Answer: B) To encrypt data between the client and server
Explanation: HTTPS protects data in transit by encrypting it and authenticating the server through its certificate, preventing attackers on the network path from reading or tampering with sensitive information.
11. Which of the following is a secure way to handle file uploads?
A) Allowing all file types
B) Storing uploaded files in a public directory
C) Validating file types and scanning for malware
D) Giving execute permissions to uploaded files
Answer: C) Validating file types and scanning for malware
Explanation: Uploaded files should be validated by content rather than by extension or the client-supplied Content-Type, renamed on storage, kept outside the web root, and scanned for malware, so an attacker cannot get a script executed on the server (Remote Code Execution).
12. What is Least Privilege in security?
A) Giving users access to everything
B) Providing only the necessary permissions required for a task
C) Using weak authentication methods
D) Disabling authentication
Answer: B) Providing only the necessary permissions required for a task
Explanation: The Principle of Least Privilege (PoLP) minimizes security risk by limiting user and process permissions to only what the task requires.
13. Which security header helps prevent content injection attacks?
A) X-Frame-Options
B) Content Security Policy (CSP)
C) X-XSS-Protection
D) Cache-Control
Answer: B) Content Security Policy (CSP)
Explanation: CSP restricts the sources from which scripts, styles, and other resources can be loaded, blocking injected content from untrusted origins and mitigating XSS.
14. What is an effective way to prevent session hijacking?
A) Using HTTPS and Secure Cookies
B) Using weak session tokens
C) Storing session IDs in local storage
D) Reusing session tokens
Answer: A) Using HTTPS and Secure Cookies
Explanation: HTTPS keeps the session token off the wire in plaintext, the Secure flag stops the browser from ever sending it over HTTP, and the HttpOnly flag and SameSite attribute keep it away from injected scripts and cross-site requests.
15. Why should error messages be carefully handled in secure applications?
A) To provide attackers with detailed system information
B) To prevent information leakage
C) To show users internal system logs
D) To improve system performance
Answer: B) To prevent information leakage
Explanation: Error messages shown to users should not expose stack traces, queries, paths or version details that would help an attacker find and exploit vulnerabilities.
16. What is the best way to secure database connections in a web application?
A) Hardcoding database credentials in the source code
B) Using parameterized queries and environment variables
C) Disabling database authentication
D) Storing credentials in public repositories
Answer: B) Using parameterized queries and environment variables
Explanation: Parameterized queries prevent SQL Injection, and connection credentials belong in configuration or a secret store, never in source code.
17. What is an SSRF (Server-Side Request Forgery) attack?
A) When an attacker injects JavaScript into a website
B) When an attacker tricks a server into making requests on their behalf
C) When an attacker intercepts a user’s session
D) When a server fails to encrypt data
Answer: B) When an attacker tricks a server into making requests on their behalf
Explanation: SSRF turns the server into a proxy for reaching hosts the attacker cannot reach directly: internal services behind the firewall, cloud metadata endpoints, and localhost-only admin interfaces.
18. What is an effective way to prevent brute force attacks?
A) Implementing account lockouts after failed attempts
B) Allowing unlimited login attempts
C) Disabling authentication logs
D) Storing passwords in plaintext
Answer: A) Implementing account lockouts after failed attempts
Explanation: Rate limiting, escalating delays and temporary lockouts reduce the risk of brute-force attacks. A permanent lockout keyed on the username alone lets an attacker lock legitimate users out, so combine per-account limits with per-source limits and keep lockouts temporary.
19. What should you avoid using in password storage?
A) Bcrypt
B) MD5
C) Argon2
D) PBKDF2
Answer: B) MD5
Explanation: MD5 is a fast, unsalted general-purpose hash; commodity GPUs test billions of candidates per second against it. Use a deliberately slow, salted password hash such as bcrypt, Argon2, or PBKDF2 instead.
20. What is a major risk of using eval() in code?
A) It slows down the program
B) It introduces code injection vulnerabilities
C) It improves code security
D) It increases application performance
Answer: B) It introduces code injection vulnerabilities
Explanation: eval() executes arbitrary code, so any attacker-influenced string that reaches it becomes an injection vector.
21. What is a secure way to store user credentials in a database?
A) Encrypt passwords with AES
B) Hash passwords with bcrypt, Argon2, or PBKDF2
C) Store passwords in plaintext for easy retrieval
D) Use base64 encoding for password storage
Answer: B) Hash passwords with bcrypt, Argon2, or PBKDF2
Explanation: Secure password storage requires one-way hashing, not encryption or encoding: AES is reversible by anyone who obtains the key, and base64 offers no protection at all. Bcrypt, Argon2, and PBKDF2 are salted and deliberately slow, which is what makes brute-force attacks expensive.
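The storage scheme behind questions 6, 19 and 21, shown in working code. This is an added example, not part of the original quiz; it uses PBKDF2-HMAC-SHA256 from Python's standard library (bcrypt and Argon2 need third-party packages), and the record format and iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumption for the example: tune it so one
# verification costs roughly 100 ms on your servers, and raise it over time.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The record is self-describing so the work factor can grow."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never fail open
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def md5_unsalted(password: str) -> str:
    """The anti-pattern from question 19: fast and unsalted, so equal passwords
    produce equal hashes and precomputed tables or GPUs crack them quickly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

Two users with the same password get different PBKDF2 records because each has its own salt, while their MD5 hashes are identical; and because the iteration count is stored in the record, old records keep verifying after the default is raised.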
22. Why should you avoid using hardcoded secrets in source code?
A) It makes debugging more difficult
B) It exposes sensitive data if the code is leaked
C) It slows down application performance
D) It increases code complexity
Answer: B) It exposes sensitive data if the code is leaked
Explanation: Hardcoded secrets (API keys, database credentials) are exposed to everyone with access to the code and to its entire history once it is leaked or pushed to a public repository.
23. Which of the following helps prevent race conditions in multi-threaded applications?
A) Using eval() for code execution
B) Implementing proper locking mechanisms (mutex, semaphore)
C) Allowing multiple threads to access shared resources without synchronization
D) Storing data in plaintext files
Answer: B) Implementing proper locking mechanisms (mutex, semaphore)
Explanation: Race conditions occur when multiple threads access shared resources without proper synchronization, leading to inconsistent state and, in security-sensitive code, to check-then-act bugs that attackers can win.
24. What is the primary purpose of the HttpOnly flag in cookies?
A) To prevent cookies from being accessed via JavaScript
B) To encrypt cookie data
C) To make cookies expire faster
D) To allow cookies to be shared across domains
Answer: A) To prevent cookies from being accessed via JavaScript
Explanation: The HttpOnly flag prevents client-side scripts from reading the cookie, so an XSS payload cannot simply exfiltrate the session token.
25. Which security issue arises from improper XML parsing?
A) Clickjacking
B) SQL Injection
C) XML External Entity (XXE) Injection
D) XSS
Answer: C) XML External Entity (XXE) Injection
Explanation: XXE occurs when an XML parser resolves entities declared in untrusted input. Attackers use it to read local files, make the server issue requests to internal hosts (SSRF), and exhaust memory through recursive entity expansion. The fix is to disable DTD and external entity processing in the parser.
26. What is the purpose of the Content-Security-Policy (CSP) header?
A) It prevents brute-force attacks
B) It restricts sources from which content (scripts, styles) can be loaded
C) It forces users to update their passwords regularly
D) It encrypts HTTP traffic
Answer: B) It restricts sources from which content (scripts, styles) can be loaded
Explanation: CSP helps prevent XSS by restricting scripts, styles, fonts, and images to trusted sources declared by the application.
27. Which security measure can help prevent phishing attacks?
A) Using strong passwords
B) Implementing Multi-Factor Authentication (MFA)
C) Disabling JavaScript
D) Hiding login forms
Answer: B) Implementing Multi-Factor Authentication (MFA)
Explanation: MFA limits the damage of a phished password by requiring a second factor. Phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) are bound to the site's origin, so they also defeat proxies that relay one-time codes in real time.
28. What is the safest way to manage user session tokens?
A) Store session tokens in local storage
B) Store session tokens in cookies with Secure and HttpOnly flags
C) Expose session tokens in URL parameters
D) Keep session tokens active indefinitely
Answer: B) Store session tokens in cookies with Secure and HttpOnly flags
Explanation: Cookies with the Secure and HttpOnly flags prevent JavaScript access and ensure tokens are only sent over HTTPS.
29. What is directory traversal attack?
A) An attack where a hacker injects SQL queries into user input fields
B) An attack that allows attackers to read arbitrary files on the server
C) A technique used to bypass CAPTCHA challenges
D) A method of encrypting sensitive data
Answer: B) An attack that allows attackers to read arbitrary files on the server
Explanation: Directory traversal (path traversal) exploits improperly validated file paths, using sequences such as ../ to reach sensitive files (/etc/passwd, config.php) outside the intended directory.
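One way to enforce the directory boundary from question 29, as an added example that is not part of the original quiz. It resolves the requested path to its real location before comparing, which also catches symlinks that point outside the root; the temporary directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path inside base_dir, or raise.

    realpath() normalizes ".." and resolves symlinks, so the check sees the
    final target; commonpath() then confirms it is still under base_dir.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %r" % (base_dir, user_path))
    return target


def read_upload(base_dir: str, user_path: str) -> str:
    with open(safe_join(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Builds a throw-away directory tree (constructed for the example) and
    reports which requested paths the check allows."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("outside the upload root")
    # A symlink inside the root that points outside it: purely lexical checks miss this.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(uploads, "link.txt"))

    results = {}
    for requested in ["report.txt", "sub/../report.txt", "../secret.txt",
                      "/etc/passwd", "link.txt"]:
        try:
            safe_join(uploads, requested)
            results[requested] = "allowed"
        except PermissionError:
            results[requested] = "blocked"
    return results
```

Note that os.path.join discards the base when the user path is absolute, which is why "/etc/passwd" must be caught by the commonpath check rather than by join itself; and on Windows, commonpath raises ValueError when the two paths are on different drives, which should be treated as a rejection.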
30. How can you prevent session fixation attacks?
A) Allowing long session lifetimes
B) Regenerating session IDs after login
C) Disabling cookies
D) Using base64 encoding for session tokens
Answer: B) Regenerating session IDs after login
Explanation: In a session fixation attack the attacker plants a session ID they already know in the victim's browser (for example via a crafted link) and waits for the victim to log in with it. Issuing a fresh session ID at authentication, and invalidating the old one, leaves the attacker holding an ID that no longer maps to anything.
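The login flow from question 30 together with the cookie attributes from questions 14, 24 and 28, as an added example that is not part of the original quiz. The session store is a dictionary standing in for server-side storage; the cookie name and lifetime are assumptions made for the demonstration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def new_session() -> str:
    """Pre-login session; the id is 256 bits from a CSPRNG, never a counter."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "cart": []}
    return sid


def login(presented_sid: str, username: str, password_ok: bool) -> str:
    """On successful authentication, retire the id the client arrived with and
    issue a fresh one. Whoever knew the old id (a fixation attacker) is left
    with an id that no longer maps to anything."""
    if not password_ok:
        return presented_sid
    data = SESSIONS.pop(presented_sid, None) or {}
    fresh_sid = secrets.token_urlsafe(32)
    SESSIONS[fresh_sid] = {**data, "user": username}
    return fresh_sid


def session_cookie_header(sid: str, max_age: int = 1800) -> str:
    """Value for the Set-Cookie header carrying the session id."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["httponly"] = True    # invisible to document.cookie
    cookie["sid"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = max_age  # bounded lifetime (question 59)
    return cookie["sid"].OutputString()
```

In the fixation scenario the attacker obtains an anonymous session id, gets the victim to use it, and then tries it after the victim logs in; because login() moved the victim to a new id and dropped the old one, the attacker's id is simply unknown to the server.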
31. What is a primary risk of using third-party JavaScript libraries?
A) They can make your website slow
B) They can introduce supply chain attacks
C) They require manual updates
D) They do not work on mobile devices
Answer: B) They can introduce supply chain attacks
Explanation: Malicious or compromised third-party scripts run with the full privileges of your page and can introduce backdoors or XSS. Pin versions, use Subresource Integrity for CDN-hosted scripts, and review updates before shipping them.
32. What is a proper way to restrict API access?
A) Implementing API key-based authentication with rate limiting
B) Exposing all API endpoints publicly
C) Hardcoding API keys in JavaScript files
D) Using weak hashing algorithms for API authentication
Answer: A) Implementing API key-based authentication with rate limiting
Explanation: API security involves authentication, authorization, and rate limiting to prevent abuse.
33. Why should eval() be avoided in JavaScript?
A) It improves performance
B) It introduces security risks like code injection
C) It enhances code readability
D) It is necessary for modern JavaScript frameworks
Answer: B) It introduces security risks like code injection
Explanation: eval() executes arbitrary code, so any attacker-controlled string that reaches it runs with the application's privileges.
34. What is an example of an Insecure Direct Object Reference (IDOR)?
A) A user can access another user’s files by modifying a URL parameter
B) A website allows login with weak passwords
C) A server exposes error messages
D) A hacker sends phishing emails
Answer: A) A user can access another user's files by modifying a URL parameter
Explanation: IDOR occurs when objects (files, user IDs, order numbers) are referenced directly by a client-controlled identifier and the server never checks that the authenticated user is authorized for that specific object.
35. How can you prevent command injection vulnerabilities?
A) Avoiding user input in system commands or sanitizing input
B) Allowing admin users to run any command
C) Running commands as root user
D) Relying on firewall protections
Answer: A) Avoiding user input in system commands or sanitizing input
Explanation: Command injection lets attackers run their own system commands. Prefer APIs that take an argument array and never invoke a shell; where input must be used, validate it against a strict allowlist rather than trying to strip shell metacharacters.
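The vulnerable and hardened forms from question 35 side by side, as an added example that is not part of the original quiz. The vulnerable version really does hand a string to the shell (it uses the harmless echo builtin so the injection is visible); the safe version calls the Python interpreter as its child for portability, which is an assumption for the demonstration, and a real service would invoke its actual tool the same way.

```python
import re
import subprocess
import sys

# Allowlist for a hostname argument: must start with an alphanumeric (so it can
# never be read as an option such as -f), then only hostname characters, bounded.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host: str) -> list:
    """shell=True hands a string to /bin/sh; metacharacters in host become new commands.
    The echo stands in for whatever tool (ping, nslookup, convert, ...) the app calls."""
    result = subprocess.run("echo resolving " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_with_argument(host: str) -> list:
    """No shell: argv is a list, so host is delivered as exactly one argument."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print('resolving', sys.argv[1])", host],
        capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def lookup_safe(host: str) -> list:
    """Validate against the allowlist first, then execute without a shell.
    Both layers matter: the list form stops command injection, the allowlist
    stops argument injection (a host beginning with '-' parsed as an option)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host: %r" % host)
    return run_with_argument(host)


def host_is_rejected(host: str) -> bool:
    try:
        lookup_safe(host)
    except ValueError:
        return True
    return False
```

With the input `example.com; echo INJECTED`, the shell version prints two lines because the semicolon started a second command; the argv version prints one line containing the semicolon as ordinary text, and the allowlisted version refuses the input outright.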
36. What is a common issue with CORS (Cross-Origin Resource Sharing)?
A) It blocks all API requests
B) It allows unauthorized access to APIs if misconfigured
C) It encrypts all responses
D) It speeds up web applications
Answer: B) It allows unauthorized access to APIs if misconfigured
Explanation: Misconfigured CORS policies let pages on attacker-controlled origins read responses from your API, exposing data that should stay with the user's own origin.
37. Which of the following is a sign of an insecure deserialization vulnerability?
A) Accepting untrusted serialized data and executing it
B) Using strong passwords
C) Encrypting database entries
D) Implementing MFA
Answer: A) Accepting untrusted serialized data and executing it
Explanation: Insecure deserialization lets attackers craft serialized objects that the application reconstructs, which in many frameworks leads to Remote Code Execution (RCE).
38. What is the main security risk of storing sensitive data in client-side storage (localStorage/sessionStorage)?
A) Data is lost when the browser is closed
B) Data is accessible to JavaScript and vulnerable to XSS attacks
C) It slows down the application
D) It encrypts the data automatically
Answer: B) Data is accessible to JavaScript and vulnerable to XSS attacks
Explanation: localStorage and sessionStorage are fully readable by any script running on the page, so a single XSS flaw hands their contents to the attacker.
39. Which principle is important for securing microservices architecture?
A) Monolithic design
B) Least Privilege and Zero Trust
C) Hardcoding credentials in microservices
D) Allowing open API access
Answer: B) Least Privilege and Zero Trust
Explanation: Zero Trust ensures every request between services is authenticated and authorized, and Least Privilege restricts each service to the minimum access it needs.
40. What is the best practice for securing JWT (JSON Web Tokens)?
A) Store JWTs in localStorage for easy access
B) Use short-lived JWTs and refresh tokens securely
C) Share JWTs across different users for efficiency
D) Allow JWTs to be used indefinitely
Answer: B) Use short-lived JWTs and refresh tokens securely
Explanation: Short-lived access tokens bound the damage a stolen token can do. Refresh tokens should be stored where scripts cannot reach them, rotated on use, and revocable server-side; and the server must verify the signature and pin the accepted algorithm on every token it receives.
41. What is a key risk when using third-party authentication providers (OAuth, SSO)?
A) Users cannot reset their passwords
B) If compromised, attackers can gain access to multiple applications
C) It slows down the login process
D) It increases password strength
Answer: B) If compromised, attackers can gain access to multiple applications
Explanation: If a third-party authentication provider is compromised, attackers can reach every application that trusts it.
42. What is an SSRF (Server-Side Request Forgery) vulnerability?
A) A way to inject SQL commands into a server
B) A vulnerability that allows attackers to make unauthorized requests from the server
C) A brute-force attack against user credentials
D) A method for bypassing firewalls
Answer: B) A vulnerability that allows attackers to make unauthorized requests from the server
Explanation: SSRF allows attackers to trick a server into making requests to internal or external resources of their choosing, which can expose internal services and sensitive data.
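A URL validator of the kind questions 17 and 42 call for, as an added example that is not part of the original quiz. It allowlists the scheme, refuses embedded credentials, and rejects any destination that resolves to a private, loopback, link-local or otherwise non-public address. DNS resolution is injected as a function so the example runs offline; the stub resolver table and hostnames are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text: str) -> bool:
    """Reject anything the server can reach that an outsider should not."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolve) -> list:
    """Validate a user-supplied URL before the server fetches it.

    `resolve(hostname)` returns the IP addresses for a name. The vetted address
    list is returned so the caller can connect to one of those addresses rather
    than resolving again, which would reopen a DNS-rebinding window.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError("unresolvable host: %r" % host)
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError("%s resolves to non-public address %s" % (host, addr))
    return addresses


# Constructed stub standing in for DNS; none of these are real lookups.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
}


def stub_resolve(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


def url_is_rejected(url: str) -> bool:
    try:
        validate_outbound_url(url, stub_resolve)
    except ValueError:
        return True
    return False
```

Two caveats a practitioner should keep in mind: every redirect the fetch follows must go through the same check, and a name that returns both a public and a private record is rejected as a whole, because the attacker controls which one the server will try first.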
43. Why should you avoid using GET requests to send sensitive data?
A) GET requests are slower than POST requests
B) GET requests are stored in browser history and logs
C) GET requests cannot send large data
D) GET requests require more bandwidth
Answer: B) GET requests are stored in browser history and logs
Explanation: Sensitive data in a URL ends up in browser history, proxy and server logs, and Referer headers sent to third parties, so it leaks far beyond the intended recipient.
44. What is the security risk of allowing unrestricted file uploads?
A) It can crash the server
B) Attackers can upload and execute malicious files
C) It increases storage costs
D) It can slow down database queries
Answer: B) Attackers can upload and execute malicious files
Explanation: Unrestricted file uploads let attackers place server-side scripts or other malicious files on the server, leading to Remote Code Execution (RCE).
45. What is the purpose of a Web Application Firewall (WAF)?
A) To block brute-force attacks only
B) To filter and monitor HTTP traffic for threats
C) To encrypt database connections
D) To prevent users from accessing websites
Answer: B) To filter and monitor HTTP traffic for threats
Explanation: A WAF inspects requests for known attack patterns such as XSS and SQL injection payloads and blocks or logs them. It is a defence-in-depth layer that determined attackers can often bypass with encoding tricks, not a substitute for fixing the code.
46. What is a key security risk in improper CORS (Cross-Origin Resource Sharing) configuration?
A) It can make the website slower
B) It allows unauthorized third-party domains to access your resources
C) It prevents users from logging in
D) It blocks all JavaScript execution
Answer: B) It allows unauthorized third-party domains to access your resources
Explanation: Misconfigured CORS policies let pages on attacker-controlled origins read responses from your API, including data tied to the logged-in user.
47. What is the best way to prevent brute force attacks on login pages?
A) Implementing account lockouts and CAPTCHA
B) Using HTTP instead of HTTPS
C) Allowing unlimited login attempts
D) Hardcoding passwords in scripts
Answer: A) Implementing account lockouts and CAPTCHA
Explanation: Account lockouts, CAPTCHA, and rate limiting slow automated brute-force attacks enough to make them impractical.
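A throttle implementing the controls from questions 18 and 47, as an added example that is not part of the original quiz. It counts failures in a sliding window per key and applies a temporary lockout; keying on both the account and the source address means an attacker cannot lock a user out from one address without also locking themselves out, and a distributed attacker still hits the per-account limit. The thresholds and the key naming are assumptions made for the demonstration.

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout, keyed by any string."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> time when the lock expires

    def _now(self, now):
        return time.monotonic() if now is None else now  # injectable for tests

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures outside the window
        return q

    def allowed(self, key, now=None) -> bool:
        now = self._now(now)
        if self._locked_until.get(key, 0) > now:
            return False
        return len(self._recent(key, now)) < self.max_failures

    def record_failure(self, key, now=None):
        now = self._now(now)
        q = self._recent(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok, now=None) -> str:
    """Returns "ok", "bad-credentials" or "locked"; both keys must be under the limit."""
    keys = ("user:" + username, "ip:" + source_ip)
    if not all(throttle.allowed(k, now) for k in keys):
        return "locked"  # same response whether the account or the address is locked
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "bad-credentials"
```

Returning the same "locked" response regardless of which key tripped, and the same "bad-credentials" response whether or not the account exists, keeps the endpoint from doubling as a username oracle.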
48. Which security issue is addressed by HSTS (HTTP Strict Transport Security)?
A) Clickjacking
B) Downgrade attacks (Man-in-the-Middle forcing HTTP)
C) SQL Injection
D) CSRF
Answer: B) Downgrade attacks (Man-in-the-Middle forcing HTTP)
Explanation: Once a browser has seen the HSTS header over HTTPS, it refuses plain-HTTP connections to that host for the stated max-age, so an attacker on the network cannot redirect or rewrite the user onto an unencrypted connection.
49. What is the primary risk of using outdated libraries or dependencies?
A) The application may crash
B) Performance issues
C) Exposure to known security vulnerabilities
D) Increased loading time
Answer: C) Exposure to known security vulnerabilities
Explanation: Outdated dependencies may contain publicly documented vulnerabilities that attackers can exploit with off-the-shelf tooling.
50. Why should secrets (e.g., API keys, database passwords) be stored in environment variables instead of source code?
A) It makes the application load faster
B) It reduces the risk of accidental exposure in repositories
C) It helps with API performance
D) It prevents unauthorized changes to API keys
Answer: B) It reduces the risk of accidental exposure in repositories
Explanation: Environment variables keep secrets out of source code, preventing leaks through version control and public repositories.
51. What is a secure way to handle forgotten passwords?
A) Sending passwords via email
B) Using password hints
C) Implementing a secure password reset token with expiration
D) Allowing users to reset passwords without authentication
Answer: C) Implementing a secure password reset token with expiration
Explanation: Password reset tokens should be unpredictable, single-use, and short-lived.
52. What is a common risk when exposing detailed error messages?
A) They slow down the website
B) They expose internal system information to attackers
C) They make debugging harder
D) They consume more server storage
Answer: B) They expose internal system information to attackers
Explanation: Detailed error messages can reveal stack traces, database queries, and file system paths, which attackers use to refine their attacks.
53. What is the risk of using default credentials (e.g., admin/admin)?
A) It makes authentication faster
B) Attackers can easily guess them and gain access
C) It improves usability
D) It simplifies password management
Answer: B) Attackers can easily guess them and gain access
Explanation: Default credentials are published in vendor documentation and attacker wordlists, so leaving them in place can lead to full system compromise.
54. Why should developers sanitize user input?
A) To improve website speed
B) To prevent injection attacks (SQLi, XSS, etc.)
C) To simplify debugging
D) To enable caching
Answer: B) To prevent injection attacks (SQLi, XSS, etc.)
Explanation: Validating input and encoding output for the context it lands in (SQL, HTML, a shell) stops malicious payloads from being interpreted as code. Sanitization on its own, stripping characters that look dangerous, is the easiest of these to get wrong.
55. Why should developers avoid storing plaintext passwords in databases?
A) It increases database performance
B) It makes password retrieval easier for users
C) It allows attackers to access all user accounts if compromised
D) It helps with password synchronization across systems
Answer: C) It allows attackers to access all user accounts if compromised
Explanation: Storing passwords in plaintext exposes every credential the moment the database is breached. Always hash passwords before storing them.
56. What is the purpose of multi-factor authentication (MFA)?
A) To make logging in more complex
B) To provide additional security beyond passwords
C) To replace the need for passwords
D) To prevent account lockouts
Answer: B) To provide additional security beyond passwords
Explanation: MFA adds an extra layer of security by requiring a second factor, like a one-time code, a hardware key, or biometric verification.
57. What is the recommended way to validate user input?
A) Only validate input on the client-side
B) Use server-side validation along with client-side validation
C) Allow all input and filter it later
D) Trust user input without validation
Answer: B) Use server-side validation along with client-side validation
Explanation: Client-side validation improves the user experience, but an attacker can bypass it entirely, so server-side validation is the control that actually prevents malicious data from getting through.
58. What is a potential risk when using regex for input validation?
A) Regex validation increases database performance
B) Poorly written regex patterns can lead to Regular Expression Denial of Service (ReDoS)
C) Regex ensures 100% security
D) Regex slows down login attempts
Answer: B) Poorly written regex patterns can lead to Regular Expression Denial of Service (ReDoS)
Explanation: Patterns with nested or overlapping quantifiers (for example (a+)+) make a backtracking engine try an exponential number of ways to match a crafted non-matching input, pinning a CPU core with a single request. Keep patterns unambiguous and cap input length before matching.
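Catastrophic backtracking from question 58 measured directly, as an added example that is not part of the original quiz. Both patterns accept exactly the same strings, yet on a crafted non-matching input the nested-quantifier version takes orders of magnitude longer; the username validator shows the practical defence. The patterns and the length cap are assumptions made for the demonstration.

```python
import re
import time

# Same language (one or more "a"), very different amounts of work on failure:
EVIL_PATTERN = re.compile(r"^(a+)+$")  # nested quantifier: the engine tries every
                                       # way to split the a's before giving up
SAFE_PATTERN = re.compile(r"^a+$")     # unambiguous: one pass, no backtracking


def timed_match(pattern, text):
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n: int) -> dict:
    """Run both patterns on a non-matching input: n a's followed by '!'."""
    text = "a" * n + "!"
    evil_ok, evil_s = timed_match(EVIL_PATTERN, text)
    safe_ok, safe_s = timed_match(SAFE_PATTERN, text)
    return {"evil_match": evil_ok, "evil_seconds": evil_s,
            "safe_match": safe_ok, "safe_seconds": safe_s}


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(name: str) -> bool:
    """Defence in practice: cap the length before any regex runs, then use an
    unambiguous pattern with fullmatch (no nested or overlapping quantifiers)."""
    if len(name) > 32:
        return False
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    for n in (10, 15, 20):
        r = compare(n)
        print("n=%d evil=%.4fs safe=%.6fs" % (n, r["evil_seconds"], r["safe_seconds"]))
```

Each extra character roughly doubles the evil pattern's time, so a request of a few dozen characters is enough to tie up a worker; the safe pattern stays in the microseconds. Engines without backtracking (RE2 and similar) remove the problem at its root where they are available.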
59. Why is session timeout important in web applications?
A) It improves database performance
B) It prevents unauthorized access when users leave their sessions open
C) It increases session persistence
D) It makes logging in easier
Answer: B) It prevents unauthorized access when users leave their sessions open
Explanation: Session timeouts log users out after inactivity, which limits the window in which an unattended or stolen session can be used; an absolute lifetime in addition to the idle timeout bounds that window even for active sessions.
60. What is the role of a security audit in software development?
A) To find and fix security vulnerabilities before deployment
B) To speed up software development
C) To remove redundant code
D) To improve code readability
Answer: A) To find and fix security vulnerabilities before deployment
Explanation: Security audits identify vulnerabilities in code, configurations, and infrastructure, reducing the risk of cyberattacks.
61. What is a primary security risk of using outdated SSL/TLS versions?
A) They increase website loading time
B) They may have known vulnerabilities that attackers can exploit
C) They improve backward compatibility
D) They allow faster encryption
Answer: B) They may have known vulnerabilities that attackers can exploit
Explanation: Older protocol versions (SSL 3.0, TLS 1.0 and 1.1) support weak ciphers and have published attacks such as POODLE and BEAST that can expose plaintext; disable them and serve TLS 1.2 or 1.3 only.
62. Why should a web application restrict the number of failed login attempts?
A) To prevent brute-force attacks
B) To increase the complexity of login forms
C) To improve caching performance
D) To reduce server logs
Answer: A) To prevent brute-force attacks
Explanation: Limiting failed login attempts prevents attackers from trying passwords at the speed of the network in a brute-force attack.
63. What is the best way to handle user-uploaded files securely?
A) Store them in a public directory without validation
B) Scan files for malware, validate file types, and store them outside the web root
C) Allow users to execute uploaded scripts
D) Trust user input and accept all file types
Answer: B) Scan files for malware, validate file types, and store them outside the web root
Explanation: Uploaded files should be restricted by type, scanned for malware, and stored where the web server cannot execute or serve them directly, to prevent Remote Code Execution (RCE).
64. Which security mechanism helps protect against brute-force attacks on API endpoints?
A) Using HTTP instead of HTTPS
B) Implementing rate limiting and API key validation
C) Removing authentication requirements
D) Allowing unlimited API requests
Answer: B) Implementing rate limiting and API key validation
Explanation: Rate limiting caps how fast an endpoint can be hammered, while API key validation ensures only authorized clients can reach it at all.
65. What is the impact of failing to properly escape special characters in database queries?
A) It makes queries more efficient
B) It can lead to SQL Injection attacks
C) It speeds up database performance
D) It improves user experience
Answer: B) It can lead to SQL Injection attacks
Explanation: When special characters reach the query text unescaped, attackers can alter the query and read or modify data. Parameterized queries are the primary defence; manual escaping is error-prone and should be a last resort.
66. Why is it important to set secure flags on cookies?
A) It improves cookie performance
B) It ensures cookies are only sent over HTTPS and not accessible by JavaScript
C) It allows cookies to persist longer
D) It makes cookies more readable
Answer: B) It ensures cookies are only sent over HTTPS and not accessible by JavaScript
Explanation: The Secure flag protects cookies from network interception and the HttpOnly flag from XSS-based theft.
67. Why is it dangerous to return detailed stack traces in production?
A) It makes debugging harder
B) It exposes internal application details to attackers
C) It speeds up error reporting
D) It improves code readability
Answer: B) It exposes internal application details to attackers
Explanation: Stack traces reveal file paths, database queries, framework names and versions, all of which help attackers target known weaknesses.
68. Why should developers use dependency scanning tools in software development?
A) To check for outdated packages that may have vulnerabilities
B) To remove unnecessary dependencies
C) To improve software installation speed
D) To reduce software size
Answer: A) To check for outdated packages that may have vulnerabilities
Explanation: Dependency scanning tools identify third-party libraries with known vulnerabilities so they can be updated before an attacker exploits them.
69. What is a security risk of using predictable session IDs?
A) They improve session performance
B) Attackers can guess session IDs and hijack user sessions
C) They allow sessions to persist longer
D) They improve authentication speed
Answer: B) Attackers can guess session IDs and hijack user sessions
Explanation: Predictable session IDs allow attackers to impersonate users by computing or guessing the identifier of an active session.
70. What is the purpose of implementing a Content Security Policy (CSP) in web applications?
A) To prevent SQL Injection attacks
B) To restrict the sources from which scripts, styles, and images can be loaded
C) To improve server performance
D) To prevent network-level attacks
Answer: B) To restrict the sources from which scripts, styles, and images can be loaded
Explanation: CSP helps prevent XSS by blocking script execution from sources the policy does not trust.
71. Why should you avoid using wildcard characters (*) in CORS policies?
A) It improves security by allowing all origins
B) It ensures that only one specific domain is allowed
C) It can expose APIs to unauthorized cross-origin requests
D) It speeds up API responses
Answer: C) It can expose APIs to unauthorized cross-origin requests
Explanation: Using * in Access-Control-Allow-Origin lets any origin read the API's responses. Browsers refuse to send credentials when the origin is *, so the more damaging variant in practice is a server that reflects the request's Origin header verbatim while also setting Access-Control-Allow-Credentials: true. Use an exact-match allowlist of origins instead.
72. What is a primary risk of exposing detailed error messages in API responses?
A) Attackers can gather sensitive information about the system
B) It improves user experience
C) It helps developers debug faster in production
D) It enhances database performance
Answer: A) Attackers can gather sensitive information about the system
Explanation: Detailed error messages can reveal database structures, file paths, and stack traces, which attackers use to plan further exploitation.
73. What is a secure way to implement password recovery functionality?
A) Send the user their password via email
B) Use a secure, time-limited password reset token
C) Allow users to reset passwords without authentication
D) Store a plaintext copy of the user’s password
Answer: B) Use a secure, time-limited password reset token
Explanation: Password reset tokens should be unpredictable, single-use, and short-lived, and the reset endpoint should respond identically whether or not the address belongs to an account, to prevent account takeover and user enumeration.
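The token lifecycle from questions 51 and 73 in working code, as an added example that is not part of the original quiz. Only a hash of the token is stored, so a leaked table does not contain usable links; tokens expire and are consumed on first use. The store is a dictionary standing in for a database table, and the lifetime is an assumption made for the demonstration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed store: sha256(token) -> (user_id, expiry time).
RESET_TOKENS = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_token(user_id: int, now=None) -> str:
    """Returns the token to embed in the emailed link; `now` is injectable for tests."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, carries no user data
    RESET_TOKENS[_token_key(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(token: str, now=None):
    """Return the user id if the token is valid and unexpired, else None.
    The token is removed on first presentation whatever the outcome (single use)."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_key(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


def invalidate_user_tokens(user_id: int) -> int:
    """Call on successful password change so older links stop working; returns the count removed."""
    stale = [k for k, (uid, _) in RESET_TOKENS.items() if uid == user_id]
    for k in stale:
        del RESET_TOKENS[k]
    return len(stale)
```

A 256-bit random token looked up by its hash needs no constant-time comparison, because the attacker cannot narrow the search by timing a hash-table lookup; what does matter is that the token never appears in logs or Referer headers, which is why the reset page should not load third-party resources.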
74. What is a major risk of not logging security-related events?
A) It prevents application crashes
B) It makes debugging easier
C) Security breaches might go undetected
D) It improves application speed
Answer: C) Security breaches might go undetected
Explanation: Insufficient logging and monitoring allow attacks to go unnoticed, increasing the risk of prolonged unauthorized access.
75. Why should application logs never store full credit card details?
A) It improves application performance
B) It violates compliance regulations like PCI-DSS
C) Logs can become too large
D) It makes transactions slower
Answer: B) It violates compliance regulations like PCI-DSS
Explanation: Logs are widely readable, copied to many systems and retained for a long time, so a full card number in a log both breaches PCI-DSS and hands attackers card data; mask or truncate it before logging.
76. What is the security risk of using default configurations in web servers or databases?
A) It makes setup easier
B) It allows attackers to exploit well-known default settings
C) It reduces system complexity
D) It speeds up deployment
Answer: B) It allows attackers to exploit well-known default settings
Explanation: Default settings (default admin credentials, sample applications, open ports and management interfaces) are documented publicly and are exploited if they are not changed before deployment.
77. What is the best way to secure sensitive data in transit?
A) Use HTTPS with TLS encryption
B) Store all data in plaintext
C) Send sensitive data via GET requests
D) Use base64 encoding
Answer: A) Use HTTPS with TLS encryption
Explanation: TLS encryption ensures that data transmitted between clients and servers remains confidential and secure.
78. Why is dependency management important in secure coding?
A) It helps prevent using libraries with known vulnerabilities
B) It speeds up code compilation
C) It makes the code more readable
D) It improves runtime performance
Answer: A) It helps prevent using libraries with known vulnerabilities
Explanation: Regular dependency updates and vulnerability scanning help prevent attackers from exploiting outdated, vulnerable libraries.
79. What is a key principle of Zero Trust security?
A) Trust every request from internal networks
B) Never trust, always verify
C) Allow users to authenticate once and remain logged in permanently
D) Only focus on perimeter security
Answer: B) Never trust, always verify
Explanation: Zero Trust security assumes that every request could be malicious and requires verification before granting access.
80. What is a major benefit of Role-Based Access Control (RBAC)?
A) Users can access everything without restrictions
B) It restricts access based on user roles and permissions
C) It improves application speed
D) It simplifies user authentication
Answer: B) It restricts access based on user roles and permissions
Explanation: RBAC ensures users only have access to resources needed for their role, reducing the risk of unauthorized access.
81. How does a Content Security Policy (CSP) help prevent XSS attacks?
A) It blocks all external scripts
B) It allows only whitelisted scripts and resources to be executed
C) It encrypts the webpage source code
D) It restricts users from submitting forms
Answer: B) It allows only whitelisted scripts and resources to be executed
Explanation: CSP prevents XSS by restricting which scripts, styles, and resources can be loaded, blocking malicious content injection.
82. Why should you avoid storing API keys in frontend code?
A) It makes the code difficult to read
B) Attackers can extract API keys from client-side JavaScript
C) It reduces application performance
D) API keys are not needed for security
Answer: B) Attackers can extract API keys from client-side JavaScript
Explanation: API keys should be stored securely on the server, not in client-side code, where they can be easily stolen.
83. What is the main advantage of using OAuth for authentication?
A) Users can log in without a password
B) It allows users to authenticate using third-party providers securely
C) It eliminates the need for encryption
D) It speeds up database queries
Answer: B) It allows users to authenticate using third-party providers securely
Explanation: OAuth allows users to authenticate via services like Google or Facebook, reducing the risk of password theft.
84. Why should database queries be parameterized?
A) To improve query execution speed
B) To prevent SQL Injection attacks
C) To reduce database storage size
D) To allow dynamic table creation
Answer: B) To prevent SQL Injection attacks
Explanation: Parameterized queries ensure user input is treated as data, not executable code, preventing SQL Injection.
85. What is a security risk of allowing unlimited API requests?
A) It improves user experience
B) It exposes APIs to DDoS attacks and abuse
C) It helps cache responses
D) It makes APIs load faster
Answer: B) It exposes APIs to DDoS attacks and abuse
Explanation: Rate limiting is necessary to prevent API abuse and protect against DoS attacks.
86. What is the risk of exposing the server signature in HTTP responses?
A) Attackers can identify server software and exploit known vulnerabilities
B) It speeds up web page rendering
C) It improves caching efficiency
D) It prevents browser errors
Answer: A) Attackers can identify server software and exploit known vulnerabilities
Explanation: Hiding server version details prevents attackers from identifying and exploiting known weaknesses.
87. How can developers protect against XML External Entity (XXE) attacks?
A) Disable external entity parsing in XML processors
B) Use JSON instead of XML
C) Allow all XML inputs
D) Store XML data in plaintext
Answer: A) Disable external entity parsing in XML processors
Explanation: XXE attacks exploit insecure XML parsers. Disabling external entity loading prevents these attacks.
88. What is the main security concern with open redirects?
A) They allow attackers to redirect users to phishing sites
B) They improve website performance
C) They help SEO rankings
D) They allow faster website navigation
Answer: A) They allow attackers to redirect users to phishing sites
Explanation: Open redirects can be exploited in phishing attacks, leading users to malicious websites.
89. Why should authentication tokens be stored securely?
A) To improve app performance
B) To prevent token theft and session hijacking
C) To make debugging easier
D) To speed up API calls
Answer: B) To prevent token theft and session hijacking
Explanation: Authentication tokens should be stored securely to prevent account hijacking.
91. What is the primary purpose of using a Web Application Firewall (WAF)?
A) To block all incoming traffic
B) To monitor and filter HTTP traffic to prevent attacks
C) To encrypt database queries
D) To remove unused JavaScript files
Answer: B) To monitor and filter HTTP traffic to prevent attacks
Explanation: WAFs detect and block web-based attacks like SQL Injection, XSS, and CSRF, helping secure web applications.
92. Why should developers avoid using weak cryptographic algorithms like MD5 and SHA-1?
A) They make encryption faster
B) They are susceptible to collisions and brute-force attacks
C) They use too much memory
D) They improve database performance
Answer: B) They are susceptible to collisions and brute-force attacks
Explanation: MD5 and SHA-1 are weak and vulnerable to hash collisions, making them unsuitable for secure applications.
93. What is a key advantage of using a password manager?
A) It helps store and generate strong, unique passwords securely
B) It eliminates the need for passwords
C) It speeds up website authentication
D) It allows users to use the same password for multiple accounts
Answer: A) It helps store and generate strong, unique passwords securely
Explanation: Password managers reduce password reuse and weak password usage by generating and storing secure credentials.
94. What is a major risk of allowing users to set very short or weak passwords?
A) It improves user experience
B) It increases the risk of brute-force and credential stuffing attacks
C) It reduces the complexity of authentication systems
D) It makes password recovery easier
Answer: B) It increases the risk of brute-force and credential stuffing attacks
Explanation: Weak passwords are easier to guess, making them vulnerable to brute-force attacks.
95. Why is it important to use a secure random number generator for cryptographic operations?
A) To ensure randomness is predictable
B) To generate strong encryption keys and tokens
C) To improve CPU performance
D) To make debugging easier
Answer: B) To generate strong encryption keys and tokens
Explanation: Secure random number generators ensure that encryption keys and session tokens are unpredictable, reducing security risks.
96. What is an effective way to prevent user enumeration attacks?
A) Returning the same error message for incorrect username and password
B) Allowing unlimited login attempts
C) Displaying detailed error messages
D) Storing passwords in plaintext
Answer: A) Returning the same error message for incorrect username and password
Explanation: User enumeration attacks exploit differences in login error messages to determine valid usernames.
97. What is the purpose of implementing a security-first development approach?
A) To ensure security is considered at every stage of the software development lifecycle
B) To slow down the development process
C) To reduce code readability
D) To avoid testing application security
Answer: A) To ensure security is considered at every stage of the software development lifecycle
Explanation: A security-first approach integrates security measures throughout the software development lifecycle (SDLC), reducing vulnerabilities.
98. Why should API responses avoid exposing sensitive system details?
A) To prevent attackers from gathering useful information
B) To improve API speed
C) To reduce storage usage
D) To improve application logging
Answer: A) To prevent attackers from gathering useful information
Explanation: Exposing system details in API responses (e.g., software versions, database structures) can help attackers craft targeted attacks.
99. What is the role of security headers in web applications?
A) To make pages load faster
B) To enforce security policies in web browsers
C) To remove JavaScript dependencies
D) To optimize database queries
Answer: B) To enforce security policies in web browsers
Explanation: Security headers like CSP, HSTS, and X-Frame-Options help prevent XSS, Clickjacking, and protocol downgrade attacks.
100. Why should developers avoid using eval() in JavaScript?
A) It improves performance
B) It introduces security risks like code injection
C) It enhances debugging
D) It helps with dynamic scripting
Answer: B) It introduces security risks like code injection
Explanation: eval() executes arbitrary code, making it highly vulnerable to XSS and code injection attacks.
101. What is the impact of insufficient logging and monitoring in an application?
A) Security incidents may go unnoticed
B) It reduces storage space
C) It speeds up application performance
D) It improves user experience
Answer: A) Security incidents may go unnoticed
Explanation: Proper logging and monitoring help detect and respond to security threats, preventing prolonged breaches.
102. Why should secrets be stored in a secrets management system instead of source code?
A) To protect sensitive credentials from unauthorized access
B) To improve application performance
C) To reduce compilation time
D) To avoid the use of encryption
Answer: A) To protect sensitive credentials from unauthorized access
Explanation: Secrets management systems securely store API keys, database passwords, and encryption keys, preventing unauthorized access.
103. How does HTTP Host Header Injection work?
A) It allows attackers to modify the request headers to manipulate application behavior
B) It increases application speed
C) It blocks network traffic
D) It enables secure communication
Answer: A) It allows attackers to modify the request headers to manipulate application behavior
Explanation: Host Header Injection exploits improperly validated headers to perform cache poisoning, phishing, or SSRF attacks.
104. Why should sensitive files like .env and config.json be restricted from public access?
A) They contain sensitive information like API keys and database credentials
B) They slow down page loading speed
C) They make websites crash
D) They are not used in production
Answer: A) They contain sensitive information like API keys and database credentials
Explanation: Publicly exposing configuration files can lead to security breaches, as they often contain secrets and credentials.
105. What is the purpose of a secure software development lifecycle (SDLC)?
A) To integrate security at every phase of software development
B) To reduce software performance issues
C) To avoid writing security documentation
D) To eliminate the need for encryption
Answer: A) To integrate security at every phase of software development
Explanation: A secure SDLC ensures security practices are followed during design, development, testing, and deployment.
106. How does token-based authentication improve security?
A) It allows users to authenticate once and use the token for multiple requests
B) It replaces encryption
C) It increases network traffic
D) It reduces authentication security
Answer: A) It allows users to authenticate once and use the token for multiple requests
Explanation: Tokens (like JWTs) eliminate the need to send credentials repeatedly, reducing the risk of credential theft.
107. What is an advantage of using rate limiting on authentication endpoints?
A) It prevents brute-force attacks
B) It increases login speed
C) It removes the need for passwords
D) It improves API documentation
Answer: A) It prevents brute-force attacks
Explanation: Rate limiting restricts the number of authentication attempts, preventing automated attacks.
108. What is the main purpose of implementing the X-Content-Type-Options: nosniff security header?
A) To prevent browsers from guessing the MIME type of a file
B) To speed up content delivery
C) To allow all file types to be executed
D) To enable automatic content compression
Answer: A) To prevent browsers from guessing the MIME type of a file
Explanation: The X-Content-Type-Options: nosniff header prevents MIME-type sniffing, reducing the risk of content-type confusion attacks.
109. Why is it important to regenerate session IDs after login?
A) To ensure old session tokens are invalidated and prevent session fixation attacks
B) To increase application speed
C) To reduce the size of session cookies
D) To make debugging easier
Answer: A) To ensure old session tokens are invalidated and prevent session fixation attacks
Explanation: Regenerating session IDs after authentication prevents attackers from fixating a session ID before login.
110. What is a key reason to use HTTP Strict Transport Security (HSTS)?
A) To enforce HTTPS connections and prevent protocol downgrade attacks
B) To allow HTTP traffic when HTTPS is unavailable
C) To encrypt data in the database
D) To improve browser caching
Answer: A) To enforce HTTPS connections and prevent protocol downgrade attacks
Explanation: HSTS ensures that browsers only communicate over HTTPS, protecting against MITM attacks and protocol downgrades.
111. What is the primary risk of allowing autocomplete on password fields in login forms?
A) It slows down the login process
B) It can allow an attacker to extract stored credentials from the browser
C) It improves user experience
D) It prevents brute-force attacks
Answer: B) It can allow an attacker to extract stored credentials from the browser
Explanation: Autocomplete should be disabled (autocomplete="off") for sensitive fields to prevent credential theft from compromised browsers.
112. Why should Cross-Origin Resource Sharing (CORS) be configured properly?
A) To improve website loading speed
B) To prevent unauthorized third-party domains from accessing your resources
C) To allow unrestricted data sharing across domains
D) To enhance search engine rankings
Answer: B) To prevent unauthorized third-party domains from accessing your resources
Explanation: Misconfigured CORS can expose sensitive data, allowing malicious sites to access API responses.
113. What is the best way to protect an application against brute-force login attacks?
A) Implementing CAPTCHA and account lockout mechanisms
B) Allowing unlimited login attempts
C) Using weak hashing algorithms
D) Hiding the login page
Answer: A) Implementing CAPTCHA and account lockout mechanisms
Explanation: CAPTCHA, rate limiting, and account lockouts help prevent brute-force attacks.
114. Why should you avoid storing passwords using reversible encryption?
A) It makes password recovery harder
B) If compromised, attackers can decrypt and recover all stored passwords
C) It speeds up authentication
D) It prevents users from changing passwords
Answer: B) If compromised, attackers can decrypt and recover all stored passwords
Explanation: Passwords should always be hashed (not encrypted) using strong, non-reversible algorithms like bcrypt, Argon2, or PBKDF2.
115. What is the main advantage of using a security-focused code review process?
A) It helps detect security vulnerabilities before deployment
B) It reduces application size
C) It makes the code easier to read
D) It improves page load times
Answer: A) It helps detect security vulnerabilities before deployment
Explanation: Code reviews allow security flaws (e.g., insecure input handling, weak authentication) to be identified early.
116. What is a primary security concern when using iframe embedding?
A) It can be used for Clickjacking attacks
B) It improves website performance
C) It allows users to load dynamic content
D) It increases API efficiency
Answer: A) It can be used for Clickjacking attacks
Explanation: Attackers can use hidden iframes to trick users into clicking on malicious content, also known as Clickjacking.
117. What is the recommended way to handle user sessions securely?
A) Use short-lived session tokens and refresh tokens securely
B) Store session tokens in local storage
C) Allow sessions to last indefinitely
D) Encode session tokens using Base64
Answer: A) Use short-lived session tokens and refresh tokens securely
Explanation: Short-lived session tokens reduce security risks, and refresh tokens should be stored securely and not accessible to JavaScript.
118. Why is it dangerous to execute system commands with user input?
A) It can lead to command injection attacks
B) It improves application performance
C) It reduces the need for authentication
D) It simplifies debugging
Answer: A) It can lead to command injection attacks
Explanation: Executing system commands with unsanitized user input can lead to Remote Code Execution (RCE) and full system compromise.
119. What is the primary risk of exposing the .git directory in a web application?
A) Attackers can access version control history and extract sensitive files
B) It improves application security
C) It prevents XSS attacks
D) It speeds up website deployment
Answer: A) Attackers can access version control history and extract sensitive files
Explanation: Exposing .git allows attackers to retrieve source code, including API keys, credentials, and business logic.
120. Why should developers avoid logging sensitive user data such as passwords and credit card details?
A) It improves application performance
B) It reduces compliance risks and prevents data leaks
C) It speeds up debugging
D) It allows administrators to easily access user credentials
Answer: B) It reduces compliance risks and prevents data leaks
Explanation: Logging sensitive data increases security risks and may violate compliance standards like PCI-DSS and GDPR.
121. Why is it recommended to use a salt when hashing passwords?
A) To increase the length of the password
B) To make hash values unique and prevent rainbow table attacks
C) To speed up hashing operations
D) To allow users to recover forgotten passwords
Answer: B) To make hash values unique and prevent rainbow table attacks
Explanation: Salting ensures that even identical passwords produce different hash values, making precomputed attacks (rainbow tables) ineffective.
122. What is a key advantage of using Transport Layer Security (TLS) over Secure Sockets Layer (SSL)?
A) TLS is faster than SSL
B) TLS is more secure and SSL is outdated
C) TLS does not require encryption
D) TLS can only be used for email security
Answer: B) TLS is more secure and SSL is outdated
Explanation: SSL has known vulnerabilities, and TLS (especially TLS 1.2 and 1.3) provides stronger encryption and improved security mechanisms.
123. What is the main risk of improper JSON Web Token (JWT) implementation?
A) JWTs can be decoded without encryption
B) Weakly signed or unsigned JWTs can be modified by attackers
C) JWTs are too large to be used efficiently
D) JWTs cannot be used for authentication
Answer: B) Weakly signed or unsigned JWTs can be modified by attackers
Explanation: JWTs should always be signed and validated properly to prevent attackers from forging tokens and gaining unauthorized access.
124. What is the purpose of using the Secure flag in cookies?
A) To ensure cookies are only sent over HTTPS
B) To allow cookies to persist indefinitely
C) To prevent cookies from expiring
D) To disable JavaScript execution
Answer: A) To ensure cookies are only sent over HTTPS
Explanation: The Secure flag prevents cookies from being transmitted over unencrypted HTTP connections, reducing man-in-the-middle (MITM) risks.
125. What is the risk of exposing an API without authentication?
A) Unauthorized users can exploit the API and extract sensitive data
B) The API will load slower
C) Users will be required to use stronger passwords
D) It will improve API efficiency
Answer: A) Unauthorized users can exploit the API and extract sensitive data
Explanation: Public APIs without authentication can be abused, leading to data breaches, account takeovers, and API abuse.
126. Why should unused or deprecated API endpoints be removed from production?
A) To prevent attackers from exploiting legacy vulnerabilities
B) To improve the API’s response time
C) To allow new features to be added faster
D) To reduce the size of API documentation
Answer: A) To prevent attackers from exploiting legacy vulnerabilities
Explanation: Old API endpoints may contain security flaws that can be exploited, making it crucial to remove them or properly restrict access.
127. What is a major security risk of allowing user-generated HTML content in a web application?
A) It can lead to Cross-Site Scripting (XSS) attacks
B) It increases the website’s load time
C) It makes debugging more difficult
D) It improves SEO rankings
Answer: A) It can lead to Cross-Site Scripting (XSS) attacks
Explanation: Allowing user-generated HTML without sanitization can result in XSS, where attackers inject malicious scripts into web pages.
128. What is the impact of failing to validate file extensions when handling file uploads?
A) Attackers may upload malicious scripts or executables
B) The uploaded files will not be indexed by search engines
C) The server will automatically delete invalid files
D) It will improve file upload speed
Answer: A) Attackers may upload malicious scripts or executables
Explanation: Allowing unrestricted file uploads can lead to remote code execution (RCE) if attackers upload and execute malicious scripts.
129. What is the purpose of using rate limiting on an API?
A) To prevent abuse, DDoS attacks, and excessive requests from a single source
B) To increase API latency
C) To prevent users from logging in too frequently
D) To disable authentication for trusted users
Answer: A) To prevent abuse, DDoS attacks, and excessive requests from a single source
Explanation: Rate limiting prevents API abuse by restricting the number of requests allowed from a single IP or user in a given timeframe.
130. Why should developers avoid using default credentials in production systems?
A) Default credentials are commonly known and can be exploited by attackers
B) They improve authentication speed
C) They make debugging easier
D) They enhance system performance
Answer: A) Default credentials are commonly known and can be exploited by attackers
Explanation: Attackers often exploit default admin credentials, making it critical to change them before deploying systems to production.
131. How can developers prevent DOM-based Cross-Site Scripting (XSS) attacks?
A) Sanitize and validate all user input before using it in the DOM
B) Allow users to enter JavaScript code
C) Disable HTML escaping in user input
D) Store user-generated content in local storage
Answer: A) Sanitize and validate all user input before using it in the DOM
Explanation: DOM-based XSS occurs when user input is directly inserted into the DOM without proper validation, allowing malicious scripts to execute.
132. What is a major risk of not enforcing password complexity requirements?
A) Users may forget their passwords more often
B) Attackers can easily guess weak passwords using brute-force attacks
C) It increases server storage requirements
D) It makes user authentication faster
Answer: B) Attackers can easily guess weak passwords using brute-force attacks
Explanation: Weak passwords are easy targets for brute-force and credential stuffing attacks, making complexity requirements essential.
133. Why is it important to limit user permissions based on their role (Principle of Least Privilege)?
A) To minimize the potential damage if an account is compromised
B) To allow users to access everything they need instantly
C) To improve application speed
D) To simplify the user interface
Answer: A) To minimize the potential damage if an account is compromised
Explanation: The Principle of Least Privilege (PoLP) ensures users have only the minimum permissions required, reducing the impact of a breach.
134. What is a major risk of exposing detailed error messages in production?
A) Attackers can gather system information and exploit vulnerabilities
B) It improves debugging for users
C) It speeds up website performance
D) It reduces server load
Answer: A) Attackers can gather system information and exploit vulnerabilities
Explanation: Detailed error messages reveal sensitive details, such as database queries, file paths, and software versions, which attackers can exploit.
135. Why should session cookies have the HttpOnly flag enabled?
A) To prevent client-side JavaScript from accessing session cookies
B) To allow cookies to persist across multiple browsers
C) To enable caching of session data
D) To increase cookie expiration time
Answer: A) To prevent client-side JavaScript from accessing session cookies
Explanation: The HttpOnly flag helps prevent session hijacking by blocking JavaScript access, reducing XSS-related risks.
136. What is the primary risk of hardcoding API keys in source code?
A) API keys can be exposed in public repositories, leading to unauthorized access
B) It improves application performance
C) It allows APIs to be accessed more quickly
D) It simplifies authentication
Answer: A) API keys can be exposed in public repositories, leading to unauthorized access
Explanation: Hardcoded API keys can be leaked via public repositories (e.g., GitHub), allowing attackers to abuse APIs and compromise systems.
137. Why is it important to enforce HTTPS on all pages of a web application?
A) It encrypts data in transit, preventing man-in-the-middle (MITM) attacks
B) It increases website loading speed
C) It improves SEO rankings only
D) It prevents server crashes
Answer: A) It encrypts data in transit, preventing man-in-the-middle (MITM) attacks
Explanation: Enforcing HTTPS ensures that data transmitted between the client and server is encrypted, reducing the risk of MITM attacks.
138. What is a common attack vector for Server-Side Request Forgery (SSRF)?
A) Allowing unvalidated user input to control internal server requests
B) Encrypting user credentials
C) Implementing API rate limiting
D) Enforcing strong password policies
Answer: A) Allowing unvalidated user input to control internal server requests
Explanation: SSRF occurs when attackers manipulate server-side requests to access internal systems, often exploiting open redirect or misconfigured API calls.
139. Why should developers implement Content Security Policy (CSP) in web applications?
A) To prevent unauthorized script execution and mitigate XSS attacks
B) To encrypt all website data
C) To allow cross-origin data sharing
D) To increase JavaScript performance
Answer: A) To prevent unauthorized script execution and mitigate XSS attacks
Explanation: CSP restricts which scripts, styles, and resources can be loaded, preventing XSS and data injection attacks.
140. What is a key security measure to protect against phishing attacks?
A) Implementing Multi-Factor Authentication (MFA)
B) Using weak password policies
C) Allowing users to disable CAPTCHA
D) Allowing login without authentication
Answer: A) Implementing Multi-Factor Authentication (MFA)
Explanation: MFA adds an extra layer of security that prevents attackers from accessing accounts even if login credentials are stolen.
141. Why should applications avoid using static encryption keys?
A) Static keys can be reused by attackers if leaked
B) Static keys improve encryption speed
C) Static keys make debugging easier
D) Static keys increase performance
Answer: A) Static keys can be reused by attackers if leaked
Explanation: Encryption keys should be rotated periodically to prevent key reuse and unauthorized access in case of compromise.
142. What is a secure method for storing API keys in a production environment?
A) Using environment variables or a secrets management tool
B) Hardcoding them in source code
C) Storing them in a publicly accessible database
D) Including them in front-end JavaScript
Answer: A) Using environment variables or a secrets management tool
Explanation: API keys should never be hardcoded in the source code. Instead, they should be stored in environment variables or secure vaults.
143. Why is it important to sanitize user input before using it in SQL queries?
A) To prevent SQL Injection attacks
B) To speed up database queries
C) To reduce server storage
D) To optimize query execution time
Answer: A) To prevent SQL Injection attacks
Explanation: SQL Injection attacks occur when unvalidated user input is executed as a database query, allowing attackers to manipulate or access sensitive data.
144. What is a primary risk of using weak or default cryptographic keys?
A) They can be easily guessed or brute-forced
B) They improve encryption speed
C) They make key rotation unnecessary
D) They enhance system performance
Answer: A) They can be easily guessed or brute-forced
Explanation: Weak cryptographic keys can be cracked using brute-force attacks, compromising encrypted data.
145. How can developers prevent directory traversal attacks?
A) Validating and sanitizing file paths before accessing files
B) Allowing users to enter full file paths
C) Storing all files in the same directory
D) Disabling file uploads
Answer: A) Validating and sanitizing file paths before accessing files
Explanation: Directory traversal attacks exploit improper file path validation, allowing attackers to access restricted system files.
146. What is an effective way to prevent privilege escalation vulnerabilities?
A) Enforcing the Principle of Least Privilege (PoLP)
B) Allowing all users to access administrative functions
C) Using shared admin accounts
D) Storing passwords in plaintext
Answer: A) Enforcing the Principle of Least Privilege (PoLP)
Explanation: PoLP ensures that users only have the necessary access rights, preventing unauthorized privilege escalation.
147. What is the best way to protect sensitive data stored in a database?
A) Encrypting sensitive fields using strong encryption algorithms
B) Storing all data in plaintext
C) Allowing public access to the database
D) Removing authentication from database queries
Answer: A) Encrypting sensitive fields using strong encryption algorithms
Explanation: Encryption ensures that even if a database is compromised, sensitive data remains protected.
148. Why should session timeouts be enforced in web applications?
A) To prevent unauthorized access if a user leaves their session open
B) To make users log in repeatedly for no reason
C) To improve application performance
D) To reduce network traffic
Answer: A) To prevent unauthorized access if a user leaves their session open
Explanation: Session timeouts log users out after inactivity, reducing the risk of session hijacking.
149. What is the risk of using GET requests to send sensitive data in URLs?
A) The data can be logged in browser history and server logs
B) It improves request speed
C) It ensures security
D) It encrypts data automatically
Answer: A) The data can be logged in browser history and server logs
Explanation: GET requests expose sensitive data in URLs, which can be stored in logs, browser history, and referrer headers.
150. What is the purpose of implementing an intrusion detection system (IDS)?
A) To detect and respond to security threats in real time
B) To improve application speed
C) To remove unused dependencies
D) To enhance database indexing
Answer: A) To detect and respond to security threats in real time
Explanation: An IDS monitors network and system activity for suspicious behavior, helping detect and mitigate security threats.
151. Why should developers implement logging and monitoring in web applications?
A) To detect and respond to security incidents in real time
B) To slow down database queries
C) To increase CPU usage
D) To prevent users from accessing application logs
Answer: A) To detect and respond to security incidents in real time
Explanation: Logging and monitoring allow security teams to detect suspicious activity, investigate breaches, and respond quickly to attacks.
152. What is a major risk of hardcoding credentials in source code?
A) It makes the code more readable
B) It allows attackers to extract credentials from public repositories
C) It speeds up application deployment
D) It improves security
Answer: B) It allows attackers to extract credentials from public repositories
Explanation: Hardcoded credentials in source code can be easily exposed if the code is leaked or stored in public repositories.
153. Why is it important to enforce session expiration for authenticated users?
A) To prevent long-term session hijacking risks
B) To slow down user interactions
C) To improve server performance
D) To make password management easier
Answer: A) To prevent long-term session hijacking risks
Explanation: Automatic session expiration helps prevent attackers from reusing stolen session tokens to maintain unauthorized access.
154. What is the purpose of security headers like X-Frame-Options and Content-Security-Policy (CSP)?
A) To protect against Clickjacking and XSS attacks
B) To increase page loading speed
C) To improve search engine rankings
D) To disable JavaScript execution
Answer: A) To protect against Clickjacking and XSS attacks
Explanation: Security headers prevent malicious activities such as Clickjacking, XSS, and content injection attacks.
155. What is the best way to secure API rate limiting?
A) Implement rate limiting based on IP, user authentication, or API key
B) Allow unlimited requests per second
C) Block all requests after the first failed attempt
D) Store API rate limits in cookies
Answer: A) Implement rate limiting based on IP, user authentication, or API key
Explanation: Rate limiting prevents abuse of API endpoints and defends against brute-force attacks and DDoS attacks.
156. What is a security risk of using weak encryption algorithms?
A) They can be cracked by attackers, exposing sensitive data
B) They speed up data processing
C) They reduce database storage requirements
D) They improve application usability
Answer: A) They can be cracked by attackers, exposing sensitive data
Explanation: Weak encryption algorithms (e.g., MD5, DES) are vulnerable to brute-force and cryptographic attacks, making them insecure for sensitive data.
157. Why should developers disable verbose error messages in production?
A) To prevent attackers from gaining insights into system configurations
B) To improve database indexing
C) To make debugging easier
D) To prevent users from reporting issues
Answer: A) To prevent attackers from gaining insights into system configurations
Explanation: Detailed error messages can expose database structures, frameworks, and sensitive system details, which attackers can exploit.
158. What is a secure way to store user authentication tokens?
A) Store them in HTTP-only, Secure cookies
B) Store them in local storage
C) Expose them in URL parameters
D) Save them in JavaScript variables
Answer: A) Store them in HTTP-only, Secure cookies
Explanation: HTTP-only, Secure cookies prevent JavaScript from accessing tokens, reducing the risk of XSS attacks.
159. Why is Multi-Factor Authentication (MFA) important?
A) It adds an extra layer of security by requiring more than just a password
B) It allows users to log in without a password
C) It improves server response times
D) It encrypts user credentials
Answer: A) It adds an extra layer of security by requiring more than just a password
Explanation: MFA helps prevent unauthorized access even if a password is compromised, by adding another layer of authentication.
160. What is the purpose of implementing Subresource Integrity (SRI) for third-party scripts?
A) To ensure external scripts have not been tampered with
B) To speed up script execution
C) To block all external scripts
D) To improve website analytics
Answer: A) To ensure external scripts have not been tampered with
Explanation: SRI ensures that externally loaded resources (e.g., scripts, stylesheets) have not been modified by attackers.
161. What is a key method to prevent SSRF (Server-Side Request Forgery) attacks?
A) Restrict outgoing network requests to trusted domains
B) Allow all external requests
C) Use only GET requests for internal APIs
D) Store user input in local storage
Answer: A) Restrict outgoing network requests to trusted domains
Explanation: SSRF attacks trick a server into making unauthorized requests, so restricting external requests prevents data leaks and abuse.
162. What is the benefit of applying the “Principle of Least Privilege” in application security?
A) It minimizes the risk of privilege escalation attacks
B) It makes all users administrators
C) It reduces application logging requirements
D) It improves website speed
Answer: A) It minimizes the risk of privilege escalation attacks
Explanation: The Principle of Least Privilege ensures users have only the necessary permissions, reducing security risks.
163. Why is it important to implement proper access controls on cloud storage services (e.g., S3, Azure Blob Storage)?
A) To prevent unauthorized access to sensitive files
B) To improve database indexing
C) To allow public access for easier file sharing
D) To speed up application response times
Answer: A) To prevent unauthorized access to sensitive files
Explanation: Misconfigured cloud storage permissions can expose sensitive data to unauthorized users or the public internet.
164. What is a security risk of allowing unrestricted user file uploads?
A) Attackers can upload malicious scripts and execute them on the server
B) Users will store too many files
C) The website will load faster
D) It improves server security
Answer: A) Attackers can upload malicious scripts and execute them on the server
Explanation: Unrestricted file uploads can lead to Remote Code Execution (RCE) and server takeovers.
165. Why should sensitive user data be encrypted before storing it in a database?
A) To prevent unauthorized access if the database is compromised
B) To improve database query speeds
C) To make data retrieval easier
D) To reduce API request size
Answer: A) To prevent unauthorized access if the database is compromised
Explanation: Encrypting sensitive data adds an extra layer of protection, ensuring data remains secure even if breached.
166. What is the best way to handle expired JWTs?
A) Implement refresh tokens to re-authenticate users securely
B) Allow JWTs to be used indefinitely
C) Store JWTs in local storage
D) Expose JWTs in API response headers
Answer: A) Implement refresh tokens to re-authenticate users securely
Explanation: Refresh tokens allow users to request new JWTs without re-entering credentials, improving security and usability.
167. Why is it important to implement account lockout mechanisms?
A) To prevent brute-force attacks by limiting login attempts
B) To make logging in more complex
C) To reduce the need for strong passwords
D) To prevent password resets
Answer: A) To prevent brute-force attacks by limiting login attempts
Explanation: Account lockouts help stop brute-force attacks by temporarily disabling accounts after multiple failed login attempts.
168. What is the purpose of using X-XSS-Protection in security headers?
A) To enable the browser’s built-in XSS filtering mechanisms
B) To block all JavaScript execution
C) To improve website speed
D) To encrypt cookies
Answer: A) To enable the browser’s built-in XSS filtering mechanisms
Explanation: The X-XSS-Protection header prevents reflected XSS attacks by stopping malicious script execution.
169. What is a primary security concern when using WebSockets?
A) WebSockets allow bidirectional communication, which can be exploited if not properly secured
B) WebSockets increase application response time
C) WebSockets always encrypt data
D) WebSockets improve security by default
Answer: A) WebSockets allow bidirectional communication, which can be exploited if not properly secured
Explanation: WebSockets can be vulnerable to attacks like Cross-Site WebSocket Hijacking if authentication and validation are not properly implemented.
170. Why should developers implement Content Security Policy (CSP) in their web applications?
A) To prevent unauthorized scripts from executing
B) To speed up web application performance
C) To store passwords securely
D) To disable authentication mechanisms
Answer: A) To prevent unauthorized scripts from executing
Explanation: CSP restricts script sources, preventing XSS attacks by blocking untrusted scripts.
171. What is a security risk of allowing users to input unescaped HTML into a web application?
A) It can lead to Cross-Site Scripting (XSS) attacks
B) It increases API response time
C) It improves website performance
D) It prevents SQL Injection
Answer: A) It can lead to Cross-Site Scripting (XSS) attacks
Explanation: Unescaped HTML input can allow attackers to inject malicious scripts, which execute when viewed by other users.
172. What is the purpose of implementing security logging and auditing?
A) To detect and investigate security incidents
B) To slow down server response times
C) To make application code more complex
D) To reduce storage usage
Answer: A) To detect and investigate security incidents
Explanation: Logging and auditing help detect security breaches, allowing teams to investigate and respond to threats effectively.
173. What is an effective way to prevent data exposure through browser caching?
A) Using Cache-Control: no-store, no-cache headers for sensitive data
B) Storing session tokens in local storage
C) Allowing all API responses to be cached indefinitely
D) Disabling SSL/TLS
Answer: A) Using Cache-Control: no-store, no-cache headers for sensitive data
Explanation: Sensitive data should not be cached, as it can be retrieved from a user’s browser even after they log out.
174. Why is it important to hash API keys before storing them?
A) To prevent unauthorized access if the database is compromised
B) To make API calls faster
C) To allow easy retrieval of the original API keys
D) To improve authentication speed
Answer: A) To prevent unauthorized access if the database is compromised
Explanation: Hashing API keys ensures they cannot be retrieved in plaintext, even if the database is breached.
175. What is a key security risk of using third-party authentication services (OAuth, SSO)?
A) If compromised, attackers can gain access to multiple linked applications
B) It requires users to remember multiple passwords
C) It slows down the authentication process
D) It eliminates the need for encryption
Answer: A) If compromised, attackers can gain access to multiple linked applications
Explanation: OAuth and SSO improve convenience, but if the provider is hacked, all linked applications become vulnerable.
176. Why should developers avoid using wildcard characters in database queries?
A) They can lead to SQL Injection attacks if user input is not properly sanitized
B) They improve query execution speed
C) They increase application performance
D) They make debugging easier
Answer: A) They can lead to SQL Injection attacks if user input is not properly sanitized
Explanation: Wildcard characters (*) in unsanitized queries can expose sensitive data, making SQL Injection attacks easier.
177. Why should applications implement password complexity policies?
A) To reduce the risk of brute-force and dictionary attacks
B) To make users change passwords frequently
C) To increase application size
D) To improve database performance
Answer: A) To reduce the risk of brute-force and dictionary attacks
Explanation: Complex passwords with a mix of uppercase, lowercase, numbers, and special characters are harder to guess.
178. Why is it important to validate file MIME types when handling file uploads?
A) To prevent attackers from uploading disguised executable files
B) To improve upload speed
C) To allow any type of file to be uploaded
D) To reduce server storage
Answer: A) To prevent attackers from uploading disguised executable files
Explanation: Validating MIME types prevents users from uploading executable files disguised as harmless formats (e.g., .jpg, .txt).
179. Why should authentication cookies have the SameSite attribute enabled?
A) To protect against Cross-Site Request Forgery (CSRF) attacks
B) To increase cookie expiration time
C) To disable JavaScript execution
D) To improve server response times
Answer: A) To protect against Cross-Site Request Forgery (CSRF) attacks
Explanation: The SameSite attribute ensures cookies are only sent with requests from the same origin, reducing CSRF risks.
180. What is a major benefit of using access control lists (ACLs)?
A) They allow administrators to define granular permissions for users and systems
B) They make authentication unnecessary
C) They speed up file downloads
D) They eliminate the need for encryption
Answer: A) They allow administrators to define granular permissions for users and systems
Explanation: ACLs allow fine-grained control over who can access specific resources, improving security and access management.
181. What is a major risk of failing to implement logging for failed authentication attempts?
A) Attackers can perform brute-force attacks without detection
B) It speeds up authentication processing
C) It prevents system crashes
D) It allows users to reset their passwords more easily
Answer: A) Attackers can perform brute-force attacks without detection
Explanation: Without logging failed authentication attempts, administrators cannot detect brute-force attacks, allowing attackers to guess passwords unnoticed.
182. Why should developers avoid using innerHTML to insert user-generated content in JavaScript?
A) It can lead to Cross-Site Scripting (XSS) vulnerabilities
B) It improves website speed
C) It enhances database security
D) It reduces memory usage
Answer: A) It can lead to Cross-Site Scripting (XSS) vulnerabilities
Explanation: Using innerHTML with user input allows attackers to inject malicious scripts, which execute in the browser.
183. What is a secure way to store API credentials on a client-side application?
A) Never store API credentials on the client-side; use a backend server
B) Store them in local storage
C) Store them in a cookie without security flags
D) Hardcode them in JavaScript files
Answer: A) Never store API credentials on the client-side; use a backend server
Explanation: API credentials should be stored securely on a backend server, as client-side storage can be easily accessed by attackers.
184. Why should applications use prepared statements in database queries?
A) To prevent SQL Injection attacks by separating data from code
B) To improve database indexing
C) To increase query execution speed
D) To make SQL queries shorter
Answer: A) To prevent SQL Injection attacks by separating data from code
Explanation: Prepared statements prevent SQL Injection by ensuring user input is treated strictly as data, not executable code.
185. What is a key security concern with allowing cross-origin requests in web applications?
A) It can expose sensitive data to unauthorized external domains
B) It speeds up API responses
C) It increases website performance
D) It allows users to log in faster
Answer: A) It can expose sensitive data to unauthorized external domains
Explanation: Poorly configured CORS policies can allow malicious websites to access user data and API responses.
186. Why is it important to verify user input on both client-side and server-side?
A) Client-side validation improves user experience, but server-side validation ensures security
B) Client-side validation is enough for security
C) Server-side validation is not needed if JavaScript is used
D) Only numeric inputs need to be validated
Answer: A) Client-side validation improves user experience, but server-side validation ensures security
Explanation: Client-side validation helps with usability, but server-side validation prevents attacks like SQL Injection and XSS.
187. What is the risk of not restricting file upload locations on a server?
A) Attackers can upload and execute malicious scripts
B) It slows down the server
C) It improves website performance
D) It makes debugging easier
Answer: A) Attackers can upload and execute malicious scripts
Explanation: Allowing unrestricted file uploads without validation can lead to Remote Code Execution (RCE) vulnerabilities.
188. What is a secure way to handle password reset links?
A) Use one-time, time-limited reset tokens
B) Store passwords in plaintext for easy recovery
C) Send passwords via email
D) Allow users to reset passwords without authentication
Answer: A) Use one-time, time-limited reset tokens
Explanation: Password reset links should use unique, time-limited tokens to prevent unauthorized access.
189. Why should developers avoid relying solely on security through obscurity?
A) Obfuscating security mechanisms does not protect against real attacks
B) It speeds up application processing
C) It prevents users from accessing logs
D) It eliminates the need for encryption
Answer: A) Obfuscating security mechanisms does not protect against real attacks
Explanation: Security through obscurity is not a substitute for strong security controls, as attackers can still analyze and exploit weaknesses.
190. What is the benefit of using a security-aware software development lifecycle (SDLC)?
A) Security is integrated at every stage, reducing vulnerabilities before deployment
B) It makes applications run slower
C) It reduces the need for penetration testing
D) It increases the complexity of user interfaces
Answer: A) Security is integrated at every stage, reducing vulnerabilities before deployment
Explanation: A security-aware SDLC ensures that security is considered from design to deployment, minimizing risks early in development.
191. Why should applications use token-based authentication (e.g., JWT) instead of session-based authentication?
A) Tokens can be used across multiple domains without requiring session storage
B) Tokens are stored in plaintext for easy access
C) Tokens never expire
D) Tokens are only valid for one session
Answer: A) Tokens can be used across multiple domains without requiring session storage
Explanation: Token-based authentication (e.g., JWT) is stateless and does not require session management, making it scalable.
192. What is a security risk of allowing overly permissive Access-Control-Allow-Origin (CORS) settings?
A) Unauthorized third-party websites can read sensitive data from your APIs
B) It increases website performance
C) It prevents API abuse
D) It improves authentication speed
Answer: A) Unauthorized third-party websites can read sensitive data from your APIs
Explanation: Poorly configured CORS policies allow malicious sites to access sensitive user data via API calls.
193. Why should session cookies have the HttpOnly and Secure flags enabled?
A) To prevent JavaScript access and ensure cookies are only transmitted over HTTPS
B) To allow cookies to be shared across different browsers
C) To enable faster authentication
D) To prevent users from logging out
Answer: A) To prevent JavaScript access and ensure cookies are only transmitted over HTTPS
Explanation: These flags prevent session hijacking via XSS and MITM attacks by restricting cookie access.
194. Why is it important to validate JSON and XML input before processing it?
A) To prevent XML External Entity (XXE) and injection attacks
B) To improve performance
C) To allow all data formats
D) To speed up request handling
Answer: A) To prevent XML External Entity (XXE) and injection attacks
Explanation: Malformed or malicious JSON/XML input can lead to XXE or injection vulnerabilities if not validated.
195. What is the risk of storing passwords using SHA-1 hashing?
A) SHA-1 is weak and can be cracked using modern computing power
B) SHA-1 is too slow
C) SHA-1 makes authentication faster
D) SHA-1 uses too much memory
Answer: A) SHA-1 is weak and can be cracked using modern computing power
Explanation: SHA-1 has known cryptographic weaknesses and should be replaced with stronger hashing algorithms like bcrypt or Argon2.
196. What is a key security benefit of using rate limiting on login endpoints?
A) It prevents brute-force attacks
B) It makes login pages load faster
C) It disables authentication tokens
D) It removes the need for user passwords
Answer: A) It prevents brute-force attacks
Explanation: Rate limiting prevents attackers from repeatedly guessing passwords by restricting the number of attempts.
197. Why should sensitive data be encrypted at rest?
A) To protect data from unauthorized access in case of a database breach
B) To improve database query speed
C) To make data retrieval faster
D) To increase database storage efficiency
Answer: A) To protect data from unauthorized access in case of a database breach
Explanation: Encryption at rest ensures that even if the database is compromised, attackers cannot easily access the stored data.
198. What is a common security issue when using default configurations in software and databases?
A) Attackers can exploit well-known default settings and credentials
B) It improves system performance
C) It simplifies debugging
D) It makes software updates faster
Answer: A) Attackers can exploit well-known default settings and credentials
Explanation: Default configurations often contain weak credentials or open ports, making them an easy target for attackers.
199. Why is it important to use environment variables for storing API keys and secrets?
A) To prevent credentials from being exposed in source code repositories
B) To make API calls faster
C) To allow hardcoded credentials in public repositories
D) To enable anonymous authentication
Answer: A) To prevent credentials from being exposed in source code repositories
Explanation: Storing API keys and secrets in environment variables keeps them out of source code, reducing the risk of accidental exposure.
200. What is the risk of not validating redirect URLs in web applications?
A) Attackers can exploit Open Redirect vulnerabilities to conduct phishing attacks
B) It improves website navigation
C) It speeds up page loading
D) It helps users find relevant pages
Answer: A) Attackers can exploit Open Redirect vulnerabilities to conduct phishing attacks
Explanation: Open Redirect vulnerabilities allow attackers to redirect users to malicious websites, tricking them into entering sensitive data.
201. Why should access tokens (e.g., JWTs) have expiration times?
A) To limit the duration an attacker can use a stolen token
B) To make authentication faster
C) To store user passwords
D) To prevent session tracking
Answer: A) To limit the duration an attacker can use a stolen token
Explanation: Tokens should expire within a reasonable time to reduce security risks if they are compromised.
202. What is a key risk of using unrestricted eval() in JavaScript?
A) It allows attackers to execute arbitrary code
B) It improves code readability
C) It speeds up script execution
D) It makes debugging easier
Answer: A) It allows attackers to execute arbitrary code
Explanation: eval() executes any input as JavaScript, making it a prime target for code injection attacks.
203. Why should error messages be generic for end users but detailed in logs?
A) To prevent attackers from gathering information about system vulnerabilities while allowing developers to debug issues
B) To slow down debugging
C) To make the website load faster
D) To prevent application crashes
Answer: A) To prevent attackers from gathering information about system vulnerabilities while allowing developers to debug issues
Explanation: Detailed error messages can expose sensitive system information, so user-facing messages should be generic while logs should contain detailed information for debugging.
204. What is a major risk of exposing server banners and software version information in HTTP headers?
A) Attackers can use this information to exploit known vulnerabilities
B) It slows down network requests
C) It improves website performance
D) It enhances user authentication
Answer: A) Attackers can use this information to exploit known vulnerabilities
Explanation: Exposing software versions (e.g., Apache, Nginx, PHP versions) helps attackers identify vulnerabilities that can be exploited.
205. Why should password hints and security questions be avoided or used cautiously?
A) They can be guessed easily, allowing attackers to bypass authentication
B) They make password recovery easier for attackers
C) They increase system complexity
D) They improve database indexing
Answer: A) They can be guessed easily, allowing attackers to bypass authentication
Explanation: Security questions and password hints often rely on publicly available or easy-to-guess information, making accounts vulnerable.