HireHireInterview Quizzes › Full Stack Developer

Full Stack Developer Interview Questions

Think you're ready? These are the questions that actually decide Full Stack Developer interviews. Warm up on Easy — then face the Hard round, where 95% of candidates crumble. 30 questions across 3 levels, instant score, completely free.

30Questions
3Difficulty levels
95%Fail the hard round
FreeInstant score
Easy
Warm-up · 10 Qs
Medium
Practical · 10 Qs
Hard
Brutal · 10 Qs
⚡ Take the Full Stack Developer quiz — get your score →

The Full Stack Developer interview questions

Below are the real questions, grouped by difficulty. Expand any one to reveal the correct answer and why — or take the timed quiz for a score you can share. Can you clear the Hard round?

Easy round 10 questions

In a REST API, which HTTP status code should a server return when a request succeeds and a new resource is created?
  • A. 200 OK
  • B. 201 Created ✓
  • C. 204 No Content
  • D. 302 Found
Correct answer: B. 201 Created specifically indicates that the request succeeded and led to the creation of a new resource.
In SQL, which JOIN returns all rows from the left table and only matching rows from the right table (with NULLs where there is no match)?
  • A. INNER JOIN
  • B. LEFT OUTER JOIN ✓
  • C. CROSS JOIN
  • D. RIGHT OUTER JOIN
Correct answer: B. A LEFT OUTER JOIN returns every row from the left table plus matched right-table columns, filling unmatched right-side values with NULL.
In JavaScript, what does the '===' operator do that '==' does not?
  • A. Compares values without type coercion ✓
  • B. Performs type coercion before comparing
  • C. Compares only object references
  • D. Checks only for null and undefined
Correct answer: A. The strict equality operator '===' compares both value and type without performing type coercion, unlike '=='.
In React, what is the main purpose of the 'key' prop when rendering a list of elements?
  • A. To style each list item uniquely
  • B. To help React identify which items changed, were added, or removed ✓
  • C. To set the tab order for accessibility
  • D. To pass data from parent to child components
Correct answer: B. Keys give list elements a stable identity so React can efficiently determine which items changed, were added, or removed during reconciliation.
A web app served from https://app.example.com fails to call an API at https://api.example.com and the browser console shows a CORS error. What must be fixed?
  • A. Add an index on the API database table
  • B. Configure the API server to send the appropriate Access-Control-Allow-Origin header ✓
  • C. Switch the front end from React to plain HTML
  • D. Increase the server's request timeout
Correct answer: B. CORS is enforced by the browser and resolved by the server returning an Access-Control-Allow-Origin header permitting the requesting origin.
Which technique most directly prevents SQL injection when running queries with user-supplied input?
  • A. Escaping HTML output
  • B. Using parameterized queries / prepared statements ✓
  • C. Enabling HTTPS on the server
  • D. Minifying the JavaScript bundle
Correct answer: B. Parameterized queries separate SQL code from user data so input can never be interpreted as executable SQL.
In Git, which command creates a new branch and switches to it in one step?
  • A. git branch new-feature
  • B. git checkout -b new-feature ✓
  • C. git merge new-feature
  • D. git clone new-feature
Correct answer: B. 'git checkout -b new-feature' creates the branch and immediately switches the working tree to it.
In Node.js/Express, what is the primary role of middleware functions?
  • A. To compile TypeScript to JavaScript
  • B. To process requests and responses in the pipeline, often calling next() to pass control ✓
  • C. To manage database schema migrations
  • D. To render server-side CSS
Correct answer: B. Middleware functions sit in the request-response cycle, can inspect or modify req/res, and call next() to pass control to the next handler.
Which HTTP method is idempotent, meaning multiple identical requests have the same effect as a single one?
  • A. POST
  • B. PUT ✓
  • C. PATCH
  • D. CONNECT
Correct answer: B. PUT is idempotent because sending the same full-resource update repeatedly leaves the resource in the same final state.
In CSS, which 'position' value positions an element relative to its nearest positioned ancestor?
  • A. static
  • B. relative
  • C. absolute ✓
  • D. sticky
Correct answer: C. position: absolute takes the element out of flow and positions it relative to its nearest ancestor with a non-static position.

Medium round 10 questions

In a REST API, which HTTP status code is most appropriate to return when a client submits a request to create a resource but omits a required field?
  • A. 200 OK
  • B. 400 Bad Request ✓
  • C. 404 Not Found
  • D. 500 Internal Server Error
Correct answer: B. A missing required field is a client-side input error, so 400 Bad Request is the correct response.
You have a JavaScript array of user objects and need a new array containing only the users where isActive is true. Which method is the idiomatic choice?
  • A. Array.prototype.map()
  • B. Array.prototype.filter() ✓
  • C. Array.prototype.forEach()
  • D. Array.prototype.reduce()
Correct answer: B. filter() returns a new array containing only elements that satisfy the predicate, which matches selecting active users.
In Git, you committed to your local branch but want to combine the last 3 commits into one before pushing. Which command is designed for this?
  • A. git merge --squash HEAD~3
  • B. git rebase -i HEAD~3 ✓
  • C. git reset --hard HEAD~3
  • D. git cherry-pick HEAD~3
Correct answer: B. An interactive rebase (git rebase -i) lets you squash multiple commits into one before pushing.
A SQL query joining orders and customers is slow because it filters on orders.customer_id. What is the most common first optimization?
  • A. Add an index on orders.customer_id ✓
  • B. Replace the INNER JOIN with a LEFT JOIN
  • C. Add DISTINCT to the SELECT clause
  • D. Increase the database connection pool size
Correct answer: A. Indexing the column used in the join/filter condition is the standard first step to speed up such queries.
In React, you get the warning "Each child in a list should have a unique key prop." What is the best value to use for the key?
  • A. The array index of each item
  • B. A stable unique ID from the data (e.g. item.id) ✓
  • C. Math.random() generated per render
  • D. The item's display text
Correct answer: B. A stable unique ID lets React correctly track items across renders, avoiding the reconciliation bugs that index or random keys cause.
Your frontend at https://app.example.com calls an API at https://api.example.com and the browser blocks it with a CORS error. Where must this be fixed?
  • A. In the frontend by disabling the browser's same-origin policy
  • B. On the API server by sending appropriate Access-Control-Allow-Origin headers ✓
  • C. By moving the fetch call into a try/catch block
  • D. By changing the request from GET to POST
Correct answer: B. CORS is enforced by the browser but controlled by the server's response headers, so the API must send the correct Access-Control-Allow-Origin header.
In an Express.js app, which is the correct signature for an error-handling middleware function?
  • A. (req, res) => {}
  • B. (req, res, next) => {}
  • C. (err, req, res, next) => {} ✓
  • D. (next, err, req, res) => {}
Correct answer: C. Express identifies error-handling middleware specifically by its four arguments (err, req, res, next).
You need to store a user's password in the database. What is the correct approach?
  • A. Encrypt it with AES so it can be decrypted at login
  • B. Store it in plain text but restrict database access
  • C. Hash it with a slow algorithm like bcrypt plus a salt ✓
  • D. Base64-encode it before storing
Correct answer: C. Passwords should be one-way hashed with a slow, salted algorithm like bcrypt so they can never be recovered even if the database leaks.
Given `console.log(typeof null)` in JavaScript, what is printed?
  • A. "null"
  • B. "object" ✓
  • C. "undefined"
  • D. "boolean"
Correct answer: B. Due to a long-standing quirk in JavaScript, typeof null returns the string "object".
In an async JavaScript function, you await a fetch call that may reject. What is the standard way to handle the potential failure?
  • A. Wrap the await in a try/catch block ✓
  • B. Add .then() after the await keyword
  • C. Use a for loop to retry until it succeeds
  • D. Check if the returned value is undefined
Correct answer: A. In async/await code, a rejected promise throws, so a try/catch block is the idiomatic way to handle the error.

Hard round 10 questions

A Node.js HTTP service degrades over hours: heap grows steadily, RSS climbs, and GC pauses lengthen until it OOMs. You take two `--inspect` heap snapshots 10 minutes apart under load and diff them. The 'Comparison' view shows a large positive delta on `(closure)` and `Array` retained by a single `Map` in a module-level variable used for request de-duplication keyed by request id. What is the correct root-cause conclusion and fix?
  • A. The V8 old-space is simply too small; raise `--max-old-space-size` and the leak resolves itself
  • B. Entries are inserted into the Map but never deleted, so it grows unbounded; bound it with a TTL/LRU eviction (or WeakMap keyed by an object) so entries are reclaimable ✓
  • C. GC is failing because closures cannot be collected in V8; rewrite the code to avoid all closures
  • D. The snapshots are misleading because heap snapshots include unreachable objects; ignore them and profile CPU instead
Correct answer: B. A module-scoped Map holding entries that are never evicted is a classic unbounded-cache leak, and bounding it with TTL/LRU (or a WeakMap) restores reclaimability.
You run this in Node.js: ```js setTimeout(() => console.log('A'), 0); setImmediate(() => console.log('B')); Promise.resolve().then(() => console.log('C')); process.nextTick(() => console.log('D')); ``` Assuming this is the top-level script (not inside an I/O callback), which single output ordering is guaranteed?
  • A. A B C D
  • B. D C A B ✓
  • C. D C B A
  • D. C D A B
Correct answer: B. After the sync script, microtasks drain first with nextTick (D) before promises (C), then the timers vs immediate order from the main module is deterministic here with the timer (A) firing before immediate (B).
A read-heavy product page reads from Redis with cache-aside. A popular key expires and thousands of concurrent requests miss simultaneously, all hammering the database and causing a latency spike. Which combination most directly prevents this specific thundering-herd/stampede without serving arbitrarily stale data forever?
  • A. Increase the TTL to 24 hours so the key rarely expires
  • B. Use a per-key mutex/lock (single-flight) so only one request recomputes while others wait, plus early/probabilistic recomputation before expiry ✓
  • C. Switch from cache-aside to write-back caching so writes populate the cache
  • D. Disable Redis eviction and add more read replicas to the database
Correct answer: B. Single-flight locking collapses concurrent misses into one recompute, and probabilistic early recomputation refreshes hot keys before they expire, together eliminating the stampede.
During a cross-region network partition, an e-commerce cart service must never lose items a user already added, yet remain usable (accept new adds) in each region even though regions cannot sync. Which data model choice best satisfies both goals, and what is the accepted trade-off?
  • A. Strong single-leader consistency: reject writes in the non-leader region during the partition to guarantee correctness
  • B. Model the cart as a state-based CRDT (e.g., OR-Set) so both regions accept writes and merge conflict-free on heal, accepting temporary divergence ✓
  • C. Use a distributed lock per cart across regions so only one region can mutate it at a time
  • D. Store the cart only client-side until the partition heals, then upload
Correct answer: B. An OR-Set CRDT lets both regions accept adds during the partition and merge without losing items on heal, trading away immediate cross-region consistency (temporary divergence) for availability and no-loss.
A mobile client that updates slowly hits your GraphQL API. You must rename the field `User.fullName` to `User.displayName` and change its formatting, without breaking old app versions still requesting `fullName`. What is the safest evolution strategy?
  • A. Bump the schema to v2 at a new endpoint `/graphql/v2` and force clients to migrate immediately
  • B. Add `displayName` as a new field, keep `fullName` resolving the old value, mark `fullName` with `@deprecated(reason: ...)`, and remove it only after telemetry shows old clients are gone ✓
  • C. Change `fullName`'s resolver to return the new format, since GraphQL fields are not version-locked
  • D. Make `fullName` non-nullable and add `displayName`, so clients are forced to adopt the new field
Correct answer: B. GraphQL evolves additively: add the new field, keep the old one working, deprecate it, and remove only after telemetry confirms no clients depend on it.
This React component re-renders and the expensive child re-renders on every keystroke even though its props look stable: ```jsx function Parent(){ const [q,setQ]=useState(''); const onSelect = () => doThing(); return <><input value={q} onChange={e=>setQ(e.target.value)} /> <ExpensiveChild onSelect={onSelect} /></>; } const ExpensiveChild = React.memo(function C({onSelect}){ /*...*/ }); ``` Why does `React.memo` fail to prevent the child's re-render, and what is the correct fix?
  • A. `React.memo` only works on class components; convert ExpensiveChild to a class
  • B. `onSelect` is a new function identity on every Parent render, breaking memo's shallow prop equality; wrap it in `useCallback` with a stable dependency list ✓
  • C. State updates always bypass memoization; move `q` into a ref instead of state
  • D. memo needs a custom comparator for all props; the default never compares functions
Correct answer: B. A fresh `onSelect` closure is created each render so memo's shallow compare sees a changed prop; `useCallback` stabilizes its identity.
An event-driven pipeline uses at-least-once delivery from a queue: a consumer charges a payment then publishes a 'charged' event. On redelivery (e.g., after a consumer crash before ack), you must avoid double-charging. Which design gives you effective exactly-once *processing* semantics?
  • A. Switch the broker to exactly-once delivery mode, which guarantees the handler runs once
  • B. Make the charge operation idempotent using a unique idempotency key persisted transactionally (dedup table) so redeliveries are no-ops ✓
  • C. Acknowledge the message before processing so it is never redelivered
  • D. Increase the visibility timeout so the message is never redelivered during processing
Correct answer: B. At-least-once delivery is unavoidable across crashes, so idempotency via a transactionally-persisted idempotency key makes redeliveries safe no-ops, yielding effective exactly-once processing.
A Postgres query `SELECT * FROM orders WHERE customer_id = $1 AND status = 'shipped' ORDER BY created_at DESC LIMIT 20;` is slow. `EXPLAIN ANALYZE` shows a Seq Scan + Sort. Which index best serves this query, letting Postgres avoid the sort and satisfy the filter efficiently?
  • A. `CREATE INDEX ON orders (created_at);`
  • B. `CREATE INDEX ON orders (customer_id, status, created_at DESC);` ✓
  • C. `CREATE INDEX ON orders (status);` plus `CREATE INDEX ON orders (customer_id);`
  • D. `CREATE INDEX ON orders (created_at, status, customer_id);`
Correct answer: B. A composite index with the equality columns first (customer_id, status) then created_at DESC matches the filter and provides pre-sorted rows so Postgres can skip the sort and stop at LIMIT.
You are decomposing a monolith and split 'Orders' and 'Inventory' into separate services with their own databases. A place-order operation must reserve inventory and create an order atomically, but you can no longer use a single ACID transaction across both DBs. Which pattern correctly handles this with well-defined failure semantics?
  • A. Two-phase commit (2PC) coordinated by the API gateway across both service databases
  • B. A saga: a sequence of local transactions with compensating actions (e.g., release reservation) triggered when a later step fails ✓
  • C. Wrap both service calls in a distributed database transaction using `SERIALIZABLE` isolation
  • D. Have Orders synchronously call Inventory and roll back Orders' DB if Inventory throws
Correct answer: B. Across independent service databases you use a saga of local transactions with compensating actions, which provides eventual consistency and defined rollback semantics without a cross-service ACID transaction.
You must build a JWT-based auth system where access tokens are stateless but you also need the ability to revoke a compromised session before its expiry. What is the standard architecture that preserves statelessness for the common path while enabling revocation?
  • A. Make access tokens long-lived and delete them from the client on logout
  • B. Use short-lived access tokens (stateless, checked by signature) plus long-lived refresh tokens tracked server-side, so revoking the refresh token/session stops renewal ✓
  • C. Store every access token in the database and query it on each request
  • D. Encrypt the JWT payload so it cannot be reused after logout
Correct answer: B. Short-lived stateless access tokens keep the hot path stateless, while server-side-tracked refresh tokens provide a revocation point that cuts off renewal for a compromised session.

Prep for another role

Questions are original, written and independently verified for HireHire's role interview quizzes. They reflect the kind of knowledge Full Stack Developer interviews test, not any specific company's questions. HireHire maps live tech & IT jobs across India, updated regularly. Last updated: July 2026.