Backend Developer Interview Questions & Answers Guide (2026)

What to look for: Real stories on injection, broken access control, SSRF, or auth misconfigs. Should distinguish authentication from authorization. Red flag: recites list without examples.

What to look for: ORM lazy loading, solutions: eager load / JOIN, DataLoader batching (GraphQL), or a rewrite. Has used query log, APM, or test assertions to detect it.

What to look for: Vault / AWS Secrets Manager / Doppler, rotation, least-privilege IAM, no plaintext in Git history, awareness of how to recover from a leaked secret (rotate, then audit access logs).

What to look for: Client-generated idempotency key, a store (Redis or DB table) that maps key -> response with TTL, transactional handling so the write and the key land together, and a plan for partial failures. Red flag: "we just deduplicate by amount and user".

What to look for: EXPLAIN ANALYZE first, check for seq scans, stale statistics (ANALYZE), index bloat, plan cache regression, parameter sniffing, row count growth, or a missing index on a new filter. Should mention pg_stat_statements.

What to look for: URL versioning vs header versioning trade-offs, additive-only changes to v1, deprecation windows, telemetry to see who is still on old versions, and a policy for when to retire a version.

What to look for: gRPC for internal, typed contracts, bidirectional streaming, low latency. REST for external/public. GraphQL for client-driven shape. No dogma. Talks about tooling cost.

What to look for: At-least-once delivery is expected in most queues; the fix is idempotent handlers, not "turn off retries". Check visibility timeout, handler time, dead-letter behavior. Add an idempotency key or dedupe table.

What to look for: Staleness tolerance, write amplification cost, cache invalidation complexity, consistency requirements. Good answers measure before adding cache.

What to look for: Specific narrative, owns the failure, describes both proximate and systemic cause, ships a concrete guardrail (alert, test, policy) not a vague "we will be more careful".

What to look for: Read Committed (default) vs Repeatable Read vs Serializable, phantom reads, SSI serialization failures, retry loops on 40001 errors. Good answer cites a real case where they needed Repeatable Read or Serializable for a correctness bug.

What to look for: DB transaction when the contention is on a single table and you need ACID; distributed lock when coordinating work across services or over a resource that is not in the DB. Should acknowledge Redlock correctness debates and fencing tokens.

What to look for: Add nullable, dual-write from app, batched backfill with throttling, verify, add NOT NULL via validated check constraint, drop temporary. Mentions pg_repack/gh-ost-style tools and rollback plan.

What to look for: Per-IP + per-account, sliding window in Redis, progressive backoff, captcha at a threshold, account-lockout alerts, distinguish password guessing from enumeration.

What to look for: Heap profiling, leak detection, streaming vs buffering, connection pool sizing, container memory limits vs process limits, GC tuning. Should mention specific tools (pprof, clinic.js, VisualVM).

1. Tell me about a time you pushed back on a product decision because of a data-model or scale concern.

What to look for: Brought evidence (query plans, load test, capacity math), proposed alternatives, landed on a decision without ego. Not obstructionist.

2. Describe the worst production incident you caused or led response on. What did you learn?

What to look for: Owns the failure, describes root cause precisely, talks about follow-up guardrails. Avoids blame.

3. How do you write a PR description for a migration that touches a hot production table?

What to look for: Risk section, rollback plan, monitoring window, communicates blast radius, asks for a specific reviewer, includes the EXPLAIN.

4. Walk me through how you onboard yourself into an unfamiliar backend codebase.

What to look for: Reads README, runs it locally, traces one request end-to-end, draws a dependency graph, opens small PRs early to validate understanding.

5. When have you said no to a deadline, and how did you frame the conversation?

What to look for: Offers a scope/quality/date trade-off rather than "no". Communicates early. Shows data.

6. Tell me about a technical decision you made that turned out wrong. How did you unwind it?

What to look for: Shows self-awareness. Describes reversibility thinking, the exit plan, and what they would do differently.

7. How do you keep a junior engineer from shipping a migration that could take the site down?

What to look for: Pre-merge checklist, paired runbook review, staging rehearsal, treating their mistake as a process failure to fix, not a person to blame.

1. How do you feel about carrying a pager for services you own?

What to look for: Accepts it as part of ownership, has done it before, has opinions on paging thresholds and alert fatigue.

2. Our stack is NestJS + Postgres + Redis on AWS ECS. Any of that unfamiliar, and how would you ramp up?

What to look for: Honest gap assessment + concrete ramp plan (docs, small PR, pair session). Fakery is a red flag.

3. How do you operate with only 4 hours of timezone overlap with your US team?

What to look for: Long-form PR descriptions, batched Slack threads, Loom walkthroughs for complex reviews, protects overlap for blocking discussions.

4. What is your philosophy on tests — fast unit vs slow integration vs contract?

What to look for: Has a real opinion grounded in cost-vs-confidence, not dogma. Knows when to reach for Testcontainers, mocks, or contract tests.

5. Where do you sit on pragmatism vs purism when deadlines hit?

What to look for: Pragmatism with an explicit follow-up ticket for the debt; purism where it matters (security, data integrity).