Interview guide
Full Stack Developer Interview Questions & Answers Guide (2026)
A hiring-manager’s interview kit for full stack developers — with specific “what to look for” notes on every answer, red flags to watch, and a practical test.
Key facts
- Role
- Full Stack Developer
- Technical questions
- 15
- Behavioral
- 7
- Role-fit
- 5
- Red flags
- 8
- Practical test
- Included
How to use this guide
Pick 4-6 technical questions across difficulties, 2-3 behavioral, and 1-2 role-fit for a 45-minute interview. For senior roles, weight harder technical and role-fit higher. Always close with the practical test so you are hiring on evidence, not impressions. The “what to look for” notes are a scoring rubric: strong answers touch most points, weak answers miss them or replace them with platitudes.
Technical questions — Easy
1. What is the N+1 query problem? Show me how to spot it from the frontend side.
EasyWhat to look for: Sees list page slow, opens network tab, sees many duplicate API calls, or a single slow API call wrapping many DB reads. Fix: eager load, batched endpoint, or DataLoader.
2. How do you manage environment config for local, preview, staging, and production?
EasyWhat to look for: Secrets manager for prod, .env.local for dev, preview envs get their own isolated DB, no production secrets in PR preview. Typed env var parsing at boot.
Technical questions — Medium
1. How do you design an API contract between frontend and backend so the two do not drift in production?
MediumWhat to look for: Typed contracts via tRPC, GraphQL codegen, or OpenAPI + generated clients. Contract tests in CI. Versioning strategy. Adds types to the same monorepo or publishes a shared package.
2. Explain how session cookies vs JWT auth differ and when you would pick each for a new app.
MediumWhat to look for: Server-side sessions for revocability and simplicity; JWT for stateless scale or cross-domain. Discusses refresh rotation, httpOnly/SameSite cookies, CSRF implications, token size cost.
3. A page is slow. How do you decide if it is a frontend, network, or backend problem?
MediumWhat to look for: Chrome DevTools Network tab TTFB vs content download vs render. Server-Timing headers, APM traces, backend logs. Methodical — not "add Redis".
4. Explain optimistic updates from the client side and what the server should do to support them safely.
MediumWhat to look for: TanStack Query onMutate / rollback, client-generated IDs, server idempotency keys, reconciliation on server response. Race condition awareness.
5. A feature requires a long-running job (report generation, data export). How do you design the UX and backend?
MediumWhat to look for: Accept the request, return 202 with a job ID, worker processes async, client polls or subscribes via SSE/WebSocket, notification on completion, retry semantics, failure UX.
6. Walk me through setting up CI that runs frontend + backend + DB integration tests on every PR without flaking.
MediumWhat to look for: Service containers or Testcontainers for Postgres, parallel test sharding, Playwright in headless with retries off by default (fix the flakes), proper seeding, caching of node_modules.
7. What is CSRF and why is it still relevant if we use JWTs?
MediumWhat to look for: CSRF applies if you store auth in cookies (including JWT-in-cookie). SameSite, double-submit tokens, custom header strategy. Not relevant if using Authorization header + localStorage (but that has XSS trade-offs).
8. Tell me about an end-to-end production bug you debugged that required looking at frontend state, API calls, and database rows. What was the causal chain?
MediumWhat to look for: Real story with a trace through all three layers. Demonstrates they actually own end-to-end rather than stopping at "not my layer".
Technical questions — Hard
1. A user reports that a button click sometimes creates two database rows. Walk me through diagnosing this end-to-end.
HardWhat to look for: Considers double-click, retries on flaky network, useEffect firing twice, race conditions in optimistic updates, and missing idempotency on the server. Good candidates instrument with correlation IDs and reproduce in staging.
2. You need to add a new non-null column to a 50M-row Postgres table without downtime, and the frontend starts sending the new value on day zero. Walk me through it.
HardWhat to look for: Add nullable, deploy backend that reads old-or-new, frontend starts sending, backfill in batches, flip NOT NULL. Coordinated release. Rollback plan. Considers ORM migration tooling.
3. How do you handle a Stripe webhook that must be idempotent and secure end-to-end?
HardWhat to look for: Signature verification, event.id dedupe table, 2xx fast then async processing, retry-safe handler. Also handles the frontend confirmation step correctly.
4. You need to upload a 2 GB file from the browser to S3. Walk me through the architecture.
HardWhat to look for: Signed URLs for direct-to-S3, multipart upload, resumable uploads, progress on the client, webhook or head-check for completion. Does not proxy 2 GB through the API server.
5. How do you handle schema evolution when mobile clients cannot be force-upgraded?
HardWhat to look for: Additive-only changes for a deprecation window, versioned endpoints, feature flags, telemetry on version adoption, a policy for when an old version can finally be retired.
Behavioral questions
1. Tell me about a feature where the frontend and backend could not agree on the contract. How did you resolve it?
What to look for: Wrote a spec, did a whiteboard session, prototyped both sides quickly, owned the meeting. Not a turf war.
2. Describe a production incident where the fix required changes on both sides. How did you coordinate the release?
What to look for: Feature flag, staggered deploy (backend first, backward-compatible), rollback plan, comms. Understands deploy ordering.
3. Walk me through how you onboard into an unfamiliar full-stack codebase.
What to look for: Reads README, runs locally, traces one user flow end-to-end through client + API + DB, small PR early, asks to pair.
4. When have you disagreed with a backend-only or frontend-only teammate? How did it land?
What to look for: Respects specialists, brings data, avoids the "I can do both so I am right" trap. Humble about depth gaps.
5. What is the most complex feature you have shipped solo end-to-end, and why was it hard?
What to look for: Specific dimensions of difficulty. Owned all layers including tests, deploy, monitoring. Shows taste and scope.
6. How do you decide when a feature needs a specialist (dedicated backend or frontend) vs when you ship it solo?
What to look for: Self-aware about depth gaps (perf work, complex data modeling, intricate animations). Asks for help rather than faking it.
7. Describe a time you shipped the wrong architecture and had to unwind it. What did reversibility cost you?
What to look for: Shows reversibility thinking. Talks about what signals they watch to notice a bad choice early.
Role-fit questions
1. Are you comfortable owning deploys and on-call for features you ship, not just writing the code?
What to look for: Yes, with opinions on alerting thresholds, runbooks, and blameless postmortems. Red flag: expects "throw over the wall" ops handoff.
2. Our stack is Next.js + NestJS + Postgres + Prisma on AWS. Any gaps, and how would you ramp?
What to look for: Honest gap assessment with a ramp plan. Real candidates admit depth gaps.
3. Which layer do you enjoy most, and which do you lean on others for?
What to look for: Self-aware. Most full-stack devs have a stronger side — the good ones admit it and invest in the weaker side deliberately.
4. How do you handle 4 hours of overlap with a US team?
What to look for: Protects overlap for blocking discussions (contracts, incident triage), long-form async for the rest.
5. Pragmatism vs purism on deadlines — where do you sit?
What to look for: Pragmatism with a follow-up ticket for debt. Purism on security and data integrity.
Red flags
Any one of these alone is usually reason to pass, especially combined with weak answers elsewhere.
- • Says "I am full-stack" but cannot write a SQL query more complex than SELECT * FROM users.
- • Has never read a query plan or does not know what an N+1 is from the client side.
- • Cannot explain the CSRF story for their last project.
- • Deploys frontend and backend in the wrong order and has never thought about it.
- • Treats authentication and authorization as the same thing.
- • Cannot describe an end-to-end trace of a real production bug.
- • Ships without tests on either side and calls it "prototyping".
- • Stops debugging at "works on my machine" or "must be an infra issue".
Practical test
6-hour take-home: build a mini task-tracker end-to-end. Next.js frontend with a typed API (tRPC, GraphQL, or OpenAPI-generated), Postgres schema with reversible migrations, auth via session cookies, one background job (daily digest), a GitHub Actions pipeline with preview deploy, and at least one Playwright E2E test. Include a brief ADR on your frontend/backend contract choice and deployment strategy. We grade on: end-to-end correctness (30%), contract design (20%), data model + migrations (20%), tests + CI (15%), ADR quality (15%).
Scoring rubric
Score each answer 1-4: (1) Misses most of the rubric or gives platitudes; (2) Hits some points but cannot go deep when pressed; (3) Covers the rubric and can defend the answer under follow-ups; (4) Adds unprompted nuance, trade-offs, or real examples beyond the rubric. Hire at an average of 3.0+ across technical, behavioral, and role-fit, with zero red flags, and a pass on the practical test.
Related
Written by Syed Ali
Founder, Remoteria
Syed Ali founded Remoteria after a decade building distributed teams across 4 continents. He has helped 500+ companies source, vet, onboard, and scale pre-vetted offshore talent in engineering, design, marketing, and operations.
- • 10+ years building distributed remote teams
- • 500+ successful offshore placements across US, UK, EU, and APAC
- • Specialist in offshore vetting and cross-timezone team integration
Last updated: April 12, 2026