API Security Beginner Quiz
30 questions on API Security Tutorial.
Question 1: Why is HTTPS essential for API security?
- A. It makes the API respond faster
- B. It provides a visual lock icon in the browser
- C. It encrypts data transferred between the client and server, preventing Man-in-the-Middle (MitM) attacks ✓ (correct answer)
- D. It compresses JSON payloads
Explanation: HTTPS uses TLS (Transport Layer Security) to encrypt all HTTP requests and responses, ensuring that intercepted traffic cannot be read or tampered with by hackers.
Question 2: What is the fundamental difference between Authentication and Authorization?
- A. They are identical concepts
- B. Authentication verifies WHO the user is; Authorization verifies WHAT the user is allowed to do ✓ (correct answer)
- C. Authentication is for APIs; Authorization is for databases
- D. Authorization verifies WHO the user is; Authentication verifies WHAT the user is allowed to do
Explanation: Logging in with a password is Authentication. Attempting to delete an admin record and being denied because you are a standard user is an Authorization check.
Question 3: What is an API Key?
- A. A physical USB hardware device
- B. A long, generated string passed by the client to identify the calling project or developer, often used to track and control usage ✓ (correct answer)
- C. A cryptographic password hash
- D. A database primary key
Explanation: API keys (e.g., ?api_key=abcdef12345) are simple tokens used to authenticate the application calling the API, though they are generally less secure than OAuth for user-level authentication.
Question 4: What does JWT stand for?
- A. Java Web Toolkit
- B. JavaScript Web Token
- C. JSON Web Token ✓ (correct answer)
- D. JSON Wireless Transmission
Explanation: JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
Question 5: Which of the following is true about a standard JWT?
- A. It is heavily encrypted and cannot be decoded by the client
- B. It is Base64 encoded and can be easily decoded and read by anyone, but it cannot be modified without invalidating the cryptographic signature ✓ (correct answer)
- C. It hides passwords inside the token securely
- D. It never expires
Explanation: JWTs consist of three parts: Header, Payload, and Signature. The payload is easily decoded. However, modifying the payload invalidates the signature, preventing tampering. Sensitive data (like passwords) should NEVER be stored in a JWT.
Question 6: Which HTTP header is standard for transmitting Bearer tokens (like JWTs)?
- A. Security-Token
- B. Authorization ✓ (correct answer)
- C. API-Key
- D. Bearer-Auth
Explanation: The standard approach for sending a JWT is using the Authorization header with the Bearer scheme: Authorization: Bearer <token>.
Question 7: What is OAuth 2.0?
- A. A database management software
- B. A secure video streaming protocol
- C. An industry-standard authorization framework that enables third-party applications to obtain limited access to an HTTP service ✓ (correct answer)
- D. A hashing algorithm
Explanation: OAuth 2.0 allows users to grant websites or applications access to their information on other websites (like "Log in with Google") without giving them the actual passwords.
Question 8: What is API Rate Limiting?
- A. Limiting the file size of database uploads
- B. Controlling the number of requests a client can make to an API within a specific timeframe to prevent abuse and DDoS attacks ✓ (correct answer)
- C. Limiting the speed of the server CPU
- D. Restricting API access to certain countries
Explanation: Rate limiting protects backend systems from being overwhelmed by too many requests (either malicious brute-force attacks or accidental loops) and typically returns a 429 Too Many Requests status.
Question 9: What does CORS stand for?
- A. Cross-Origin Resource Sharing ✓ (correct answer)
- B. Cryptographic Object Relational Security
- C. Centralized Online Routing System
- D. Client-Oriented Request Signature
Explanation: CORS is a browser security feature that prevents a malicious website from making background API requests to a different domain unless the API server explicitly permits that domain using CORS headers.
Question 10: What is an SQL Injection (SQLi) attack?
- A. Injecting CSS into the frontend
- B. Inserting malicious SQL queries via client input data to bypass security, read hidden data, or destroy the database ✓ (correct answer)
- C. Crashing the server by sending huge payloads
- D. Intercepting network traffic
Explanation: SQL Injection occurs when user input is directly concatenated into a database query. Using Parameterized Queries or Prepared Statements entirely neutralizes this threat.
Question 11: How should API endpoints handle user input payloads to maintain security?
- A. Trust the frontend validation
- B. Validate and sanitize all incoming data on the server-side before processing it ✓ (correct answer)
- C. Store all raw input directly in the database
- D. Execute it as JavaScript
Explanation: Frontend validation can be easily bypassed using tools like Postman. Servers must strictly validate types, lengths, and formats (using tools like Joi or Zod) to prevent malicious data injection.
Question 12: What is the principle of "Least Privilege"?
- A. Giving all users admin access for simplicity
- B. Ensuring that a user, application, or service has only the minimum permissions necessary to perform its intended function ✓ (correct answer)
- C. Providing open access to all APIs internally
- D. Reusing the same API key everywhere
Explanation: Least privilege minimizes the potential attack surface. If an API key only needs to read public posts, it should absolutely not have permissions to delete users.
Question 13: What is a Refresh Token in the context of OAuth / JWT?
- A. A token used to force the browser to reload the page
- B. A long-lived token used to securely request a new, short-lived Access Token when the current Access Token expires, without requiring the user to log in again ✓ (correct answer)
- C. A database reset command
- D. A UI styling variable
Explanation: Access tokens are kept short-lived (e.g., 15 minutes) for security. If stolen, they expire quickly. Refresh tokens are stored securely and used periodically to fetch new access tokens.
Question 14: Why is it dangerous to hardcode API keys or secrets in frontend JavaScript code?
- A. It slows down the browser compilation
- B. Anyone can inspect the browser's source code or network tab, extract the secret, and impersonate the application ✓ (correct answer)
- C. JavaScript cannot read strings
- D. It causes CORS errors
Explanation: Frontend code is entirely public. Sensitive keys (like AWS credentials, database passwords, or private API keys) must be stored securely on the backend server using environment variables.
Question 15: What is XSS (Cross-Site Scripting)?
- A. A server overload attack
- B. An attack where a malicious script is injected into an otherwise trusted website, executing in the browsers of victim users ✓ (correct answer)
- C. A database corruption technique
- D. A password brute-forcing tool
Explanation: If an API returns user-generated content (like a comment) that contains <script>alert('Hack')</script> and the frontend renders it as raw HTML, the script executes, potentially stealing cookies.
Question 16: What HTTP header should a server return to enable strict transport security, forcing browsers to only interact with the API via HTTPS?
- A. Content-Security-Policy (CSP)
- B. Strict-Transport-Security (HSTS) ✓ (correct answer)
- C. X-Frame-Options
- D. Secure-HTTP-Only
Explanation: HSTS (HTTP Strict Transport Security) is a response header that informs browsers that the site should only be accessed using HTTPS, preventing protocol downgrade attacks.
Question 17: What is BOLA (Broken Object Level Authorization), previously known as IDOR?
- A. A vulnerability where an API does not verify if the currently authenticated user actually has permission to access the specific object ID requested ✓ (correct answer)
- B. An encryption failure
- C. A routing crash
- D. A CSS injection
Explanation: If User A requests /api/invoices/100, the API must check if Invoice 100 belongs to User A. If it only checks that User A is logged in, User A can steal User B's invoice. This is BOLA.
Question 18: What is the best way to securely store user passwords in a database?
- A. Plain text for easy recovery
- B. Base64 encoding
- C. Hashing the passwords using a strong, slow algorithm (like bcrypt or Argon2) with a unique salt ✓ (correct answer)
- D. Encrypting them with AES-256
Explanation: Hashing is a one-way mathematical function. Even if the database is stolen, hackers cannot easily reverse bcrypt hashes to find the original passwords. A salt prevents rainbow table attacks.
Question 19: What is a CSRF (Cross-Site Request Forgery) attack?
- A. Forging SSL certificates
- B. Tricking an authenticated user's browser into executing an unwanted action on a trusted site where they are currently logged in ✓ (correct answer)
- C. Injecting SQL commands
- D. Scanning ports
Explanation: CSRF exploits the fact that browsers automatically attach session cookies to requests. Anti-CSRF tokens or SameSite cookie attributes are used to mitigate this.
Question 20: How can you protect your API endpoints from Brute Force password attacks?
- A. Disable the database
- B. Implement Account Lockout policies, Rate Limiting, and CAPTCHA integrations on authentication routes ✓ (correct answer)
- C. Use GET requests for passwords
- D. Remove error messages entirely
Explanation: Brute force attacks attempt thousands of password guesses. Rate limiting slows them down, while account lockouts (e.g., locking the account after 5 failed attempts) stop them completely.
Question 21: Why is it important to disable detailed error messages (like stack traces) in production APIs?
- A. To save bandwidth
- B. Detailed stack traces reveal underlying architecture, library versions, and file paths, providing attackers with blueprints to find exploits ✓ (correct answer)
- C. To prevent the server from crashing
- D. It is not important
Explanation: Production APIs should return generic error messages (e.g., "Internal Server Error"). The detailed stack traces should be logged internally to secure server logs, not sent to the client.
Question 22: What is the purpose of the HttpOnly flag on a browser cookie?
- A. It encrypts the cookie data
- B. It prevents client-side JavaScript from reading the cookie, severely mitigating the risk of XSS attacks stealing the token ✓ (correct answer)
- C. It forces the cookie to only work on HTTP, not HTTPS
- D. It deletes the cookie on browser close
Explanation: When storing sensitive tokens in cookies, HttpOnly ensures that document.cookie in JS cannot access it. The browser still automatically sends the cookie with HTTP requests to the server.
Question 23: Which header is used by API servers to mitigate Clickjacking attacks by preventing the API/site from being rendered inside an iframe?
- A. X-Content-Type-Options
- B. X-Frame-Options (or CSP frame-ancestors) ✓ (correct answer)
- C. Strict-Transport-Security
- D. CORS
Explanation: Clickjacking tricks users into clicking transparent iframe buttons. Setting X-Frame-Options: DENY ensures your application cannot be embedded inside malicious sites.
Question 24: What does Mass Assignment vulnerability refer to in REST APIs?
- A. Assigning too many servers to a cluster
- B. Automatically binding raw client JSON data directly to a database model without filtering, allowing attackers to overwrite restricted fields (like isAdmin: true) ✓ (correct answer)
- C. Sending massive payloads
- D. Creating too many user accounts
Explanation: If a backend framework blindly updates all provided JSON fields into the database table, an attacker can append "isAdmin": true to a profile update request and elevate their privileges.
Question 25: Which organization publishes the industry-standard "Top 10" list of the most critical web and API security risks?
- A. W3C
- B. IEEE
- C. OWASP (Open Worldwide Application Security Project) ✓ (correct answer)
- D. IETF
Explanation: OWASP provides comprehensive guidelines, including the OWASP API Security Top 10, outlining risks like Broken Object Level Authorization, Lack of Resources & Rate Limiting, and Mass Assignment.
Question 26: What is a JWT Signature composed of?
- A. A random UUID
- B. A cryptographic hash created by combining the encoded Header, the encoded Payload, and a secret key known only to the server ✓ (correct answer)
- C. The user's password
- D. The SSL certificate
Explanation: The signature ensures integrity. If an attacker modifies the payload (e.g., changing their user ID), the signature validation will fail on the server because the attacker doesn't possess the secret key to re-sign it.
Question 27: When building an API, what does "Zero Trust" architecture imply?
- A. Trusting internal networks implicitly
- B. Assuming that no user or system is trusted by default, regardless of whether they are inside or outside the corporate network, requiring continuous verification ✓ (correct answer)
- C. Banning all third-party integrations
- D. Trusting no open-source software
Explanation: Zero Trust means strict identity verification and least-privilege access are enforced for every single request, even if the request originates from another internal microservice.
Question 28: What is the purpose of API Gateway in a microservices architecture?
- A. To render HTML templates
- B. To act as a secure single entry point for all API traffic, centralizing rate limiting, SSL termination, authentication, and routing ✓ (correct answer)
- C. To store database records
- D. To run frontend JavaScript
Explanation: Instead of every microservice handling its own security protocols, an API Gateway intercepts external requests, handles security verifications (like JWT checks and Rate Limiting), and routes traffic internally.
Question 29: What is the risk of excessive data exposure in REST APIs?
- A. High server memory usage
- B. Returning full database records to the client (including sensitive data like SSNs or hashed passwords) and relying on the frontend to filter what is displayed ✓ (correct answer)
- C. Returning too many HTTP status codes
- D. Compiling data too quickly
Explanation: APIs must only return the exact data required by the UI. Relying on frontend code to hide sensitive backend data is a critical vulnerability, as attackers can inspect the raw JSON response.
Question 30: How does a Replay Attack work against an API, and how can it be mitigated?
- A. Playing a video payload on the server
- B. An attacker intercepts a valid API request and fraudulently repeats it later. Mitigated by using short-lived tokens, timestamps, or single-use nonces in requests. ✓ (correct answer)
- C. Attacking the server with repeated ping requests. Mitigated by firewalls.
- D. Sending SQL multiple times. Mitigated by parameterization.
Explanation: In a replay attack, a hacker captures a valid encrypted packet (like a bank transfer) and resends it. Using unique transaction nonces ensures the server rejects identical, repeated payloads.