Full Stack Developer
Updated for 2026: Full Stack Developer interview questions and answers covering core skills, tools, and best practices for roles in the US, Europe & Canada.
What does a Full Stack Developer do and how is it different from a specialist role?
A Full Stack Developer works across the frontend, backend, and often deployment. **Typical responsibilities:** - Build UI and client-side state - Design APIs and backend services - Model data and work with databases - Debug end-to-end issues and ship features Specialists (frontend-only or backend-only) go deeper in one area. Full stack roles emphasize breadth and the ability to make trade-offs across the entire system.
How would you build a CRUD application end-to-end (UI, API, database)?
An end-to-end CRUD app needs consistent models and contracts. **Steps:** - Define entities and validation rules - Design REST/GraphQL endpoints and error formats - Create database schema + migrations - Build UI forms and list views - Add auth/authz if needed - Implement pagination and search - Add tests (unit + integration + critical E2E) **Interview tip:** emphasize clean API contracts, validation, and observability for production support.
How do you design a secure authentication flow for a full stack app?
A secure auth flow covers login, session management, and authorization. **Common approach:** - Use secure sessions (httpOnly cookies) or JWT access+refresh tokens - Add MFA for sensitive apps - Enforce authorization on the server for every request - Protect against XSS/CSRF (CSP, SameSite, CSRF tokens) Also implement audit logs, rate limiting on login, and safe password storage (Argon2/bcrypt).
SSR vs SPA: how do you decide for a full stack product?
Choose based on SEO, performance, and product needs. **SSR/SSG:** better for SEO and fast first content for marketing/content pages. **SPA:** good for app-like dashboards where SEO is less important. Many products use a hybrid: SSR/SSG for public pages and SPA-style interactions behind auth. The goal is the best UX with manageable infrastructure.
Why are API contracts important and how do you keep frontend and backend in sync?
API contracts prevent integration bugs. **Common strategies:** - OpenAPI/Swagger specs for REST - GraphQL schema as the contract - Shared types generated from schema - Contract tests in CI Keep versioning and deprecations explicit, and use consistent error shapes so the frontend can handle failures reliably.
How do you manage environment configuration for a full stack app (dev/staging/prod)?
Configuration should be external to code and safe. **Best practices:** - Use environment variables for secrets and endpoints - Separate config per environment - Validate config at startup - Never commit secrets - Use secret managers in production Also ensure the frontend build/runtime receives only non-sensitive config; secrets must remain server-side.
Monorepo vs multirepo: which is better for full stack teams?
Both work; it depends on scale and tooling. **Monorepo pros:** shared code, single CI, easier refactors. **Cons:** tooling complexity, slower pipelines if not optimized. **Multirepo pros:** independent releases, clearer boundaries. **Cons:** harder cross-repo changes, versioning shared libs. A common approach is monorepo with strong tooling (workspace, caching) and clear ownership boundaries.
How do you design a database schema that supports both product features and performance?
Start from the domain model and access patterns. **Steps:** - Identify entities, relationships, and constraints - Normalize first for correctness - Add indexes for hot queries - Denormalize only when measured - Plan migrations and avoid breaking changes **Full stack angle:** align UI needs (filters, sorts) with backend query patterns to avoid expensive scans and N+1 issues.
How do you implement pagination end-to-end (API + UI) without breaking UX?
Pagination needs consistent API responses and stable UI state. **Backend:** choose cursor pagination for large datasets; return `items` + `nextCursor`. **Frontend:** preserve scroll position, show loading states, and avoid duplicate items. Also handle filters/sorts by resetting cursor correctly and reflecting state in the URL for shareability.
How do you use a CDN and caching to improve full stack performance?
CDNs cache static assets near users. **Strategy:** - Cache static assets aggressively (hashed filenames) - Use HTTP caching headers (`Cache-Control`, `ETag`) - Cache SSR/HTML selectively when safe - Add API caching where appropriate (Redis) **Interview tip:** explain cache invalidation via content hashing for assets and careful TTL for dynamic data.
How do you design file storage for uploads (S3-style) with secure access?
A robust design uses object storage + secure URLs. **Approach:** - Upload directly to object storage using pre-signed URLs - Store metadata in DB (owner, path, mime, size) - Serve via CDN - Enforce authorization (private buckets, signed URLs) - Validate file type/size and scan if needed This avoids overloading app servers and scales well.
How do you implement search in a full stack application?
Search design depends on complexity. **Options:** - Simple: SQL LIKE + indexes (small datasets) - Better: full-text search (Postgres FTS) - Advanced: dedicated search engine (Elasticsearch/OpenSearch) Design for relevance, typo tolerance, filters, and pagination. Cache popular queries and monitor latency.
How do you add real-time updates to a full stack app?
Real-time updates can use SSE or WebSockets. **Design steps:** - Choose protocol (SSE for server push; WebSockets for bi-directional) - Authorize connections - Scale with a pub/sub layer (Redis, Kafka) - Handle reconnects and message ordering Start simple and scale only when traffic requires it.
What work should be moved to background jobs in a full stack app?
Move tasks that are slow, unreliable, or non-critical to background jobs. Examples: - Emails and notifications - Video/image processing - Analytics/event ingestion - Report generation Keep request paths fast and predictable. Ensure jobs are idempotent and observable (retries, DLQs, dashboards).
How do you integrate payments safely in a full stack product?
Payments require correctness, security, and auditability. **Key practices:** - Use a trusted provider and hosted payment UI where possible - Never store raw card data (PCI) - Use idempotency keys for charge requests - Verify webhooks and handle retries - Maintain an order/payment state machine **Interview tip:** explain reconciliation and safe handling of asynchronous webhook events.
How do you protect a full stack app from bots and abusive traffic?
Protection is layered. **Common controls:** - Rate limiting per IP/user - CAPTCHA for suspicious flows - WAF rules and bot detection - Abuse monitoring (signup/login anomalies) - Caching and CDN shielding Also design endpoints to be cheap (avoid heavy DB work) and make writes idempotent to handle retries safely.
What does observability look like for a full stack application?
Observability combines logs, metrics, and traces across client and server. **Full stack view:** - Frontend: error tracking, performance (Web Vitals), user journeys - Backend: structured logs, latency/error metrics, distributed tracing Use correlation IDs across requests and add dashboards for critical flows (login, checkout, search).
How do you debug a production issue end-to-end?
A structured approach reduces downtime. **Steps:** - Reproduce or narrow scope (affected users, endpoints) - Check dashboards (latency, errors, deploy markers) - Follow traces/logs with correlation IDs - Validate recent changes and feature flags - Mitigate (rollback/disable flag) before deep fix Document the root cause and add tests/alerts to prevent regressions.
How do you improve performance across both frontend and backend?
Performance is end-to-end. **Frontend:** reduce JS, optimize images, improve Web Vitals. **Backend:** optimize queries, cache hot reads, tune concurrency, reduce payload sizes. **Network:** use CDN, compression, HTTP/2/3, keep APIs lean. Measure first (RUM + APM) and optimize the biggest bottleneck, not the easiest change.
What’s a practical security checklist for full stack applications?
A practical checklist includes: - Input validation + output encoding - Secure auth (MFA, safe sessions/tokens) - Authorization checks on every endpoint - CSRF/XSS protections (SameSite, CSP) - Rate limiting and abuse detection - Secure secrets management - Logging without sensitive data Security is a process: monitor, patch, and review regularly.
How do you deploy a full stack application to production safely?
Safe deployments reduce risk. **Approach:** - Automated CI pipeline with tests - Build artifacts and immutable deploys - Use environment config + secret manager - Canary/blue-green rollouts - Monitor metrics and rollback quickly Also plan DB migrations carefully (expand/contract) to avoid downtime.
What should a good full stack CI/CD pipeline include?
A good CI/CD pipeline provides fast feedback and safe releases. **Include:** - Linting and type checks - Unit + integration tests - Build + security scanning - Staging deploys and smoke tests - Production deploy with canary Also add caching to speed builds and make failures actionable with clear logs.
How do feature flags help full stack delivery and what are common pitfalls?
Feature flags enable incremental delivery. **Benefits:** safer releases, targeted rollouts, instant rollback. **Pitfalls:** flag debt (never removing old flags), inconsistent behavior across services, and security (server must enforce privileged flags). A good practice is to track flags and schedule cleanup once a feature is stable.
How do you design consistent API error responses that the frontend can handle?
Consistent errors improve UX and reduce bugs. **Design:** - Use a stable error shape (code, message, details) - Map validation errors per field - Use HTTP status codes correctly - Include correlation IDs for support Avoid leaking sensitive server details. Frontend can then show helpful messages and retries reliably.
What is a good testing strategy for full stack applications?
Use a layered strategy: - Unit tests for business logic - Integration tests for API + DB - E2E tests for critical user journeys Keep E2E small to reduce flakiness. Use fixtures, deterministic test data, and run fast checks on PRs with a broader suite nightly.
When does GraphQL make sense in a full stack product?
GraphQL is valuable when clients need flexible data shapes. **Good fits:** complex UIs with many related entities, multiple clients (web/mobile), and rapid iteration. **Costs:** schema design, caching strategy, N+1 resolvers (needs dataloaders), and operational complexity. Use it when the flexibility reduces overall product complexity—not just because it’s trendy.
Why do you need runtime validation if you already use TypeScript?
TypeScript types don’t exist at runtime. APIs and user input can still be invalid. Runtime validation ensures: - Safe parsing of untrusted data - Better error messages - Consistent schemas between client and server Use schema validators to validate requests/responses and keep types in sync via inference or codegen.
How do you evolve schemas and migrate data safely while shipping features?
Schema changes must remain compatible during deployment. **Process:** - Make backward-compatible schema changes first - Deploy code that supports old + new - Backfill data in batches - Switch reads/writes - Remove old fields later Coordinate UI and API changes via feature flags and staged rollouts to avoid breaking clients.
How would you migrate a monolith to microservices without breaking users?
A safe migration is incremental. **Steps:** - Identify clear domain boundaries (bounded contexts) - Extract one service at a time (strangler pattern) - Keep API contracts stable; use a gateway if needed - Handle data ownership carefully (avoid shared DB long-term) - Add observability early (tracing/logs) Microservices only help if the team can operate them reliably (deployments, monitoring, incident response).
What changes when you deploy a full stack application to multiple regions?
Multi-region improves latency and resilience but adds complexity. **Key challenges:** - Data replication and consistency - Global routing and failover - Session/state handling - Observability across regions A common approach is active-active for stateless services + active-passive for stateful systems, with clear failover runbooks and regular disaster recovery testing.