Cover both sides: "Frontend: CSP headers block inline scripts, I never use innerHTML with user data. Backend: parameterised queries prevent injection, npm audit runs in CI, and I use helmet for security headers."
Frontend: XSS (sanitise user input, Content Security Policy, avoid innerHTML), CSRF (SameSite cookies, CSRF tokens), clickjacking (X-Frame-Options), sensitive data exposure in client bundles. Backend/Node.js: injection (parameterised queries), dependency vulnerabilities (npm audit), prototype pollution, SSRF, and insecure deserialisation. Strong candidates discuss security headers, npm audit in CI, and the principle of least privilege for API tokens.
Critical for any JavaScript developer. Candidates who only think about one side (frontend or backend) have blind spots. Those who mention CSP, npm audit, and prototype pollution demonstrate comprehensive security awareness.
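Prototype pollution is the item on this list that candidates most often name without being able to show. The following is an added example, not code from the page: a naive deep merge of a JSON request body into a settings object, beside a hardened merge that rejects the keys reaching the prototype chain. The body string and the function names are constructed for illustration.

```javascript
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: copies every key, so a "__proto__" key walks into Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: rejects the three prototype-chain keys and only recurses into
// objects the target owns itself, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`rejected unsafe key: ${key}`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: JSON.parse keeps "__proto__" as an own property,
// so Object.keys() hands it straight to the merge.
const POLLUTING_BODY = '{"__proto__": {"isAdmin": true}}';

// Runs the vulnerable merge, reports whether an unrelated object gained
// isAdmin, then removes the pollution so the rest of the process is unaffected.
function demonstratePollution() {
  try {
    naiveMerge({ theme: 'light' }, JSON.parse(POLLUTING_BODY));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

The same check belongs wherever a Node service merges untrusted JSON into configuration or session state; libraries that deep-merge request bodies are a common place to find the vulnerable shape.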