URL Versioning: /v1/users, /v2/users (most common, clear and cacheable)

Header Versioning: Accept: application/vnd.api+json;version=1

Query Parameter: /users?version=1 (simple but can clutter URLs)

Strategy: Maintain 2-3 versions maximum, deprecate gracefully with clear timelines.

Token Bucket: Refill tokens at fixed rate, consume on requests

Sliding Window: Track requests in rolling time window

Fixed Window: Simple counter reset at intervals

Headers: Include X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset

CORS (Cross-Origin Resource Sharing): Mechanism allowing web pages to access resources from different domains.

Same-Origin Policy: Browsers block cross-origin requests by default for security

Preflight Request: OPTIONS request for complex requests (POST with JSON)

Offset-based: ?page=2&limit=20 (simple but inefficient for large datasets)

Cursor-based: ?after=eyJpZCI6MTIzfQ&limit=20 (better performance, consistent results)

Headers: Include Link header for navigation (GitHub style)

Webhooks: HTTP callbacks triggered by events, enabling real-time communication

Security measures:

• HTTPS only
• Signature verification (HMAC-SHA256)
• Timestamp validation (prevent replay attacks)
• IP whitelisting when possible

Normalization: Reducing data redundancy by organizing into separate tables

• 1NF: Atomic values, no repeating groups
• 2NF: No partial dependencies on composite keys
• 3NF: No transitive dependencies

When to denormalize: Read-heavy workloads, complex joins affecting performance, data warehousing scenarios

Trade-offs: Normalization reduces storage and update complexity; denormalization improves read performance

1. Analyze query execution plan (EXPLAIN in PostgreSQL/MySQL)
2. Add appropriate indexes on WHERE, JOIN, ORDER BY columns
3. Avoid SELECT * - only fetch needed columns
4. Optimize WHERE clauses - put most selective conditions first
5. Consider query restructuring - break complex queries into simpler ones
6. Use query caching for repeated queries

ACID Properties:

• Atomicity: All operations succeed or all fail (no partial updates)
• Consistency: Database remains in valid state after transaction
• Isolation: Concurrent transactions don't interfere with each other
• Durability: Committed changes persist even after system failure

Connection pooling: Reuse database connections to reduce overhead

Benefits: Faster response times, reduced resource usage, better concurrency control

Configuration considerations:

• Pool size: Balance between resource usage and concurrency
• Connection timeout: How long to wait for available connection
• Idle timeout: When to close unused connections
• Health checks: Validate connections before use

Indexes: Data structures that improve query performance by creating shortcuts to data

Types:

• B-tree: Default, good for equality and range queries
• Hash: Fast for equality lookups only
• Bitmap: Efficient for low-cardinality data
• Partial: Index subset of rows based on condition

Trade-offs: Faster reads vs slower writes, additional storage overhead

Best practices: Index frequently queried columns, avoid over-indexing, monitor index usage

Safe migration practices:

1. Backward compatibility: New code works with old schema
2. Forward compatibility: Old code works with new schema
3. Incremental changes: Small, reversible migrations
4. Test on staging: Identical environment testing
5. Rollback plan: Always have a rollback strategy
6. Zero-downtime: Avoid locking operations during peak hours

Sharding: Horizontal partitioning of data across multiple databases

When to shard: Single database can't handle load, data size exceeds single machine capacity

Sharding strategies:

• Range-based: Partition by data range (user_id 1-1000, 1001-2000)
• Hash-based: Use hash function on key (user_id % 4)
• Directory-based: Lookup service maps keys to shards

Challenges: Cross-shard queries, rebalancing, increased complexity

Alternatives: Read replicas, vertical partitioning, caching layers

CAP Theorem: You can only guarantee 2 of 3 properties in distributed systems:

• Consistency: All nodes see same data at same time
• Availability: System remains operational
• Partition tolerance: System continues despite network failures

Real-world examples:

• CA: Traditional RDBMS (not partition tolerant)
• CP: MongoDB, Redis (sacrifice availability for consistency)
• AP: DynamoDB, Cassandra (eventual consistency)

Practical implication: In network partitions, choose consistency or availability

Backup strategies:

• Full backups: Complete database snapshot (weekly)
• Incremental: Only changed data since last backup (daily)
• Point-in-time: Transaction log backups for specific recovery points
• Hot vs Cold: Online backups vs offline with downtime

3-2-1 Rule: 3 copies of data, 2 different media types, 1 offsite

Recovery considerations: RTO (Recovery Time Objective), RPO (Recovery Point Objective)

Testing: Regularly test backup restoration process

"There are only two hard things in Computer Science: cache invalidation and naming things"

Strategies:

• TTL (Time To Live): Automatic expiration after fixed time
• Event-based: Invalidate on data updates (pub/sub pattern)
• Tag-based: Group related cache entries with tags
• Manual: Explicit invalidation in business logic

Distributed caching patterns:

• Shared Cache: Single cache cluster accessed by all app instances
• Replicated Cache: Each app instance has copy of cache data
• Partitioned Cache: Cache data distributed across multiple nodes

Consistent hashing: Distribute keys evenly, minimize rehashing when nodes change

Challenges: Network latency, cache coherency, failover handling

CDN (Content Delivery Network): Geographically distributed servers that cache content closer to users

Benefits:

• • Reduced latency (geographic proximity)
• • Lower bandwidth costs
• • Improved availability and redundancy
• • DDoS protection
• • Reduced origin server load

Best practices:

• • Set appropriate cache headers (Cache-Control, ETag)
• • Use versioned URLs for cache busting
• • Optimize cache hit ratio
• • Monitor cache performance metrics

Key metrics:

• Latency: Response time (p50, p95, p99 percentiles)
• Throughput: Requests per second
• Error rate: Percentage of failed requests
• Resource utilization: CPU, memory, database connections

Optimization techniques:

• • Database query optimization
• • Implement caching layers
• • Use compression (gzip)
• • Connection pooling
• • Async processing for heavy operations
• • Load balancing and horizontal scaling

Common causes:

• Unclosed resources: Database connections, file handles, HTTP connections
• Event listeners: Not removing event handlers
• Global variables: Accumulating data in global scope
• Circular references: Objects referencing each other
• Caches without limits: Unbounded cache growth

Detection: Memory monitoring, profiling tools, heap dumps

JWT Security best practices:

• Short expiration times: 15-30 minutes for access tokens
• Use refresh tokens: Longer-lived, revocable tokens
• Strong secret keys: Use cryptographically secure random keys
• HTTPS only: Never send JWTs over HTTP
• Secure storage: HttpOnly cookies, not localStorage
• Validate claims: Check issuer, audience, expiration

Prevention techniques:

• Parameterized queries: Use prepared statements with parameters
• Stored procedures: When properly implemented
• Input validation: Whitelist allowed characters
• Principle of least privilege: Database user with minimal permissions
• Escape special characters: When parameterized queries aren't possible

Password hashing best practices:

• Use bcrypt, scrypt, or Argon2: Slow hashing algorithms with salt
• Never store plaintext: Hash passwords before storage
• Unique salts: Different salt per password
• High work factor: Adjust cost parameter for security vs performance
• Password policies: Minimum length, complexity requirements

CORS (Cross-Origin Resource Sharing): Browser security feature that restricts cross-origin HTTP requests

Secure configuration:

• Specific origins: Never use * in production
• Limit methods: Only allow necessary HTTP methods
• Control headers: Restrict allowed and exposed headers
• Credentials handling: Be careful with Access-Control-Allow-Credentials

RBAC Components:

• Users: Individual accounts
• Roles: Groups of permissions (admin, editor, viewer)
• Permissions: Specific actions (read, write, delete)
• Resources: Objects being protected

Best practices: Principle of least privilege, role hierarchies, audit logs

Microservices: Architectural pattern where applications are built as independent, loosely coupled services

Benefits:

• • Independent deployment and scaling
• • Technology diversity
• • Team autonomy
• • Fault isolation

Challenges:

• • Distributed system complexity
• • Network latency and reliability
• • Data consistency
• • Monitoring and debugging

When to use: Large teams, complex domains, need for different scaling patterns. Start with monolith for small teams/simple domains.

Synchronous communication:

• REST APIs: HTTP-based, stateless, widely supported
• GraphQL: Single endpoint, flexible queries
• gRPC: High-performance, type-safe, HTTP/2

Asynchronous communication:

• Message queues: RabbitMQ, Apache Kafka, AWS SQS
• Event streaming: Pub/sub patterns, event sourcing
• Service mesh: Istio, Linkerd for service-to-service communication

Best practices: Circuit breakers, retries with backoff, timeouts, idempotency

Circuit Breaker: Design pattern that prevents cascading failures in distributed systems

States:

• Closed: Normal operation, requests pass through
• Open: Failures detected, requests fail fast
• Half-Open: Limited requests to test if service recovered

Benefits: Prevents cascade failures, improves system resilience, provides fallback mechanisms

Two-Phase Commit (2PC): Coordinator ensures all participants commit or abort

• • Phase 1: Vote to commit/abort
• • Phase 2: Commit or abort based on votes
• • Problems: Blocking protocol, single point of failure

Saga Pattern (Preferred): Sequence of local transactions with compensating actions

• Choreography: Events trigger next steps
• Orchestration: Central coordinator manages flow

Eventual Consistency: Accept temporary inconsistency for better availability

Message Queues: Asynchronous communication mechanism between services

Benefits:

• • Decoupling of services
• • Reliability (persistence, acknowledgments)
• • Scalability (handle traffic spikes)
• • Fault tolerance

Use cases:

• • Background job processing
• • Event-driven architecture
• • Load balancing across workers
• • Handling traffic spikes

Popular solutions: RabbitMQ (feature-rich), Apache Kafka (high-throughput), AWS SQS (managed), Redis Pub/Sub (simple)

Service Discovery: Mechanism for services to find and communicate with each other

Patterns:

• Client-side discovery: Client queries service registry (Eureka, Consul)
• Server-side discovery: Load balancer handles discovery (AWS ELB, Kubernetes)

Service Registry: Database of available service instances

• • Health checks
• • Load balancing
• • Failover handling

Scalability principles:

Architecture patterns:

• • Microservices for independent scaling
• • Event-driven architecture
• • CQRS (Command Query Responsibility Segregation)
• • Data partitioning strategies

Monitoring & reliability: Comprehensive logging, metrics, alerting, circuit breakers, graceful degradation