Express.js Interview Questions 2026, 30 Q&A on Middleware, Routing, and Security

By Aditya SharmaPublished 8 Jun 2026Claim-verifiedSpot an error? Corrections open

9 min read

Interview Questions

Updated: 8 Jun 2026

Aditya's Edit

PapersAdda 2026 Placement Cycle

By Aditya Sharma·Founder & Editor, PapersAdda

What changed in 2026 drives

Mass-recruiter offer letters are flatter for 2026 batch - the 4-5 LPA ASE band has barely budged in three years while inflation eats real wages. Premium tracks (Digital, Pro, Elite, Specialist) are still where the differential lives, and they are entirely test-driven. If you are aiming higher than the default offer, the coding round is not optional pageantry - it is the entire interview.

What I'd actually study for this

01Two solid coding-round answers (1 medium-hard DSA each, with edge-case discussion) > five half-baked ones
02One real project you can defend end-to-end - file paths, design decisions, and what you would change
03One DBMS schema you actually built (not a textbook ER diagram), with at least 3 join-heavy queries written from memory
04Three behavioural STAR stories: failure recovered, conflict handled, ownership taken

Where most candidates trip up

The single biggest mistake is treating company-specific guides as primary prep and DSA as secondary. It is the opposite. Mass recruiters use the test as a filter, but premium tracks at every IT services company use coding to allocate offer band. Spend 70% of prep time on DSA + system fundamentals, 20% on company-specific patterns, 10% on HR rehearsal. Reverse that ratio and you collect the default offer.

Editorial commentary by Aditya Sharma · written for PapersAdda · not generated, not aggregated.

Express remains the default web framework Node interviewers reach for, and candidates report it shows up in most backend rounds. The questions cluster around middleware, the request-response cycle, routing, error handling, and production security. This guide compiles 30 questions from candidate-reported rounds and public preparation resources, each with code and the trade-off being tested.

The core idea: Express is a thin layer over Node's HTTP server. Everything is middleware: routing, parsing, auth, errors. Master middleware ordering and you master Express.

Fundamentals (Q1 to Q12)

Q1. What is Express.js?

Q2. What is middleware in Express?

app.use((req, res, next) => {
  req.requestTime = Date.now();
  next();
});

Q3. What are the types of middleware?

Type	Example
Application-level	`app.use(...)`
Router-level	`router.use(...)`
Built-in	`express.json()`, `express.static()`
Third-party	`helmet`, `cors`, `morgan`
Error-handling	`(err, req, res, next) => {}`

Q4. Why does middleware order matter?

Q5. What is `next()` and what happens if you forget it?

Q6. How does routing work in Express?

app.get('/users/:id', (req, res) => res.json({ id: req.params.id }));
app.post('/users', (req, res) => res.status(201).json(req.body));

Routes match by method and path; :param captures path segments into req.params, query strings populate req.query.

Q7. What is an Express Router?

const router = express.Router();
router.get('/', list);
app.use('/products', router);

Q8. How do you serve static files?

Q9. How do you parse request bodies?

Q10. What is the difference between `app.use` and `app.get`?

Q11. How do you handle query parameters and path parameters?

Q12. What status codes should an API return?

Code	Meaning
200 / 201	OK / Created
204	No content
400	Bad request (validation)
401 / 403	Unauthenticated / forbidden
404	Not found
429	Too many requests
500	Server error

Error Handling and Async (Q13 to Q21)

Q13. How does error-handling middleware work?

app.use((err, req, res, next) => {
  console.error(err);
  res.status(err.status || 500).json({ error: err.message });
});

Q14. How do you handle errors in async route handlers?

const wrap = fn => (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
app.get('/x', wrap(async (req, res) => { const d = await load(); res.json(d); }));

Express 5 forwards rejected promises to error middleware automatically. Candidates report this version difference is a common question.

Q15. What is the difference between operational and programmer errors?

Q16. How do you implement a 404 handler?

app.use((req, res) => res.status(404).json({ error: 'Not found' }));

Q17. How do you validate request input?

Q18. How do you structure a scalable Express app?

Q19. How do you handle CORS?

Q20. How do you implement authentication middleware?

function auth(req, res, next) {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) return res.status(401).json({ error: 'No token' });
  try { req.user = verify(token); next(); }
  catch { res.status(401).json({ error: 'Invalid token' }); }
}

Q21. Scenario: req.body is undefined in a POST route. Diagnose.

Security and Performance (Q22 to Q30)

Q22. What security middleware should every Express app use?

Q23. How do you prevent injection attacks?

Q24. How do you implement rate limiting?

Q25. How do you compress responses?

Q26. How do you handle file uploads safely?

Q27. How do you log requests in production?

Q28. How do you cache responses in Express?

Q29. Scenario: an Express API slows under load. Walk through diagnosis.

Q30. How do you write tests for Express routes?

const res = await request(app).get('/users/1');
expect(res.status).toBe(200);

Express Mock Test, 2026 Edition

5 original questions calibrated to the 2026 Express batch by Aditya Sharma, from candidate-reported patterns.

Question 1

Error-handling middleware is identified by:

a) being first b) having four arguments (err, req, res, next) c) a special name d) app.error

Solution: The four-argument signature marks it as error middleware. Answer: (b)

Question 2

req.body is undefined in a POST. The likely cause:

a) wrong port b) missing or misordered express.json() c) bad route name d) CORS

Solution: The JSON parser is missing or runs after the route. Answer: (b)

Question 3

In Express 4, async handler errors are:

a) auto-caught b) not auto-caught; wrap with a helper c) ignored d) fatal

Solution: Wrap async handlers; Express 5 forwards them automatically. Answer: (b)

Question 4

An in-memory rate limiter breaks under clustering because:

a) it is slow b) each process counts separately c) Redis is required d) it leaks

Solution: Counts must be shared; use Redis across instances. Answer: (b)

Question 5

Middleware runs in:

a) random order b) registration order, top to bottom c) reverse order d) alphabetical

Solution: Order of registration determines execution order. Answer: (b)

FAQ, Express.js Interview Questions

Q: Express or a newer framework for 2026? Express is still the safe default and most-tested. Confirm the company's stack on the official careers page; some use Fastify or NestJS (which builds on Express).

Q: How deep is security tested? Candidate-reported rounds expect helmet, CORS, rate limiting, validation, and injection prevention at minimum.

Q: Do freshers need error middleware? Yes, the four-argument signature and 404 handler are common fresher questions.

Q: What is the most-missed Express concept? Middleware ordering and async error handling, per candidate-reported feedback.