OpenJS Foundation Express Practice Exam, Exams of Technology

This exam evaluates backend development proficiency using Express.js. It covers routing architecture, middleware design patterns, error handling, request lifecycle, template engines, REST API design, session management, security considerations (CORS, CSRF, rate limiting), deployment strategies, and testing frameworks. Candidates build and optimize Express APIs, debug middleware, and architect scalable server-side solutions.

Typology: Exams

2025/2026

Available from 01/12/2026

shilpi-jain-1

**Question 1. Which of the following code snippets correctly creates an Express server that
listens on port 3000?**
A) `http.createServer(app).listen(3000);`
B) `const app = require('express')(); app.listen(3000);`
C) `require('express')().listen(80);`
D) `app.use(express()).listen(3000);`
Answer: B
Explanation: `require('express')()` returns an Express application instance. Calling `.listen(3000)`
on that instance starts the server on port 3000.
**Question 2. In Express, which middleware function is used to serve static files from a
directory named “public”?**
A) `app.use(express.static('public'));`
B) `app.use('/static', express());`
C) `app.static('public');`
D) `app.use(static('public'));`
Answer: A
Explanation: `express.static` is the built-in middleware for serving static assets. It takes the
directory path as an argument.
**Question 3. When using a template engine such as Pug with Express, which line registers the
engine?**
A) `app.set('view engine', 'pug');`
B) `app.use('pug');`
C) `app.engine('pug', pug.renderFile);`
D) `app.render('pug');`
Answer: A
Explanation: Setting the `view engine` property tells Express which engine to use for rendering view files.
**Question 4. Which HTTP status code should be returned after successfully creating a new resource via a POST request?**
A) 200
B) 201
C) 202
D) 204
Answer: B
Explanation: 201 Created indicates that the request has resulted in a new resource being created.
**Question 5. Which Express method is appropriate for handling a partial update of a resource?**
A) `app.put`
B) `app.patch`
C) `app.post`
D) `app.delete`
Answer: B
Explanation: PATCH is defined for partial modifications, whereas PUT expects the full resource representation.
**Question 6. To automatically parse incoming JSON payloads, which middleware should be added to an Express app?**
A) `app.use(express.urlencoded({ extended: true }));`
B) `app.use(express.json());`
C) `app.use(bodyParser.text());`

C) Secure HTTP headers
D) Rate limiting
Answer: C
Explanation: Helmet sets various security-related HTTP headers such as CSP, HSTS, and X-Frame-Options.
**Question 10. Which of the following options correctly limits a client to 100 requests per hour using the express-rate-limit package?**
A) `app.use(rateLimit({ windowMs: 60 * 60 * 1000, max: 100 }));`
B) `app.use(rateLimit({ windowSec: 3600, limit: 100 }));`
C) `app.use(limit({ time: 3600000, requests: 100 }));`
D) `app.use(rateLimiter({ hour: 100 }));`
Answer: A
Explanation: `windowMs` defines the time window in milliseconds and `max` defines the request limit.
**Question 11. Which of the following statements about Express error-handling middleware is true?**
A) It must have three parameters: `err`, `req`, `res`.
B) It must be placed before any route definitions.
C) It must have four parameters: `err`, `req`, `res`, `next`.
D) It can only handle synchronous errors.
Answer: C
Explanation: Express identifies error-handling middleware by the presence of four arguments.
**Question 12. In a production environment, which Express setting should be disabled to avoid leaking stack traces to clients?**
A) `app.set('trust proxy', true);`
B) `app.set('x-powered-by', false);`
C) `app.set('env', 'development');`
D) `app.disable('view cache');`
Answer: C
Explanation: When `process.env.NODE_ENV` is `'development'`, Express includes detailed error information in responses.
**Question 13. Which npm command installs Express as a production dependency and adds it to package.json?**
A) `npm install express --save-dev`
B) `npm install express --save`
C) `npm add express`
D) `npm install express -D`
Answer: B
Explanation: `--save` (default in npm 5+) adds the package to the dependencies section.
**Question 14. When using the axios library inside an Express route, which syntax correctly awaits the response from a GET request to https://api.example.com/data?**
A) `const data = await axios.get('https://api.example.com/data');`
B) `axios.get('https://api.example.com/data').then(data => {});`
C) `const { data } = await axios('https://api.example.com/data');`
D) `const response = await axios.get('https://api.example.com/data'); const data = response.body;`
Answer: A
Explanation: `axios.get` returns a promise that resolves to a response object; awaiting it yields the full response.

Explanation: All listed headers instruct browsers and proxies not to cache the response.
**Question 18. Which of the following is a correct way to define a route that responds to both GET and POST requests on /submit?**
A) `app.all('/submit', handler);`
B) `app.route('/submit').get(handler).post(handler);`
C) `app.use('/submit', handler);`
D) Both A and B are correct.
Answer: D
Explanation: `app.all` matches any HTTP method, while `app.route` can chain specific methods.
**Question 19. When validating incoming data with Joi, which schema enforces that the field email must be a valid email address?**
A) `Joi.string().email()`
B) `Joi.email()`
C) `Joi.string().isEmail()`
D) `Joi.object({ email: Joi.email() })`
Answer: A
Explanation: `Joi.string().email()` validates that the string conforms to email format.
**Question 20. In an Express application, which environment variable is commonly used to set the listening port?**
A) `PORT`
B) `EXPRESS_PORT`
C) `SERVER_PORT`
D) `APP_PORT`
Answer: A
Explanation: The de-facto standard for Node.js apps is the `PORT` environment variable.
**Question 21. Which of the following statements about middleware order in Express is true?**
A) Middleware defined after a route will never run for that route.
B) All middleware runs before any route handlers, regardless of order.
C) Middleware order does not affect request handling.
D) Only error-handling middleware is order-sensitive.
Answer: A
Explanation: Express processes middleware and routes in the order they are added. Middleware placed after a matching route will not be reached for that request.
**Question 22. What does the `next('route')` call do inside a route handler?**
A) Passes control to the next middleware in the stack.
B) Skips remaining handlers for the current route and proceeds to the next matching route.
C) Triggers an error with the message “route”.
D) Ends the response and sends a 404.
Answer: B
Explanation: `next('route')` tells Express to skip the rest of the current route’s handlers and continue searching for the next route that matches.
**Question 23. Which of the following is the most secure way to store a secret JWT signing key in an Express project?**
A) Hard-code it in a source file.
B) Store it in a .env file and load with dotenv.
C) Place it in package.json under a custom field.
D) Keep it in a global variable in app.js.
Answer: B

Explanation: 404 Not Found signals that the requested resource could not be found.
**Question 27. Which Express method would you use to mount a router at the path /api/v1?**
A) `app.use('/api/v1', router);`
B) `app.mount('/api/v1', router);`
C) `router.use('/api/v1');`
D) `app.route('/api/v1', router);`
Answer: A
Explanation: `app.use` attaches middleware or routers to a specific base path.
**Question 28. How can you send a JSON response with a custom status code of 202 from an Express handler?**
A) `res.status(202).json({ message: 'Accepted' });`
B) `res.json(202, { message: 'Accepted' });`
C) `res.sendStatus(202).json({ message: 'Accepted' });`
D) `res.setStatus(202).send({ message: 'Accepted' });`
Answer: A
Explanation: `res.status(code).json(obj)` sets the status and sends JSON.
**Question 29. When working with the undici client library, which method initiates a GET request?**
A) `undici.get(url)`
B) `undici.request(url, { method: 'GET' })`
C) `undici.fetch(url)`
D) `undici.request(url)`
Answer: B
Explanation: `undici.request` accepts an options object where the HTTP method is specified.
**Question 30. Which of the following best prevents HTTP Parameter Pollution attacks in an Express app?**
A) Using helmet
B) Validating that each query parameter appears only once
C) Enabling CORS
D) Setting trust proxy to true
Answer: B
Explanation: Parameter pollution occurs when duplicate query keys are sent; validation that each key appears only once mitigates it.
**Question 31. What is the effect of calling `app.set('trust proxy', 1);` in an Express application?**
A) Disables proxy support.
B) Tells Express that the first proxy in the chain is trusted for IP address extraction.
C) Enables HTTPS enforcement automatically.
D) Limits the number of proxies to one.
Answer: B
Explanation: The setting informs Express how many hops to trust when reading the X-Forwarded-For header.
**Question 32. Which HTTP header does the helmet middleware set to protect against click-jacking?**
A) `X-Content-Type-Options`
B) `X-Frame-Options`
C) `X-XSS-Protection`

D) Calling `next('route')` skips remaining handlers for the current route.
Answer: C
Explanation: An error-handling middleware is identified by having four parameters (`err`, `req`, `res`, `next`), not by omitting `next`.
**Question 36. Which of the following is the recommended way to compress HTTP responses in an Express app?**
A) `app.use(compression());`
B) `app.use(gzip());`
C) `app.use(zlib());`
D) `app.use(compress());`
Answer: A
Explanation: The compression package provides gzip/deflate compression middleware.
**Question 37. When using express-validator, which method checks that the field age is an integer greater than 0?**
A) `check('age').isInt({ min: 1 })`
B) `body('age').isNumeric().gt(0)`
C) `param('age').isPositive()`
D) `query('age').isInt({ gt: 0 })`
Answer: A
Explanation: `isInt({ min: 1 })` validates that the value is an integer ≥ 1.
**Question 38. Which HTTP method is idempotent but not safe, and is commonly used for updating a resource entirely?**
A) GET
B) POST
C) PUT
D) PATCH
Answer: C
Explanation: PUT is idempotent (multiple identical requests have the same effect) but not safe because it modifies state.
**Question 39. Which of the following correctly disables the X-Powered-By header in an Express app?**
A) `app.disable('x-powered-by');`
B) `app.set('x-powered-by', false);`
C) `app.use(helmet.hidePoweredBy());`
D) Both B and C are correct.
Answer: D
Explanation: Setting the property to false or using Helmet’s `hidePoweredBy` both remove the header.
**Question 40. To stream a large JSON file to the client without loading it entirely into memory, which pattern should be used?**
A) `res.sendFile('large.json');`
B) `fs.createReadStream('large.json').pipe(res);`
C) `res.json(largeObject);`
D) `res.write(JSON.stringify(largeObject));`
Answer: B
Explanation: `createReadStream` streams the file directly to the response, conserving memory.
**Question 41. Which of the following is a correct way to mount a sub-application at /admin that has its own router?**

**Question 44. Which of the following is the most appropriate HTTP status code to indicate that the client must authenticate before accessing a protected resource?**
A) 401
B) 403
C) 407
D) 400
Answer: A
Explanation: 401 Unauthorized signals that authentication is required (often with a WWW-Authenticate header).
**Question 45. Which of the following code snippets correctly adds a custom middleware that logs the request method and URL, then passes control onward?**
A) `app.use((req, res, next) => { console.log(req.method, req.url); next(); });`
B) `app.use((req, res) => { console.log(req.method, req.url); });`
C) `app.use((req, res, next) => { console.log(req.method, req.url); });`
D) `app.use((req, res) => { console.log(req.method, req.url); next(); });`
Answer: A
Explanation: The middleware must accept `next` and call it to continue the request chain.
**Question 46. When using `express.Router()`, what is the default value of `mergeParams`?**
A) true
B) false
C) null
D) undefined
Answer: B
Explanation: By default, route parameters defined on the parent router are not merged into the child router’s `req.params`.

**Question 47. Which of the following statements about the `res.redirect()` method is true?**
A) It always sends a 301 status code.
B) It can accept either a URL string or a status code and URL.
C) It automatically converts the URL to absolute form.
D) It cannot be used after `res.send()`.
Answer: B
Explanation: `res.redirect([status,] path)` allows specifying a custom status (e.g., 302) or using the default 302.
**Question 48. Which of the following best describes the purpose of the csurf middleware?**
A) Prevents cross-site scripting.
B) Provides CSRF token generation and validation.
C) Sets secure cookies.
D) Limits request rate.
Answer: B
Explanation: csurf implements Cross-Site Request Forgery protection by generating/verifying tokens.
**Question 49. In an Express route, which method sends a file for download with a custom filename “report.pdf”?**
A) `res.download('path/to/report.pdf', 'report.pdf');`
B) `res.sendFile('path/to/report.pdf', { filename: 'report.pdf' });`
C) `res.attachment('report.pdf').sendFile('path/to/report.pdf');`
D) `res.file('path/to/report.pdf', { name: 'report.pdf' });`
Answer: A
Explanation: `res.download` sets appropriate headers and allows specifying a fallback filename.

Answer: A
Explanation: `cookie.maxAge` sets the lifetime (in milliseconds) of the session cookie.
**Question 53. Which of the following correctly sets up a global error-handling middleware that logs the error and returns a JSON error message?**
A) `app.use((err, req, res, next) => { console.error(err); res.status(500).json({ error: err.message }); });`
B) `app.use((req, res, err) => { console.error(err); res.status(500).send(err.message); });`
C) `app.use((err, req, res) => { console.error(err); res.status(500).json({ error: err.message }); });`
D) `app.use((err, req, res, next) => { console.error(err); next(); });`
Answer: A
Explanation: The error-handling function must have four arguments; logging then responding is typical.
**Question 54. Which of the following is a valid way to make an Express app listen on a Unix socket file named app.sock?**
A) `app.listen('/tmp/app.sock');`
B) `app.listen(3000, '/tmp/app.sock');`
C) `app.listen({ path: '/tmp/app.sock' });`
D) `app.listen(0, '/tmp/app.sock');`
Answer: A
Explanation: Providing a string path to `app.listen` causes Node to bind to that Unix domain socket.
**Question 55. Which of the following correctly enables parsing of URL-encoded bodies with extended syntax?**
A) `app.use(express.urlencoded({ extended: true }));`
B) `app.use(express.urlencoded({ extended: false }));`
C) `app.use(bodyParser.urlencoded({ extended: true }));`
D) Both A and C are correct.
Answer: D
Explanation: Both `express.urlencoded` (built-in) and `bodyParser.urlencoded` (deprecated) accept the `extended` option.
**Question 56. In a production Express environment, which of the following practices helps prevent memory leaks caused by unreferenced timers?**
A) Using `setInterval` without clearing it.
B) Storing timers in a global array.
C) Ensuring all timers are cleared with `clearTimeout`/`clearInterval` when no longer needed.
D) Relying on Node.js to garbage-collect timers automatically.
Answer: C
Explanation: Explicitly clearing timers prevents them from keeping references that would otherwise be eligible for garbage collection.
**Question 57. Which of the following is the best way to expose a health-check endpoint that returns `{ status: "ok" }`?**
A) `app.get('/health', (req, res) => res.json({ status: 'ok' }));`
B) `app.use('/health', (req, res) => { res.send('ok'); });`
C) `app.all('/health', (req, res) => res.sendStatus(200));`
D) `app.post('/health', (req, res) => res.end('ok'));`
Answer: A
Explanation: A GET endpoint returning JSON is conventional for health checks.
**Question 58. Which of the following correctly configures Express to trust the first two proxies in a chain?**