Code Room
On-call · Hard
Question
A bug-bounty report comes in: your OAuth callback page, after exchanging the code, briefly renders the access token in a URL query parameter (…/welcome?access_token=…) before a client-side redirect strips it. That page embeds third-party analytics and an ad pixel. Because the token is in the URL, it leaks to those third parties via the Referer header, and it's been recorded in your CDN access logs and the analytics vendor for months. The tokens are bearer tokens valid for 1 hour with a 30-day refresh token. You're the on-call security engineer. Triage and respond.
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
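Quantifying the exposure is the part of the triage that is hardest to do by hand: the token has been sitting in CDN access logs for months, so the scope question ("how many distinct tokens, over what window?") has to be answered from those logs without copying bearer tokens into a ticket. The script below is an added example and is not part of the original page or any project's code; the combined-format log lines, the `SENSITIVE_PARAMS` list and the field names are constructed for this scenario. It extracts sensitive query parameters from request URLs, records only a SHA-256 fingerprint of each value, computes the exposure window, and provides the redaction function you would put in front of the log pipeline so the same class of leak is no longer recorded.

```python
"""Triage helper for a bearer token leaked in URL query parameters.

Added example for illustration; log format and sample lines are constructed.
"""
import hashlib
import re
from datetime import date, datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed CDN access-log sample (combined log format). Two distinct
# tokens appear; tokA111 is seen on two different days.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2024:10:01:02 +0000] "GET /welcome?access_token=tokA111&state=xyz HTTP/1.1" 200 512 "https://idp.example/authorize"
203.0.113.9 - - [02/Mar/2024:10:05:44 +0000] "GET /welcome?utm_source=mail HTTP/1.1" 200 512 "-"
198.51.100.2 - - [03/Mar/2024:08:12:00 +0000] "GET /welcome?access_token=tokB222 HTTP/1.1" 200 512 "-"
198.51.100.7 - - [03/Mar/2024:08:13:10 +0000] "GET /welcome?access_token=tokA111 HTTP/1.1" 200 512 "-"
"""

# Hypothetical list of query keys that must never be logged or sent in a URL.
SENSITIVE_PARAMS = {"access_token", "refresh_token", "id_token", "code"}

# Pulls the request day and the request path out of a combined-format line.
LOG_RE = re.compile(
    r'\[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<method>\S+) (?P<path>\S+) '
)


def fingerprint(token: str) -> str:
    """Truncated SHA-256 of a secret; tickets and reports carry this, never the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def extract_leaked_tokens(log_text: str) -> dict:
    """Map fingerprint -> set of days (as date objects) on which that value appeared in a URL."""
    leaked: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        day = datetime.strptime(m.group("day"), "%d/%b/%Y").date()
        query = urlsplit(m.group("path")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in SENSITIVE_PARAMS and value:
                leaked.setdefault(fingerprint(value), set()).add(day)
    return leaked


def exposure_window(log_text: str) -> tuple:
    """(first_day, last_day) across all leaked values, or (None, None) if nothing leaked."""
    days = {d for ds in extract_leaked_tokens(log_text).values() for d in ds}
    if not days:
        return (None, None)
    return (min(days), max(days))


def redact_url(path: str) -> str:
    """Replace sensitive query values with a marker; used in the log pipeline going forward."""
    parts = urlsplit(path)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k in SENSITIVE_PARAMS for k, _ in pairs):
        return path  # nothing to change, keep the original bytes untouched
    cleaned = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def summary(log_text: str) -> dict:
    """Numbers an incident update needs: distinct tokens and the exposure window."""
    leaked = extract_leaked_tokens(log_text)
    first, last = exposure_window(log_text)
    return {
        "distinct_tokens": len(leaked),
        "first_seen": first.isoformat() if isinstance(first, date) else None,
        "last_seen": last.isoformat() if isinstance(last, date) else None,
    }


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    for fp, days in extract_leaked_tokens(SAMPLE_LOG).items():
        print(fp, sorted(d.isoformat() for d in days))
    print(redact_url("/welcome?access_token=tokA111&state=xyz"))
```

Because the refresh tokens live 30 days and the logs span months, the fingerprints are a lower bound, not the revocation list: logs may be rotated or sampled, and the analytics vendor and ad network hold their own copies. The defensible move is to revoke every access and refresh token issued through that callback during the window `exposure_window` reports, then keep `redact_url` in place as a compensating control while the callback is changed to stop putting tokens in the URL at all.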