Hiring Senior React/Next.js Engineers: Questions and Tasks That Reveal True Expertise
Great resumes rarely expose great React/Next.js engineers; rigorous, scenario-driven evaluation does. Use this guide to surface architectural judgment, code quality, and product sense for enterprise-grade builds, including cloud-native applications and custom dashboard and admin portal development.
What you must assess
- Architecture: SSR/SSG/ISR trade-offs, App Router vs Pages, data fetching strategies, and boundaries between frontend, BFF, and APIs.
- Performance: React concurrency, memoization, streaming, image optimization, and Core Web Vitals budgets.
- TypeScript: types as contracts, discriminated unions, generics, and incremental typing for legacy code.
- State and data: React Query/SWR, server actions, cache invalidation, optimistic updates, and websocket events.
- Security: XSS/CSRF, session hardening, OAuth/OIDC, and the enterprise mobile app security considerations that apply when components and tokens are shared with a React Native client.
- Reliability: error boundaries, retries/backoff, feature flags, and graceful degradation.
- Testing: Playwright/Cypress, React Testing Library, contract tests for APIs, and visual regression.
- DX and CI/CD: linting, codegen, Turborepo, story-driven development, and preview environments.
- Observability: web vitals, RUM, logs/traces, and feature-level analytics.
High-signal interview questions
- When would you choose SSR over ISR for a pricing page with frequent micro-updates and personalized discounts? Explain cache keys, revalidation, and stale-while-revalidate semantics.
- Describe your strategy to migrate a large Pages Router app to the App Router without downtime. How do you split routes, share layouts, and phase data fetching?
- Design a secure session model for SSO on a multi-tenant admin portal. Cover token storage, rotation, tenant isolation, and protection against confused-deputy problems.
- How do you implement streaming server components with Suspense boundaries for a dashboard that mixes slow analytics and fast notifications?
- Give a concrete example of reducing TTFB and LCP by 30% on Next.js. Which metrics, tools, and code changes delivered the win?
- Walk through your approach to building accessible, keyboard-first data grids with virtualization, selection, and inline editing.
- Explain a time you deleted code to make the system faster or safer. What guardrails kept it maintainable?
Targeted take-home task (6-8 hours)
Scope a realistic, auditable build. Candidates should deliver a repo, decisions doc, and short Loom or README walkthrough.

- Build a custom dashboard and admin portal development proof of concept: Next.js App Router, TypeScript, Tailwind or CSS Modules, and React Query.
- Data: Mock a "Projects" service with Next.js Route Handlers and seed JSON. Include filtering, sorting, and infinite scroll.
- Auth: Email + magic link plus optional SSO stub. Demonstrate multi-tenant RBAC with admin, manager, and viewer roles; include a simple policy engine.
- Security: Implement CSRF protection for mutations, Content-Security-Policy headers, cookies with Secure, HttpOnly, and SameSite attributes, and output encoding to prevent XSS. Discuss the enterprise mobile app security parallels for token handling when components are shared with React Native.
- Performance: Set a 2.0s LCP budget on mid-tier mobile. Use image optimization, route-level streaming, and partial hydration. Provide a performance report before/after.
- Reliability: Add error boundaries, server-side input validation with Zod, and retries with exponential backoff. Include feature flags for one risky feature.
- Observability: Add simple logging, browser timing marks, and a custom Web Vitals collector endpoint. Show a trace of a slow page.
- Edge and cloud-native applications: Put an API route on the edge runtime, demonstrate caching, and document how this would scale across regions.
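The security items in the take-home above (CSRF protection for mutations, a Content-Security-Policy header, hardened cookies) are the kind of thing a reviewer wants to see in code rather than only in the decisions doc. The block below is an added example, not code from the original page or from any candidate submission: framework-agnostic TypeScript helpers of the sort a Next.js middleware or Route Handler would call. The origin, signing key, header names and the minimal request shape are assumptions made for the example.

```typescript
// Added example (not from the original page): framework-agnostic hardening
// helpers mirroring what a Next.js middleware or Route Handler would do.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Minimal request shape so the helpers run outside Next.js. In the app, pass
// req.method and Object.fromEntries(req.headers) (header names lower-cased).
interface IncomingReq {
  method: string;
  headers: Record<string, string>;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Hypothetical origin and key; load the key from a secret store in practice.
const APP_ORIGIN = "https://admin.example.com";
const CSRF_KEY = "hypothetical-32-byte-csrf-signing-key";

// Session-bound CSRF token: random nonce + HMAC(sessionId, nonce).
// Binding to the session defeats attacker-planted (fixated) tokens.
function issueCsrfToken(sessionId: string): string {
  const nonce = randomBytes(16).toString("hex");
  const mac = createHmac("sha256", CSRF_KEY).update(`${sessionId}:${nonce}`).digest("hex");
  return `${nonce}.${mac}`;
}

function csrfTokenValid(sessionId: string, token: string): boolean {
  const [nonce, mac] = token.split(".");
  if (!nonce || !mac) return false;
  const expected = createHmac("sha256", CSRF_KEY).update(`${sessionId}:${nonce}`).digest("hex");
  const a = Buffer.from(mac, "hex");
  const b = Buffer.from(expected, "hex");
  return a.length === b.length && timingSafeEqual(a, b); // constant-time compare
}

// Gate every state-changing request with two independent checks: browser-set
// fetch metadata / Origin, and the session-bound token echoed in a header.
function checkCsrf(req: IncomingReq, sessionId: string): { ok: boolean; reason?: string } {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { ok: false, reason: `sec-fetch-site=${site}` };
  }
  const origin = req.headers["origin"];
  if (origin && origin !== APP_ORIGIN) return { ok: false, reason: `origin=${origin}` };
  const token = req.headers["x-csrf-token"];
  if (!token || !csrfTokenValid(sessionId, token)) {
    return { ok: false, reason: "csrf token missing or invalid" };
  }
  return { ok: true };
}

// Session cookie: the __Host- prefix forces Secure, Path=/ and no Domain, so a
// compromised sibling subdomain cannot overwrite it. HttpOnly keeps it away
// from XSS; SameSite=Lax stops cross-site POSTs from carrying it.
function sessionCookie(name: string, value: string, maxAgeSeconds: number): string {
  return `__Host-${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Nonce-based CSP: only scripts carrying the per-request nonce (and what they
// load, via 'strict-dynamic') may run, so injected inline scripts are inert.
function cspHeader(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
    "form-action 'self'",
  ].join("; ");
}
```

Two caveats a strong candidate should raise unprompted: the Origin and Sec-Fetch-Site checks are defense in depth only, because some non-browser clients send neither header, which is why the session-bound token stays mandatory; and a nonce-based CSP requires the nonce to be generated per request and propagated to every script tag, and in Next.js development mode script-src additionally needs 'unsafe-eval' for hot reloading.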
Live pairing prompts
- Refactor a gnarly useEffect into server actions plus a tiny client component. Require type-safe mutations and optimistic UI.
- Harden a vulnerable file upload flow. Add content-type validation, size limits, signed URLs, and server-side virus scanning hooks.
- Instrument a regressing LCP in real time and propose a fix while narrating trade-offs.
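For the upload-hardening prompt, the added example below shows the server side a candidate should arrive at: magic-byte sniffing against a type allow-list, a size cap, and HMAC-signed, expiring download URLs. It is not code from the original page; the size limit, signing key, file host and the constructed sample files are assumptions. Virus scanning is deliberately left as a separate step: run it after this validation passes and before the stored object becomes reachable by URL.

```typescript
// Added example (not from the original page): the hardened side of an upload
// flow, with constructed inputs. Limits, key and host are hypothetical.
import { createHmac, timingSafeEqual } from "node:crypto";

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

// Allow-list: accepted types and the magic bytes that must open the file.
// The declared Content-Type is attacker-controlled; the bytes are not.
const SIGNATURES: Record<string, number[][]> = {
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "application/pdf": [[0x25, 0x50, 0x44, 0x46]], // "%PDF"
};

function hasPrefix(bytes: Uint8Array, sig: number[]): boolean {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

function sniffType(bytes: Uint8Array): string | undefined {
  for (const [type, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((sig) => hasPrefix(bytes, sig))) return type;
  }
  return undefined;
}

interface UploadVerdict { ok: boolean; reason?: string; detected?: string }

// Size first (cheap), then the allow-list, then require the sniffed type to
// match the declared one so an HTML payload cannot ride in as "image/png".
function validateUpload(declaredType: string, bytes: Uint8Array): UploadVerdict {
  if (bytes.length === 0) return { ok: false, reason: "empty body" };
  if (bytes.length > MAX_UPLOAD_BYTES) return { ok: false, reason: "exceeds size limit" };
  const declared = (declaredType.toLowerCase().split(";")[0] ?? "").trim();
  if (!(declared in SIGNATURES)) return { ok: false, reason: `type not allowed: ${declared}` };
  const detected = sniffType(bytes);
  if (detected !== declared) return { ok: false, reason: "bytes do not match declared type", detected };
  return { ok: true, detected };
}

// Short-lived signed URL for the stored object. The MAC covers the object key
// and the expiry, so neither can be swapped without the key.
const URL_SIGNING_KEY = "hypothetical-url-signing-key";
const FILES_ORIGIN = "https://files.example.com";

function urlMac(objectKey: string, exp: number): string {
  return createHmac("sha256", URL_SIGNING_KEY).update(`${objectKey}\n${exp}`).digest("base64url");
}

function signUrl(objectKey: string, ttlSeconds: number, nowMs = Date.now()): string {
  const exp = Math.floor(nowMs / 1000) + ttlSeconds;
  return `${FILES_ORIGIN}/${encodeURIComponent(objectKey)}?exp=${exp}&sig=${urlMac(objectKey, exp)}`;
}

function verifyUrl(url: string, nowMs = Date.now()): boolean {
  const u = new URL(url);
  if (u.origin !== FILES_ORIGIN) return false;
  const objectKey = decodeURIComponent(u.pathname.slice(1));
  const exp = Number(u.searchParams.get("exp"));
  const sig = u.searchParams.get("sig") ?? "";
  if (!Number.isFinite(exp) || exp < Math.floor(nowMs / 1000)) return false;
  const a = Buffer.from(sig);
  const b = Buffer.from(urlMac(objectKey, exp));
  return a.length === b.length && timingSafeEqual(a, b); // constant-time compare
}
```

The interview signal is in the ordering and the mismatch case: a candidate who checks only the declared Content-Type, or who accepts a file whose sniffed type differs from the declared one, has left the classic stored-XSS-via-upload path open.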
Red flags and signal amplifiers
- Red flags: Reliance on client-heavy patterns, vague answers about caching, no opinion on API contracts, dismissal of accessibility, or treating security as an afterthought.
- Signal amplifiers: Explains failure modes, writes small composable components, uses types as design, quantifies impact, and asks sharp product questions.
Evaluation rubric
- Architecture and correctness (30%): sound route/data strategy, clear boundaries, safe concurrency.
- Performance and UX (20%): measurable wins against stated budgets.
- Security and privacy (20%): robust auth, safe storage, headers, and threat modeling.
- Testing and maintainability (20%): coverage where it counts, contracts, stories, and CI discipline.
- Communication (10%): crisp decisions doc, trade-off narration, and proactive risk notes.
Real-world scenario prompts
Your exec team wants real-time financial dashboards for 200k tenants. Ask which data should stream versus poll, how to shard caches, and which parts run at the edge, then have the candidate justify the plan in one page.

Compliance requires audit trails. Add append-only logs to every admin action, surface them in the UI, and export them to an external SIEM. Measure the cost and latency overhead.
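One concrete shape the audit-trail scenario can take, as an added example and not a solution the page prescribes: each admin action becomes a record whose hash covers the previous record's hash, so the exported log is tamper-evident and the SIEM can re-verify it independently. The record fields, the SHA-256 chaining and the constructed events are assumptions made for the example.

```typescript
// Added example (not from the original page): a hash-chained, append-only
// audit log for admin actions, exported as JSON lines for an external SIEM.
import { createHash } from "node:crypto";

interface AuditEvent {
  ts: string;        // ISO-8601 timestamp
  tenantId: string;
  actorId: string;
  action: string;    // e.g. "role.grant"
  target: string;
}

interface AuditRecord extends AuditEvent {
  seq: number;       // position in the chain
  prevHash: string;  // hash of the previous record (GENESIS for the first)
  hash: string;      // SHA-256 over seq, prevHash and the event fields
}

const GENESIS = "0".repeat(64);

// Fixed field order so hashing is canonical regardless of object key order.
function hashRecord(r: Omit<AuditRecord, "hash">): string {
  const canonical = JSON.stringify([r.seq, r.prevHash, r.ts, r.tenantId, r.actorId, r.action, r.target]);
  return createHash("sha256").update(canonical).digest("hex");
}

class AuditLog {
  private records: AuditRecord[] = [];

  append(ev: AuditEvent): AuditRecord {
    const prev = this.records[this.records.length - 1];
    const unsigned = { ...ev, seq: this.records.length, prevHash: prev ? prev.hash : GENESIS };
    const rec: AuditRecord = { ...unsigned, hash: hashRecord(unsigned) };
    this.records.push(rec);
    return rec;
  }

  // Hash of the newest record; publish it somewhere the admin cannot rewrite.
  headHash(): string {
    const last = this.records[this.records.length - 1];
    return last ? last.hash : GENESIS;
  }

  toJsonl(): string {
    return this.records.map((r) => JSON.stringify(r)).join("\n");
  }
}

// Re-derive every hash from the exported lines. Any edit, reorder or deletion
// inside the chain breaks the link at that index.
function verifyChain(jsonl: string, expectedHead?: string): { ok: boolean; brokenAt?: number } {
  const recs: AuditRecord[] = jsonl.split("\n").filter(Boolean).map((l) => JSON.parse(l));
  let prevHash = GENESIS;
  for (let i = 0; i < recs.length; i++) {
    const { hash, ...unsigned } = recs[i];
    if (unsigned.seq !== i || unsigned.prevHash !== prevHash || hashRecord(unsigned) !== hash) {
      return { ok: false, brokenAt: i };
    }
    prevHash = hash;
  }
  // A truncated tail is still internally consistent; catching it needs the
  // current head hash anchored outside the writer's control (e.g. the SIEM).
  if (expectedHead !== undefined && prevHash !== expectedHead) {
    return { ok: false, brokenAt: recs.length };
  }
  return { ok: true };
}
```

The failure mode worth probing in the interview is the one the verifier's last check covers: a hash chain detects edits, reorders and deletions inside the sequence, but dropping the newest records leaves a chain that still verifies, so the head hash has to be anchored externally, for example by the SIEM export itself.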
Sourcing top talent
Hire via slashdev.io for velocity.