
Http Protocol


22 cards — 🟢 5 easy | 🟡 7 medium | 🔴 3 hard

🟢 Easy (5)

1. What is HTTP and how does it enable web communication?

A request/response application protocol used by browsers, APIs, and many other systems for network communication. It is stateless — each request is independent with no built-in memory of previous requests. State is layered on top via cookies, sessions, or tokens. HTTP/1.1 introduced persistent connections; HTTP/2 added multiplexing; HTTP/3 uses QUIC over UDP.

2. What are the main parts of a URL?

Scheme (protocol), host, port, path, query string, and fragment.
Example: https://example.com:443/path?x=1#frag. The port defaults to 80 for HTTP and 443 for HTTPS. The query string passes key-value parameters. The fragment (#frag) is client-side only and never sent to the server. URL-encoding (%20 for space) handles special characters.

3. What are the components of an HTTP request?

Method (GET, POST, PUT, DELETE, etc.), path, HTTP version, headers (Host, Content-Type, Authorization, etc.), and an optional body. The Host header is mandatory in HTTP/1.1 — it enables virtual hosting (multiple sites on one IP). Headers carry metadata; the body carries payload data for methods like POST and PUT.

4. What do the HTTP status code classes mean?

2xx = success (200 OK, 201 Created, 204 No Content). 3xx = redirect (301 Moved Permanently, 302 Found). 4xx = client error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found). 5xx = server error (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable). Monitoring 5xx rate is a key SRE metric.

5. What is HTTPS and how does it differ from HTTP?

HTTP carried over TLS (Transport Layer Security). It encrypts the communication in transit and verifies server identity via certificates. Without HTTPS, data (including passwords and cookies) travels in plaintext and can be intercepted. Modern browsers mark HTTP sites as "Not Secure." Let's Encrypt provides free TLS certificates, making HTTPS the baseline expectation.

🟡 Medium (7)

1. Which part of a URL is NOT sent to the server in an HTTP request?

The fragment (the part after #). It is handled entirely client-side for in-page navigation. The server never sees it, which means server-side logs will not contain fragment data. This is important for security — never put sensitive data in fragments assuming the server will process it. SPAs use fragments (or the History API) for client-side routing.

2. What is the difference between GET and POST?

GET requests a resource and should be safe and idempotent — no side effects, cacheable, bookmarkable. POST submits data for processing and may have side effects (create/update). GET parameters go in the URL query string (visible, limited size); POST data goes in the body (not visible in URL, no size limit). Browsers warn before resubmitting POST but not GET.

3. What are HTTP cookies used for?

Storing scoped name/value data on the client that the browser automatically sends back with subsequent requests to the same domain. Used for sessions, preferences, and tracking. Set via the Set-Cookie header in responses, sent via the Cookie header in requests. Cookies have size limits (~4KB) and should not store sensitive data in plaintext.

4. Name four important cookie attributes.

Secure (sent only over HTTPS — prevents interception), HttpOnly (inaccessible to JavaScript — mitigates XSS), SameSite (restricts cross-site sending — mitigates CSRF, values: Strict/Lax/None), and Expires/Max-Age (lifetime — session cookies expire when the browser closes, persistent cookies at the set time). A production cookie should have all four configured.

5. What does the Location header in an HTTP response indicate?

It specifies the URL to redirect the client to. Used with 3xx status codes (301, 302, 307, 308). The browser automatically follows the redirect.
Gotcha: redirect chains (A->B->C->D) add latency — each hop is a full round trip. Too many redirects also cause "redirect loop" errors. Always set Location to the final canonical URL when possible.

6. What is CORS and what problem does it solve?

Cross-Origin Resource Sharing. Browsers enforce the same-origin policy by default, blocking JavaScript from making requests to a different domain. CORS lets servers declare which origins may access their resources via Access-Control-Allow-Origin headers. Preflight requests (OPTIONS) check permissions for non-simple requests. Misconfigured CORS (Allow-Origin: *) can be a security risk for authenticated APIs.

7. How can you inspect HTTP request/response details from the command line?

curl -v shows the full request and response including headers and TLS negotiation. curl -I sends a HEAD request showing only response headers. curl -o /dev/null -w "%{http_code} %{time_total}s" URL shows status code and timing without body output. The browser devtools Network tab shows full details with waterfall timing. For APIs, httpie (http GET url) provides more readable output than curl.

🔴 Hard (3)

1. What are the key HTTP headers for caching?

Cache-Control (directives: max-age, no-cache, no-store, public/private), ETag (content hash for validation), Last-Modified (timestamp). Conditional requests use If-None-Match (ETag) and If-Modified-Since (timestamp) — the server responds 304 Not Modified if content is unchanged, saving bandwidth.
Gotcha: no-cache still caches but always revalidates; no-store truly prevents caching.

2. What is the difference between 301, 302, 307, and 308 redirects?

301 = permanent, browsers may change method to GET (unsafe for POST). 302 = temporary, browsers may change method to GET. 307 = temporary, must preserve method and body (safe for POST). 308 = permanent, must preserve method and body. Use 301/308 for permanent URL moves (SEO transfer). Use 307 for temporary redirects of API endpoints to preserve POST data.

3. Name three important HTTP security headers.

Content-Security-Policy (controls which resources can load — prevents XSS by restricting script sources), Strict-Transport-Security (HSTS — forces HTTPS for the domain, prevents downgrade attacks), X-Content-Type-Options: nosniff (prevents MIME-type sniffing — stops browsers from executing uploaded files as scripts). These three headers address the most common web attack vectors.