web apps midterm 1

Question 1

What does HTTP stand for?

Answer 1

Hypertext Transfer Protocol — stateless application-level protocol.

Question 2

Difference between HTTP/1.1, HTTP/2, HTTP/3?

Answer 2

1.1 = text, one request per connection; 2 = binary, multiplexing, header compression; 3 = like 2 but over QUIC/UDP.

Question 3

Safe & cacheable HTTP method?

Answer 3

GET.

Question 4

HTTP method used for actions, not cacheable, can cause side effects?

Answer 4

POST.

Question 5

URL components?

Answer 5

scheme://authority/path?query#fragment

Question 6

Is HTTP stateful or stateless?

Answer 6

Stateless — each request is independent.

Question 7

What does the Host header specify?

Answer 7

Requested domain/authority.

Question 8

What does the Accept header specify?

Answer 8

Content types the client prefers (e.g., text/html).

Question 9

What does the Content-Type header specify?

Answer 9

MIME type of body (e.g., application/json).

Question 10

What does the Set-Cookie header do?

Answer 10

Server asks client to store cookie.

Question 11

Cache-Control: no-store means?

Answer 11

Don’t cache response anywhere.

Question 12

What does the User-Agent header contain?

Answer 12

Client software info (browser name/version).

Question 13

Accept-Encoding header means?

Answer 13

Compression formats client supports (e.g., gzip).

Question 14

What is the ETag header?

Answer 14

Identifier for resource version (used with caching).

Question 15

What does the Location header do?

Answer 15

New URL for redirects.

Question 16

What does the Referer header show?

Answer 16

URL of page that triggered the request.

Question 17

Difference between If-Modified-Since and If-None-Match?

Answer 17

IMS = date/time check, INM = ETag check for cache validation.

Question 18

What does Connection: keep-alive mean?

Answer 18

Persistent HTTP/1.1 connection reused for multiple requests.

Question 19

HTTP status 200?

Answer 19

OK — request successful.

Question 20

HTTP status 301 vs 302 vs 303?

Answer 20

301 = moved permanently, 302 = temporary redirect, 303 = see other (GET next).

Question 21

HTTP status 304?

Answer 21

Not Modified — use cached copy.

Question 22

HTTP status 400 / 403 / 404 / 500?

Answer 22

Bad request / Forbidden / Not found / Server error.

Question 23

Purpose of cookies?

Answer 23

Maintain state across stateless HTTP requests.

Question 24

Secure cookie attribute?

Answer 24

Send cookie only over HTTPS.

Question 25

HttpOnly cookie attribute?

Answer 25

JS cannot access cookie (mitigates XSS).

Question 26

SameSite=Strict means?

Answer 26

Only send cookie on same-site requests.

Question 27

What is a session token?

Answer 27

Random ID identifying a logged-in user session.

Question 28

Max-Age vs Expires in cookies?

Answer 28

Max-Age = lifetime in seconds; Expires = exact date/time.

Question 29

Path attribute in a cookie?

Answer 29

Restricts cookie to matching URL path.

Question 30

Domain attribute in a cookie?

Answer 30

Specifies which hosts can receive the cookie.

Question 31

SameSite=None requires what?

Answer 31

Secure attribute and HTTPS.

Question 32

Goal of TLS?

Answer 32

Confidentiality, integrity, server authentication.

Question 33

TLS Handshake phases?

Answer 33

Negotiation → Key exchange (ephemeral keys + HKDF) → Authentication (certificates).

Question 34

What does the TLS record protocol do?

Answer 34

Encrypt + authenticate application data.

Question 35

What is PKI?

Answer 35

Public Key Infrastructure — validates server certs via chain of trust.

Question 36

What is forward secrecy in TLS?

Answer 36

Compromise of long-term keys doesn’t reveal past session keys (ephemeral keys).

Question 37

How does TLS detect message tampering?

Answer 37

Authenticated encryption & sequence numbers.

Question 38

What does a TLS certificate include?

Answer 38

Public key, domain names, validity dates, CA signature.

Question 39

Who are root certificate authorities?

Answer 39

Trusted organizations pre-installed in browsers/OS.

Question 40

What is a session ticket in TLS?

Answer 40

Token allowing faster session resumption.

Question 41

SQL injection example?

Answer 41

' OR 1=1 -- bypasses WHERE clause.

Question 42

Defense against SQL injection?

Answer 42

Prepared statements / parameterized queries.

Question 43

What is second-order SQL injection?

Answer 43

Malicious input stored in DB is later used in a vulnerable query.

Question 44

What is a UNION SQLi attack?

Answer 44

Append UNION SELECT ... to extract other tables’ data.

Question 45

XSS types?

Answer 45

Reflected, Stored, DOM-based.

Question 46

Defense against XSS?

Answer 46

Escape/encode output, validate input, Content Security Policy.

Question 47

What is a CSRF attack?

Answer 47

Forces a logged-in user to unknowingly submit a request.

Question 48

CSRF prevention?

Answer 48

Tokens in forms, SameSite cookies.

Question 49

HSTS header does what?

Answer 49

Strict-Transport-Security: max-age=... forces HTTPS.

Question 50

Strong password storage best practice?

Answer 50

Salt + slow hash (bcrypt/scrypt/Argon2).

Question 51

MVC: Model?

Answer 51

Data & business logic (SQLAlchemy models).

Question 52

MVC: View?

Answer 52

Jinja HTML templates shown to user.

Question 53

MVC: Controller?

Answer 53

Flask routes handling HTTP requests & returning responses.

Question 54

Flask decorator @bp.route("/path") does what?

Answer 54

Maps URL to controller function.

Question 55

How to read form data in Flask?

Answer 55

request.form.get("field_name")

Question 56

What does render_template() do?

Answer 56

Renders a Jinja HTML file with passed variables.

Question 57

Purpose of db.session.commit()?

Answer 57

Saves changes to the database.

Question 58

How to fetch one row by primary key in SQLAlchemy?

Answer 58

db.session.get(Model, id) or db.get_or_404(Model, id).

Question 59

What is a relationship in SQLAlchemy?

Answer 59

Python-level link between tables (e.g., User.posts).

Question 60

Why use ORM instead of raw SQL?

Answer 60

Safer, more readable, avoids SQL injection.

Question 61

What is in the Flask request object?

Answer 61

Data about current HTTP request (headers, form, JSON, etc.).

Question 62

What happens if a controller aborts with 404?

Answer 62

Returns an HTTP 404 Not Found response.

Question 63

Block vs inline HTML elements?

Answer 63

Block starts new line (div, p); inline flows (span, em).

Question 64

does what?

Answer 64

Jumps to element with matching id in same page.

Question 65

does what?

Answer 65

Sends hidden data to server.

Question 66

CSS selector div > p selects?

Answer 66

p elements that are direct children of a div.

Question 67

CSS selector p + span selects?

Answer 67

span immediately after a p.

Question 68

CSS units em vs rem?

Answer 68

em = relative to parent font size; rem = relative to root font size.

Question 69

How to include external CSS?