Web Architecture

Question 1

What is architecture

Answer 1

High-level design of components and their interaction. Draw as building blocks (paper/whiteboard)

Question 2

What is implementation?

Answer 2

Made concrete with languages, tools and frameworks. Consider practical low-level details (security, scalability etc)

Question 3

Vulnerabilities due to poor architecture

Answer 3

• Lack of encryption
• Vulnerable to DoS
• Race condition
• Unintended access

Question 4

Vulnerabilities due to poor implementation

Answer 4

• Buffer overflow
• Unvalidated input
• Code injection

Question 5

Difference between vulnerability fixes for architecture and implementation

Answer 5

Architecture - mostly unfixable, requires rebuild
Implementation - mostly fixable depending on language + off-shelf components

Question 6

Web Application Architecture

Answer 6

• User communicates with web server via HTTP
• Web server serves HTML and runs server-side scripting
• Database runs SQL
• Web server communicates with other services via HTTP

Question 7

HTML

Answer 7

Defines structure and display. Actual page content

Question 8

HTTP

Answer 8

Protocol for exchanging info (independent of page design)
Web server requests

Question 9

TCP/IP

Answer 9

Handles connectivity (ports)

Question 10

What does PHP do?

Answer 10

Generates dynamic pages. Input is processed and output as pure HTML. It runs on the server and the browser only sees HTML.

Question 11

What are HTTP Headers?

Answer 11

Key-value pairs sent with HTTP requests and responses, providing metadata about the message. Enable structured, efficient, and secure web communication between server and client.

Question 12

Content-Security-Policy (CSP)

Answer 12

allows you to restrict which resources (such as JavaScript, CSS, Images etc.) can be loaded, prevents xss

Question 13

X-Frame-Options

Answer 13

Defines whether the browser should allow iframes, mitigates clickjacking

Question 14

Referrer-Policy

Answer 14

Controls privacy, controls the amount of referrer information sent w/in subsequent request

Question 15

Strict-Transport-Security (HSTS)

Answer 15

Defines whether browser requests HTTPS only

Question 16

Cross-Origin Resource Sharing (CORS)

Answer 16

From the server, a website loads different elements from different origins. This defines which domains the browser can accept resources from

Question 17

Why are cookies needed?

Answer 17

HTTP is stateless, each client-server request-response cycle is independent, server does not retain any information about past interactions. Cookies track sessions

Question 18

Cookies

Answer 18

Files that store information about your session. Created by Netscape as way to store items in shopping carts.

Question 19

Session cookies

Answer 19

Temporary text files stored on device by websites during visit, enabling site to remember information like login status or items in shopping cart

Question 20

Persistent cookies

Answer 20

Long-term tracking. Last forever until deleted or the expiration date. Store information like user preferences.

Question 21

First-Party Cookies

Answer 21

set/read by the visited site

Question 22

Third-party cookies

Answer 22

Cookies set by a domain different from the one you are directly visiting, e.g., advertisers, analytics services. Enable tracking across sites. (Being phased out)

Question 23

Cookie Risks

Answer 23

Session hijacking. Cookie is intercepted and stolen, leading to impersonation.

Question 24

Cookie Attributes

Answer 24

Secure, HttpOnly, SameSite, expiry, domain