These questions cover the 18 sections of the HTTP Fundamentals overview and are organized by topic clusters. No answers are provided — the goal is to test your understanding of HTTP concepts and their practical implications, not to memorize facts.
The questions mix conceptual understanding, scenario-based judgment, and common misconceptions.
Cluster 1: Protocol Fundamentals (Sections 1–3)
A colleague says "HTTP remembers your previous requests so it can personalize the page for you." What is wrong with this statement? How does the web actually achieve personalization if HTTP is stateless?
HTTP/2 and HTTP/3 improved performance dramatically, yet the request-response semantics (methods, headers, status codes) are identical to HTTP/1.1. Why is this important for web developers? What would change in your code if you switched from HTTP/1.1 to HTTP/2?
Name the three parts of an HTTP request and the three parts of an HTTP response. Which part is optional in each, and when is it present?
Put these steps in order when a browser loads https://example.com/page for the first time: TLS handshake, browser renders HTML, DNS lookup, HTTP request sent, TCP three-way handshake, HTTP response received. Which of these steps are skipped on the second request to the same server?
Cluster 2: Message Structure (Sections 4–5)
Given the request line POST /api/books HTTP/1.1, identify its three components. Why is the HTTP version included — what happens if the client and server support different versions?
What role does the blank line (CRLF) play between headers and body? What happens if it is missing from a request?
A 404 response can return HTML (for browsers) or JSON (for APIs). What header determines how the client interprets the body? Why are the status code and body format independent of each other?
Why is the Host header required in HTTP/1.1 but was not present in HTTP/1.0? What practical problem does it solve for web servers?
Cluster 3: Methods, Safety & Status Codes (Sections 6–8)
Compare PUT and PATCH. A developer uses PUT to update only a user's email address, sending {"email": "new@example.com"}. Why might this cause a bug? What would happen to the user's name and other fields?
A developer creates this API endpoint: GET /api/users/5/delete. Name at least three things wrong with this design, referencing the concepts of safety and idempotency.
Explain the difference between 401 Unauthorized and 403 Forbidden. What would be a more accurate name for 401? If a user is logged in but tries to access another user's profile, which status code should be returned?
A POST request to a payment API times out, and the client automatically retries. The customer is charged twice. What property of POST explains why this happened? How do payment APIs solve this problem?
A developer uses 301 Moved Permanently to redirect a POST form submission to a new URL. Users report that the form data disappears after the redirect. What is happening, and which status code should be used instead?
The Referer header is misspelled in the HTTP specification. Why hasn't it been corrected since 1996? How does the newer Referrer-Policy header make this inconsistency permanent?
A client sends Accept: text/html, application/json;q=0.9, text/plain;q=0.5. Explain what the q values mean. In what order does the client prefer these formats? Why must the server include a Vary: Accept header in its response?
Compare the three request body formats: form-encoded, multipart, and JSON. Which one supports file uploads? Which one supports nested data structures? When building an API consumed by JavaScript fetch(), which format would you choose and why?
A developer puts a user's API token in the query string: GET /api/data?token=secret123. List at least four places where this token is now exposed. What HTTP mechanism should be used instead?
Cluster 5: Caching & State (Sections 12–13)
Cache-Control: no-cache does NOT mean "don't cache." Explain what no-cache actually does. What directive would you use if you truly want no caching at all?
Trace the 304 Not Modified flow for a CSS file: the browser makes a first request and receives the file with an ETag. Describe step-by-step what happens on the second request after the max-age expires. What headers does the browser send, and what does the server respond with?
Explain the difference between public and private in Cache-Control. Why would you use private for a user's dashboard page but public for a product image?
A developer stores the user's full profile (name, email, role) directly in a cookie instead of using a session ID. Name at least three security risks with this approach. How does a session ID solve these problems?
Compare the three SameSite cookie values: Strict, Lax, and None. A banking app wants maximum protection against CSRF attacks, but users complain that clicking a link to the bank from an email always requires re-login. Which SameSite value is causing this, and what compromise would you suggest?
Cluster 6: CORS & Authentication (Sections 14–15)
Two URLs have the same origin only if they share the same scheme, host, and port. Determine whether each pair is same-origin: (a) https://app.com/a and https://app.com/b, (b) https://app.com and https://api.app.com, (c) https://app.com and http://app.com.
A developer's React app on localhost:3000 makes a fetch() call to their API on localhost:8080. The request works in Postman but fails in the browser with a CORS error. Why does Postman work but the browser doesn't? What must the API server add to its responses?
Explain why a PUT request with Content-Type: application/json triggers a CORS preflight, but a GET request with no custom headers does not. What exactly happens during the preflight, and what headers must the server include in the preflight response?
Compare Basic Auth and Bearer tokens. Why is Basic Auth described as "encoding, not encryption"? If you intercept a Basic Auth header like Authorization: Basic dXNlcjpwYXNz, can you recover the credentials? What makes HTTPS essential for both approaches?
Name the six security headers discussed in the overview and briefly describe what each one protects against. Which one prevents your page from being embedded in an iframe? Which one forces all future connections to use HTTPS?
Explain the three guarantees that HTTPS/TLS provides: encryption, integrity, and authentication. A colleague says "this site has HTTPS, so it must be safe." Why is this statement misleading? What does HTTPS actually guarantee?
In a curl -v output, lines starting with > represent the request and lines starting with < represent the response. Given the output > GET /api/users HTTP/2 and < HTTP/2 200, identify the method, path, protocol version, and status code. Why is curl -v more informative than using a browser for debugging HTTP?
You are debugging a web application and suspect a redirect loop. Describe how you would use both the browser DevTools Network tab (with "Preserve log" enabled) and curl -v -L to diagnose the problem. What information does each tool provide that the other does not?