Interview

10 HTTP Protocol Interview Questions and Answers

Prepare for technical interviews with a comprehensive guide on HTTP protocol, featuring common questions and detailed answers.

Interview Insights
Published Sep 2, 2024

The HTTP protocol is the foundation of data communication on the web. It enables the transfer of hypertext documents and is essential for the functioning of web browsers, servers, and APIs. Understanding HTTP is crucial for anyone involved in web development, network administration, or cybersecurity, as it underpins the vast majority of internet traffic.

This article offers a curated selection of interview questions designed to test and expand your knowledge of the HTTP protocol. By reviewing these questions and their detailed answers, you will be better prepared to demonstrate your expertise and problem-solving abilities in technical interviews.

HTTP Protocol Interview Questions and Answers

1. Write a simple HTTP GET request using Python’s requests library.

To perform an HTTP GET request using Python’s requests library, you first need to install the library if you haven’t already. The requests library is a simple and elegant HTTP library for Python, which makes it easy to send HTTP requests and handle responses.

Here is a basic example of how to perform an HTTP GET request:

import requests

response = requests.get('https://api.example.com/data')
if response.status_code == 200:
    print(response.json())
else:
    print('Failed to retrieve data')

In this example, the requests.get function sends an HTTP GET request to the specified URL. The response object contains the server’s response to the HTTP request. We then check if the status code of the response is 200 (which means the request was successful) and print the JSON content of the response. If the request fails, we print an error message.

2. What are the different HTTP methods, and when would you use each?

HTTP methods are a set of request methods to indicate the desired action to be performed for a given resource. The primary HTTP methods are:

  • GET: Used to request data from a specified resource. It is a read-only operation and does not alter the state of the resource.
  • POST: Used to submit data to be processed to a specified resource. This method often results in a change in state or side effects on the server.
  • PUT: Used to update a current resource with new data. If the resource does not exist, PUT can create it.
  • DELETE: Used to delete a specified resource.
  • HEAD: Similar to GET, but it transfers the status line and header section only. It is useful for checking what a GET request will return before actually making the GET request.
  • OPTIONS: Used to describe the communication options for the target resource. It is often used to check the capabilities of a web server.
  • PATCH: Used to apply partial modifications to a resource. It is more efficient than PUT when updating only part of a resource.

3. What is CORS (Cross-Origin Resource Sharing), and how does it work?

CORS (Cross-Origin Resource Sharing) is a security feature implemented by web browsers to control how resources on a web page can be requested from another domain outside the domain from which the resource originated. This is important for preventing malicious websites from making unauthorized requests to a different domain.

When a web page makes a request to a different domain (cross-origin request), the browser sends an HTTP request with an Origin header. The server then responds with specific headers that indicate whether the request is allowed. The key headers involved in CORS are:

  • Access-Control-Allow-Origin: Specifies which origins are permitted to access the resource.
  • Access-Control-Allow-Methods: Lists the HTTP methods that are allowed for cross-origin requests.
  • Access-Control-Allow-Headers: Lists the headers that can be used in the actual request.

For example, a server might include the following headers in its response to allow cross-origin requests from a specific domain:

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type

4. Implement a basic HTTP server in Node.js that responds with “Hello, World!” to any GET request.

To implement a basic HTTP server in Node.js that responds with “Hello, World!” to any GET request, you can use the built-in ‘http’ module. This module provides the necessary functions to create an HTTP server and handle incoming requests.

const http = require('http');

const server = http.createServer((req, res) => {
    if (req.method === 'GET') {
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        res.end('Hello, World!');
    } else {
        res.writeHead(405, { 'Content-Type': 'text/plain' });
        res.end('Method Not Allowed');
    }
});

const PORT = 3000;
server.listen(PORT, () => {
    console.log(`Server is listening on port ${PORT}`);
});

5. How would you implement rate limiting for an HTTP API? Provide a high-level algorithm or pseudocode.

Rate limiting can be implemented using various algorithms such as the Token Bucket, Leaky Bucket, Fixed Window, or Sliding Window Log. Here, we will discuss the Token Bucket algorithm, which is widely used due to its flexibility and efficiency.

The Token Bucket algorithm works by maintaining a bucket that holds a certain number of tokens. Each token represents a request that can be processed. Tokens are added to the bucket at a fixed rate, and each incoming request consumes a token. If the bucket is empty, the request is denied or delayed.

Here is a high-level pseudocode for implementing rate limiting using the Token Bucket algorithm:

class TokenBucket:
    def __init__(self, capacity, refill_rate):
        self.capacity = capacity
        self.tokens = capacity
        self.refill_rate = refill_rate
        self.last_refill_timestamp = current_time()

    def allow_request(self):
        current_timestamp = current_time()
        elapsed_time = current_timestamp - self.last_refill_timestamp
        self.tokens += elapsed_time * self.refill_rate
        self.tokens = min(self.tokens, self.capacity)
        self.last_refill_timestamp = current_timestamp

        if self.tokens >= 1:
            self.tokens -= 1
            return True
        else:
            return False

# Example usage
bucket = TokenBucket(capacity=10, refill_rate=1)  # 10 tokens, 1 token per second

if bucket.allow_request():
    # Process the request
    pass
else:
    # Deny or delay the request
    pass

6. Discuss the implications of HTTP caching and how it can be controlled via headers.

HTTP caching is a mechanism that allows web resources to be stored temporarily on a client or intermediary server to reduce the need for repeated requests to the origin server. This can significantly improve web performance by reducing latency and bandwidth usage. However, improper caching can lead to stale data being served, which can be problematic for dynamic content.

HTTP caching can be controlled via several headers:

  • Cache-Control: This header provides the most granular control over caching. It can specify directives such as max-age (the maximum amount of time a resource is considered fresh), no-cache (forces revalidation with the server), and no-store (prevents caching altogether).
  • Expires: This header specifies an absolute date and time after which the resource is considered stale. It is less flexible than Cache-Control but still widely used.
  • ETag: This header provides a unique identifier for a specific version of a resource. When a client has a cached version, it can use the ETag to check with the server if the resource has changed.
  • Last-Modified: This header indicates the last time the resource was modified. Clients can use this information to make conditional requests, asking the server if the resource has been updated since the specified date.

7. Write a middleware function in Express.js to log all incoming HTTP requests.

Middleware in Express.js is a function that has access to the request object (req), the response object (res), and the next middleware function in the application’s request-response cycle. Middleware functions can perform various tasks such as executing code, modifying the request and response objects, ending the request-response cycle, and calling the next middleware function.

To log all incoming HTTP requests, you can create a middleware function that captures the request details and logs them. This middleware function can then be used in your Express.js application.

const express = require('express');
const app = express();

const requestLogger = (req, res, next) => {
    console.log(`${req.method} ${req.url}`);
    next();
};

app.use(requestLogger);

app.get('/', (req, res) => {
    res.send('Hello, world!');
});

app.listen(3000, () => {
    console.log('Server is running on port 3000');
});

8. Describe the key features and improvements introduced in HTTP/3.

HTTP/3 is the latest version of the Hypertext Transfer Protocol (HTTP) and introduces several key features and improvements over its predecessors, HTTP/1.1 and HTTP/2. The most significant change in HTTP/3 is the use of QUIC (Quick UDP Internet Connections) as the transport protocol instead of TCP (Transmission Control Protocol).

Key Features and Improvements:

  • QUIC Protocol: HTTP/3 uses QUIC, which is built on top of UDP (User Datagram Protocol). QUIC provides faster connection establishment and improved performance, especially in environments with high latency and packet loss.
  • Reduced Latency: QUIC allows for 0-RTT (Zero Round Trip Time) connection establishment, meaning that data can be sent immediately without waiting for a handshake, significantly reducing latency.
  • Improved Multiplexing: Unlike HTTP/2, which uses a single TCP connection for multiplexing multiple streams, HTTP/3’s QUIC protocol allows for independent streams. This means that packet loss in one stream does not affect others, improving overall performance.
  • Enhanced Security: QUIC integrates TLS (Transport Layer Security) 1.3, providing built-in encryption and security features. This ensures that all HTTP/3 connections are secure by default.
  • Connection Migration: QUIC supports connection migration, allowing a connection to continue seamlessly even if the client’s IP address changes, such as when switching from Wi-Fi to mobile data.
  • Header Compression: HTTP/3 continues to use HPACK for header compression, reducing the overhead of HTTP headers and improving efficiency.

9. What are HTTP security headers, and how do they enhance web security? Provide examples.

HTTP security headers are directives used by web servers to communicate security policies to web browsers. These headers help in protecting web applications from common security threats by instructing the browser on how to behave when handling the website’s content.

Some of the key HTTP security headers include:

  • Content-Security-Policy (CSP): This header helps prevent XSS attacks by specifying which dynamic resources are allowed to load. For example, it can restrict the sources from which scripts, styles, and other resources can be loaded.
  • X-Content-Type-Options: This header prevents browsers from interpreting files as a different MIME type than what is specified. It helps in reducing the risk of drive-by downloads and other attacks.
  • X-Frame-Options: This header protects against clickjacking by controlling whether a browser should be allowed to render a page in a