HTTP & Friends Flashcards
What is the main issue with FTP
FTP is outdated, lacks security, and uses multiple connections for control and data transfer, which complicates setups. It also doesn’t encrypt data, making it vulnerable to attacks.
Why was FTP originally designed
FTP was designed to standardize file transfers between systems with different file structures and character sets. It solved issues with inconsistent and incompatible transfer methods before a universal protocol existed.
What is one advantage of FTP
FTP decouples path names, allowing clients to access files without knowing the server’s exact file system layout. This flexibility makes it easier to adapt to different environments and manage files across various systems.
How many connections does FTP require at a minimum
FTP requires a minimum of three connections: one for the control channel to send commands, and two for data transfer (one for uploading and one for downloading). This setup ensures commands and data are managed separately, but it increases complexity compared to protocols that use a single connection.
What is the key difference between FTP and HTTP
FTP requires multiple connections while HTTP uses a single connection
What does the HTTP HEAD method do
It retrieves metadata without downloading the entire file
Why is caching used in HTTP
To serve static content faster and reduce server load
What does the Accept flag in HTTP specify
The Accept flag in HTTP specifies the content types (e.g., text/html, application/json) that the client can process. This helps the server deliver responses in a format the client supports.
What is the purpose of the Content-Length header
The Content-Length header specifies the size of the response body in bytes. This helps the client know when the response ends, ensuring proper parsing of the content.
What is HSTS and why is it important
HSTS (HTTP Strict Transport Security) enforces the use of HTTPS by ensuring all connections to a website are encrypted. It protects users from downgrade attacks and prevents unencrypted connections, improving security against man-in-the-middle attacks.
Why should JSON and POST be used for remote services
To avoid security issues like length extension attacks.
POST allows securely sending data in the request body, and JSON provides a structured format resistant to injection vulnerabilities.
What is the primary role of an HTTP User-Agent
To identify the client software making the request.
This helps the server customise responses based on the client’s capabilities or requirements.
What is the purpose of the ETag header
The ETag header uniquely identifies a resource on the server and checks if it has been modified.
It helps optimise caching by allowing clients to determine whether they need to download the resource again.
What is the difference between GET and POST in HTTP
GET retrieves data while POST sends data to the server
What is HTTP Basic Auth
An insecure method of sending credentials encoded in Base64
Why should HTTPS be used instead of HTTP
To encrypt data and ensure secure communication
What does the Accept-Encoding header indicate
The compression formats the client can handle
Why is Accept-Ranges useful
It allows downloading specific parts of a file
What is the main benefit of keep-alive connections
They enable multiple requests over a single connection, improving performance
What is the significance of HTTP status codes
They indicate the result of an HTTP request
What are the categories of HTTP status codes
1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error
What is the main issue with HTTP Basic Auth
It sends credentials insecurely without encryption
Why are cookies considered a security risk
They can be abused to store sensitive client-side data
What is the purpose of the Set-Cookie header
To store a key-value pair for future requests to the same domain
Why is caching on inbound servers useful
Improves response times, reduces backend load, scales better for high traffic, and avoids redundant processing of identical requests.
What is the function of proxy_pass in HTTP servers
To route requests to a specified backend server
What is the purpose of the Host header in HTTP
It allows multiple virtual servers to share the same IP address by distinguishing incoming requests based on the Host value
Why should cookies only store a session ID
To avoid exposing sensitive information client-side
What is the purpose of Content-Type in HTTP
To inform the client how to handle the response content
Why should HTTPS always be used when using cookies
To prevent them from being intercepted or altered by plain text attacks
What is HTTP POST used for
To send data to the server typically for updates or changes
Why is using GET for sensitive data discouraged
GET exposes parameters in URLs and logs
What is the role of Accept-Language in HTTP
To specify the client’s preferred (human) language for the response
Why should compressed files be stored directly on the server
To reduce I/O, CPU, and network usage by avoiding the need to compress files on-the-fly, improving performance and resource efficiency
(Pre-compressed files: Use more disk space, save CPU and time. Best for static content.
On-the-fly compression: Saves disk space but uses more CPU and increases latency. Best for dynamic content.)
What is the main issue with legacy FTP implementations
FTP’s reliance on dynamic ports and multiple connections makes it hard to work with firewalls, leading to security and configuration headaches.
(The data connection often uses a random high port, which changes dynamically. Firewalls struggle to predict and allow these connections, making FTP not firewall-friendly.
Plaintext Credentials:
Traditional FTP sends usernames and passwords in plaintext, making it insecure. (This isn’t directly related to the firewall issue but is another reason FTP is considered outdated.)
Complexity:
Maintaining two connections increases network complexity compared to modern protocols like SFTP or HTTPS, which use a single secure channel.)
What is the role of NAT helpers in FTP
To rewrite FTP payloads and create inbound NAT mappings, enabling dynamic data connections through NAT.
Why?
NAT (Network Address Translation) translates private IP addresses in a local network to a public IP for internet access. In FTP, NAT helpers modify the control channel to handle dynamic ports and create temporary rules for data connections, making FTP compatible with NAT.
What is the Accept-Charset header used for
To indicate the preferred character sets for the response
What is the purpose of HTTP DELETE
To remove a specified resource on the server
What does the Strict-Transport-Security header enforce
It ensures only HTTPS connections are allowed for a domain
What is the purpose of a proxy cache in HTTP
To improve performance by storing frequently accessed content
Why is FTP considered inflexible in modern networks
It struggles with NAT firewalls and is simplex
What is a common use case for HTTP HEAD
Checking if a file has changed without downloading it
What is the main difference between HTTP and HTTPS
HTTPS encrypts the connection using TLS
Why is TLS vital in modern networking
It secures data in transit against interception or tampering
What is the main limitation of FTP control connections
FTP control connections are limited because they require NAT helpers to modify payloads and manually adjust NAT settings to handle dynamic ports, which complicates compatibility with firewalls and NAT devices.
(Dynamic Port Assignment:
The FTP server dynamically chooses a random high-numbered port for each data transfer, which isn’t fixed or preconfigured.
NAT Doesn’t Track FTP Behavior:
NAT devices typically translate static ports and IPs. Without additional help (like a NAT helper), they don’t know which dynamic port the FTP server will use, so they can’t set up the necessary mapping automatically.
Firewall Blockage:
Firewalls block traffic on unapproved ports for security. Since the dynamic port is unpredictable, the firewall might block the data connection unless explicitly configured to allow it.)
What is the purpose of the Last-Modified header
To indicate the last time the resource was changed
(Used to help with caching and efficiency in web communications: if the resource has not changed, the server can avoid resending it, saving bandwidth and time.)
Why is the Universal Firewall Bypass Protocol nickname given to HTTP
HTTP is called the Universal Firewall Bypass Protocol because its flexibility allows it to carry various types of traffic, often disguised as legitimate web traffic. This makes it effective for bypassing firewalls and restrictions that permit HTTP/HTTPS traffic by default.
(security concern)
What does the Connection header in HTTP control
Whether the connection can be reused or should be closed.
(Controlling the connection with the Connection header helps balance performance and resource usage, adapting to different needs and network conditions.)
Why should HTTP headers be case-insensitive
To ensure compatibility across implementations
What is the purpose of HTTP DELETE
To remove a resource from the server
Why is gzip compression beneficial for HTTP responses
It reduces bandwidth usage and improves load times
What is the drawback of using cookies for authentication
They can be intercepted and reused if not encrypted
What does the Content-Encoding header specify
The encoding used on the response content
What is the difference between HTTP 1.1 and HTTP 2
HTTP/2 supports multiple streams by allowing multiple requests and responses to occur simultaneously over a single connection using multiplexing. This eliminates delays caused by blocking in HTTP/1.1 and reduces the need for multiple connections, improving efficiency.
What is the purpose of caching in HTTP
To reduce server load and improve response times
Why is Base64 encoding used in HTTP Basic Auth
To encode username and password into a single string
What is a potential risk of passing arguments via GET
They are visible in logs and URLs
What is the role of the HTTP Accept header
To indicate acceptable media types for the response
Why are inbound caches used in enterprises
To organise systems and centralise certificate management
(An inbound cache is like a central store for certain data or processes that handle incoming requests. In the context of certificates:
• It helps manage and validate SSL/TLS certificates centrally for a business’s systems.
• Instead of every individual system or server repeatedly fetching certificates or handling verification separately, the inbound cache stores them centrally, speeding up operations.)
What is the Accept-Ranges header used for
To enable partial downloads by byte range
What does the Server header in HTTP reveal
The software and version of the web server
What is a common security issue with HTTP Basic Auth
Credentials are sent unencrypted
Why is using HTTPS for all operations recommended
To ensure data integrity and prevent eavesdropping
What is a key difference between FTP and HTTP paths
FTP paths map directly to server file systems, while HTTP paths are abstract and can represent virtual or dynamic resources.
What is the significance of HTTP status code 404
It indicates the requested resource was not found
What does HTTP caching rely on
Headers like Last-Modified and ETag for validation
What is the purpose of HTTP PUT
To upload or replace a resource on the server
Why is NAT problematic for FTP connections
It requires modifying payloads to match IP addresses
(FTP dynamically assigns ports for data transfer, but NAT changes IP addresses, causing mismatches. This forces NAT devices to modify FTP payloads to ensure the correct IP and port mappings.)
What is the function of the Content-Length header
To specify the size of the HTTP response body
What is the main drawback of legacy FTP modes
They are incompatible with modern NAT and firewalls