Interview Prep Q&A – Web Fundamentals

HTTP Protocol

Q1. What is HTTP and how does it work?
👉 Answer: HTTP (Hypertext Transfer Protocol) is the communication protocol used between clients and servers on the web. It follows a request–response model where the client sends a request (method, headers, body) and the server responds with a status code, headers, and optionally a body.

Q2. Can you explain some common HTTP methods?
👉 Answer:

• GET: Retrieve data.
• POST: Submit new data.
• PUT: Replace an existing resource.
• PATCH: Partially update a resource.
• DELETE: Remove a resource.

Q3. What are some important HTTP status codes you should know?
👉 Answer:

• 200 OK (success)
• 201 Created (resource created)
• 301 Moved Permanently, 302 Found (redirection)
• 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found (client errors)
• 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable (server errors)

Q4. How is HTTP/2 different from HTTP/1.1?
👉 Answer: HTTP/2 supports multiplexing (multiple requests over a single connection), header compression, and server push, making it faster and more efficient than HTTP/1.1.

TLS/SSL

Q5. What problem does TLS/SSL solve?
👉 Answer: TLS/SSL secures communication by encrypting data, ensuring confidentiality, integrity, and authentication between client and server.

Q6. How does the TLS handshake work in simple terms?
👉 Answer: The client and server agree on encryption algorithms, exchange cryptographic keys, and the server provides a digital certificate to prove its identity. After that, data is transmitted using symmetric encryption for speed.

Security Best Practices

Q7. What are some common web security vulnerabilities?
👉 Answer:

• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Weak authentication and session management

Q8. How do you prevent SQL injection?
👉 Answer: By using parameterized queries or prepared statements, never directly concatenating user input into SQL queries.

Q9. How do you protect against XSS?
👉 Answer: Sanitize user inputs and encode outputs (e.g., HTML entity encoding). Using Content Security Policy (CSP) also helps.

Q10. What measures would you take for secure session management?
👉 Answer: Use secure cookies (HttpOnly, Secure, SameSite flags), enforce session timeouts, regenerate session IDs after login, and avoid exposing session tokens in URLs.

Performance & Optimization

Q11. What are some frontend optimization techniques?
👉 Answer: Minifying JS/CSS, compressing and lazy-loading images, using CDNs, enabling caching, and leveraging HTTP/2/3 features.

Q12. What caching strategies do you know?
👉 Answer:

• Browser caching with headers (Cache-Control, ETag).
• CDN caching to serve static assets from edge locations.
• Server-side caching using reverse proxies or distributed caches like Redis.

Q13. How would you optimize backend performance?
👉 Answer: By optimizing database queries with indexes, using caching layers, handling heavy tasks asynchronously (via queues), and scaling horizontally with load balancers.

Q14. How do you measure and monitor performance?
👉 Answer: On the frontend, tools like Google Lighthouse or WebPageTest. On the backend, Application Performance Monitoring (APM) tools like New Relic, Datadog, or Prometheus.

High-Level Wrap-Up

Q15. If asked: "How do you ensure your web app is fast and secure?"
👉 Answer:

• For speed: caching, CDNs, minification, optimized queries, HTTP/2/3.
• For security: HTTPS (TLS), input validation, proper authentication, secure session management, protection against XSS/SQL injection/CSRF.

HTTP Protocol

Q16. What is the difference between PUT and PATCH?
👉 Answer: PUT replaces the entire resource with a new version, while PATCH updates only specific fields of the resource.

Q17. What is idempotency in HTTP methods?
👉 Answer: An operation is idempotent if multiple identical requests result in the same outcome. GET, PUT, and DELETE are idempotent, while POST is not.

Q18. What are HTTP headers, and why are they important?
👉 Answer: Headers carry metadata about the request or response, such as Content-Type, Authorization, Cache-Control, and User-Agent. They’re crucial for security, caching, and content negotiation.

Q19. What is the difference between Authorization and Authentication?
👉 Answer: Authentication verifies who a user is, while authorization determines what they’re allowed to do.

Q20. Can you explain CORS and why it exists?
👉 Answer: CORS (Cross-Origin Resource Sharing) is a mechanism that controls how a browser requests resources from a different domain. It prevents malicious sites from making unauthorized requests on behalf of users.

TLS/SSL

Q21. What is the difference between symmetric and asymmetric encryption?
👉 Answer: Symmetric encryption uses the same key for encryption and decryption (fast), while asymmetric encryption uses a public/private key pair (secure but slower). TLS uses asymmetric during handshake, then switches to symmetric for data transfer.

Q22. What are some common TLS vulnerabilities?
👉 Answer:

• SSLv2/SSLv3 (outdated, insecure).
• Weak ciphers (e.g., RC4).
• Misconfigured certificates (expired, self-signed).
• Lack of HSTS (allows downgrade to HTTP).

Q23. What is HSTS and why is it important?
👉 Answer: HTTP Strict Transport Security forces browsers to only connect via HTTPS, preventing downgrade attacks and cookie hijacking.

Security Best Practices

Q24. What’s the difference between XSS and CSRF?
👉 Answer:

• XSS: Attacker injects malicious scripts into a website, executed by unsuspecting users.
• CSRF: Attacker tricks a logged-in user into performing unintended actions (e.g., submitting a form) without their knowledge.

Q25. What’s the difference between OAuth and JWT?
👉 _Answer:_OAuth is an authorization framework, while JWT (JSON Web Token) is a token format often used in OAuth. JWTs encode claims about a user and can be signed for integrity.

Q26. How would you secure an API?
👉 Answer: Require authentication (OAuth2/JWT), enforce rate limiting, validate inputs, use HTTPS, and implement RBAC/ABAC for access control.

Q27. What are some OWASP Top 10 risks?
👉 Answer: Injection, broken authentication, sensitive data exposure, XML External Entities (XXE), broken access control, security misconfiguration, XSS, insecure deserialization, using vulnerable components, insufficient logging/monitoring.

Performance & Optimization

Q28. How does a CDN improve performance?
👉 Answer: A CDN caches and serves static assets from geographically distributed servers, reducing latency and improving load times.

Q29. What’s the difference between vertical and horizontal scaling?
👉 Answer:

• Vertical scaling: Adding more power (CPU/RAM) to a single server.
• Horizontal scaling: Adding more servers and distributing load.

Q30. What is database indexing, and how does it help performance?
👉 Answer: An index is a data structure that improves query speed by reducing the number of rows scanned. However, it can slow down writes due to index maintenance.

Q31. What’s the difference between strong and weak caching?
👉 Answer:

• Strong caching: Browser can reuse cached response without re-checking (e.g., Cache-Control: max-age).
• Weak caching: Browser must revalidate with the server (e.g., ETag, Last-Modified).

Q32. How do HTTP/2 and HTTP/3 reduce latency compared to HTTP/1.1?
👉 Answer:

• HTTP/2: Multiplexing, header compression, server push.
• HTTP/3: Uses QUIC over UDP, avoids head-of-line blocking, and enables faster connection establishment.

Advanced Concepts

Q33. What is a reverse proxy, and why would you use one?
👉 Answer: A reverse proxy (like Nginx) sits between clients and backend servers, handling caching, load balancing, SSL termination, and request routing.

Q34. How does DNS resolution work?
👉 Answer: The browser queries DNS resolvers, which may query root, TLD, and authoritative servers until the IP address for a domain is returned.

Q35. What is connection pooling, and why is it useful?
👉 Answer: Connection pooling reuses database connections instead of opening new ones for each query, reducing latency and resource usage.

Q36. What is rate limiting, and why is it important?
👉 Answer: Rate limiting restricts how many requests a client can make within a timeframe, protecting against abuse, brute-force attacks, and DDoS.

Q37. How does lazy loading help performance?
👉 Answer: Lazy loading defers the loading of non-critical resources (like images below the fold) until they’re needed, reducing initial page load time.

Scenario-Based Interview Prep – Web Fundamentals
HTTP & Networking

Q38. Your web app’s API responses are slow. How would you troubleshoot?
👉 Answer:

• Check network latency (DNS resolution, TCP handshake, TLS negotiation).
• Use tools like Chrome DevTools or cURL to measure request/response times.
• Inspect server logs for slow database queries or bottlenecks.
• Consider caching responses, using HTTP/2 for multiplexing, and enabling compression (gzip, Brotli).

Q39. A user reports that their browser shows a “Mixed Content” warning. What does this mean and how do you fix it?
👉 Answer:

• Mixed content happens when a secure page (https://) loads resources (images, scripts, CSS) over http://.
• Fix: Ensure all assets are served via HTTPS, update links, and enable Content Security Policy (CSP) to block insecure requests.

Q40. Your site works in HTTP but fails when accessed over HTTPS. How do you debug?
👉 Answer:

• Check that the SSL/TLS certificate is valid and not expired.
• Verify correct server configuration (Nginx/Apache SSL settings).
• Ensure redirects (http:// → https://) are properly set up.
• Use tools like SSL Labs Server Test to check for issues.

Security

Q41. A penetration tester reports an XSS vulnerability on your site. What’s your response?
👉 Answer:

• Identify where user input is reflected back without sanitization.
• Escape or encode output before rendering (e.g., HTML entity encoding).
• Use libraries or frameworks that auto-escape.
• Add a Content Security Policy to limit script execution.

Q42. Your login endpoint is under brute-force attack. What do you do?
👉 Answer:

• Implement rate limiting (e.g., max 5 attempts/min per IP).
• Add CAPTCHA for suspicious behavior.
• Enforce account lockout after repeated failures.
• Monitor logs and block offending IPs with a firewall/WAF.

Q43. Your site must handle sensitive customer data. How do you secure it?
👉 Answer:

• Always use HTTPS (TLS).
• Encrypt sensitive data at rest (AES) and in transit.
• Use strong authentication (multi-factor if possible).
• Apply principle of least privilege for database access.
• Log and monitor access patterns for anomalies.
• Performance & Optimization

Q44. Your homepage takes 5 seconds to load. How would you optimize it?
👉 Answer:

• Run Lighthouse or WebPageTest to identify bottlenecks.
• Compress and optimize images (use WebP/AVIF).
• Minify and bundle JS/CSS.
• Enable lazy loading for below-the-fold content.
• Serve assets from a CDN.
• Use caching headers (Cache-Control, ETag).

Q45. Your API server is experiencing heavy load. What are your options?
👉 Answer:

• Short term: Enable caching, use a CDN for static responses, rate-limit abusive clients.
• Medium term: Optimize database queries, move long tasks to background jobs.
• Long term: Scale horizontally with load balancers, introduce microservices, or use message queues.

Q46. A user in Asia complains your site is slow, but it’s fast in the US. How do you fix this?
👉 Answer:

• Deploy a CDN with edge servers closer to the user.
• Enable DNS-based load balancing to route users to the nearest server.
• Consider deploying infrastructure in multiple regions (multi-region hosting).

Advanced Scenarios

Q47. Your site’s TLS certificate just expired and users are seeing warnings. What do you do?
👉 Answer:

• Immediately renew or replace the certificate.
• Automate renewal (e.g., Let’s Encrypt + Certbot).
• Set up monitoring/alerts for expiring certificates.

Q48. You notice a high number of 500 Internal Server Error responses in logs. How do you debug?
👉 Answer:

• Check error logs for stack traces.
• Identify failing endpoints and look for recent code/config changes.
• Check for database connection limits or third-party API failures.
• Add monitoring/alerting to catch future errors early.

Q49. Your team reports a memory leak in the backend. How do you approach it?
👉 Answer:

• Use profiling tools to track memory usage.
• Identify objects not being freed (e.g., large caches, dangling references).
• Implement proper resource cleanup (close DB connections, file handles).
• Run load tests to validate the fix.

Q50. An e-commerce site is experiencing cart data loss when multiple users log in. What could be wrong?
👉 Answer:

• Possible session management issue: Sessions not isolated properly.
• Cookies might not have SameSite or Secure flags.
• Server might be using in-memory sessions without sticky sessions in load balancing.
• Fix: Use a centralized session store (Redis, DB) and configure session cookies securely.