DEV Community

DevFrontier
DevFrontier

Posted on

Mastering Web Fundamentals: Top Interview Questions and Answers (HTTP, TLS, Security, Performance)

#security #http #tls #webfundamentals

When preparing for a web developer interview, mastering the fundamentals can give you a huge advantage. Topics like HTTP, TLS/SSL, security best practices, and performance optimization often appear in technical interviews, especially for frontend, backend, or full-stack roles.

In this article, we’ll cover the most common interview questions around these topics—with clear, concise answers—so you’ll be ready to impress your interviewer.

🌐 HTTP Protocol

Q: What is the difference between HTTP/1.1, HTTP/2, and HTTP/3?

  • HTTP/1.1: One request per TCP connection (pipelining exists but suffers from head-of-line blocking).
  • HTTP/2: Supports multiplexing multiple requests on one TCP connection, plus header compression.
  • HTTP/3: Uses QUIC (on UDP) to eliminate TCP head-of-line blocking, reducing latency.

Q: Difference between idempotent and safe HTTP methods?

  • Safe: No server-side state change (GET, HEAD, OPTIONS).
  • Idempotent: Multiple identical requests have the same effect (GET, PUT, DELETE).

Q: What is the purpose of the Host header?

  • Identifies which domain the request is for, enabling multiple domains on one IP (virtual hosting).

Q: Difference between PUT and PATCH?

  • PUT: Replaces the entire resource.
  • PATCH: Applies a partial update.

Q: Difference between 301, 302, and 307 redirects?

  • 301: Permanent redirect.
  • 302: Temporary redirect, older browsers often change POST → GET.
  • 307: Temporary redirect, preserves method (POST stays POST).

Q: What are 200, 204, and 304 responses used for?

  • 200 OK: Success with content.
  • 204 No Content: Success without a body.
  • 304 Not Modified: Resource unchanged, client should use cache.

Q: How do ETags and Last-Modified help caching?

  • They let the client validate cached resources with the server. If unchanged, server returns 304 Not Modified, saving bandwidth.

Q: What is CORS and why is it enforced?

  • Cross-Origin Resource Sharing controls which origins can request resources. Prevents malicious sites from making unauthorized API calls using a logged-in user’s credentials.

🔒 TLS/SSL & HTTPS

Q: How does TLS establish a secure connection?

  • Client & server exchange supported ciphers.
  • Server presents a certificate to prove identity.
  • They negotiate a symmetric session key via asymmetric crypto.
  • All future traffic is encrypted with the session key.

Q: Difference between symmetric and asymmetric encryption in TLS?

  • Asymmetric: Used during handshake (public/private key).
  • Symmetric: Used for actual data (faster).

Q: What is the purpose of an SSL/TLS certificate?

  • Binds a domain to a public key and proves ownership, signed by a trusted Certificate Authority.

Q: What is HSTS and why is it important?

  • HTTP Strict Transport Security forces browsers to always use HTTPS, preventing downgrade and SSL stripping attacks.

Q: Why are TLS 1.0/1.1 deprecated?

They use weak ciphers and are vulnerable to known attacks. Modern systems require TLS 1.2+.

Q: Self-signed vs CA-issued certificates?

  • Self-signed: Not trusted by browsers, used only for dev/test.
  • CA-issued: Trusted because the CA is in the browser/OS trust store.

🛡️ Security Best Practices

Q: How do you protect against XSS?

  • Escape user input in HTML.
  • Use CSP (script-src 'self').
  • Avoid dangerous functions like eval().

Q: What are HttpOnly, Secure, and SameSite cookie flags?

  • HttpOnly: JS can’t access cookie.
  • Secure: Sent only via HTTPS.
  • SameSite: Restricts cross-site sending (mitigates CSRF).

Q: How does CSRF work and how to prevent it?

  • Attacker tricks a logged-in user’s browser to make requests.
  • Prevention: SameSite cookies, CSRF tokens, and re-authentication for sensitive actions.

Q: What is a Content Security Policy (CSP)?

  • A header defining allowed sources for scripts, images, etc. Prevents execution of untrusted scripts.

Q: How to protect against SQL injection?

  • Use parameterized queries or ORM. Never concatenate untrusted input directly.

Q: Why use rate limiting?

  • To prevent brute force, API abuse, or DoS attacks.

Q: Authentication vs Authorization?

  • Authentication: Verifying identity (who you are).
  • Authorization: Verifying permissions (what you can do).

Q: Why hash passwords instead of storing plaintext?

  • If breached, plaintext leaks all accounts. Always hash with bcrypt/Argon2 + salt.

Q: Same-Origin Policy vs CORS?

  • Same-Origin Policy: Default browser restriction blocking cross-origin requests.
  • CORS: Server-side mechanism to relax that restriction.

⚡ Performance & Optimization

Q: How does browser caching improve performance?

  • Reduces network requests by storing files locally → faster load times.

Q: Cache-Control: no-cache vs no-store vs max-age?

  • no-cache: Must revalidate before using cached copy.
  • no-store: Never cache (sensitive data).
  • max-age=N: Cache for N seconds without revalidation.

Q: Why use Content-Encoding: gzip/br?

  • Compresses text-based responses to reduce payload size.

Q: How does a CDN improve performance?

  • Caches content globally, serving from the nearest edge server to reduce latency.

Q: Lazy loading vs preloading resources?

  • Lazy load: Load only when needed (e.g., images below fold).
  • Preload: Fetch critical resources early.

Q: How does HTTP/2 multiplexing help?

  • Multiple requests in parallel on a single TCP connection, avoiding head-of-line blocking.

Q: Render-blocking vs non-blocking resources?

  • Render-blocking: Stop rendering until loaded (CSS, synchronous JS).
  • Non-blocking: Loaded asynchronously (defer, async).

Q: What are Core Web Vitals?

  • LCP (Largest Contentful Paint): Measures loading speed.
  • CLS (Cumulative Layout Shift): Measures visual stability.
  • INP (Interaction to Next Paint): Measures responsiveness.

Q: How to optimize large JavaScript bundles?

  • Code splitting, tree shaking, minification, lazy loading, CDN hosting.

🧩 Scenario Questions

Q: Users’ sessions are being hijacked. What could be wrong?

  • Cookies lack Secure/HttpOnly flags.
  • Session token exposed via XSS.
  • No HTTPS → MITM attacks.
  • Session fixation attacks.

Q: The site is slow for overseas users. How do you fix it?

  • Use a CDN.
  • Deploy regional servers.
  • Improve caching and compression.

Q: Client is randomly logged out. Why?

  • Session timeout too short.
  • Load balancer missing sticky sessions.
  • Cookie blocked due to SameSite misconfiguration.

✅** Conclusion**

Interviewers love to test candidates on the fundamentals of web technologies. If you can explain how HTTP works, why TLS matters, how to secure apps, and how to optimize performance, you’ll stand out immediately.

By practicing these Q&A, you’ll not only prepare for interviews but also become a stronger developer with a solid foundation in web engineering.

Top comments (0)