Episode 1 — Fundamentals / 1.4 — Understanding HTTP and HTTPS

1.4 — Exercise Questions: Understanding HTTP & HTTPS

Practice questions for all seven subtopics in Section 1.4: a mix of short-answer, security-thinking, and hands-on exercises. Try each one without reopening the lesson files first.

How to use this material (instructions)

  1. Read the lessons in order: README.md, then 1.4.a through 1.4.g.
  2. Answer closed-book first — write an answer, then compare to the lesson.
  3. Hands-on — use browser DevTools → Network and curl -v where indicated.
  4. Redo misses — retry wrong questions after sleep (spaced repetition).
  5. Interview prep — pair with 1.4-Interview-Questions.md.

1.4.a — HTTP & versions (Q1–Q6)

Q1. Define HTTP in one sentence and list the parts of an HTTP request (at least 4 components).

Q2. Compare HTTP/1.1, HTTP/2, and HTTP/3 in terms of: multiplexing, transport (TCP vs QUIC/UDP), and a major pain point each version addresses.

Q3. What does it mean that HTTP is stateless?

Q4. Why can HTTP/2 over TCP still suffer performance issues when packets are lost?

Q5. Hands-on: load any HTTPS site; in DevTools → Network, enable the Protocol column and note whether requests show h2, http/1.1, or h3 (QUIC).

Q6. What is ALPN used for during TLS negotiation (high level)?


1.4.b — Status codes (Q7–Q12)

Q7. For each family 1xx–5xx, give one phrase describing what the family means.

Q8. When would you return 201 instead of 200 for an API?

Q9. Explain 401 vs 403 (RFC-intent + real-world caveat).

Q10. What does 502 Bad Gateway usually imply in an architecture with Nginx + upstream app?

Q11. What does 304 Not Modified mean for caching?

Q12. Exercise: Write a plausible JSON error body for a 429 response including a retry_after field (field names your choice).


1.4.c — HTTPS vs HTTP (Q13–Q16)

Q13. List three threats that HTTPS mitigates compared to plain HTTP.

Q14. Name two things HTTPS does not magically fix.

Q15. Why do browsers mark HTTP pages as Not secure for password fields?

Q16. Why is Let’s Encrypt historically important for HTTPS adoption?


1.4.d — How HTTPS secures (Q17–Q20)

Q17. List the three security properties TLS provides for HTTPS.

Q18. What is a certificate chain and why does the browser need a trusted anchor?

Q19. What metadata might still leak to a network observer even under HTTPS (examples)?

Q20. Hands-on: Open a site, inspect the TLS certificate in the browser; note issuer, validity dates, and SAN hostnames.


1.4.e — SSL/TLS (Q21–Q24)

Q21. Why should you say TLS instead of SSL in 2026?

Q22. What is TLS 1.3 roughly improving vs older TLS versions (2–4 bullets)?

Q23. What is forward secrecy (high level) and why do interviewers like hearing it?

Q24. What is a cipher suite (one paragraph)?


1.4.f — Proxies (Q25–Q28)

Q25. Contrast forward proxy vs reverse proxy using “who configures it” and “who benefits.”

Q26. Why might TLS be terminated at a reverse proxy?

Q27. Is a CDN edge closer to a forward or reverse proxy? Why?

Q28. Name two risks of corporate HTTPS interception (TLS inspection).


1.4.g — VPN (Q29–Q32)

Q29. Describe the VPN tunnel model in 4 short steps (client → VPN server → internet).

Q30. What does your ISP see with HTTPS without VPN vs with VPN (high level)?

Q31. What is a DNS leak (one sentence) and why does it matter?

Q32. Why might streaming services block known VPN IPs?


Reflection (Q33–Q34)

Q33. Write a 60-second script: “What is HTTPS?” for a non-technical relative.

Q34. Which subtopic (1.4.a–g) needs more study? List 3 concrete follow-ups.


Answer hints (short)

  Q    Hint
  Q3   Each request stands alone; sessions are layered on top via cookies, tokens, etc.
  Q9   401 = authentication (who are you?); 403 = authorization (you may not). APIs sometimes blur the two.
  Q17  Confidentiality + integrity + authentication (of the server)
  Q25  Forward = client/org side; reverse = site owner's front door
  Q31  DNS queries bypass the VPN tunnel if it is misconfigured
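
Worked hint for Q3, Q9 and Q12, as an added Python example (not code from the lesson files): a stateless handler that decides between 401, 403 and 429 and attaches the header each status requires (WWW-Authenticate for 401, Retry-After for 429), plus the client-side parser for Retry-After, which RFC 9110 allows as either delta-seconds or an HTTP-date. The token table, resource owners, rate limit, retry interval and fixed clock are constructed values, not taken from any real service.

```python
"""Stateless API handler for the 401 / 403 / 429 decision, plus Retry-After
parsing on the client side. Added example for the exercise hints; all tokens,
resources and limits below are constructed values."""
from __future__ import annotations

import json
import secrets
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed data: opaque bearer tokens and the user each one belongs to.
# A real service would verify a signed token or look it up in a token store.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Constructed resources and their owners.
RESOURCES = {"/users/alice/profile": "alice", "/users/bob/profile": "bob"}
# Constructed rate limit: requests per user before 429, and how long to back off.
RATE_LIMIT = 3
RETRY_AFTER_SECONDS = 30
# Fixed clock for the HTTP-date branch of retry_after_seconds (constructed).
EXAMPLE_NOW = datetime(2015, 10, 21, 7, 28, 0, tzinfo=timezone.utc)


def error_body(code: str, message: str, **extra) -> bytes:
    """JSON error body (Q12). Anything the client must act on, such as
    retry_after, is repeated in the body so clients that only read JSON
    still see it; the authoritative copy is the header."""
    err = {"code": code, "message": message, "request_id": secrets.token_hex(8)}
    err.update(extra)
    return json.dumps({"error": err}).encode()


def error_field(body: bytes, field: str):
    """Read one field back out of an error_body payload."""
    return json.loads(body)["error"].get(field)


def handle(path: str, headers: dict[str, str], counters: dict[str, int]):
    """Return (status, response_headers, body) for one request.

    HTTP is stateless (Q3): nothing about the caller survives between calls
    except what the bearer token lets us recompute. `counters` stands in for
    the shared store a rate limiter needs precisely because of that.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = TOKENS.get(token) if scheme == "Bearer" else None

    # 401 (Q9): the client has not proven who it is. RFC 9110 requires a
    # WWW-Authenticate challenge saying how to do so; RFC 6750 adds the
    # error attribute when a token was presented but rejected.
    if user is None:
        challenge = 'Bearer realm="api"'
        if auth:
            challenge += ', error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, error_body(
            "unauthenticated", "present a valid bearer token")

    # 429: identity is known, but this caller has exhausted its budget.
    counters[user] = counters.get(user, 0) + 1
    if counters[user] > RATE_LIMIT:
        return 429, {"Retry-After": str(RETRY_AFTER_SECONDS)}, error_body(
            "rate_limited", "request budget exhausted", retry_after=RETRY_AFTER_SECONDS)

    # 403 (Q9): identity is valid, but this user may not touch this resource.
    # Re-authenticating would not help, so there is no WWW-Authenticate challenge.
    owner = RESOURCES.get(path)
    if owner is None:
        return 404, {}, error_body("not_found", "no such resource")
    if owner != user:
        return 403, {}, error_body("forbidden", "not the owner of this resource")

    return 200, {"Content-Type": "application/json"}, json.dumps(
        {"owner": owner, "path": path}).encode()


def retry_after_seconds(value: str, now: datetime | None = None) -> int:
    """Client side: Retry-After is either delta-seconds or an HTTP-date
    (RFC 9110 section 10.2.3). A real client should also cap the result."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    when = parsedate_to_datetime(value)
    if when.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0, int((when - now).total_seconds()))
```

Note the ordering: the 401 check runs before the rate limiter because an unauthenticated caller has no identity to count against, and the 403 branch deliberately sends no challenge, since the problem is permission, not proof of identity.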

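Worked hint for Q6 and Q19, as an added Python example (not lesson code): what an on-path observer can read from a TLS ClientHello before any key exchange has happened. Rather than embed a packet capture, the script constructs a minimal TLS 1.3-style ClientHello for a constructed hostname and ALPN list using the RFC 8446 section 4.1.2 wire format, then parses it back the way a passive sniffer would. The SNI hostname, the offered ALPN protocols, the supported versions and the cipher suites are all plaintext.

```python
"""Build a minimal TLS 1.3-style ClientHello and parse it back the way a
passive on-path observer would. Added example for the exercise hints; the
hostname and ALPN list are constructed, and the wire format follows
RFC 8446 section 4.1.2."""
from __future__ import annotations

import os
import struct

EXT_SERVER_NAME = 0          # RFC 6066: server_name (SNI)
EXT_ALPN = 16                # RFC 7301: application_layer_protocol_negotiation
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446: supported_versions


def _vec(data: bytes, width: int) -> bytes:
    """Opaque vector with a `width`-byte big-endian length prefix."""
    return len(data).to_bytes(width, "big") + data


def _ext(ext_type: int, data: bytes) -> bytes:
    """Extension: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(hostname: str, alpn: list[str]) -> bytes:
    """Construct a ClientHello record (constructed test data, not a capture)."""
    sni_list = b"\x00" + _vec(hostname.encode("idna"), 2)  # name_type 0 = host_name
    alpn_list = b"".join(_vec(p.encode("ascii"), 1) for p in alpn)
    extensions = (
        _ext(EXT_SERVER_NAME, _vec(sni_list, 2))
        + _ext(EXT_ALPN, _vec(alpn_list, 2))
        + _ext(EXT_SUPPORTED_VERSIONS, _vec(b"\x03\x04\x03\x03", 1))  # TLS 1.3, TLS 1.2
    )
    body = (
        b"\x03\x03"                      # legacy_version: fixed at 0x0303 in TLS 1.3
        + os.urandom(32)                 # random
        + _vec(b"", 1)                   # legacy_session_id (empty)
        + _vec(b"\x13\x01\x13\x02", 2)   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
        + _vec(b"\x00", 1)               # legacy_compression_methods: null only
        + _vec(extensions, 2)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)                # record type handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Return the fields an observer can read without any key material."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]

    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [body[i:i + 2].hex() for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                           # skip legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2

    info = {"sni": None, "alpn": [], "supported_versions": [], "cipher_suites": suites}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:            # ServerNameList: 2-byte length, then entries
            p = 2
            while p < len(data):
                name_type, ln = data[p], int.from_bytes(data[p + 1:p + 3], "big")
                if name_type == 0:
                    info["sni"] = data[p + 3:p + 3 + ln].decode("idna")
                p += 3 + ln
        elif ext_type == EXT_ALPN:                 # ProtocolNameList: 2-byte length, 1-byte-prefixed names
            p = 2
            while p < len(data):
                info["alpn"].append(data[p + 1:p + 1 + data[p]].decode("ascii"))
                p += 1 + data[p]
        elif ext_type == EXT_SUPPORTED_VERSIONS:   # 1-byte length, then 2-byte versions
            info["supported_versions"] = [data[i:i + 2].hex() for i in range(1, 1 + data[0], 2)]
    return info


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.example.com", ["h2", "http/1.1"])))
```

The printed dictionary is the metadata a network observer has even though HTTPS is in use. TLS 1.3 encrypts the server certificate and everything after the handshake keys are derived, but not this first message; Encrypted Client Hello is the extension still being rolled out to close the SNI gap, and the destination IP address, packet timing and traffic volume stay visible regardless.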