How the Web Works


What is the difference between PUT and PATCH?

PUT will update the entire object while PATCH will update pieces of the object.

What is the difference between GET and POST?

A GET request is an HTTP request that is sent without side effects, whereas a POST request is sent with the intention of changing data on the server to which it is sending the request. A GET request will send arguments through the query parameters, whereas a POST request will do this through the body. You cannot change the URL to send a POST request, but with GET requests you can.

What is a cookie and what kinds of things are they commonly used for?

A cookie is a piece of information that stores a domain, a "key", and a "value" and is sent from the server to the client. It allows the client to send that information back to the server so the server can use it. It allows a user to go back into a session and resume where they left off.

What is AJAX? Why would you use it?

AJAX is a set of technologies that allow us to make HTTP requests from the browser using JavaScript without the page refreshing. This enables capabilities such as building interactive websites that can load more data without having to refresh the page.

What are some differences between making HTTP requests using AJAX and from the server side using a library like `requests`?

AJAX requests are asynchronous, whereas server-side requests are synchronous. AJAX requests must respect the same-origin policy, whereas server requests don't. Server requests can help keep private keys secret, since they won't be in the client browser as they would be with AJAX.

What is an API?

An API is a set of clearly defined methods of communication between various components. For example, we could use the Google Maps API in our own application to draw a map or to find directions.

What is the difference between authorization and authentication?

Authentication refers to the process of verifying who you are, whereas authorization is the process of verifying that you have access to something. For example, you can authenticate someone's login and then use authorization to make sure they have access to their profile.

What is CORS? How does it work?

CORS stands for Cross-Origin Resource Sharing, and it is a mechanism that allows us to relax the Same Origin Policy. It requires that a response header be sent from the server specifying which origins are allowed (the header is called Access-Control-Allow-Origin). The browser will check whether that header is present, and if it is and the request is coming from a permitted origin, the cross-origin request will be allowed.

What is CSRF? What is the purpose of the CSRF token?

CSRF stands for cross-site request forgery. For example, if I made a form that posted to Facebook to delete a user, I technically could build that form, but it would not work because of CSRF protection. If, however, I had a token that could prove I am allowed to make the request, it would go through. The CSRF token is the item that proves I am who I say I am and allows the request to be made.

What is a port?

Every server has 65,535 unique ports that you can talk to. In the analogy of a house, these would be the doors of the house. There are many different ways to access a server, and the port identifies which method you are trying. Port 80, for example, corresponds to the HTTP protocol. If you access port 80, the server is going to expect that protocol when communicating.

What is an HTTP header?

Headers contain information about the data being sent in an HTTP request, such as the hostname, date, language, cookies, authorization, and more.

What does idempotent mean? Which HTTP verbs are idempotent?

Idempotent means that the side effects will be the same whether the same request is made once or many times. The idea is that the state changes just once no matter how many times the request is made. GET, PATCH, and DELETE verbs are all idempotent.

What is a resource?

It is similar to an object in an OOP language. A resource is an object with a type, associated data, and relationships to other resources. The standard methods on the resource are the HTTP verbs.

What is the role of a web application framework, like Flask?

It is a set of functions, classes, etc. that help define which requests to respond to as well as how to respond to requests.

What is an IP address?

It is a unique address that points to a computer on the network. It is formatted as four numbers between 0 and 255 separated by periods. Since this could lead to issues with the availability of numbers, there is also the concept of a virtual IP address. For example, the Rithm School network would have a globally unique IP address, and each computer would have a unique virtual IP address within that network. This will not be globally unique, but it is unique within the network. This still allows for unique identification of a device without a globally unique IP address.

What is JSON?

JSON is a string that looks like a JS object. It is a common data exchange format for sending data between servers and clients. Since everything in HTTP is sent as strings, JSON.parse converts those strings into usable JS objects, and JSON.stringify converts a JavaScript object into JSON.

What is a JWT?

JWT stands for JSON Web Token. It is a way to securely transmit information over HTTP. The three parts of a JWT are the header, the payload, and the signature. The header contains metadata, the payload contains the actual information, and the signature is generated by signing the header and the payload with a secret key. If any part of the JWT is tampered with, the signature will become invalid.

What are some limitations of AJAX requests?

One limitation is that the calls are asynchronous. If you need specific data from a call in order to accomplish something else, you will need to be mindful about how you manage async code. This can lead to confusing code if not done correctly. You could potentially have different parts of the page load at different times because of this, which could confuse the end user. Another limitation is security. With AJAX, you can't make HTTP requests to all APIs due to security restrictions (see the answer on the Same Origin Policy below).

What is one-way encryption?

One-way encryption means that the result of the encryption cannot be decrypted back to the original input.

What is RESTful routing?

RESTful routing is designing routes that conform to REST standards around resources. REST itself is an architectural style for designing routes and provides constraints for creating web services. We would use it when designing our routes, making sure that we follow the naming conventions for our routes as well as use the right HTTP verbs. For example, REST would dictate that we name the route for adding a user /users instead of something like /users/add.

What is a hostname?

The hostname is the nickname for the server that a website is hosted on.

What is an HTTP Response Code?

The response code tells you how the HTTP request was received. For example, a code of 200 means that the request was received and handled successfully. 404 is a typical one that means the location being requested was not found.

What is the signature portion of the JWT? What does it do?

The signature is the result of concatenating the header with the payload and then hashing that data with a secret key. The signature portion of the JWT ensures that the token cannot be tampered with. Only the server can create tokens, because only the server knows the secret key used in the hash.

How can you implement authentication with a JWT? Describe how it works at a high level.

The user sends a request to create an account or to log in. If the login or account creation is successful, a JWT is created on the server side using a secret key that only the server knows. The payload of the JWT contains something that uniquely identifies the user (like a user id). The client must save the token somehow; typical ways are local storage or a cookie. To make an authenticated request, the client must provide the token as specified by the server. Typically the token is sent in a header called Authorization. The server then verifies the token: it takes the header and payload and signs that data using the secret key. If the signature it computes matches the signature in the token, the token is verified. The server then looks inside the payload of the token to get the unique identifier for the user and figure out which user has been authenticated.

What is the Same Origin Policy?

This is a policy that is specific to the browser. When you make an HTTP request, that request must come from the same origin as the one you are sending the request to. This protects the end user by making sure that someone can't send malicious information from one origin to another. The same origin means the same protocol, domain, and port.

What is the purpose of `form.hidden_tag()`?

This will render all of the hidden input tags and is commonly used to pass values like the CSRF token through a hidden field with WTForms.

What are some differences between WebSockets and HTTP?

WebSocket is another communication method besides HTTP. WebSocket allows the connection to the server to stay open so that ongoing communication between the client and server can take place. Other than chat systems, WebSockets are good for any sort of environment in which multiple people are working together. For example, in Google Docs you can work with another person in the same document and see in real time what they are changing. WebSockets maintain a connection and have much less overhead than HTTP.

When building a JSON API why do you not include routes to render a form that when submitted creates a new user?

When creating an API, you are not returning the HTML for the form. You are simply taking in the data provided by the front end, creating the user, and then sending back JSON. It is the job of the front end to send the right data however it pleases (through a form generated on the front end, AJAX, etc.).

What is DNS?

When your device is attempting to connect to a website, it has to find the location of the website you are trying to access. First it will try the cache if you visited the site recently, then it will try the router, then the ISP. If the ISP, such as Comcast, cannot find the website, there is a set of computers whose job it is to find the website you are looking for. These computers are the DNS servers, which store where websites are located. DNS is like the phonebook of the internet.

If a JWT is intercepted, can the attacker see what's inside the payload?

YES! With a standard HS256 signature, the header and the payload are not encrypted, so an attacker can easily see what's inside both. The signature only ensures that the data cannot be changed; it does not ensure that the data is private. So do not put sensitive data inside a JWT.
