Questions

  1. Did you notice how standard HTTP methods like GET, POST, PUT, DELETE are used in the endpoints? Why is this important?

    • A. It makes the API code run faster.

    • B. It allows the server to store more data.

    • C. It provides a predictable and uniform interface for developers.

    • D. It encrypts the user data automatically.

  2. Which of the following HTTP status codes specifically indicates that a resource was successfully created?

    • A. 200 OK

    • B. 201 Created

    • C. 204 No Content

    • D. 302 Found

  3. In the context of REST APIs, what does “Statelessness” mean?

    • A. The server does not remember the client state between requests; each request must contain all necessary info.

    • B. The server never stores data in a database.

    • C. The API does not have a fixed URL structure.

    • D. The client does not need to authenticate after the first login.

  4. What is the primary difference between PUT and PATCH?

    • A. PUT creates a resource, while PATCH deletes it.

    • B. PUT is used for partial updates, while PATCH replaces the entire resource.

    • C. PUT replaces the entire resource, while PATCH performs a partial update.

    • D. PUT is secure, while PATCH is not.

  5. Which component of a JWT ensures that the token has not been tampered with?

    • A. The Header

    • B. The Payload

    • C. The Signature

    • D. The Expiration Claim (exp)

  6. If a JWT is stolen, what is the most effective immediate mitigation if “Refresh Tokens” are NOT used?

    • A. Change the user’s password.

    • B. There is no immediate way to revoke a stateless JWT without server-side tracking (blocklist) or waiting for expiration.

    • C. Delete the user account.

    • D. Change the API URL.

  7. What is the difference between the 401 Unauthorized and 403 Forbidden status codes?

    • A. They are interchangeable.

    • B. 401 means the server is down, 403 means the database is full.

    • C. 401 indicates missing or invalid authentication credentials; 403 indicates the user is authenticated but lacks permission.

    • D. 401 is for client errors, 403 is for server errors.

  8. Which HTTP method is considered “Idempotent” (safe to retry multiple times without changing the result beyond the initial application)?

    • A. POST

    • B. PUT

    • C. PATCH (usually, but not strictly required)

    • D. All of the above are always idempotent.

  9. Why is it critical to use HTTPS when using Basic Auth or Bearer Tokens (JWT)?

    • A. HTTPS increases the speed of the API.

    • B. HTTPS prevents “Man-in-the-Middle” attacks where the token could be intercepted in plain text.

    • C. HTTPS compresses the JSON response.

    • D. It is not critical; HTTP is fine for internal tools.

  10. How does Rate Limiting protect an API?

    • A. It validates the schema of the JSON body.

    • B. It prevents abuse (DoS/DDoS) and ensures fair usage by limiting requests per client over time.

    • C. It encrypts the database connection.

    • D. It ensures that only admin users can access the API.

  11. When designing a REST API, when should you use Query Parameters (e.g., /users?role=admin) vs Path Parameters (e.g., /users/123)?

    • A. Always use Query Parameters for everything.

    • B. Use Path Parameters for filtering and sorting, and Query Parameters to identify specific resources.

    • C. Use Path Parameters to identify a specific resource, and Query Parameters for filtering, sorting, or pagination.

    • D. Use Path Parameters for secrets (like passwords) and Query Parameters for public data.

  12. What is a “Cross-Origin Resource Sharing” (CORS) error?

    • A. An error when the database and server are on different time zones.

    • B. A browser security feature preventing a web page from making requests to a different domain than the one that served the page.

    • C. An error when two users try to edit the same file at the same time.

    • D. The API server running out of memory.

Answer Key

  1. C - Uniform Interface is a key REST constraint.

  2. B - 201 is the specific code for creation.

  3. A - Statelessness enables scalability by removing server-side session storage requirements.

  4. C - PUT is full replacement; PATCH is partial modification.

  5. C - The signature is generated using a secret key to verify integrity.

  6. B - Pure stateless JWTs cannot be revoked easily; short expiration or blocklists are needed.

  7. C - 401 = “Who are you?”; 403 = “I know who you are, but you can’t do this.”

  8. B - PUT requests result in the same state regardless of how many times they are sent. POST is NOT idempotent.

  9. B - Tokens are sent in the header; without HTTPS, anyone sniffing the network can read them.

  10. B - Rate limiting restricts volume to prevent overload.

  11. C - Path = Identity; Query = Modifiers/Filters.

  12. B - CORS is a browser-enforced security boundary.