Computer Networks — Quick Summary
Quick revision: every topic, key terms, and mnemonics for Computer Networks.
This is a quick revision doc covering all 42 topics in computer-networks. Open the linked notes if you want depth.
Networking Fundamentals
OSI Model (7 Layers)
What it is. A 7-layer conceptual model that describes how two computers talk on a network. Teaching tool, not a real implementation.
Why it matters. Lets us reason about each layer in isolation — “is this a Layer 2 (switch) or Layer 7 (API) issue?”
Key terms.
- Layer 7 Application — what users see. HTTP, DNS, SSH.
- Layer 6 Presentation — encoding, encryption, compression. TLS, JPEG.
- Layer 5 Session — opens/closes conversations.
- Layer 4 Transport — end-to-end delivery, ports. TCP, UDP.
- Layer 3 Network — routes between networks. IP, ICMP.
- Layer 2 Data Link — frames on a single link. Ethernet, MAC, ARP.
- Layer 1 Physical — bits on the wire. Cables, fiber, radio.
Remember. Bottom-up: Please Do Not Throw Sausage Pizza Away (Physical, Data Link, Network, Transport, Session, Presentation, Application). Top-down: All People Seem To Need Data Processing. Pair each layer with a protocol and a device example (router=L3, switch=L2). TLS sits at L6 conceptually but bridges L5/L6/L7.
TCP/IP Model
What it is. The 4-layer model that the real internet runs on. OSI is the textbook, TCP/IP is reality.
Key terms.
- Link Layer — Ethernet, Wi-Fi, ARP. (OSI L1+L2)
- Internet Layer — IP, ICMP. (OSI L3)
- Transport Layer — TCP, UDP, QUIC. (OSI L4)
- Application Layer — HTTP, DNS, SSH, gRPC. (OSI L5+L6+L7)
Remember. TCP/IP folded session + presentation into application. TLS doesn’t fit cleanly anywhere — that’s a known weakness. If asked “which model does the internet use?” answer TCP/IP.
How Data Travels (Encapsulation & Frames)
What it is. Each layer wraps data in its own header going down, unwraps coming up. The Russian doll model.
Key terms.
- PDU — Protocol Data Unit. Different name per layer.
- Encapsulation / Decapsulation — the wrapping / unwrapping process.
- MTU — Maximum Transmission Unit. Ethernet default = 1500 bytes.
- Fragmentation (IP layer) vs Segmentation (TCP layer) — different problems.
Remember. PDU mnemonic top-down: Data → Segments → Packets → Frames → Bits. Each header answers a different question: Ethernet=which device on this LAN, IP=which machine on the internet, TCP/UDP=which app on that machine, HTTP=what does the app want. TCP segmentation is normal; IP fragmentation is generally avoided.
IP Addressing (IPv4 & IPv6)
What it is. Unique identifier for a device on a network. IPv4 = 32 bits (~4.3 billion), IPv6 = 128 bits (~340 undecillion).
Key terms.
- IPv4 dotted decimal — `192.168.1.10`, four 0–255 octets.
- Private ranges (RFC 1918) — `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`.
- Loopback — `127.0.0.1` (IPv4), `::1` (IPv6).
- Link-local — `169.254.x.x` (IPv4), `fe80::/10` (IPv6).
- IPv6 shorthand — drop leading zeros, replace one run of zero-groups with `::`.
Remember. IPv4 exhaustion is why IPv6 exists. The three private ranges + 127.0.0.1 = localhost = ::1 are common interview answers.
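Added example (not from this doc): classify an address into the special ranges above and apply the IPv6 shorthand rules by hand, cross-checked against Python's `ipaddress` module. All addresses used are constructed test values.

```python
import ipaddress

# Added example, not from the revision doc: classify an address and compress an
# IPv6 address by hand (RFC 5952 rules), cross-checked against the stdlib.

def classify(address: str) -> str:
    """Return which special range an IPv4/IPv6 address falls in, or 'public'."""
    ip = ipaddress.ip_address(address)
    # Order matters: 127.0.0.1 and fe80::1 also report is_private, so test the
    # narrower ranges first.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"

def compress_ipv6(full: str) -> str:
    """Shorten a fully written IPv6 address: drop leading zeros in each group,
    then replace the longest run of two or more zero groups with '::'."""
    groups = full.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 colon-separated groups")
    groups = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:            # ties keep the leftmost run, as RFC 5952 requires
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                    # a single zero group is written as '0', never '::'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def compress_matches_stdlib(full: str) -> bool:
    """Sanity check against the standard library's canonical compressed form."""
    return compress_ipv6(full) == ipaddress.IPv6Address(full).compressed

if __name__ == "__main__":
    for a in ["10.1.2.3", "127.0.0.1", "169.254.7.7", "8.8.8.8", "::1", "fe80::1"]:
        print(a, classify(a))
    print(compress_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001"))
```

The check order in `classify` is the practical gotcha: loopback and link-local addresses are also reported as private by the stdlib, so a naive "is it private?" test lumps them together.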
Subnetting & CIDR
What it is. Splitting an IP block into smaller networks. CIDR notation = “how many bits are network.”
Key terms.
- /N prefix — first N bits identify the network.
- Subnet mask — binary version of the prefix. /24 = `255.255.255.0`.
- Network address — host bits all 0. Broadcast — host bits all 1.
- Usable hosts — `2^(32 - prefix) - 2` (minus network + broadcast).
- Longest prefix match — most specific route wins in routing tables.
Remember. /24 = 254 hosts, /30 = 2 hosts (point-to-point). Reflex: /24 → 255.255.255.0. /31 is special (RFC 3021) — 2 usable hosts on point-to-point.
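Added example (not from this doc): the subnet arithmetic above done from the prefix length with bit masks, including the /31 and /32 special cases, and verified against `ipaddress`. Addresses are constructed.

```python
import ipaddress

# Added example, not from the revision doc: subnet arithmetic from the prefix
# length, checked against the ipaddress module. Addresses are constructed.

def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask and usable-host count for an IPv4 host/prefix."""
    host, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be 0..32")
    addr = int(ipaddress.IPv4Address(host))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # N ones followed by zeros
    network = addr & mask                               # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all 1
    if prefix == 32:
        usable = 1                                      # a single-host route
    elif prefix == 31:
        usable = 2                                      # RFC 3021: both addresses usable on a point-to-point link
    else:
        usable = 2 ** (32 - prefix) - 2                 # minus network + broadcast
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "usable_hosts": usable,
        "is_private": ipaddress.IPv4Network((network, prefix)).is_private,  # RFC 1918 check
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when a and b share their network bits, i.e. can talk without a gateway."""
    return subnet_facts(f"{a}/{prefix}")["network"] == subnet_facts(f"{b}/{prefix}")["network"]

def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against ipaddress."""
    net = ipaddress.ip_network(cidr, strict=False)
    f = subnet_facts(cidr)
    return (f["network"], f["broadcast"], f["mask"]) == (
        str(net.network_address), str(net.broadcast_address), str(net.netmask))

if __name__ == "__main__":
    for c in ["192.168.1.77/24", "10.0.0.9/30", "10.0.0.1/31", "8.8.8.8/32"]:
        print(c, subnet_facts(c))
```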
MAC Addresses & ARP
What it is. MAC = 48-bit hardware address baked into a NIC. ARP maps IP → MAC on the local LAN.
Key terms.
- OUI — first 3 bytes, identifies the vendor.
- Broadcast MAC — `FF:FF:FF:FF:FF:FF`.
- ARP cache — local IP→MAC lookup, expires in minutes.
- Gratuitous ARP — announces own IP/MAC, used for failover and conflict detection.
- NDP — IPv6’s ARP replacement, runs over ICMPv6.
Remember. IP stays the same end-to-end; MAC changes every hop. Talking to a host on a different subnet? Destination MAC = the gateway’s MAC, not the final host’s. ARP has no auth → ARP spoofing is the classic LAN MITM.
Ports & Sockets
What it is. Port = 16-bit (0–65535) number identifying a process. Socket = IP + port.
Key terms.
- Well-known ports — 0–1023 (need root).
- Ephemeral ports — 49152–65535 (used for outbound connections).
- 5-tuple — protocol, src IP, src port, dst IP, dst port. Uniquely identifies a TCP connection.
- LISTENING vs ESTABLISHED — server states.
Remember. Common ports: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 587/465 SMTPS, 993 IMAPS, 3306 MySQL, 5432 Postgres, 6379 Redis, 27017 Mongo. The 5-tuple is how a server handles thousands of clients on the same port — each connection has a unique combo.
Transport Layer
TCP vs UDP
What it is. Two transport protocols. TCP = reliable phone call. UDP = postcard.
Key terms.
- TCP — connection-oriented, reliable, ordered, ~20-byte header.
- UDP — connectionless, unreliable, unordered, 8-byte header.
- QUIC — runs on UDP but adds reliability + ordering in user space (HTTP/3).
Remember. TCP for HTTP/SSH/email/DBs (every byte matters). UDP for DNS/VoIP/games/streaming (speed > completeness). “Real-time” or “low latency” → UDP. “File”, “in order” → TCP. Modern HTTPS often runs on UDP via QUIC.
TCP 3-Way Handshake
What it is. Three-message setup before data flows: SYN, SYN-ACK, ACK.
Key terms.
- SYN — client says “let’s connect, my seq=X.”
- SYN-ACK — server says “ok, my seq=Y, ack X+1.”
- ACK — client says “ack Y+1.” Now ESTABLISHED.
- ISN — Initial Sequence Number, picked pseudo-randomly for security.
- SYN cookies — defense against SYN flood (no state until ACK).
- TFO — TCP Fast Open, includes data in SYN on repeat visits.
Remember. Three messages because both sides need to confirm they can hear each other. Costs 1 RTT before any data flows — that’s why TLS 1.3 0-RTT and QUIC matter. The handshake itself doesn’t carry app data.
TCP Connection Termination (4-Way)
What it is. Closing takes four messages because TCP is full-duplex — each direction closed independently.
Key terms.
- FIN, ACK, FIN, ACK — the four messages.
- Active closer — calls close() first, ends in TIME_WAIT.
- Passive closer — goes through CLOSE_WAIT → LAST_ACK → CLOSED.
- TIME_WAIT — wait 2×MSL (~30–120s) to absorb lost ACKs and kill ghost packets.
- RST — reset, the impolite hard hangup.
- Half-close — `shutdown(SHUT_WR)`, stop sending but keep reading.
Remember. Open = 3 messages, close = 4 messages. TIME_WAIT exists for two reasons: (1) handle a lost final ACK, (2) prevent old packets from showing up in a new connection with the same 5-tuple. Busy proxies tune tcp_tw_reuse=1 to recycle.
Reliable Delivery & Sequence Numbers
What it is. TCP’s reliability comes from sequence numbers + ACKs + retransmits.
Key terms.
- Sequence number — every byte numbered.
- Cumulative ACK — `ack=N` means “got everything up to N-1.”
- Fast retransmit — 3 duplicate ACKs → resend immediately.
- RTO — Retransmission Timeout, doubles on each retry.
- SACK — Selective ACK, says “I have bytes 2000–2500 too.”
- Checksum — 16-bit, detects corruption.
Remember. Every reliability feature is built on numbered bytes + cumulative ACKs + retransmits. App never sees out-of-order data — TCP buffers and reorders. Head-of-line blocking is why real-time apps avoid TCP.
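Added example (not from this doc): a toy receiver that turns out-of-order segments into a cumulative ACK plus SACK blocks and only delivers in-order bytes to the app, and a toy sender that fast-retransmits after 3 duplicate ACKs. The segment payloads and the lost segment are constructed; checksums, RTO and window handling are left out.

```python
# Added example, not from the revision doc: a toy TCP receiver that turns
# out-of-order segments into cumulative ACKs plus SACK blocks, and a toy sender
# that fast-retransmits on three duplicate ACKs. Segment payloads are constructed.

class TcpReceiver:
    def __init__(self, isn: int):
        self.rcv_nxt = isn      # next byte we expect; everything before it is delivered
        self.ooo = {}           # buffered out-of-order segments: seq -> payload
        self.delivered = b""    # what the application has read so far (always in order)

    def receive(self, seq: int, data: bytes):
        """Process one segment; return (ack, sack_blocks) to send back."""
        end = seq + len(data)
        if end <= self.rcv_nxt:
            pass                                          # old duplicate, nothing new
        elif seq <= self.rcv_nxt:
            self.delivered += data[self.rcv_nxt - seq:]   # in order: deliver at once
            self.rcv_nxt = end
            while self.rcv_nxt in self.ooo:               # drain segments that are now contiguous
                chunk = self.ooo.pop(self.rcv_nxt)
                self.delivered += chunk
                self.rcv_nxt += len(chunk)
        else:
            self.ooo[seq] = data                          # hole before this one: buffer, don't deliver
        return self.rcv_nxt, self.sack_blocks()

    def sack_blocks(self):
        """Merge buffered segments into [start, end) ranges the sender may skip."""
        blocks = []
        for seq in sorted(self.ooo):
            end = seq + len(self.ooo[seq])
            if blocks and blocks[-1][1] == seq:
                blocks[-1] = (blocks[-1][0], end)
            else:
                blocks.append((seq, end))
        return blocks


class TcpSender:
    DUP_ACK_THRESHOLD = 3

    def __init__(self):
        self.last_ack = None
        self.dup_acks = 0

    def on_ack(self, ack: int):
        """Return the sequence number to fast-retransmit, or None."""
        if ack == self.last_ack:
            self.dup_acks += 1
            if self.dup_acks == self.DUP_ACK_THRESHOLD:
                return ack          # the hole starts exactly at the repeated ACK number
            return None
        self.last_ack, self.dup_acks = ack, 0
        return None


def simulate_lost_segment() -> dict:
    """Five 100-byte segments from ISN 1000; the second one (seq 1100) is lost."""
    isn, mss = 1000, 100
    segments = {isn + i * mss: bytes([65 + i]) * mss for i in range(5)}  # b"AAA..", b"BBB..", ...
    rx, tx = TcpReceiver(isn), TcpSender()
    acks, retransmit, sack_at_retransmit = [], None, None
    for seq in sorted(segments):
        if seq == 1100:
            continue                                   # dropped by the network
        ack, sack = rx.receive(seq, segments[seq])
        acks.append(ack)
        hole = tx.on_ack(ack)
        if hole is not None:
            retransmit, sack_at_retransmit = hole, sack
    if retransmit is not None:
        ack, _ = rx.receive(retransmit, segments[retransmit])
        acks.append(ack)
    expected = b"".join(segments[s] for s in sorted(segments))
    return {"acks": acks, "retransmit": retransmit,
            "sack_at_retransmit": sack_at_retransmit,
            "in_order": rx.delivered == expected}

if __name__ == "__main__":
    print(simulate_lost_segment())
```

The run shows the ACK number stuck at 1100 while segments 1200 to 1400 pile up in the SACK block, then jump to 1500 once the hole is filled: the 300 buffered bytes sat behind one missing segment, which is head-of-line blocking in miniature.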
Flow Control & Sliding Window
What it is. Receiver tells sender how much it can buffer. Sender never exceeds that window.
Key terms.
- rwnd (receive window) — advertised by receiver in every ACK.
- Sliding window — ACKs slide it right, freeing send room.
- Zero-window probe — 1-byte probe to recover if a window update was lost.
- Window scaling — RFC 7323, multiplies advertised window by 2^N.
- BDP (Bandwidth-Delay Product) — `bandwidth × RTT`, the right window size.
Remember. Flow control = protect the receiver. Congestion control = protect the network. Sender uses min(rwnd, cwnd). A 0-window stall looks like a dead connection but the socket is still ESTABLISHED.
Congestion Control (Slow Start, AIMD)
What it is. TCP probes how fast the network can go and backs off on loss.
Key terms.
- cwnd — congestion window (sender-side).
- Slow Start — cwnd doubles every RTT until ssthresh.
- AIMD — Additive Increase (+1 per RTT), Multiplicative Decrease (cwnd /= 2 on loss).
- Fast Retransmit — resend on 3 dup ACKs without waiting for RTO.
- Fast Recovery — after fast retransmit, set ssthresh = cwnd/2, don’t restart from 1.
- CUBIC — Linux default. BBR — Google’s, models BW+RTT, doesn’t use loss as signal.
- ECN — Explicit Congestion Notification, routers mark instead of drop.
Remember. The four phases: Slow Start, Congestion Avoidance, Fast Retransmit, Fast Recovery. AIMD = Additive Increase, Multiplicative Decrease. Sketch the sawtooth: ramp up exponentially, then linear-up + halve-on-loss forever. TCP can crawl on lossy links because every loss halves cwnd.
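Added example (not from this doc): a per-RTT simulation of the four phases in segments, with a 3-dup-ACK loss and a timeout at constructed RTTs, plus the `min(rwnd, cwnd)` cap from the flow-control section. It is a teaching model of Reno behaviour, not the Linux CUBIC implementation.

```python
# Added example, not from the revision doc: a per-RTT simulation of Reno-style
# congestion control (slow start, AIMD, fast recovery, timeout) in units of
# segments. Loss and timeout RTTs are constructed inputs.

def simulate_reno(rtts: int, ssthresh: int, loss_at=(), timeout_at=(), rwnd=10**9):
    """Return one row per RTT: (rtt, cwnd, in_flight, phase).
    in_flight = min(cwnd, rwnd): flow control caps what congestion control allows."""
    cwnd, phase = 1, "slow_start"
    rows = []
    for t in range(rtts):
        rows.append((t, cwnd, min(cwnd, rwnd), phase))
        if t in timeout_at:
            # RTO fired: multiplicative decrease of the threshold, restart from 1 segment
            ssthresh = max(cwnd // 2, 2)
            cwnd, phase = 1, "slow_start"
        elif t in loss_at:
            # 3 dup ACKs: fast retransmit + fast recovery, halve but don't restart
            ssthresh = max(cwnd // 2, 2)
            cwnd, phase = ssthresh, "congestion_avoidance"
        elif phase == "slow_start":
            cwnd *= 2                       # exponential: one extra segment per ACK
            if cwnd >= ssthresh:
                cwnd, phase = ssthresh, "congestion_avoidance"
        else:
            cwnd += 1                       # additive increase: +1 MSS per RTT
    return rows

def cwnd_trace(rows):
    return [cwnd for _, cwnd, _, _ in rows]

def sawtooth_demo():
    """Loss at RTT 6 (halve), timeout at RTT 10 (back to 1)."""
    return simulate_reno(rtts=12, ssthresh=16, loss_at={6}, timeout_at={10})

if __name__ == "__main__":
    for t, cwnd, in_flight, phase in sawtooth_demo():
        print(f"rtt={t:2d} cwnd={cwnd:3d} in_flight={in_flight:3d} {phase}")
```

Printing the rows gives the sawtooth described above: 1, 2, 4, 8, 16 (exponential), then 17, 18 (linear), a halving to 9 on loss, and a crash to 1 on timeout.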
Network Layer & Routing
IP Routing & Routers
What it is. Routers forward IP packets between networks using a routing table.
Key terms.
- Routing table — list of `(prefix → next-hop, interface)` rules.
- Default gateway — `0.0.0.0/0` route, used when nothing else matches.
- Longest prefix match — most specific route wins.
- TTL — decremented per hop. TTL=0 → drop + ICMP Time Exceeded.
- Routing vs Forwarding — building the table vs the per-packet decision.
- ECMP — Equal-Cost Multi-Path load balancing.
Remember. Longest prefix match + default gateway are the two phrases interviewers love. IP src/dst stay constant end-to-end, MAC changes every hop. “I can ping local but not internet” = gateway misconfigured.
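Added example (not from this doc): longest-prefix-match lookup over a constructed routing table with a default gateway, and the per-hop forwarding step that decrements TTL and drops with ICMP Time Exceeded at zero. Prefixes, next hops and interface names are invented for the example.

```python
import ipaddress

# Added example, not from the revision doc: longest-prefix-match lookup over a
# constructed routing table, plus the per-hop TTL decrement a router performs.

# (prefix, next_hop, interface); next_hop None = directly connected, deliver to dst itself
ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "eth0"),     # default gateway
    ("10.0.0.0/8", "10.0.0.1", "tun0"),
    ("10.1.2.0/24", None, "eth1"),
    ("192.168.1.0/24", None, "eth0"),
]

def lookup(dst: str, routes=ROUTES):
    """Return the most specific matching route as a dict, or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    net, next_hop, iface = best
    return {"prefix": str(net), "next_hop": next_hop or dst, "iface": iface}

def forward(packet: dict, routes=ROUTES) -> dict:
    """One router hop: drop on TTL exhaustion, else decrement TTL and pick an egress."""
    if packet["ttl"] <= 1:
        # ICMP Time Exceeded (type 11) goes back to the source; traceroute relies on this
        return {"action": "drop", "icmp": "Time Exceeded (11)", "to": packet["src"]}
    route = lookup(packet["dst"], routes)
    if route is None:
        return {"action": "drop", "icmp": "Destination Unreachable (3)", "to": packet["src"]}
    out = dict(packet, ttl=packet["ttl"] - 1)    # src/dst IP unchanged end to end
    return {"action": "forward", "packet": out, "iface": route["iface"],
            "next_hop": route["next_hop"]}       # next hop decides the new dst MAC (via ARP)

if __name__ == "__main__":
    for dst in ["10.1.2.50", "10.9.9.9", "8.8.8.8"]:
        print(dst, lookup(dst))
    print(forward({"src": "10.1.2.50", "dst": "8.8.8.8", "ttl": 1}))
```

Note that `10.1.2.50` matches three rows; the /24 wins because it is the most specific, and its `next_hop` is the destination itself since the network is directly connected.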
Routing Algorithms (Distance Vector, Link State)
What it is. Routers learn paths from each other. Two main families plus BGP.
Key terms.
- Distance Vector / RIP — Bellman-Ford. Slow, count-to-infinity loops, capped at 15.
- Link State / OSPF — Dijkstra. Each router has full topology. Fast, scales.
- IS-IS — older link-state cousin of OSPF, used by big ISPs.
- BGP (Path Vector) — between Autonomous Systems, runs the internet, TCP port 179.
- IGP vs EGP — interior (within an AS) vs exterior (BGP).
Remember. RIP = distance vector = Bellman-Ford = small networks. OSPF = link state = Dijkstra = enterprise IGP. BGP = path vector = the internet’s glue. BGP misconfigs cause famous outages (Facebook 2021, Pakistan/YouTube 2008).
NAT (Network Address Translation)
What it is. Many private IPs share one public IP by rewriting source IP+port.
Key terms.
- PAT / NAPT / NAT overload — what home routers do (port-based).
- NAT table — `(public_port → private_ip:private_port + remote)`.
- Port forwarding — manual rule to expose internal services.
- Hairpinning / NAT loopback — accessing your own public IP from inside the LAN.
- CGNAT — ISP-level NAT, often on `100.64.0.0/10` (RFC 6598).
- NAT types — full-cone, restricted-cone, port-restricted-cone, symmetric (worst for P2P).
Remember. NAT exists for IPv4 exhaustion. Side effect: breaks end-to-end connectivity, hard for P2P apps (need STUN/TURN). NAT is not a firewall even though it acts firewall-ish.
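Added example (not from this doc): a toy NAPT table. Outbound flows get a fresh public port, inbound packets are translated back only when a mapping keyed on the remote peer exists (the "firewall-ish" side effect), and a static port-forward rule punches a deliberate hole. All addresses are constructed from documentation ranges.

```python
import itertools

# Added example, not from the revision doc: a toy NAPT table. Outbound flows get a
# fresh public port; inbound packets are translated back only if a mapping (or a
# static port-forward rule) exists. Addresses are constructed.

class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)
        self.out = {}        # (priv_ip, priv_port, remote_ip, remote_port) -> public_port
        self.back = {}       # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.forwards = {}   # public_port -> (priv_ip, priv_port), any remote allowed

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; reuse the mapping for the same flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            pub = next(self.next_port)
            self.out[key] = pub
            self.back[(pub, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Reverse-translate an incoming packet; None means no mapping, so it is dropped."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        # Mapping is keyed on the remote endpoint too, so only the peer we talked to gets in
        return self.back.get((dst_port, src_ip, src_port))

    def port_forward(self, public_port, priv_ip, priv_port):
        """Manual rule exposing an internal service to any remote host."""
        self.forwards[public_port] = (priv_ip, priv_port)

def demo() -> dict:
    nat = Napt("203.0.113.7")             # TEST-NET-3 address, constructed
    a = nat.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    b = nat.outbound("192.168.1.11", 51000, "198.51.100.20", 443)   # same private port, different host
    again = nat.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    reply_b = nat.inbound("198.51.100.20", 443, b[1])
    stray = nat.inbound("192.0.2.99", 443, a[1])      # unsolicited: nobody talked to this peer
    nat.port_forward(8080, "192.168.1.20", 80)
    exposed = nat.inbound("192.0.2.99", 5555, 8080)
    return {"a": a, "b": b, "again": again, "reply_b": reply_b, "stray": stray, "exposed": exposed}

if __name__ == "__main__":
    print(demo())
```

Because the mapping includes the remote endpoint, this toy behaves like the "symmetric" type in the list above, which is exactly why a P2P peer cannot guess its way in and STUN/TURN are needed.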
ICMP, ping & traceroute
What it is. ICMP is the network’s signalling protocol. ping uses Echo Request/Reply; traceroute abuses TTL.
Key terms.
- Echo Request (8) / Echo Reply (0) — what ping sends.
- Time Exceeded (11) — what routers send when TTL hits 0.
- Destination Unreachable (3) — sub-codes for net/host/port.
- mtr — `traceroute` + `ping`, continuous, shows per-hop loss.
- ICMPv6 — carries Neighbor Discovery + Path MTU Discovery; must not be blocked wholesale.
Remember. ping = ICMP echo round-trip. traceroute = clever TTL abuse — send TTL=1, 2, 3… and read the Time Exceeded replies. * * * hops usually mean ICMP is silently rate-limited, not that the path is broken.
VPN Basics
What it is. Encrypted tunnel between two points. Wraps inner packet inside outer encrypted packet.
Key terms.
- Tunneling — packet-in-packet.
- Client-to-site vs site-to-site topologies.
- IPsec — L3, kernel-level standard. NAT-tricky, IKE for keys.
- OpenVPN — user-space, TLS-based, mature but heavy.
- WireGuard — ~4000 LoC, UDP, modern crypto (Curve25519, ChaCha20).
- Split tunnel — only some routes go through VPN.
- Tailscale / ZeroTier — mesh VPNs with auto NAT traversal.
Remember. Three sentences: tunneling + encryption + routing. Modern default = WireGuard. VPN doesn’t make you anonymous — it shifts trust from ISP to provider.
Application Layer Protocols
HTTP Basics (Methods, Status Codes, Headers)
What it is. The language browsers and servers speak. Client requests, server responds.
Key terms.
- Methods — GET (read), POST (create/action), PUT (replace), PATCH (partial), DELETE, HEAD, OPTIONS.
- Idempotent — same effect 1x or 100x. GET, HEAD, PUT, DELETE = yes. POST = no.
- Common headers — Host, User-Agent, Authorization, Content-Type, Accept, Cache-Control, Set-Cookie, Location.
Remember. Status code mnemonic: 1 = hold on, 2 = here you go, 3 = look elsewhere, 4 = your fault, 5 = my fault. Memorize categories + famous codes (200, 301, 304, 400, 401, 403, 404, 429, 500, 502, 503, 504). Idempotency = the interview hook for safe retries.
Cheatsheet — HTTP Status Codes
| Range | Meaning | Examples |
|---|---|---|
| 1xx | Informational | 100 Continue, 101 Switching Protocols |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301 Moved, 302 Found, 304 Not Modified |
| 4xx | Client error | 400 Bad Request, 401, 403, 404, 429 Too Many |
| 5xx | Server error | 500, 502 Bad Gateway, 503, 504 Gateway Timeout |
HTTP/1.0 vs 1.1 vs 2 vs 3 (QUIC)
What it is. HTTP evolved to fix bottlenecks at each level.
Key terms.
- HTTP/1.0 — one TCP connection per request. Painful.
- HTTP/1.1 — keep-alive, but head-of-line at app layer. Browsers opened 6 conns/domain.
- HTTP/2 — binary, stream multiplexing on one TCP, HPACK header compression. Still has TCP-level HOL blocking.
- HTTP/3 — runs on QUIC over UDP. Independent streams, no HOL. TLS 1.3 baked in. Connection migration via connection ID.
Remember. Head-of-line blocking moved up the stack and finally got solved. 1.1 → request-level. 2 → TCP-level. 3 → QUIC fixes it.
DNS Deep Dive (Recursive vs Iterative, Records)
What it is. Phonebook of the internet. Names → IPs.
Key terms.
- Stub resolver (OS) → Recursive resolver (1.1.1.1) → Root → TLD → Authoritative.
- Recursive query — “give me the answer.” Iterative — “ask this other server.”
- Records — A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), TXT (SPF/DKIM), NS, PTR (reverse), SRV.
- TTL — caching duration. Caching at every layer (browser, OS, recursive).
- DoH / DoT — DNS over HTTPS / TLS for privacy.
Remember. Browser → resolver hop is recursive. Resolver → root → TLD → authoritative is iterative. DNS change “propagation delay” = old caches still alive.
DHCP
What it is. Auto-assigns IP + gateway + DNS to devices joining a network.
Key terms.
- DORA — Discover, Offer, Request, Acknowledge.
- Discover — broadcast from `0.0.0.0`.
- Lease — IP is yours for N hours. Renew at 50%, rebind at 87.5%.
- UDP ports 67 (server) / 68 (client).
Remember. Just DORA + ports 67/68. Broadcast because client has no IP yet. DHCP also hands out subnet mask, default gateway, DNS servers, NTP.
SMTP, IMAP & POP3
What it is. Three email protocols. SMTP sends, IMAP/POP3 receive.
Key terms.
- SMTP — port 25 (server-to-server), 587 (submission, STARTTLS), 465 (implicit TLS).
- IMAP — sync from server. Port 143, 993 (TLS).
- POP3 — download and delete. Port 110, 995 (TLS).
- MX record — DNS record pointing to a domain’s mail server.
Remember. SMTP = send, IMAP = sync, POP3 = download+delete. Use IMAP if multi-device. Memorize secure ports: 587, 993, 995.
FTP & SFTP
What it is. File transfer. FTP plaintext, SFTP runs over SSH.
Key terms.
- FTP — control port 21, data port 20 (active) or random (passive).
- Active mode — server initiates the data connection; breaks when the client is behind NAT.
- Passive mode (PASV) — client initiates both; NAT-friendly. Default.
- FTPS ≠ SFTP. FTPS = FTP + TLS (port 990/21). SFTP = subsystem of SSH (port 22).
Remember. Plain FTP is plaintext — never use it. Pick SFTP — single connection, encrypted, no active/passive mess.
SSH
What it is. Encrypted remote shell + tunneling Swiss army knife. Port 22.
Key terms.
- Key pair — private (`~/.ssh/id_ed25519`), public (`authorized_keys`).
- known_hosts — Trust on First Use, prevents MITM.
- `-L` local forward, `-R` remote forward, `-D` SOCKS proxy.
- ssh-agent — caches passphrase per session.
- ~/.ssh/config — host shortcuts.

```bash
ssh-keygen -t ed25519 -C "manish@laptop"
ssh-copy-id manish@server.example.com
ssh -L 5432:localhost:5432 manish@server   # tunnel DB
```
Remember. Three security layers: transport (DH key exchange), authentication (host key + user key), channels (multiplexed sessions). Port forwarding is SSH’s superpower.
Web & Real-Time Communication
REST API Networking
What it is. REST = stateless HTTP-style API. Idempotency and caching are the network angle.
Key terms.
- Stateless — every request stands alone, easy to scale.
- Idempotent — GET/HEAD/OPTIONS/PUT/DELETE yes; POST no by default.
- Idempotency-Key — Stripe-style header to make POST safe to retry.
- Cache-Control — `public`, `private`, `no-cache`, `no-store`, `max-age=N`.
- ETag / If-None-Match — fingerprint-based revalidation → 304 Not Modified.
- Last-Modified / If-Modified-Since — timestamp-based.
Remember. Retry only idempotent methods automatically. Make POST idempotent at the app layer with an idempotency key.
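Added example (not from this doc): an in-memory `Idempotency-Key` store that makes a retried POST run its side effect once and refuses the same key with a different payload, plus ETag / `If-None-Match` revalidation that answers 304 when nothing changed. The API shape, status choices and payloads are constructed for the example.

```python
import hashlib
import json

# Added example, not from the revision doc: an in-memory Idempotency-Key store so a
# retried POST runs its side effect once, and ETag/If-None-Match revalidation that
# answers 304 when the representation has not changed. Shapes are constructed.

def _fingerprint(body) -> str:
    """Hash of the canonical JSON form, so key order in the request does not matter."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ChargeApi:
    def __init__(self):
        self.charges = []      # the side effect that must not be duplicated
        self.replies = {}      # idempotency key -> (request fingerprint, response)

    def post_charge(self, headers: dict, body: dict):
        key = headers.get("Idempotency-Key")
        if key is not None and key in self.replies:
            seen_fp, response = self.replies[key]
            if seen_fp != _fingerprint(body):
                # Same key, different payload: refuse rather than guess which one the client meant.
                # (422 is this example's choice; follow your API's convention.)
                return (422, {"error": "Idempotency-Key reused with a different payload"})
            return response    # replay the stored response; no second charge
        self.charges.append(body)
        response = (201, {"id": f"ch_{len(self.charges)}", **body})
        if key is not None:
            self.replies[key] = (_fingerprint(body), response)
        return response

def etag_for(body) -> str:
    """Strong validator: quoted hash of the canonical JSON representation."""
    return '"' + _fingerprint(body)[:16] + '"'

def get_resource(headers: dict, body: dict):
    """GET handler: (status, body_or_None, response_headers)."""
    tag = etag_for(body)
    if headers.get("If-None-Match") == tag:
        return (304, None, {"ETag": tag})          # client's cached copy is still good
    return (200, body, {"ETag": tag, "Cache-Control": "private, max-age=60"})

if __name__ == "__main__":
    api = ChargeApi()
    print(api.post_charge({"Idempotency-Key": "k1"}, {"amount": 500}))
    print(api.post_charge({"Idempotency-Key": "k1"}, {"amount": 500}))   # retry: same reply, one charge
    print(len(api.charges))
```

In a real service the `replies` store has to be shared across instances and expire entries, otherwise a retry that lands on a different backend is charged twice anyway.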
WebSockets
What it is. Full-duplex persistent channel over a single TCP connection.
Key terms.
- HTTP Upgrade handshake — `Connection: Upgrade`, `Upgrade: websocket`; server replies 101 Switching Protocols.
- Frames — opcode + length + (mask) + payload.
- ws:// plaintext, wss:// over TLS.
- Ping/Pong — built-in keepalive.
- No auto-reconnect — write your own with backoff.
Remember. “HTTP is a letter, WebSocket is a phone line.” Mention 101 Switching Protocols for credit. Scale needs sticky connections + pub/sub (Redis/NATS).
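Added example (not from this doc): the `Sec-WebSocket-Accept` value the server puts in its 101 response, and a frame parser for the opcode + length + mask + payload layout that enforces the RFC 6455 rule that client frames must be masked. The two sample frames are the "Hello" examples from RFC 6455 §5.7, embedded here as constructed input.

```python
import base64
import hashlib

# Added example, not from the revision doc: the Sec-WebSocket-Accept computation from
# RFC 6455 and a minimal frame parser that enforces the rule that client-to-server
# frames must be masked. Frame bytes below are the RFC 6455 "Hello" examples.

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed constant from RFC 6455
OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary", 0x8: "close", 0x9: "ping", 0xA: "pong"}

def accept_key(sec_websocket_key: str) -> str:
    """Value of the 101 response's Sec-WebSocket-Accept header."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_frame(buf: bytes, from_client: bool = True) -> dict:
    """Decode one frame: FIN/opcode, length (7/16/64-bit forms), optional mask, payload."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = int.from_bytes(buf[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(buf[2:10], "big"), 10
    if from_client and not masked:
        # RFC 6455 5.1: a server MUST close the connection on an unmasked client frame
        raise ValueError("unmasked client frame")
    key = b""
    if masked:
        key, pos = buf[pos:pos + 4], pos + 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))  # unmask: XOR with the 4-byte key
    return {"fin": fin, "opcode": OPCODES.get(opcode, f"reserved-{opcode}"),
            "masked": masked, "payload": payload}

def is_valid_client_frame(buf: bytes) -> bool:
    try:
        parse_frame(buf, from_client=True)
        return True
    except ValueError:
        return False

# Constructed frames (the two "Hello" examples from RFC 6455 section 5.7)
UNMASKED_HELLO = bytes.fromhex("810548656c6c6f")
MASKED_HELLO = bytes.fromhex("818537fa213d7f9f4d5158")

if __name__ == "__main__":
    print(accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
    print(parse_frame(MASKED_HELLO))
```

The masking rule exists to stop a malicious page from making a browser emit bytes that look like a plain HTTP request to an intermediary proxy, so a server that tolerates unmasked client frames is giving up that protection.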
Server-Sent Events (SSE)
What it is. One-way server → client streaming over plain HTTP.
Key terms.
- `Content-Type: text/event-stream` — the magic header.
- Event format — `data: ...` lines, blank line ends event.
- EventSource — browser API, auto-reconnect built in.
- Last-Event-ID — resume after reconnect.
Remember. SSE is “a long-lived HTTP response with text/event-stream.” Use SSE when only the server pushes; WebSockets when both directions talk. Disable proxy buffering (X-Accel-Buffering: no).
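Added example (not from this doc): a parser for the `text/event-stream` format (`data:`, `event:`, `id:`, `retry:` fields, comment lines, blank-line dispatch) and the `Last-Event-ID` header a reconnecting client sends. The sample stream is constructed.

```python
# Added example, not from the revision doc: a parser for the text/event-stream
# format (data:/event:/id:/retry: fields, comment lines, blank-line dispatch) and
# the Last-Event-ID header a client sends when it reconnects. Stream is constructed.

def parse_event_stream(text: str):
    """Return (events, last_event_id, retry_ms). Each event: {'type', 'data', 'id'}."""
    events, last_event_id, retry_ms = [], None, None
    data_lines, event_type = [], "message"
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if line == "":
            # blank line dispatches; an event with no data lines is discarded
            if data_lines:
                events.append({"type": event_type, "data": "\n".join(data_lines), "id": last_event_id})
            data_lines, event_type = [], "message"
            continue
        if line.startswith(":"):
            continue                       # comment, usually a keep-alive
        field, _, value = line.partition(":")
        if value.startswith(" "):
            value = value[1:]              # exactly one leading space is stripped
        if field == "data":
            data_lines.append(value)
        elif field == "event":
            event_type = value or "message"
        elif field == "id" and "\0" not in value:
            last_event_id = value          # remembered even if this event carries no data
        elif field == "retry" and value.isdigit():
            retry_ms = int(value)          # server-suggested reconnect delay
    return events, last_event_id, retry_ms

def reconnect_headers(last_event_id):
    """Headers an EventSource-style client sends on reconnect so the server can resume."""
    headers = {"Accept": "text/event-stream", "Cache-Control": "no-cache"}
    if last_event_id is not None:
        headers["Last-Event-ID"] = last_event_id
    return headers

SAMPLE_STREAM = (            # constructed
    ": keep-alive\n"
    "retry: 5000\n"
    "id: 41\n"
    "event: price\n"
    'data: {"sym":"ACME","px":10.5}\n'
    "\n"
    "data: line one\n"
    "data: line two\n"
    "id: 42\n"
    "\n"
    "id: 43\n"
    "event: ping\n"
    "\n"
)

if __name__ == "__main__":
    events, last_id, retry = parse_event_stream(SAMPLE_STREAM)
    print(events, last_id, retry)
    print(reconnect_headers(last_id))
```

The third block in the sample has an `id:` but no `data:`; it dispatches nothing, yet it still advances the last event ID, which is how a server can move the resume cursor without sending a payload.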
Long Polling vs Short Polling
What it is. HTTP-only ways to fake real-time.
Key terms.
- Short polling — client asks every N seconds. Wasteful.
- Long polling — server holds the request until data ready or timeout.
- Cursor — `since=lastId` to avoid losing messages.
Remember. Short = simple but wasteful. Long = near-real-time but needs an async server. Always use a cursor + backoff on errors.
gRPC & HTTP/2 Streams
What it is. Protobuf RPC over HTTP/2 streams.
Key terms.
- Protobuf — binary, schema in `.proto`, codegen for client+server stubs.
- Four call types — Unary, Server-streaming, Client-streaming, Bidirectional.
- gRPC-Web — proxy-based browser support (browsers can’t speak raw gRPC).
- Trailers — carry the gRPC status code.
Remember. gRPC for backend-to-backend (schema, perf, streaming). REST/GraphQL for client-to-backend (browser-friendly, cacheable). Protobuf field numbers are forever — never renumber.
CORS Deep Dive
What it is. Browser mechanism that controls cross-origin reads from JavaScript.
Key terms.
- Same origin = scheme + host + port.
- Simple request — GET/HEAD/POST with safe content-type and headers. No preflight.
- Preflight — OPTIONS request to check Allow-Method/Allow-Headers first.
- Access-Control-Allow-Origin — exact match or `*` (no `*` with credentials).
- Vary: Origin — required when origin is dynamic (otherwise CDN poisoning).
- Access-Control-Max-Age — cache preflight.
Remember. CORS protects users, not servers. Server processed the request normally — browser blocked the response. Authorization triggers preflight. * + credentials = forbidden.
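Added example (not from this doc): the server side of the rules above. It echoes an allow-listed origin exactly (never `*` with credentials), adds `Vary: Origin`, decides whether a request is "simple" or will trigger a preflight, and answers the preflight. The origin allow-list, method list and header list are constructed.

```python
# Added example, not from the revision doc: server-side CORS decisions for a
# constructed allow-list. Echoes the exact origin (never '*' with credentials),
# adds Vary: Origin for shared caches, and answers preflights.

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}   # constructed
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_REQUEST_HEADERS = ("authorization", "content-type")
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def policy_is_sane(allow_origin: str, allow_credentials: bool) -> bool:
    """Browsers reject '*' together with credentials; flag that config before shipping it."""
    return not (allow_origin == "*" and allow_credentials)

def needs_preflight(method: str, headers: dict) -> bool:
    """True when the browser sends OPTIONS first, i.e. this is not a 'simple request'."""
    if method not in ("GET", "HEAD", "POST"):
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True                      # e.g. Authorization, X-Requested-With
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return True                      # application/json is not simple
    return False

def cors_headers(request_headers: dict, allow_credentials: bool = True) -> dict:
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}        # no CORS headers: the browser withholds the response from page script
    headers = {
        "Access-Control-Allow-Origin": origin,   # exact echo of an allow-listed value
        "Vary": "Origin",                        # response differs per Origin, so caches must key on it
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def handle_preflight(request_headers: dict):
    """Answer an OPTIONS preflight: (status, headers)."""
    base = cors_headers(request_headers)
    if not base:
        return (403, {})
    method = request_headers.get("Access-Control-Request-Method", "")
    requested = [h.strip().lower()
                 for h in request_headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
    if method not in ALLOWED_METHODS or any(h not in ALLOWED_REQUEST_HEADERS for h in requested):
        return (403, base)
    base.update({
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_REQUEST_HEADERS),
        "Access-Control-Max-Age": "600",          # cache this preflight for 10 minutes
    })
    return (204, base)

if __name__ == "__main__":
    print(cors_headers({"Origin": "https://app.example.com"}))
    print(handle_preflight({"Origin": "https://app.example.com",
                            "Access-Control-Request-Method": "PUT",
                            "Access-Control-Request-Headers": "Authorization, Content-Type"}))
```

Keep in mind what `cors_headers` returning `{}` means: the server still ran the handler, the browser merely hides the result from the page, so CORS is not a substitute for authentication or CSRF protection.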
Network Security
SSL/TLS Handshake
What it is. How client and server agree on a shared key before encrypted data flows.
Key terms.
- TLS 1.2 — 2-RTT. ClientHello → ServerHello+Cert+KeyEx → ClientKeyEx+Finished → Finished.
- TLS 1.3 — 1-RTT. KeyShare in ClientHello. Cert encrypted. 0-RTT on resumption.
- Session resumption (PSK) — skip handshake on reconnect.
- Three guarantees — encryption, authentication, integrity.
Remember. Asymmetric crypto (slow) only to agree on the symmetric key. After that, all data uses symmetric (fast). TLS 1.3 cut it from 2-RTT to 1-RTT (or 0-RTT for repeat visits).
Symmetric vs Asymmetric Encryption
What it is. Two crypto flavors. TLS uses both — hybrid.
Key terms.
- Symmetric — one shared key. AES, ChaCha20. Fast.
- Asymmetric — public + private key pair. RSA, ECC, Ed25519. Slow.
- Digital signature — sign with private, verify with public.
Remember. Symmetric is ~1000x faster. Asymmetric solves the key-distribution problem. TLS = use asymmetric to safely deliver a symmetric key, then symmetric for the rest.
Certificates & PKI
What it is. A cert proves “this public key belongs to bank.com.” PKI is the trust system.
Key terms.
- X.509 — cert format. Subject, Issuer, public key, SANs, validity, signature.
- CN vs SAN — modern browsers ignore CN, use SAN only.
- Chain of trust — leaf cert → intermediate CA → root CA in browser store.
- Self-signed vs CA-signed.
- Let’s Encrypt — free, ACME protocol, 90-day certs, auto-renew.
- OCSP / OCSP Stapling — revocation check; stapling avoids client→CA round-trip.
Remember. Always use SANs, never just CN. Auto-renew or you’ll outage. ACME + certbot + cert-manager are the modern toolchain.
Common Attacks (DDoS, MITM, Spoofing, Replay)
What it is. Classic network attacks every backend dev should know.
Key terms.
- DDoS — volumetric (L3/4), protocol (SYN flood), application (L7). Defense: scrubbing, SYN cookies, rate limit, WAF.
- MITM — sit between parties. Defense: HTTPS, HSTS, cert pinning.
- ARP Spoofing — fake LAN identity. Defense: Dynamic ARP Inspection.
- DNS Spoofing / Cache Poisoning — Kaminsky attack. Defense: DNSSEC, DoH/DoT.
- Replay — resend captured encrypted msg. Defense: nonces, timestamps, sequence numbers.
Remember. For each attack: what it does, what layer it hits, one defense. “Use HTTPS” is not the answer to everything.
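Added example (not from this doc): the replay defence from the list above in working form. Messages carry an HMAC over payload + timestamp + nonce; the receiver checks the MAC first (constant-time), then the timestamp window, then whether the nonce was already accepted. The key, window size and payloads are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Added example, not from the revision doc: HMAC-authenticated messages carrying a
# timestamp and a nonce, and a receiver that rejects bad MACs, stale messages and
# replays (the three defenses the note lists). Key and payloads are constructed.

SECRET = b"constructed-demo-key-do-not-reuse"
WINDOW_SECONDS = 300

def _canonical(msg: dict) -> bytes:
    """Stable byte encoding so both sides MAC exactly the same thing."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign_message(payload: dict, now: int, key: bytes = SECRET) -> dict:
    msg = {"payload": payload, "ts": int(now), "nonce": os.urandom(16).hex()}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg

class ReplayGuard:
    def __init__(self, key: bytes = SECRET, window: int = WINDOW_SECONDS):
        self.key, self.window = key, window
        self.seen = {}                  # nonce -> ts; entries older than the window are pruned

    def verify(self, msg: dict, now: int):
        """Return (accepted, reason). Check order: MAC, then freshness, then nonce."""
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(msg.get("mac", "")), expected):
            return (False, "bad mac")          # tampered or forged; constant-time compare
        if abs(now - msg["ts"]) > self.window:
            return (False, "stale timestamp")  # too old, or clock skew beyond tolerance
        self._prune(now)
        if msg["nonce"] in self.seen:
            return (False, "replay")           # exact resend of a message we already accepted
        self.seen[msg["nonce"]] = msg["ts"]
        return (True, "ok")

    def _prune(self, now: int):
        # Nonces older than the window can be forgotten: such messages fail the time check anyway
        self.seen = {n: ts for n, ts in self.seen.items() if now - ts <= self.window}

if __name__ == "__main__":
    guard = ReplayGuard()
    m = sign_message({"transfer": 100}, now=1_700_000_000)
    print(guard.verify(m, 1_700_000_005))   # accepted
    print(guard.verify(m, 1_700_000_006))   # replay rejected
```

The timestamp window is what keeps the nonce set bounded: without it every nonce would have to be stored forever, and with it an attacker who captured a message gets at most one window in which a replay is even a candidate, and the nonce check closes that.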
Firewalls (Stateful vs Stateless)
What it is. Decides which packets pass. Three flavors.
Key terms.
- Stateless — packet filter. Fast, low memory. Can’t tell reply from attack.
- Stateful — connection tracking via conntrack. Smart, uses memory per conn.
- WAF (L7) — reads HTTP, stops SQLi/XSS/path traversal.
- Default-deny — always preferred for production.
- AWS Security Group = stateful. NACL = stateless.
Remember. Real prod stack uses all three layers. SYN floods exhaust the conntrack table — fix with SYN cookies, not by going stateless.
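Added example (not from this doc): a stateless packet filter next to a stateful one with a conntrack table, run over the same three constructed packets (an outbound SYN, its reply, and an unsolicited inbound packet that looks identical to the reply). It shows concretely why "can't tell reply from attack" is the stateless filter's problem, and uses the 5-tuple from the ports section as the connection key.

```python
# Added example, not from the revision doc: a stateless packet filter next to a
# stateful one with a conntrack table, run over the same constructed packets to show
# why "allow replies" is impossible without state.

def five_tuple(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def reverse_tuple(pkt):
    """The 5-tuple a reply to this packet would have had on the way out."""
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

class StatelessFilter:
    """Rules see one packet at a time: (direction, proto, (lo, hi) dst-port range) -> accept."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt) -> str:
        for direction, proto, (lo, hi) in self.rules:
            if pkt["dir"] == direction and pkt["proto"] == proto and lo <= pkt["dport"] <= hi:
                return "accept"
        return "drop"                               # default-deny

class StatefulFirewall:
    """Accept replies to flows we have seen; new inbound flows only on listed services."""
    def __init__(self, inbound_services):
        self.inbound_services = set(inbound_services)   # {(proto, port)}
        self.conntrack = set()                          # 5-tuples of flows we allowed

    def decide(self, pkt) -> str:
        if five_tuple(pkt) in self.conntrack or reverse_tuple(pkt) in self.conntrack:
            return "accept"                        # part of an established flow
        if pkt["proto"] == "tcp" and not pkt.get("syn", False):
            return "drop"                          # a new TCP flow must start with a SYN
        if pkt["dir"] == "out" or (pkt["proto"], pkt["dport"]) in self.inbound_services:
            self.conntrack.add(five_tuple(pkt))    # remember the flow so its replies get in
            return "accept"
        return "drop"

def compare() -> dict:
    # Constructed packets: internal host opens HTTPS to a server, server replies,
    # and an unrelated host sends a packet shaped exactly like that reply.
    out = {"dir": "out", "proto": "tcp", "src": "10.0.0.5", "sport": 51000,
           "dst": "198.51.100.20", "dport": 443, "syn": True}
    reply = {"dir": "in", "proto": "tcp", "src": "198.51.100.20", "sport": 443,
             "dst": "10.0.0.5", "dport": 51000}
    stray = {"dir": "in", "proto": "tcp", "src": "192.0.2.99", "sport": 443,
             "dst": "10.0.0.5", "dport": 51000}
    # Stateless: to let any reply in, it has to open every ephemeral port inbound
    stateless = StatelessFilter([("out", "tcp", (0, 65535)), ("in", "tcp", (1024, 65535))])
    stateful = StatefulFirewall(inbound_services={("tcp", 22)})
    return {
        "stateless": [stateless.decide(p) for p in (out, reply, stray)],
        "stateful": [stateful.decide(p) for p in (out, reply, stray)],
    }

if __name__ == "__main__":
    print(compare())
```

The stateless result accepts all three packets; the stateful one accepts the real reply because its reversed 5-tuple is in conntrack and drops the look-alike. The price is that conntrack entry per flow, which is what a SYN flood tries to exhaust.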
HTTP Security Headers (HSTS, CSP, etc.)
What it is. Response headers that harden a web app.
Key terms.
- HSTS — `Strict-Transport-Security`, always-HTTPS, optional preload.
- CSP — `Content-Security-Policy`, whitelist of script/style/img sources.
- X-Content-Type-Options: nosniff — trust the Content-Type.
- X-Frame-Options: DENY — anti-clickjacking. Modern: CSP `frame-ancestors`.
- Referrer-Policy: strict-origin-when-cross-origin — sane default.
- Permissions-Policy — disable camera/mic/geolocation by default.
Remember. HSTS → SSL stripping. CSP → XSS. X-Frame-Options → clickjacking. Roll out CSP in report-only mode first. In nginx, add the `always` flag to `add_header` so the headers are also sent on error responses.
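Added example (not from this doc): an audit function that takes a response's headers and returns findings for each header in the list above (missing HSTS, weak CSP, missing nosniff, no clickjacking protection, missing Referrer-Policy / Permissions-Policy). The two header sets are constructed, and the thresholds (one-year HSTS, flagging `'unsafe-inline'`) are this example's choices.

```python
import re

# Added example, not from the revision doc: audits a response's security headers
# and returns findings. Header sets below are constructed; thresholds are this
# example's choices (one-year HSTS is the preload list's minimum).

ONE_YEAR = 31536000

def audit_security_headers(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}     # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (SSL stripping possible)")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    csp = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if csp is None and report_only is None:
        findings.append("missing Content-Security-Policy (no XSS mitigation)")
    elif csp is None:
        findings.append("CSP is report-only; not yet enforced")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows 'unsafe-inline'/'unsafe-eval'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in (csp or "") and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings

WEAK = {   # constructed: default server output plus a CSP that permits inline scripts
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED = {   # constructed
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for f in audit_security_headers(WEAK):
        print("WEAK:", f)
    print("HARDENED:", audit_security_headers(HARDENED))
```

Run it against the headers `curl -I` returns for an error page as well as the home page: a policy applied only to 200 responses is the exact gap the nginx `always` flag closes.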
Performance, Scaling & Debugging
Latency vs Bandwidth vs Throughput
What it is. Three terms that get mixed up.
Key terms.
- Latency — time for one packet A→B. Milliseconds.
- Bandwidth — theoretical max capacity. Bits/sec.
- Throughput — actual observed rate. ≤ bandwidth.
- RTT — round-trip time, what `ping` measures.
- BDP — `bandwidth × RTT`. Window must be ≥ BDP to fill the pipe.
Remember. Highway analogy: bandwidth = lanes, latency = drive time, throughput = cars/min that arrive. For most user-facing workloads, lower latency wins. Bandwidth helps bulk transfers. Long fat pipe problem: 1 Gbps + 200 ms RTT + 64 KB window → ~2.5 Mbps actual.
CDN & Edge Networks
What it is. Globally distributed reverse proxies that cache content near users.
Key terms.
- PoP — Point of Presence, a CDN data center.
- Anycast — same IP announced from many PoPs; BGP picks shortest path.
- Cache hit / miss — served from edge vs fetched from origin.
- Origin shielding — designate one regional PoP as parent to collapse origin requests.
- Pull vs Push — CDN fetches on miss vs we upload ahead of time.
- Signed URLs — time-limited cryptographic auth at the edge.
- Versioned URLs beat cache purge.
Remember. Anycast is the magic. Cache hit ratio target: 95%+ for static. Use hashed filenames (app.a8f3.js) over purge APIs.
Load Balancing (L4 vs L7)
What it is. Spreads traffic across servers. Two types based on layer.
Key terms.
- L4 — TCP/UDP only. Sees IP+port. Very fast. Pass-through TLS. AWS NLB, HAProxy TCP.
- L7 — HTTP-aware. Reads headers/URL/cookies. Terminates TLS. AWS ALB, NGINX, Envoy.
- Algorithms — Round Robin, Least Connections, IP Hash, Weighted, Least Response Time, Power of Two Choices.
- Health checks — L4 = TCP connect, L7 = HTTP `/healthz`.
Remember. L4 fast but blind. L7 smart but slower. AWS: ALB = L7, NLB = L4. Real stacks layer them: NLB → ALB → backends.
Forward vs Reverse Proxy
What it is. Both proxy traffic. Different sides hide.
Key terms.
- Forward proxy — works for client, hides client from server. VPNs, Tor, corporate proxy.
- Reverse proxy — works for server, hides backend from client. NGINX, Cloudflare, ALB.
- CDN = globally distributed reverse proxy.
Remember. “Proxy to access blocked sites” = forward. “Nginx in front of my app” = reverse. Forward serves the client; reverse serves the server.
Network Debugging Toolkit
What it is. CLI tools for “why can’t I reach this server?” investigations.
Key terms.
- ping / mtr — reachability + RTT + per-hop loss.
- traceroute — path discovery.
- dig / nslookup — DNS resolution. `dig +trace` for full chain.
- ss / netstat — listening sockets, established conns.
- lsof -i :PORT — who owns this port.
- tcpdump — raw packet capture, save .pcap for Wireshark.
- curl -v — full HTTP debug; `-w` for timing breakdown.
- openssl s_client — TLS handshake + cert inspection.
- DevTools Network tab — frontend’s first stop.
Remember. Debug top-down: DevTools/curl → DNS (dig) → ping/mtr → ss/lsof on the server → tcpdump if needed. curl -w timing tells you whether DNS, TCP, TLS, or the server is slow.