Define the Same-Origin Policy (SOP) and explain its primary significance in web security.
Which of the following pairs represents a 'same origin' scenario?
Which of the following pairs represents a 'cross-origin' scenario?
Explain why Cross-Origin Resource Sharing (CORS) was introduced and how it works as a security mechanism to relax the Same-Origin Policy.
Describe the role of preflight requests in CORS. What HTTP method is typically used for a preflight request, and what information does it convey?
Explain the purpose of the Access-Control-Allow-Origin header and provide an example value that would allow a frontend application running on http://localhost:3000 to access an API.
Explain the purpose of the Access-Control-Allow-Methods header and provide an example value to permit GET and POST requests from a cross-origin frontend.
Explain the purpose of the Access-Control-Allow-Headers header and provide an example value to allow the custom headers X-Auth-Token and Content-Type.
Explain the purpose of the Access-Control-Expose-Headers header and provide an example value to make X-Custom-Header accessible to a frontend script.
Explain the purpose of the Access-Control-Max-Age header and provide an example value to cache preflight results for 10 minutes.
Explain the purpose of the Vary header in the context of CORS and provide an example value.
Explain why Access-Control-Allow-Origin: * should generally be avoided in production environments and what security risks it poses.
Describe the best practice for setting the Access-Control-Allow-Origin header in production environments, especially when dealing with multiple legitimate origins.