Networking Cheat Sheet
OSI Model
Visual Overview: OSI Model Layers
The OSI model divides network communication into 7 layers, each with specific protocols and responsibilities.
| Layer | Name | Function | Protocols | Units |
|---|---|---|---|---|
| 7 | Application | User services, APIs | HTTP, HTTPS, FTP, SMTP, DNS, SSH | Data |
| 6 | Presentation | Encryption, compression, data formats | SSL/TLS (listed here by convention; in practice TLS runs on top of TCP, directly below the application protocol), JPEG, MPEG | Data |
| 5 | Session | Connection management | RPC, PPTP | Data |
| 4 | Transport | End-to-end delivery | TCP, UDP, SCTP | Segment |
| 3 | Network | Routing, logical addressing | IP (IPv4, IPv6), ICMP, IGMP | Packet |
| 2 | Data Link | Physical addressing, MAC | Ethernet, WiFi (802.11), PPP | Frame |
| 1 | Physical | Electrical signals | Copper cables, fiber, radio waves | Bit |
TCP vs UDP
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (3-way handshake) | Connectionless |
| Reliability | Reliable: lost segments are detected and retransmitted (not "guaranteed": the connection fails once retries are exhausted) | Unreliable (best effort, no retransmission) |
| Ordering | In-order delivery (sequence numbers) | No ordering guarantee |
| Speed | Higher latency (handshake, acknowledgements, congestion control) | Lower latency (datagrams are sent immediately) |
| Overhead | 20-byte header minimum (up to 60 with options) | 8-byte header |
| Source spoofing | Handshake requires the peer to receive the SYN-ACK at its claimed address | Trivially spoofable (the basis of DNS/NTP amplification attacks) |
| Use Cases | Email, web, file transfer, SSH | Video streaming, VoIP, gaming, DNS |
| Port Range | 0-65535 (0 is reserved) | 0-65535 (0 is reserved) |
TCP Handshake (3-way): SYN → SYN-ACK → ACK
TCP Termination: FIN → ACK → FIN → ACK (each side closes independently; the middle ACK and FIN are often combined into one FIN-ACK)
HTTP Methods & Status Codes
// HTTP Methods (REST verbs)
GET - Retrieve resource (safe, idempotent)
POST - Create resource (not idempotent)
PUT - Replace entire resource (idempotent)
PATCH - Partial update (may not be idempotent)
DELETE - Remove resource (idempotent)
HEAD - Like GET but no body (safe, idempotent)
OPTIONS - Describe communication options (also carries the CORS preflight)
// HTTP Status Codes
1xx: Informational
100 Continue
101 Switching Protocols
2xx: Success
200 OK - Request succeeded
201 Created - Resource created
202 Accepted - Request accepted (async)
204 No Content - Success, no body
3xx: Redirection
301 Moved Permanently (cacheable; clients may switch POST to GET)
302 Found (temporary redirect; clients may switch POST to GET)
304 Not Modified (use cached copy)
307 Temporary Redirect (method and body preserved)
308 Permanent Redirect (method and body preserved)
4xx: Client Error
400 Bad Request - Malformed request
401 Unauthorized - Authentication required (credentials missing or invalid)
403 Forbidden - Authenticated, but not permitted to access this resource
404 Not Found - Resource doesn't exist (also commonly returned instead of 403 to avoid revealing that a resource exists)
405 Method Not Allowed
409 Conflict - Request conflicts with the current state of the resource (e.g. duplicate)
429 Too Many Requests (rate limited)
5xx: Server Error
500 Internal Server Error
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
// Common patterns
GET /users - List users
GET /users/123 - Get user 123
POST /users - Create user
PUT /users/123 - Replace user 123
PATCH /users/123 - Update user 123
DELETE /users/123 - Delete user 123
DNS & URL Structure
// URL Structure
https://user:pass@example.com:8080/path?query=value#fragment
Scheme (protocol): https
Credentials (userinfo): user:pass (deprecated; ends up in logs and browser history)
Domain/Host: example.com
Port: 8080 (default: 80 http, 443 https)
Path: /path
Query string (parameters): ?query=value
Fragment (internal link): #fragment (client-side only; never sent to the server)
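Splitting the URL above the way a browser or HTTP client does, as an added example (not code from the original cheat sheet). It shows which pieces actually reach the server (path and query, never the fragment), how the default port is filled in, and the classic `user@host` trick where everything before the last `@` is credentials and the real host is what follows it. The sample URLs are the page's example plus constructed ones; the function name `describe_url` is this example's own.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}


def describe_url(url: str) -> dict:
    """Break a URL into the parts of the diagram above and note what the server actually sees."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {p.scheme!r}")
    try:
        port = p.port                      # None when absent, ValueError when not a number
    except ValueError:
        raise ValueError(f"invalid port in {url!r}")

    # The request line carries only path + query; the fragment never leaves the client.
    request_target = p.path or "/"
    if p.query:
        request_target += "?" + p.query

    return {
        "scheme": p.scheme,
        "username": p.username,            # userinfo is everything before the LAST '@' in the authority
        "password": p.password,
        "host": p.hostname,                # lower-cased, without port or userinfo
        "port": port if port is not None else DEFAULT_PORTS[p.scheme],
        "explicit_port": port is not None,
        "path": p.path,
        "query": parse_qs(p.query, keep_blank_values=True),
        "fragment": p.fragment,
        "request_target": request_target,
        "has_embedded_credentials": p.username is not None,
    }


if __name__ == "__main__":
    for u in (
        "https://user:pass@example.com:8080/path?query=value#fragment",  # the page's example
        "https://example.com@evil.com/login",                            # constructed: host is evil.com
    ):
        print(u)
        for k, v in describe_url(u).items():
            print(f"  {k:>24}: {v}")
```

Anything that allowlists hosts by looking at the text before the first `@` or `/` gets the second URL wrong; always compare the parsed `host`.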
// DNS (Domain Name System)
Converts domain names to IP addresses
example.com → 93.184.216.34
DNS Record Types:
A - IPv4 address (32 bits)
AAAA - IPv6 address (128 bits)
CNAME - Canonical name (alias)
MX - Mail exchange
NS - Nameserver
TXT - Text records (SPF, DKIM, DMARC policy, domain-ownership verification)
SOA - Start of authority
// DNS Resolution
1. Browser/OS checks its local cache (and the hosts file)
2. Query the recursive resolver (the ISP's, or a configured public one); it answers from its own cache if it can
3. Resolver queries a root nameserver
4. Root refers it to the TLD servers (.com, .org)
5. TLD refers it to the domain's authoritative nameserver
6. Authoritative server returns the record; the resolver caches it for the record's TTL and answers the client
Classic DNS is unauthenticated and mostly UDP/53, so responses can be spoofed or cache-poisoned; DNSSEC signs records, and DoT/DoH encrypt the client-to-resolver hop.
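The six-step walk above, run offline against a constructed stand-in for the DNS hierarchy. This is an added example, not code from the original cheat sheet: `ZONES` is a made-up table of which server delegates what and which records `ns1.example.com` holds (the page's 93.184.216.34 plus documentation addresses), and `ask`/`resolve` are this example's own names. Beyond the page's single lookup it also follows a CNAME (restarting from the root, as real resolvers do), caches the final answer, and uses a hop limit so a looping CNAME cannot spin the resolver forever.

```python
# Constructed, offline stand-in for the DNS hierarchy. Each key is one nameserver; its value is what
# that server can answer: NS = referrals it hands out, everything else = records it is authoritative for.
# Names are fully qualified (trailing dot). No real DNS traffic is sent.
ROOT = "root-server"
ZONES = {
    "root-server":     {"NS": {"com.": "a.gtld-servers"}},           # step 4: root refers .com questions
    "a.gtld-servers":  {"NS": {"example.com.": "ns1.example.com"}},  # step 5: TLD refers to the authoritative NS
    "ns1.example.com": {                                             # step 6: authoritative answers
        "A":     {"example.com.": ["93.184.216.34"]},
        "AAAA":  {"example.com.": ["2001:db8::1"]},
        "MX":    {"example.com.": ["10 mail.example.com."]},
        "CNAME": {"www.example.com.": "example.com.",
                  "loop.example.com.": "loop.example.com."},         # deliberate loop to exercise the hop limit
    },
}


def ask(server: str, qname: str, qtype: str):
    """One query to one server. Returns (kind, value): ANSWER, CNAME, REFERRAL or NXDOMAIN."""
    zone = ZONES[server]
    if qname in zone.get(qtype, {}):
        return "ANSWER", zone[qtype][qname]
    if qname in zone.get("CNAME", {}):
        return "CNAME", zone["CNAME"][qname]
    # Referral: hand back the nameserver for the longest delegated suffix that covers qname
    best = None
    for suffix, ns in zone.get("NS", {}).items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, ns)
    return ("REFERRAL", best[1]) if best else ("NXDOMAIN", None)


def resolve(name: str, qtype: str, cache: dict = None, max_hops: int = 16):
    """Iterative resolution as a recursive resolver performs it: root -> TLD -> authoritative,
    restarting at the root for CNAME targets and caching the final answer. Returns (records, trace)."""
    cache = {} if cache is None else cache
    qname = name.lower().rstrip(".") + "."
    original = (qname, qtype)
    if original in cache:                      # steps 1-2: a cached answer skips the walk entirely
        return cache[original], ["cache"]
    server, trace = ROOT, []
    for _ in range(max_hops):
        kind, value = ask(server, qname, qtype)
        trace.append(f"{server}: {kind} {value}")
        if kind == "ANSWER":
            cache[original] = value
            return value, trace
        if kind == "CNAME":                    # follow the alias from the top of the hierarchy again
            qname, server = value, ROOT
        elif kind == "REFERRAL":
            server = value
        else:
            return None, trace                 # NXDOMAIN: nobody is authoritative for this name
    return None, trace + ["hop limit reached"]


if __name__ == "__main__":
    shared_cache = {}
    for q in ("www.example.com", "www.example.com", "example.com", "loop.example.com"):
        records, trace = resolve(q, "A", shared_cache)
        print(q, "->", records)
        for step in trace:
            print("   ", step)
```

The second lookup of `www.example.com` never leaves the cache; the `loop.example.com` lookup ends with "hop limit reached" instead of recursing without bound.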
// IP Address Basics
IPv4: 32 bits, 4 octets (0.0.0.0 to 255.255.255.255)
IPv6: 128 bits, 8 groups of 16-bit hex; "::" compresses one run of zero groups (2001:db8::1)
CIDR prefix: /24 means the first 24 bits are the network part (mask 255.255.255.0, 256 addresses, 254 usable hosts)
Private (RFC 1918) ranges, not routable on the internet: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12, 192.168.0.0/16
"Class A/B/C" is the obsolete classful scheme; CIDR prefixes replaced it
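The CIDR arithmetic spelled out in code, as an added example (not from the original cheat sheet): build the mask from the prefix length, AND it with the address to get the network, OR in the inverted mask for the broadcast, and count usable hosts. It also handles /31 and /32, where the usual "subtract two" rule does not apply, checks whether two hosts are on the same subnet, and uses the standard library's `ipaddress` module as an independent cross-check for RFC 1918 membership. Function names and the sample addresses are this example's own.

```python
import ipaddress

# RFC 1918 private ranges (the page's 10.0.0.0/8 plus the other two).
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast and usable host range for an IPv4 CIDR such as '10.1.2.3/24'."""
    ip, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask               # host bits zeroed
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all ones
    total = 1 << (32 - prefix)
    # /31 (point-to-point links, RFC 3021) and /32 have no separate network/broadcast addresses
    has_reserved_ends = prefix <= 30
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1 if has_reserved_ends else network),
        "last_host": int_to_ip(broadcast - 1 if has_reserved_ends else broadcast),
        "usable_hosts": total - 2 if has_reserved_ends else total,
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Two hosts are on-link (no router hop needed) iff their network bits agree."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


def is_private(ip: str) -> bool:
    """RFC 1918 membership via the standard library, as a cross-check of the bit arithmetic above."""
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(r) for r in PRIVATE_RANGES)


if __name__ == "__main__":
    info = subnet_info("10.1.2.3/24")
    # The standard library must agree with the hand-rolled mask arithmetic
    assert ipaddress.ip_network("10.1.2.3/24", strict=False).network_address == ipaddress.ip_address(info["network"])
    for key, value in info.items():
        print(f"{key:>13}: {value}")
```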
// Ports (well-known; on Unix, ports 0-1023 need root to bind)
80 HTTP
443 HTTPS
22 SSH
21 FTP (plaintext; prefer SFTP over port 22)
25 SMTP
53 DNS (UDP and TCP)
3306 MySQL
5432 PostgreSQL
6379 Redis
27017 MongoDB
Database ports (3306, 5432, 6379, 27017) belong on localhost or a private network behind a firewall; never expose them directly to the internet.
REST vs GraphQL
| Aspect | REST | GraphQL |
|---|---|---|
| Structure | Multiple endpoints | Single endpoint |
| Data fetching | Fixed response (over/under-fetching) | Exact fields (precise) |
| HTTP methods | GET, POST, PUT, DELETE | POST (mostly) |
| Versioning | v1, v2, v3 in URL | Schema evolves in place (fields are deprecated, not versioned) |
| Caching | Built-in (HTTP cache; GET responses are cacheable) | More complex (POST bodies bypass HTTP caches) |
| Learning curve | Easy | Steeper |
| Abuse controls | Rate-limit per endpoint | Limit query depth/complexity; disable introspection in production |
| Best for | Simple CRUD APIs | Complex data graphs |
REST Example: GET /api/users/123 returns all user fields
GraphQL Example: Query asks for specific fields: name, email
Security Basics
// HTTPS (HTTP + TLS)
Encrypts and integrity-protects data in transit, and authenticates the server
The server presents an X.509 certificate (issued by a CA) proving it controls the hostname; "SSL" (Secure Sockets Layer) is the deprecated predecessor of TLS (Transport Layer Security) and survives only in the phrase "SSL certificate"
Public-key cryptography authenticates the server and establishes a session key; the bulk traffic is then encrypted symmetrically
// Authentication Methods
Basic Auth: Authorization: Basic base64(username:password). Base64 is encoding, not encryption, and the credentials ride on every request: HTTPS only
Bearer Token: Authorization: Bearer token123 (whoever holds the token is the user: treat it as a secret and expire it)
API Key: X-API-Key: key123 (header name varies by API; same bearer semantics as above)
OAuth 2.0: Delegated authorization via a provider (Google, GitHub); OpenID Connect adds authentication on top
JWT: JSON Web Token (self-contained, signed claims). The payload is readable by anyone; verify the signature against a server-pinned algorithm and check exp before trusting any claim
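Two of the methods above in working code, as an added example (not code from the original cheat sheet, and not any particular library's API): decoding a Basic Authorization header to show it is plain base64, and minting and verifying an HS256 JWT with the checks a verifier must perform (algorithm pinned server-side, constant-time signature comparison, `exp` enforced). Two attacker-side helpers, `tamper_payload` and `forge_alg_none`, build the tokens a verifier has to reject. The key, claims and timestamps are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    """JWT's base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_basic_auth(header_value: str):
    """Basic auth is only base64: anyone on the wire (without TLS) reads it straight back."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    # Split on the FIRST colon only: usernames cannot contain ':' but passwords can.
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def mint_jwt(claims: dict, key: bytes, ttl: int = 300, now: int = None) -> str:
    """Issue an HS256 token valid for `ttl` seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify_jwt(token: str, key: bytes, now: int = None):
    """Return (claims, 'ok') or (None, reason). The algorithm is pinned here; the token's header never chooses it."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except Exception:
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time, no early exit on the first wrong byte
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    return claims, "ok"


def read_claims_unverified(token: str) -> dict:
    """Anyone can read a JWT payload: 'self-contained' means readable, not secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper_payload(token: str, claims: dict) -> str:
    """Attacker edit: swap the payload but keep the original signature (must fail verification)."""
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(claims).encode())}.{s}"


def forge_alg_none(claims: dict) -> str:
    """Attacker edit: the classic 'alg: none' token with an empty signature (must fail verification)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    print(decode_basic_auth("Basic dXNlcjpwYXNz"))            # constructed header: user:pass
    key = b"constructed-test-key"
    token = mint_jwt({"sub": "alice", "role": "user"}, key, ttl=60)
    print(read_claims_unverified(token))
    print(verify_jwt(token, key))
    print(verify_jwt(tamper_payload(token, {"sub": "alice", "role": "admin"}), key))
    print(verify_jwt(forge_alg_none({"sub": "admin"}), key))
```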
// CORS (Cross-Origin Resource Sharing)
The browser's same-origin policy stops a page from reading responses from another origin; CORS is the server's opt-in that relaxes it
CORS does not stop the request from being sent (simple GET/POST requests go out regardless), so it is not CSRF protection
Server allows certain origins with headers:
Access-Control-Allow-Origin: *   (only for public, credential-less resources; "*" cannot be combined with Access-Control-Allow-Credentials. Otherwise echo one allowlisted origin and add Vary: Origin)
Access-Control-Allow-Methods: GET, POST
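The server side of CORS as an allowlist, written as an added example (not code from the original cheat sheet): normalize the incoming Origin header to scheme + host + port, compare it exactly against an allowlist, echo that one origin back with `Vary: Origin`, and answer a preflight only for permitted methods. Two deliberately wrong variants follow for contrast: reflecting any origin together with credentials, and substring matching, which accepts attacker hosts that merely contain the allowlisted name. `ALLOWED_ORIGINS`, `ALLOWED_METHODS` and the sample origins are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption for this example: the exact origins (scheme + host + port) allowed to call the API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
ALLOWED_METHODS = ("GET", "POST")


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonical scheme://host[:port], or None when the Origin value is not a usable web origin."""
    if not origin or origin == "null":
        return None                        # "null" (sandboxed iframes, file://) must never be allowlisted
    parts = urlsplit(origin)
    try:
        port = parts.port                  # None when absent, ValueError when not a number
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        return None
    default = 443 if parts.scheme == "https" else 80
    if port in (None, default):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_headers(request_origin: Optional[str], with_credentials: bool = False, allowed=ALLOWED_ORIGINS) -> dict:
    """Headers for an actual request. An empty dict means the browser will not let the page read the response."""
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,   # echo the one matched origin, never "*" with credentials
        "Vary": "Origin",                        # so a shared cache never replays it to a different origin
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(request_origin: Optional[str], requested_method: str, with_credentials: bool = False) -> dict:
    """Answer to the OPTIONS preflight the browser sends before non-simple cross-origin requests."""
    headers = cors_headers(request_origin, with_credentials)
    if not headers or requested_method.upper() not in ALLOWED_METHODS:
        return {}
    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    headers["Access-Control-Max-Age"] = "600"    # seconds the browser may cache this preflight answer
    return headers


# Two common misconfigurations, kept only for contrast. Do not use either.
def reflect_any_origin(request_origin: str) -> dict:
    """Reflects whatever Origin arrives and allows credentials: any site can read authenticated responses."""
    return {"Access-Control-Allow-Origin": request_origin, "Access-Control-Allow-Credentials": "true"}


def substring_allowlist(request_origin: str) -> bool:
    """Substring matching: 'https://evilexample.com' and 'https://example.com.evil.net' both pass."""
    return "example.com" in request_origin


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example.com", "https://evilexample.com", "null"):
        print(f"{origin:>28}: strict={cors_headers(origin, with_credentials=True)} "
              f"substring_match={substring_allowlist(origin)}")
```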
// Common vulnerabilities (OWASP Top 10, 2017 edition; the 2021 edition reorders these and adds Insecure Design, Software and Data Integrity Failures and SSRF)
1. Injection (SQL, NoSQL, Command)
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. XSS (Cross-Site Scripting)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
// Headers for security
Content-Security-Policy: Restrict where scripts, styles and frames may load from; mitigates XSS (frame-ancestors also covers clickjacking)
X-Frame-Options: DENY or SAMEORIGIN; prevent clickjacking (legacy; CSP frame-ancestors supersedes it)
Strict-Transport-Security: max-age=31536000; includeSubDomains; force HTTPS on future visits
X-Content-Type-Options: nosniff; prevent MIME sniffing
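A small audit of the four headers above over a captured response, as an added example (not code from the original cheat sheet). Rather than only checking presence it parses the values: a CSP whose script-src still allows 'unsafe-inline' without a nonce or hash does not stop inline XSS, an HSTS max-age under a year or without includeSubDomains leaves downgrade room, and framing is only covered if either frame-ancestors or X-Frame-Options is set. The one-year threshold, the finding texts and the sample header sets in `__main__` are this example's own choices.

```python
from typing import Optional

ONE_YEAR = 31536000   # seconds; also the minimum max-age browsers' HSTS preload lists require


def parse_csp(value: str) -> dict:
    """\"default-src 'self'; script-src 'self' 'nonce-x'\" -> {'default-src': [\"'self'\"], ...}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> Optional[int]:
    """max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for part in value.split(";"):
        key, _, number = part.strip().partition("=")
        if key.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def audit_security_headers(headers: dict) -> list:
    """List of findings for one response (empty means every check passed). Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        scripts = directives.get("script-src", directives.get("default-src"))
        if scripts is None:
            findings.append("CSP restricts neither script-src nor default-src: scripts are unrestricted")
        elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        ):
            # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'; without one it re-enables inline XSS
            findings.append("CSP script-src allows 'unsafe-inline': injected inline scripts still execute")
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no frame-ancestors directive and no X-Frame-Options: clickjacking possible")

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age is missing or under one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains can still be downgraded")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': browsers may MIME-sniff responses")
    return findings


if __name__ == "__main__":
    # Constructed header sets: one hardened, one typical weak default
    hardened = {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff",
    }
    weak = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"}
    for name, hdrs in (("hardened", hardened), ("weak", weak)):
        print(name, "->", audit_security_headers(hdrs) or ["ok"])
```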