RFC 7541 Quiz

Q1: What is the main purpose of HPACK in HTTP/2

Multiple Choice

A. Encrypt headers end to end B. Reduce header size using compression with indexed representations C. Guarantee server authenticity without TLS

**Explanation:** **Terms:** header compression, static table, dynamic table, indexing **Correct (B):** HPACK compresses header fields, often by referring to entries in a static or dynamic table **Options:** - A (incorrect): Encryption is provided by TLS, not HPACK - B (correct): This is the core design goal - C (incorrect): Authenticity is not guaranteed by HPACK **Related:** HTTP/3 uses QPACK instead of HPACK because transport properties differ

Q2: Which table is shared state that changes over time on a connection

Multiple Choice

A. The static table B. The DNS cache C. The dynamic table

**Explanation:** **Terms:** dynamic table, connection state **Correct (C):** The dynamic table is updated by header blocks as requests and responses flow **Options:** - A (incorrect): The static table is fixed by the specification - B (incorrect): Unrelated to HPACK - C (correct): The dynamic table evolves per connection **Related:** Wrong dynamic table state leads to decompression failures and protocol errors

Q3: Which header values are commonly treated as sensitive and should avoid indexing (select all)

Multi-Select

A. Authorization B. Accept C. Cookie D. Set-Cookie

**Explanation:** **Terms:** sensitive header field, never indexed, side channel **Correct (A,C,D):** Credentials and session identifiers are high value targets and can amplify compression side channels **Options:** - A (correct): Often contains secrets - B (incorrect): Usually low sensitivity - C (correct): Often contains session identifiers - D (correct): Often sets session identifiers **Related:** Compression plus attacker influence can leak information, so treat secrets carefully

Q4: What limits the maximum size of the HPACK dynamic table for a peer

Multiple Choice

A. A negotiated setting for header table size B. The HTTP status code C. The URI scheme

**Explanation:** **Terms:** SETTINGS, dynamic table size **Correct (A):** Peers advertise limits and the encoder must respect them **Options:** - A (correct): This prevents unbounded memory usage - B (incorrect): Unrelated - C (incorrect): Unrelated **Related:** Encoders can also send dynamic table size updates within header blocks

Q5: HPACK can encode strings with which common prefix free coding (one word)

Short Text

**Explanation:** **Terms:** Huffman coding **Correct:** Huffman **Related:** HPACK defines a specific Huffman code table for efficiency

Q6: A classic risk when compressing secrets together with attacker influenced data is

Multiple Choice

A. Increased DNS TTL B. Loss of TLS authentication C. Side channel leakage via compression behavior

**Explanation:** **Terms:** compression side channel, attacker chosen input **Correct (C):** Size and compression ratio can leak information about secrets in some threat models **Options:** - A (incorrect): Unrelated - B (incorrect): TLS authentication is separate - C (correct): This is a known category of risk **Related:** Treat cookies and credentials as sensitive and consider never indexed encodings

HPACK (HTTP/2 Header Compression)

References (URLs)

Q1: What is the main purpose of HPACK in HTTP/2

Q2: Which table is shared state that changes over time on a connection

Q3: Which header values are commonly treated as sensitive and should avoid indexing (select all)

Q4: What limits the maximum size of the HPACK dynamic table for a peer

Q5: HPACK can encode strings with which common prefix free coding (one word)

Q6: A classic risk when compressing secrets together with attacker influenced data is