Name: Faheyan Nomani
Unit Title: Coding and Website Development
Unit Level: 3
Unit Reference Number: R/618/6091

2. Understanding web architecture and components.
By Faheyan
2.1 Explain the web architecture and components which enable internet and web functionality.

Introduction: Web architecture is the foundational framework that allows users to access, share, and interact with information and applications across the internet. It comprises a set of protocols, components, and systems working together to exchange data smoothly between servers and clients. Understanding these components (web servers, clients, protocols, DNS, and CDNs) gives insight into how web content is delivered and how users interact with online services and resources.
Component: Client-Server Model
Description: At the heart of web architecture is the client-server model, a framework where clients (users' devices) request information and servers (remote computers) respond with the requested data.
Functionality: When a user enters a URL into their web browser, a request is sent from the client to the server hosting the website. The server processes this request and sends the relevant content back to the client's browser to display the webpage.
(Wikipedia, 2024 & Quora, 2017)
Component: Web Server
Description: A web server is software or hardware that stores and delivers web content, such as HTML files, images, and videos, to users' browsers upon request.
Functionality: Web servers such as Apache, Nginx, and Microsoft IIS handle multiple client requests, ensuring data is sent precisely and efficiently. They use protocols like HTTP and HTTPS to transfer data securely.
(Gillis, 2020 & Wikipedia, 2024)
Component: Internet Protocols
Description: Internet protocols are a set of rules that govern how data is transmitted over the internet and other networks. They ensure that devices can communicate reliably and securely.
Hypertext Transfer Protocol (HTTP/HTTPS): HTTP is the protocol that controls data transit between the client and server. HTTPS is a secure variant of HTTP that encrypts data to prevent interception.
Transmission Control Protocol/Internet Protocol (TCP/IP): TCP/IP provides reliable transmission of data over the internet. TCP breaks data into packets, which are transmitted to the destination and reassembled in the correct order.
File Transfer Protocol (FTP): FTP is used to transfer files between computers over a network and is commonly used for uploading files to a web server.
(Cloudflare, no date & GeeksforGeeks, 2024)
Component: Domain Name System (DNS)
Description: DNS is a hierarchical system that translates human-friendly domain names (like www.example.com) into IP addresses, which computers use to identify each other.
Functionality: When a user enters a website address, DNS servers resolve the domain name to the corresponding IP address, allowing the browser to locate the correct web server.
(Cloudflare, no date & Wikipedia, 2024)
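To show what a resolver actually sends and receives when it "translates a name into an IP address", here is an added example (written for this page, not taken from the assignment or any cited source) that builds a real DNS A-record query in RFC 1035 wire format and parses the answer section of a reply, including the name-compression pointers real servers use. Because it must run offline, the reply is produced by a constructed stand-in responder (`constructed_response`) and the address 203.0.113.10 is a documentation address, not a real lookup result; the transaction-ID check is included because a mismatched ID is the first sign of a spoofed reply.

```python
import secrets
import struct
from typing import List, Optional, Tuple

# RFC 1035 record type / class values used below.
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: Optional[int] = None) -> bytes:
    """Build a standard recursive A query (flags 0x0100 = recursion desired)."""
    if txn_id is None:
        txn_id = secrets.randbelow(1 << 16)  # unpredictable IDs make spoofed replies harder
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `offset`; return (name, offset past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:  # hostile replies can loop pointers; refuse to follow forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(response: bytes, expected_id: int) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for each A record in the answer section."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txn_id != expected_id:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    if flags & 0x000F:  # non-zero RCODE: the server reported an error
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(response, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = decode_name(response, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """CONSTRUCTED stand-in for a resolver's reply: echoes the question and adds one
    A record whose name is a pointer (0xC00C) back to the question name at offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(p) for p in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer


def resolve_offline(name: str, ipv4: str = "203.0.113.10") -> List[Tuple[str, int, str]]:
    """Round trip: build the query, hand it to the constructed responder, parse the reply."""
    query = build_query(name, txn_id=0x1234)
    return parse_a_records(constructed_response(query, ipv4), expected_id=0x1234)


if __name__ == "__main__":
    print(resolve_offline("www.example.com"))
```

Against a real resolver you would send `build_query(name)` over UDP to port 53 and pass the datagram you get back to `parse_a_records` with the same transaction ID; the TTL in each answer is what a browser or CDN edge uses to decide how long the mapping may be cached.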
Component: Application Programming Interfaces (APIs)
Description: APIs allow different software applications to communicate with each other and enable functionality like retrieving data, making service requests, and updating resources.
Functionality: Web applications commonly use RESTful APIs, which allow data exchange in a standardized format (often JSON or XML) over HTTP. APIs are critical for enabling services like social media integration and third-party login options.
(IBM, 2024 & Wikipedia, 2024)
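The client-server model, the web server, HTTP over TCP and the JSON REST API described in the tables above can all be seen in one exchange. The following is an added example written for this page (not code from the assignment or from any server software it names): a small Python web server runs on a loopback port and serves an HTML page plus a `/api/status` endpoint, while the client side speaks HTTP/1.1 over a raw TCP socket so the request line, headers and body are visible rather than hidden inside a library. The served data in `STATUS` is constructed.

```python
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# CONSTRUCTED in-memory record that the REST endpoint serves as JSON.
STATUS = {"service": "demo", "healthy": True}


class DemoHandler(BaseHTTPRequestHandler):
    """Server side: static HTML at / and a JSON REST resource at /api/status."""

    def do_GET(self):
        if self.path == "/":
            self._send(200, "text/html; charset=utf-8", b"<html><body><h1>Hello</h1></body></html>")
        elif self.path == "/api/status":
            self._send(200, "application/json", json.dumps(STATUS).encode("utf-8"))
        else:
            self._send(404, "text/plain", b"not found")

    def _send(self, code, content_type, body):
        self.send_response(code)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve requests on a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_http_get(host, port, path):
    """Client side: send a GET over TCP and parse status line, headers and body."""
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = dict(line.split(": ", 1) for line in header_lines)
    return status, headers, body


def fetch_status(server):
    """Call the REST endpoint and decode the JSON document the server returned."""
    port = server.server_address[1]
    status, headers, body = raw_http_get("127.0.0.1", port, "/api/status")
    return status, headers.get("Content-Type"), json.loads(body)


if __name__ == "__main__":
    srv = start_server()
    try:
        print(raw_http_get("127.0.0.1", srv.server_address[1], "/"))
        print(fetch_status(srv))
    finally:
        srv.shutdown()
```

In a real deployment the browser would first resolve the host name through DNS and the connection would be wrapped in TLS (HTTPS), but the request/response framing shown here is the same.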
Component: Content Delivery Network (CDN)
Description: A CDN is a distributed network of servers that delivers web content based on a user's geographic location.
Functionality: By caching content across multiple servers worldwide, CDNs reduce the distance data must travel, improving load times and reducing strain on the origin server.
(Cloudflare, no date & Wikipedia, 2024)
Conclusion: The components of web architecture—such as the client-server model, DNS, protocols, web servers, and CDNs—enable the smooth functionality of the internet, allowing users worldwide to access and interact with web resources. Each component plays a crucial role in ensuring that content is delivered efficiently, securely, and accurately, forming the backbone of our modern digital landscape. By understanding web architecture, we gain insight into how the internet operates and supports the wide range of applications and services that we rely on every day.
References:
1. Wikipedia contributors (2024) Client–server model. https://en.wikipedia.org/wiki/Client%E2%80%93server_model
2. MDN (2024) Introduction to client-side frameworks. https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Client-side_JavaScript_frameworks/Introduction
3. Quora (2017). https://www.quora.com/What-is-the-difference-between-server-side-client-side-and-browser-side
4. Wikipedia contributors (2024) Web browser. https://en.wikipedia.org/wiki/Web_browser
5. Wikipedia contributors (2024) Web server. https://en.wikipedia.org/wiki/Web_server
6. Gillis, A.S. (2020) Web server. https://www.techtarget.com/whatis/definition/Web-server
7. Wikipedia contributors (2024) Domain Name System. https://en.wikipedia.org/wiki/Domain_Name_System
8. Cloudflare (no date) What is DNS? How DNS works. https://www.cloudflare.com/learning/dns/what-is-dns/
9. Cloudflare (no date) What is the Internet Protocol (IP)? https://www.cloudflare.com/learning/network-layer/internet-protocol/
10. GeeksforGeeks (2024) HTTP full form. https://www.geeksforgeeks.org/http-full-form/
11. GeeksforGeeks (2024) TCP/IP model. https://www.geeksforgeeks.org/tcp-ip-model/
12. GeeksforGeeks (2024) File Transfer Protocol (FTP) in Application layer. https://www.geeksforgeeks.org/file-transfer-protocol-ftp-in-application-layer/
2.2 Discuss the security risks and protection mechanisms involved in website performance.

Introduction: Website performance is a crucial factor for user satisfaction and engagement, but it is increasingly vulnerable to security threats that can degrade speed, accessibility, and reliability. Security risks like DDoS attacks, malware injection, and cross-site scripting (XSS) not only compromise data but can severely impact a website's functionality and load times. Protecting website performance requires a comprehensive approach that incorporates both proactive and reactive measures. This discussion explores common security risks affecting website performance and examines protection mechanisms to mitigate these threats.
Key Threats to Website Performance
- DDoS Attacks: overloading servers with traffic.
- SQL Injection: exploiting database vulnerabilities.
- Cross-Site Scripting (XSS): injecting malicious scripts.
- Phishing and Social Engineering Attacks: impersonating websites to steal user data.
- Malware: infecting websites to harm users or systems.
- Poor Authentication and Session Management: weak security or authentication systems that can easily be broken.
- Insufficient Encryption of Data: data that is unencrypted or weakly encrypted and can easily be intercepted and stolen.
Risk: Distributed Denial of Service (DDoS) Attacks
Details: DDoS attacks flood a website with excessive requests, overwhelming the server and causing downtime. They can significantly slow down a website, leading to poor performance and unavailability for legitimate users.
Protection Mechanisms:
- Web Application Firewalls (WAFs) filter out malicious traffic before it reaches the server.
- Rate Limiting controls the number of requests a user can make in a given time frame.
- Content Delivery Networks (CDNs) can distribute traffic across multiple servers to absorb excess load.
(Fortinet, no date & BSI, no date)
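Rate limiting is easy to describe and easy to get wrong, so here is an added example (written for this page, not taken from the assignment or from any product it cites) of a per-client token-bucket limiter run over a constructed request log. Each client may burst up to `burst` requests and then sustain `rate` requests per second; one client in the sample behaves like a browser and one floods. The timestamps are injected rather than read from the clock so the result is reproducible.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# CONSTRUCTED request log: (seconds since start, client IP). 10.0.0.1 is a human-paced
# visitor (one request per second); 10.0.0.9 fires 20 requests in under a second.
SAMPLE_REQUESTS: List[Tuple[float, str]] = sorted(
    [(float(t), "10.0.0.1") for t in range(4)]
    + [(round(i * 0.04, 2), "10.0.0.9") for i in range(20)]
)


class TokenBucketLimiter:
    """Per-client token bucket. A request is allowed only if a whole token is available;
    tokens refill continuously at `rate` per second up to the bucket size `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._state: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)  # keep the partial refill, still blocked
        return False


def apply_limit(requests, rate: float = 2.0, burst: int = 3) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, client) pairs through the limiter; return per-client counts."""
    limiter = TokenBucketLimiter(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client in requests:
        stats[client]["allowed" if limiter.allow(client, ts) else "blocked"] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in apply_limit(SAMPLE_REQUESTS).items():
        print(client, counts)
```

With a burst of 3 and a refill of 2 tokens per second, the steady client is never blocked while the flooding client gets its first three requests through, is blocked, and then earns roughly one more request every half second; in production the same logic normally lives in the WAF, reverse proxy or CDN edge rather than in the application, so that blocked requests never consume origin capacity.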
Risk: Malware Injection
Details: Attackers can insert malicious code into a website's scripts or database through vulnerabilities, impacting website performance by running unauthorized processes, redirecting traffic, or collecting sensitive data.
Protection Mechanisms:
- Regular Software Updates ensure that the latest security patches are applied.
- Input Validation and Sanitization prevent code injection by filtering and escaping user inputs.
- File Integrity Monitoring detects changes in critical files, alerting administrators to potential malicious modifications.
(Wikipedia, 2024 & Mirza, 2023 & Rapid7, no date)
Risk: Cross-Site Scripting (XSS)
Details: XSS attacks inject malicious scripts into a website, impacting performance and potentially stealing user data or infecting visitors' devices. An XSS attack can slow down web applications by executing unwanted scripts.
Protection Mechanisms:
- Content Security Policy (CSP) restricts which sources of content the browser can execute.
- Input Validation and Escaping sanitize user inputs, preventing malicious scripts from executing.
- Secure Cookie Flags ensure cookies are sent only over HTTPS and cannot be read by client-side scripts.
(Wikipedia, 2024 & PortSwigger, no date)
Risk: SQL Injection
Details: SQL injection attacks allow attackers to manipulate or access the website's database. This can lead to data breaches, unauthorized data access, or even deletion of critical data, affecting website speed and reliability.
Protection Mechanisms:
- Parameterized Queries and Prepared Statements ensure that SQL commands are executed safely without tampering.
- Database Access Controls restrict user permissions to minimize the impact of successful injections.
- Regular Security Audits of database and application code help identify and mitigate vulnerabilities.
(Wikipedia, 2024 & Kime, 2023)
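To make the first protection mechanism concrete, here is an added example (written for this page, not code from the assignment or from the cited sources) that puts a string-built query next to a parameterized one against a constructed in-memory SQLite table. The same input is run through both: in the vulnerable version the quote in the input becomes SQL syntax and the WHERE clause matches every row; in the parameterized version the driver passes the input as data and nothing matches. The `pw_hash` values are placeholder strings, not real hashes.

```python
import sqlite3
from typing import List

# CONSTRUCTED users table; the hash column holds placeholder strings only.
SEED_USERS = [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """VULNERABLE: the value is spliced into the SQL text, so quote characters in the
    input rewrite the query. Kept here only to contrast with the safe version."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: a parameterized query. The '?' is bound by the driver, so the input is
    always compared as a literal string, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare_on(username: str) -> dict:
    """Run one input through both lookups and return what each saw."""
    conn = make_db()
    try:
        return {
            "input": username,
            "vulnerable": find_user_vulnerable(conn, username),
            "parameterized": find_user_safe(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare_on("alice"))
    print(compare_on("x' OR '1'='1"))
```

The second protection mechanism, least-privilege database accounts, complements this: even if some query elsewhere is still built from strings, an application account that can only SELECT from the tables it needs cannot be used to drop or rewrite them.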
Risk: Phishing
Details: Phishing attacks trick users into divulging sensitive information or clicking on malicious links, potentially resulting in data breaches or DDoS if users unknowingly download harmful scripts.
Protection Mechanisms:
- Email Filtering and Spam Protection help prevent phishing emails from reaching users.
- User Education and Awareness programs teach users how to identify and avoid phishing attempts.
- Multi-Factor Authentication adds an extra layer of security even if credentials are compromised.
(IBM, 2024 & OCC.gov, no date)
Risk: Poor Authentication and Session Management
Details: Weak authentication systems can lead to unauthorized access, allowing attackers to disrupt website performance or steal sensitive data.
Protection Mechanisms:
- Multi-Factor Authentication (MFA) requires multiple forms of verification, making unauthorized access more difficult.
- Session Timeout and Expiration Policies protect against session hijacking.
- Secure Password Storage using hashing algorithms like bcrypt or Argon2 ensures that passwords remain secure.
(OWASP Foundation, no date & Wikipedia, 2024 & OneLogin, no date)
Risk: Insufficient Encryption of Data
Details: Without encryption, sensitive data (such as login credentials) transmitted between the client and server can be intercepted. This not only jeopardizes security but also compromises user trust.
Protection Mechanisms:
- SSL/TLS Certificates encrypt data in transit, making it unreadable to unauthorized parties.
- Encrypted Databases protect stored sensitive data, securing it from unauthorized access.
- Regular Encryption Key Rotation ensures that even if a key is compromised, it has limited value over time.
(CNRS News, no date & AppSealing, 2023 & DigiCert, no date & Stack Overflow, no date)
Conclusion: To maintain optimal website performance, it is essential to address security risks that could otherwise disrupt operations and compromise user trust. By implementing effective protection mechanisms such as WAFs, encryption, and secure coding practices, organizations can safeguard their sites against attacks while preserving performance. Addressing these risks is fundamental to building a resilient, secure, and high-performing website in today's digital environment.
References:
1. Fortinet (no date) What is a DDoS attack? DDoS meaning, definition & types. https://www.fortinet.com/resources/cyberglossary/ddos-attack
2. BSI (no date) Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS). https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/DoS-Denial-of-Service/dos-denial-of-service_node.html
3. Wikipedia contributors (2024) Code injection. https://en.wikipedia.org/wiki/Code_injection
4. Mirza, D. (2023) 10+ most common types of malware injection attacks. Host Duplex blog. https://www.hostduplex.com/blog/types-of-malware-injection-attacks/
5. Rapid7 (no date) What is a malware attack? Definition & best practices. https://www.rapid7.com/fundamentals/malware-attacks/
6. PortSwigger (no date) What is cross-site scripting (XSS) and how to prevent it? Web Security Academy. https://portswigger.net/web-security/cross-site-scripting
7. Wikipedia contributors (2024) SQL injection. https://en.wikipedia.org/wiki/SQL_injection
8. Kime, C. (2023) How to prevent SQL injection: 5 key prevention methods. https://www.esecurityplanet.com/threats/how-to-prevent-sql-injection-attacks/
9. OWASP Foundation (no date) M5: Poor Authorization and Authentication. https://owasp.org/www-project-mobile-top-10/2014-risks/m5-poor-authorization-and-authentication
10. OneLogin (no date) What is Multi-Factor Authentication (MFA)? https://www.onelogin.com/learn/what-is-mfa
11. Wikipedia contributors (2024) Argon2. https://en.wikipedia.org/wiki/Argon2
12. IBM (2024) What is phishing? https://www.ibm.com/topics/phishing
13. OCC (no date) Phishing attack prevention: How to identify & avoid phishing scams. https://www.occ.gov/topics/consumers-and-communities/consumer-protection/fraud-resources/phishing-attack-prevention.html
14. CNRS News (no date) Data protection: encryption is not enough. https://news.cnrs.fr/opinions/data-protection-encryption-is-not-enough
15. AppSealing (2023) Insufficient cryptography and its impact on mobile application security. https://www.appsealing.com/insufficient-cryptography/
16. DigiCert (no date) What is SSL, TLS and HTTPS?