Paper 1 Web Applications Answers
These answers correspond to Paper 1 Web Applications Drills.
Answer 1: Web vs Native
The attendance system is well suited to a web application because teachers can access it through a browser on different laptops without installing separate software.
The camera app is well suited to a native application because it needs offline use and direct access to device-specific camera controls.
Mark points:
- web app linked to browser access across devices;
- web app linked to no local installation or central updates;
- native app linked to installed platform-specific software;
- native app linked to offline use or device-specific hardware access.
Common weak answer:
- saying web apps are always better because they are online. The camera scenario has requirements that fit a native app.
Answer 2: Usability
Two valid improvements:
- Add clear labels such as
UsernameandPasswordbeside the text boxes, so users can recognise what each field requires. - Replace
"Error"with a more useful message such as"Incorrect username or password", so users know what went wrong and how to recover. - Make the password field use
type="password", so typed characters are masked from casual shoulder-surfing. - Keep layout and button placement consistent, so the action is predictable.
Mark points:
- 1 mark for each concrete usability improvement;
- 1 mark for each linked benefit, up to 4 marks.
Common weak answer:
- saying only “make it nicer” without naming a specific usability change or explaining how it helps the user.
Answer 3: HTML Form Name Attribute
The name attribute gives the key used when the browser submits the form data.
Because the input has name="student_name", Flask can retrieve the submitted value using:
request.form["student_name"]Mark points:
- identifies
nameas the submitted form-data key; - links
student_nametorequest.form["student_name"].
Common weak answer:
- confusing
namewith the visible label shown to the user.
Answer 4: GET vs POST
The library search form is suitable for GET because it retrieves information and the search keyword can be included in the URL, making the search link shareable/bookmarkable.
The login form should use POST because it sends sensitive credentials in the request body and performs an authentication action.
Mark points:
GETlinked to retrieval/search;GETlinked to URL query string/shareable search;POSTlinked to login submission;POSTlinked to not placing credentials in the URL.
Common weak answer:
- saying
POSTencrypts the password. HTTPS provides encryption;POSTmainly avoids placing form data in the URL.
Answer 5: Flask Route
The route handles the URL path:
/statusWhen the path is requested, Flask calls status() and returns:
OKMark points:
- identifies
/statusas the path; - states that the returned response body is
OK.
Common weak answer:
- saying the URL path is
/OK.OKis the response, not the route path.
Answer 6: Jinja Variable
The <h1> element displays:
<h1>Asha</h1>The route passes username="Asha" into render_template. The Jinja expression {{ username }} is replaced by that value when the template is rendered.
Mark points:
- states that
Ashaappears in the page; - explains that the route passes
usernameto the template; - explains that
{{ username }}is replaced during rendering.
Common weak answer:
- saying the browser runs Python to get the value. The template is rendered by Flask on the server.
Answer 7: Static Files
{{ url_for('static', filename='style.css') }}Mark points:
- 1 mark for correctly using
url_for('static', filename='style.css').
Common weak answer:
- linking to
templates/style.css; static assets should be served fromstatic/.
Answer 8: Template Folder
This may fail because Flask normally looks for templates in a folder named:
templatesThe current folder is named template, so render_template("home.html") may not find the file.
Mark points:
- explains that Flask uses the default
templates/folder; - states the corrected folder name
templates.
Common weak answer:
- renaming the file to
template.html; the folder name is the issue.
Answer 9: Upload Risk
Risk:
profile.exemay be executable malware or an unsafe file type disguised as a profile picture.- If accepted unsafely, the file could be served, opened, or misused as executable content rather than treated as an image.
Controls:
- Reject files whose extensions are not in an allowed list such as
.png,.jpg, or.jpeg. - Use another control such as checking file size, generating a safe server-side filename, or saving uploads outside executable locations.
Extension checking alone is not a complete guarantee that the content is safe.
Mark points:
- identifies a realistic upload risk;
- links the risk to executable or unsafe file type;
- gives a suitable mitigation such as extension/type checking;
- gives an additional practical mitigation or explains how the mitigation reduces the risk.
Common weak answer:
- accepting the file because it has the word
profilein its name.
Answer 10: Local Testing
Two valid checks:
- Start the Flask app locally and visit each route to confirm there are no errors.
- Submit each form and check the expected output or database change occurs.
- Check that templates render correctly from
templates/. - Check that CSS loads from
static/. - Check that the SQLite database path is correct and the required tables exist.
Mark points:
- 1 mark for each valid local check, up to 2 marks.
Common weak answer:
- checking only that the Python file exists, without running the app or testing routes.