15 .NET Web API Interview Questions and Answers
Prepare for your interview with this guide on .NET Web API, featuring common questions and detailed answers to enhance your technical skills.
.NET Web API is a powerful framework for building HTTP services that can be consumed by a wide range of clients, including browsers and mobile devices. Leveraging the robustness of the .NET ecosystem, it allows developers to create scalable and high-performance web services with ease. Its integration with ASP.NET Core further enhances its capabilities, making it a preferred choice for modern web development.
This article provides a curated selection of interview questions designed to test your understanding and proficiency with .NET Web API. By reviewing these questions and their detailed answers, you will be better prepared to demonstrate your technical expertise and problem-solving abilities in your upcoming interviews.
.NET Web API Interview Questions and Answers
1. Explain the concept of RESTful services and how it applies to Web APIs.
RESTful services are based on principles that enhance web services’ scalability and maintainability. These include:
- Statelessness: Each client request must contain all necessary information for processing, as the server doesn’t store client context between requests.
- Client-Server Architecture: The client and server are separate entities, allowing independent evolution.
- Uniform Interface: Standard HTTP methods (GET, POST, PUT, DELETE) and status codes are used for operations on resources.
- Resource-Based: Everything is a resource, identified by a URI, and manipulated using HTTP methods.
- Representation: Resources can have multiple representations (e.g., JSON, XML), requested via the Accept header.
In .NET Web API, these principles guide the creation of user-friendly and maintainable APIs. Here’s a simple example:
using System.Collections.Generic;
using System.Web.Http;
public class ProductsController : ApiController
{
private static List<string> products = new List<string> { "Product1", "Product2", "Product3" };
// GET api/products
public IEnumerable<string> Get()
{
return products;
}
// GET api/products/5
public string Get(int id)
{
return products[id];
}
// POST api/products
public void Post([FromBody] string value)
{
products.Add(value);
}
// PUT api/products/5
public void Put(int id, [FromBody] string value)
{
products[id] = value;
}
// DELETE api/products/5
public void Delete(int id)
{
products.RemoveAt(id);
}
}
2. Describe the role of HTTP methods in a Web API.
HTTP methods, or verbs, perform actions on resources in a Web API. Common methods include:
- GET: Retrieves data without side effects.
- POST: Submits data to create a new resource.
- PUT: Updates an existing resource or creates one if it doesn’t exist.
- DELETE: Removes a specified resource.
- PATCH: Applies partial modifications to a resource.
These methods follow REST architecture principles, creating a predictable API.
3. How do you handle versioning in a Web API?
Versioning in a Web API can be managed through:
- URL Path Versioning: Includes the version number in the URL path.
- Query String Versioning: Adds a version parameter in the query string.
- Header Versioning: Specifies the version number in the request header.
- Media Type Versioning: Uses the Accept header to specify the version.
URL Path Versioning is a straightforward approach.
Example:
[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/[controller]")]
public class SampleController : ControllerBase
{
[HttpGet]
public IActionResult Get() => Ok("This is version 1.0");
}
[ApiVersion("2.0")]
[Route("api/v{version:apiVersion}/[controller]")]
public class SampleV2Controller : ControllerBase
{
[HttpGet]
public IActionResult Get() => Ok("This is version 2.0");
}
4. What is dependency injection and how is it implemented in .NET Web API?
Dependency injection (DI) in .NET Web API achieves Inversion of Control (IoC) between classes and their dependencies. It allows for the injection of services into controllers, enhancing modularity and testability.
In .NET Web API, DI is implemented using the built-in IoC container. Services are registered in the Startup class and injected into controllers via constructor injection.
Example:
// Service Interface
public interface IMyService
{
string GetData();
}
// Service Implementation
public class MyService : IMyService
{
public string GetData()
{
return "Hello from MyService";
}
}
// Startup.cs
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddTransient<IMyService, MyService>(); // Registering the service
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
// Controller
[ApiController]
[Route("[controller]")]
public class MyController : ControllerBase
{
private readonly IMyService _myService;
public MyController(IMyService myService)
{
_myService = myService;
}
[HttpGet]
public IActionResult Get()
{
var data = _myService.GetData();
return Ok(data);
}
}
5. Explain the use of attribute routing in .NET Web API.
Attribute routing in .NET Web API defines routes directly on the controller and action methods using attributes, offering more control and flexibility.
Example:
using System.Web.Http;
public class ProductsController : ApiController
{
[Route("api/products")]
[HttpGet]
public IHttpActionResult GetAllProducts()
{
// Code to retrieve all products
return Ok();
}
[Route("api/products/{id:int}")]
[HttpGet]
public IHttpActionResult GetProductById(int id)
{
// Code to retrieve a product by id
return Ok();
}
[Route("api/products")]
[HttpPost]
public IHttpActionResult CreateProduct([FromBody] Product product)
{
// Code to create a new product
return Ok();
}
}
The Route attribute defines routes for methods, enhancing readability and maintainability.
6. How would you implement authentication and authorization in a Web API?
Authentication and authorization secure a .NET Web API. Authentication verifies user identity, while authorization determines resource access.
JWT (JSON Web Tokens) are commonly used for authentication due to their stateless nature. Role-based access control (RBAC) manages authorization by assigning roles to users and defining permitted actions.
Example of JWT authentication and RBAC:
// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = "yourIssuer",
ValidAudience = "yourAudience",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("yourSecretKey"))
};
});
services.AddAuthorization(options =>
{
options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
});
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
// ExampleController.cs
[Authorize]
[ApiController]
[Route("[controller]")]
public class ExampleController : ControllerBase
{
[HttpGet]
[Authorize(Policy = "AdminOnly")]
public IActionResult Get()
{
return Ok("This is an admin-only endpoint.");
}
}
7. Describe how middleware works in ASP.NET Core and its role in a Web API.
Middleware in ASP.NET Core is a software component in an application pipeline that handles requests and responses. Each middleware can perform operations before and after the next component is invoked. Middleware components are executed in the order they are added to the pipeline.
Example:
public class RequestLoggingMiddleware
{
private readonly RequestDelegate _next;
public RequestLoggingMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
Console.WriteLine($"Request: {context.Request.Method} {context.Request.Path}");
await _next(context);
Console.WriteLine($"Response: {context.Response.StatusCode}");
}
}
// In Startup.cs
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseMiddleware<RequestLoggingMiddleware>();
app.UseMvc();
}
In this example, RequestLoggingMiddleware logs request and response details.
8. How do you implement logging in a .NET Web API application?
Logging is essential for tracking application behavior, diagnosing issues, and auditing activities. In .NET, logging is implemented using the built-in logging framework.
To implement logging:
- Configure logging in
Startup.cs. - Inject the
ILoggerservice into controllers or services. - Use
ILoggermethods to log information, warnings, errors, etc.
Example:
// Startup.cs
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddLogging(config =>
{
config.AddConsole();
config.AddDebug();
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
// SampleController.cs
[ApiController]
[Route("[controller]")]
public class SampleController : ControllerBase
{
private readonly ILogger<SampleController> _logger;
public SampleController(ILogger<SampleController> logger)
{
_logger = logger;
}
[HttpGet]
public IActionResult Get()
{
_logger.LogInformation("Get method called");
return Ok("Hello, world!");
}
}
9. Explain the concept of content negotiation and how it is handled in .NET Web API.
Content negotiation in .NET Web API selects the appropriate response format based on the client’s request, specified via the Accept header. The MediaTypeFormatter class handles this process, with built-in formatters for JSON and XML.
Example:
public class ProductsController : ApiController
{
public IHttpActionResult Get()
{
var products = new List<Product>
{
new Product { Id = 1, Name = "Product1", Price = 10 },
new Product { Id = 2, Name = "Product2", Price = 20 }
};
return Ok(products);
}
}
The framework automatically handles content negotiation based on the client’s Accept header.
10. How would you implement rate limiting in a Web API?
Rate limiting in a Web API prevents abuse and ensures fair usage among clients. It helps maintain performance and availability by controlling traffic. In .NET Web API, rate limiting can be implemented using middleware or libraries like AspNetCoreRateLimit.
Example using AspNetCoreRateLimit:
1. Install the AspNetCoreRateLimit package via NuGet.
2. Configure rate limiting settings in appsettings.json.
3. Add services and middleware in Startup.cs.
Example:
// appsettings.json
{
"IpRateLimiting": {
"EnableEndpointRateLimiting": true,
"StackBlockedRequests": false,
"RealIpHeader": "X-Real-IP",
"ClientIdHeader": "X-ClientId",
"HttpStatusCode": 429,
"GeneralRules": [
{
"Endpoint": "*",
"Period": "1m",
"Limit": 5
}
]
}
}
// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddMemoryCache();
services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimiting"));
services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
services.AddInMemoryRateLimiting();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseIpRateLimiting();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
11. Describe how CORS (Cross-Origin Resource Sharing) is configured in a Web API.
CORS (Cross-Origin Resource Sharing) is a security feature that prevents web pages from making requests to a different domain than the one that served the web page. In a .NET Web API, CORS can be configured in the Startup.cs file using middleware.
Example:
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowSpecificOrigin",
builder => builder.WithOrigins("http://example.com")
.AllowAnyMethod()
.AllowAnyHeader());
});
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseCors("AllowSpecificOrigin");
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
In this example, a CORS policy named “AllowSpecificOrigin” allows requests from “http://example.com” with any HTTP method and header.
12. How do you implement caching in a Web API to improve performance?
Caching in a Web API improves performance by storing results of expensive operations and reusing them for identical requests. This reduces server load and response times.
In .NET Web API, caching can be implemented using techniques like in-memory caching. Here’s an example using the MemoryCache class:
using Microsoft.Extensions.Caching.Memory;
public class MyController : ControllerBase
{
private readonly IMemoryCache _cache;
public MyController(IMemoryCache cache)
{
_cache = cache;
}
[HttpGet("data/{id}")]
public IActionResult GetData(int id)
{
string cacheKey = $"Data_{id}";
if (!_cache.TryGetValue(cacheKey, out string data))
{
// Simulate data fetching from a database or external service
data = $"Data for ID {id}";
// Set cache options
var cacheEntryOptions = new MemoryCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5),
SlidingExpiration = TimeSpan.FromMinutes(2)
};
// Save data in cache
_cache.Set(cacheKey, data, cacheEntryOptions);
}
return Ok(data);
}
}
In this example, MemoryCache stores and retrieves data, with cache options controlling its lifetime.
13. Explain the use of filters in .NET Web API and how they can be applied.
Filters in .NET Web API allow custom processing logic at various points in the request pipeline. Types include:
- Authorization Filters: Implement authentication and authorization logic.
- Action Filters: Execute before and after an action method.
- Exception Filters: Handle exceptions thrown by action methods.
- Result Filters: Execute before and after the action result.
Filters can be applied globally, at the controller level, or at the action level.
Example:
public class CustomActionFilter : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
// Code to execute before the action method is called
}
public override void OnActionExecuted(HttpActionExecutedContext actionExecutedContext)
{
// Code to execute after the action method is called
}
}
// Applying the filter at the controller level
[CustomActionFilter]
public class SampleController : ApiController
{
public IHttpActionResult Get()
{
return Ok("Hello, world!");
}
}
14. How would you implement HATEOAS (Hypermedia as the Engine of Application State) in a Web API?
HATEOAS (Hypermedia as the Engine of Application State) allows clients to interact with a RESTful API through hypermedia provided by the server. This means clients can discover actions and resources through links in responses.
To implement HATEOAS in a .NET Web API, use the Microsoft.AspNetCore.Mvc library to add hypermedia links to API responses. Create a resource model with data and hypermedia links, then populate these links in controller actions.
Example:
public class ProductResource
{
public int Id { get; set; }
public string Name { get; set; }
public decimal Price { get; set; }
public List<Link> Links { get; set; } = new List<Link>();
}
public class Link
{
public string Href { get; set; }
public string Rel { get; set; }
public string Method { get; set; }
}
[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase
{
[HttpGet("{id}")]
public IActionResult GetProduct(int id)
{
var product = new ProductResource
{
Id = id,
Name = "Sample Product",
Price = 19.99m
};
product.Links.Add(new Link
{
Href = Url.Link(nameof(GetProduct), new { id = product.Id }),
Rel = "self",
Method = "GET"
});
product.Links.Add(new Link
{
Href = Url.Link(nameof(UpdateProduct), new { id = product.Id }),
Rel = "update",
Method = "PUT"
});
return Ok(product);
}
[HttpPut("{id}", Name = nameof(UpdateProduct))]
public IActionResult UpdateProduct(int id, [FromBody] ProductResource product)
{
// Update product logic here
return NoContent();
}
}
15. How do you ensure the security of sensitive data in a Web API?
Ensuring the security of sensitive data in a Web API involves several practices:
- Authentication and Authorization: Implement robust authentication mechanisms like OAuth, JWT, or API keys. Use role-based access control (RBAC) to restrict access based on user roles.
- Data Encryption: Encrypt data both at rest and in transit. Use HTTPS (TLS/SSL) for data transmission and algorithms like AES for data at rest.
- Input Validation and Sanitization: Validate and sanitize incoming data to prevent injection attacks. Use parameterized queries and ORM frameworks.
- Rate Limiting and Throttling: Implement rate limiting and throttling to prevent abuse and denial-of-service attacks.
- Logging and Monitoring: Enable logging and monitoring to detect suspicious activities. Use tools like ELK stack for tracking logs and security events.
- Security Headers: Use headers like Content Security Policy (CSP), X-Content-Type-Options, and X-Frame-Options to protect against vulnerabilities.
- Regular Security Audits: Conduct regular audits and vulnerability assessments to identify and fix security issues.
