Salesforce Interview ASP.NET Web API Interview Questions

ASP.NET Core Web API is a framework for building HTTP services that return JSON, XML, or other serialized data.

Differences from MVC:

• No Razor or HTML rendering
• Focused on RESTful services
• Controller methods return data, not views
• Routing is often attribute-based

The pipeline consists of middleware components that process HTTP requests in sequence:

• Request enters server
• Middleware handles tasks like authentication, logging, routing
• Endpoint routing selects controller/action
• Controller executes business logic
• Response flows back through middleware

Controllers handle incoming HTTP requests.

• Decorated with [ApiController] and [Route]
• Contain action methods
• Use dependency injection via constructor
• Return IActionResult or data objects

Attribute routing uses attributes to define URL patterns.

• [Route("api/[controller]")] sets base route
• [HttpGet], [HttpPost] define HTTP verbs
• Supports route parameters, constraints, defaults

Model binding maps HTTP data to method parameters.

• [FromBody] binds JSON/XML
• [FromQuery] binds query parameters
• [FromRoute] binds URL segments

Validation uses DataAnnotations and ModelState.IsValid.

Action results allow APIs to return proper HTTP responses.

• Return 200, 404, 400 etc.
• Provide flexibility using IActionResult
• Support multiple return formats

Content negotiation selects the response format based on:

• Client's Accept header
• Configured formatters (JSON, XML)

ASP.NET Core defaults to JSON.

ASP.NET Core has built-in DI.

• Register services using AddSingleton/AddScoped/AddTransient
• Injected via controller constructor
• Improves modularity and testability

Singleton: One instance for entire app.

Scoped: One instance per request.

Transient: New instance per usage.

Best practices include:

• UseExceptionHandler middleware
• Exception filters
• Centralized logging
• Returning friendly error messages

Uses System.Text.Json by default.

• High performance
• Supports converters and casing rules
• Can switch to Newtonsoft.Json if required

Action filters run before/after actions.

• Logging
• Validation
• Authentication
• Response modification

[FromBody] - reads body JSON/XML.

[FromQuery] - reads query string.

[FromRoute] - maps URL parameters.

API versioning methods:

• URL versioning: /api/v1/
• Query string versioning
• Header versioning (api-version)

Implemented using the Versioning package.

CORS allows cross-domain API access.

Configured using AddCors + middleware.

Needed for browser-based clients.

Security techniques include:

• JWT Bearer authentication
• [Authorize] attributes
• HTTPS enforcement
• Input validation
• Rate limiting

Synchronous: Thread waits for completion.

Asynchronous: Releases thread during I/O.

Async improves scalability.

Response caching reduces repeated processing.

• Uses [ResponseCache] attribute
• Decreases latency
• Improves throughput

Testing involves:

• Unit tests with mocks
• Integration tests with TestServer
• API testing tools (Postman, Swagger)
• Validating status codes, payloads, headers

Swagger provides:

• Interactive API documentation
• Endpoint visibility
• Contract testing
• Client-code generation

Middleware are components in the ASP.NET Core request pipeline that execute sequentially.

Each middleware can:

• Process the request before passing it forward
• Process the response after the next middleware has executed

Common examples include authentication, logging, CORS, and routing middleware.

Order is critical because each middleware depends on the sequence.

UseRouting identifies the matching endpoint based on the URL.

UseEndpoints executes the matched action.

Authentication, authorization, and CORS middleware should be placed between these two for correct behavior.

Custom middleware involves:

• Create a class with a constructor accepting RequestDelegate
• Implement Invoke or InvokeAsync
• Register with app.UseMiddleware<T>()

Filters run during the execution pipeline and include:

• Authorization Filters
• Resource Filters
• Action Filters
• Exception Filters
• Result Filters

Applying [ApiController] automatically triggers model validation.

Invalid models result in 400 Bad Request with error details.

Validation uses DataAnnotations like [Required], [Range], etc.

Global exception handling steps:

• Create custom exception middleware
• Wrap request processing in try/catch
• Log and return a standardized error response
• Use app.UseExceptionHandler() for production mode

Synchronous middleware: Blocks thread while executing.

Asynchronous middleware: Uses Task and await to release thread during I/O operations.

Async middleware improves scalability in high-load systems.

Logging methods:

• Use ILogger<T> via DI
• Log levels: Trace ? Critical
• Send logs to Console, Files, DB, or external providers
• Use middleware/filters for request & response logging

Diagnostic middleware provides insights into requests and system behavior.

Examples: DeveloperExceptionPage, SerilogRequestLogging, Application Insights.

Helps detect failures, anomalies, and performance issues.

CORS is configured using:

• AddCors() in Program.cs
• Define policies with allowed origins, headers, and methods
• Apply globally or per controller using [EnableCors]

Use the [Consumes] attribute:

[Consumes("application/json")]

Rejects unsupported media types with HTTP 415.

To log safely:

• Use EnableBuffering() for reading request body
• Wrap the response stream to capture outgoing body
• Avoid logging sensitive data

Endpoint routing: Pre-matches endpoints before controller activation.

Legacy routing: Occurred during MVC action selection.

Endpoint routing is more flexible and enables better middleware integration.

Use API Versioning package.

• URL versioning
• Header versioning
• Query string versioning

Decorate controllers with [ApiVersion("1.0")].

Configure using:

AddControllers().AddJsonOptions(options => { ... });

Supports camelCase, converters, and null handling.

Use IActionResult or ActionResult<T> for flexible responses.

Supports content negotiation and custom response formatting.

Use libraries like AspNetCoreRateLimit.

• Define IP or user-based rate limits
• Prevent abuse and DoS attacks
• Supports rule-based throttling

Best practices:

• Use correct lifetimes: Singleton, Scoped, Transient
• Prefer constructor injection
• Avoid service locator pattern
• Group and organize service registrations

Use monitoring platforms like:

• Application Insights
• Serilog + Seq
• ELK Stack
• Prometheus + Grafana

Track latency, errors, throughput, and resource usage.

Authentication verifies user identity in Web API.

Common implementations:

• JWT Bearer Tokens – stateless authentication for SPA and mobile apps.
• OAuth2 / OpenID Connect – external identity providers.
• Cookie authentication – mainly for browser-based apps.

Configured using AddAuthentication() and UseAuthentication().

JWT workflow:

• User logs in ? server generates a signed JWT.
• Client sends token in Authorization: Bearer <token>.
• Server validates signature and extracts claims.
• No server-side session required.

Use role-based authorization with:

[Authorize(Roles="Admin,Manager")]

Roles are validated from claims inside the JWT or identity provider.

Claims-based authorization checks user claims instead of static roles.

Implemented using policy-based authorization:

services.AddAuthorization(options =>
{
    options.AddPolicy("HRPolicy",
        policy => policy.RequireClaim("Department", "HR"));
});

Create policies in Program.cs using AddAuthorization.

Apply using [Authorize(Policy="PolicyName")].

Useful for domain-specific access control.

Authentication: Verifies user identity.

Authorization: Determines what the authenticated user can access.

Secure endpoints using:

• [Authorize] attribute
• HTTPS enforcement
• Input validation
• Rate limiting
• CORS restrictions

JWT includes an exp claim for expiration.

API rejects expired tokens automatically.

Refresh tokens extend the session securely.

API best practices:

• Use JWT instead of cookies
• Enable strict CORS policies
• Use anti-forgery tokens if cookies are used

Best practices:

• Store in Key Vault or environment variables
• Never hard-code keys
• Rotate keys periodically

OAuth2 is a secure authorization framework.

Flow: Client ? Auth Server ? Access Token ? API.

Supports scopes, roles, and claims.

Roles: Broad user categories.

Scopes: Fine-grained permissions such as read:orders.

Token revocation strategies:

• Blacklist tokens in database
• Short-lived access tokens
• Rotating refresh tokens

Multi-tenant API security includes:

• Tenant ID in claims or headers
• Middleware-based access validation
• Database filtering by tenant context

Use DTOs instead of binding directly to entity models.

Expose only allowed fields.

Always validate incoming payloads.

• Force HTTPS
• Use [Authorize]
• Limit payload size
• Use secure headers
• Validate all inputs
• Implement logging & monitoring

Best practices:

• Store refresh tokens securely
• Use rotating refresh tokens
• Issue short-lived access tokens
• Revoke tokens on suspicious activity

Use HttpContext methods:

• User.IsInRole("Admin")
• User.Claims to inspect claim values

Add claims during token creation (email, role, custom fields).

Validate claims in controllers or authorization policies.

Audit using structured logs including:

• User identity
• Action invoked
• Timestamp
• IP address
• Request and response metadata

Essential for compliance and threat detection.

API versioning ensures backward compatibility and predictable updates.

Common approaches:

• URL versioning: /api/v1/resource
• Query versioning: ?api-version=1.0
• Header versioning: api-version: 1.0

Use the Microsoft.AspNetCore.Mvc.Versioning package and decorate controllers with [ApiVersion("1.0")].

Enable compression using:

services.AddResponseCompression()

Supports Gzip and Brotli to reduce payload size and improve performance.

Global exception handling centralizes error responses.

Use:

• UseExceptionHandler() middleware
• Custom exception-handling middleware
• Standardized error payloads and logging

Include:

• statusCode
• message
• errors (validation details)
• traceId

Avoid exposing internal details for security.

Use libraries like AspNetCoreRateLimit to:

• Limit requests per IP or client
• Protect server from abuse
• Apply global or endpoint-specific rules

Use streaming techniques:

• IFormFile for uploads
• Avoid full in-memory buffering
• Enable compression where needed

Use:

• ETag
• Last-Modified
• If-None-Match or If-Modified-Since

Returns 304 Not Modified when content is unchanged.

Use field selection / projection such as:

?fields=name,email

Implement DTOs to avoid returning unnecessary properties.

HATEOAS enriches responses with navigational links.

Example:

Order response may include:

• self link
• update link
• cancel link

Use:

• Redis
• SQL Server distributed cache
• Memcached

Useful for multi-instance API deployments.

Avoid sending PII or sensitive fields.

Use DTOs, masking, or encryption.

Always enforce HTTPS.

Best practices:

• Maintain old versions
• Introduce new versioned endpoints
• Document migration paths

Use Skip and Take (LINQ).

Include:

• page
• pageSize
• totalCount
• totalPages

Expose query parameters for filtering and sorting:

• ?status=active
• ?sort=name_desc

Combine with pagination for scalable responses.

Use monitoring tools:

• Application Insights
• Prometheus + Grafana
• Serilog

Track duration, throughput, failure rates, response sizes.

Use built-in health checks:

services.AddHealthChecks();

Expose /health endpoint to monitor DB, disk, and external services.

Keep older versions active.

Deprecate API versions gradually.

Provide documentation for migration.

Use Swagger / OpenAPI:

• Interactive documentation
• Multiple version support
• Authentication integration
• Schema validation

To integrate EF Core with Web API:

• Install EF Core packages such as Microsoft.EntityFrameworkCore and Microsoft.EntityFrameworkCore.SqlServer.
• Register your DbContext in Program.cs using AddDbContext.
• Inject DbContext via constructor injection in controllers or services.
• Use migrations and LINQ for strongly-typed database access.

DbContext manages the database connection, querying, saving, and tracking of entities.

DbSet<T> represents a table and allows querying and CRUD operations for that entity type.

DTOs decouple API contracts from internal entity models.

Benefits:

• Prevents over-posting
• Improves security
• Helps with API versioning
• Simplifies maintenance

Mapping can be done manually or using AutoMapper.

The Repository Pattern abstracts the data access layer.

It provides:

• Clean separation of concerns
• Mockable interfaces for testing
• Consistent CRUD interface

The Unit of Work pattern groups operations under one transaction.

DbContext naturally acts as a Unit of Work; calling SaveChangesAsync commits all changes atomically.

Use explicit transactions via:

await context.Database.BeginTransactionAsync();

Wrap operations in try/catch to commit or rollback.

Use async LINQ extensions:

• ToListAsync()
• FirstOrDefaultAsync()
• SingleOrDefaultAsync()

Improves scalability by freeing threads during database I/O.

Use LINQ:

• Where() for filtering
• OrderBy()/OrderByDescending() for sorting
• Skip()/Take() for pagination

Use DTOs and map only allowed fields.

Avoid binding client input directly to entity models.

Add an IsDeleted flag and filter queries:

.Where(x => !x.IsDeleted)

Useful for audits and data recovery.

Use a RowVersion (timestamp) column.

EF detects conflicts and throws DbUpdateConcurrencyException.

Eager: Include()

Lazy: Navigation property auto-loading (requires proxies)

Explicit: context.Entry(entity).Collection(...).Load()

EF Core 5+ supports many-to-many with:

HasMany().WithMany()

Junction table is auto-created unless custom entity is needed.

Use TransactionScope for distributed transactions.

Or share the same database connection among contexts.

Use:

• FromSqlRaw() for queries
• ExecuteSqlRaw() for commands

Always use parameters to prevent SQL injection.

Use:

• IMemoryCache for local cache
• Redis for distributed cache

Cache expensive queries and invalidate on updates.

Use:

Skip((page-1)*pageSize).Take(pageSize)

Combine with filtering and sorting before applying pagination.

Use:

• Add-Migration
• Update-Database

Supports schema evolution and controlled deployments.

Best practices:

• Use projection via Select()
• Use pagination
• Avoid ToList() on large tables
• Optimize queries with indexes

Testing strategies:

• Use InMemory provider for unit tests
• Use SQLite in-memory for integration tests
• Mock repositories/DbContext for isolation

Common Web API design patterns improve maintainability, scalability, and testability:

• Repository Pattern – Abstracts data access; simplifies unit testing and business logic separation.
• Unit of Work – Groups operations under a single transaction for consistency.
• CQRS – Separates read and write operations for scalability and performance.
• Mediator / MediatR – Decouples request-handling logic using command/query handlers.
• Decorator Pattern – Adds logging, caching, or auditing without modifying core business logic.

Centralized logging ensures consistent tracking across all API requests.

• Use ILogger<T> via dependency injection.
• Capture structured logs with levels (Trace ? Critical).
• Write logs to console, files, databases, or providers like Seq, ELK, Splunk, or Application Insights.
• Use middleware to log incoming requests, outgoing responses, and execution duration.

To log request/response bodies safely:

• Use custom middleware to intercept HTTP pipeline.
• Enable request buffering using HttpRequest.EnableBuffering().
• Buffer and copy response streams using a wrapper.
• Avoid logging sensitive fields such as passwords, tokens, and PII.
• Include traceId or correlationId for cross-service tracking.

Effective caching improves performance and reduces database load:

• Use the [ResponseCache] attribute for client caching.
• Use server-side caching middleware for heavy endpoints.
• Leverage distributed caches like Redis or Memcached for load-balanced apps.
• Apply cache invalidation strategies to prevent stale data.

Swagger/OpenAPI improves discoverability and client integration.

• Install Swashbuckle.AspNetCore.
• Configure AddSwaggerGen() in Program.cs.
• Include XML comments for controllers and models.
• Support authentication, versioning, schema examples, and UI customization.

Large-scale APIs require structured endpoint organization:

• Use feature-based folder structure instead of traditional controller-based.
• Group routes using /api/v1/[module]/[controller].
• Use Areas for large domains.
• Apply consistent naming and versioning strategies.

To handle async exceptions:

• Wrap async operations in try/catch.
• Ensure thrown exceptions bubble to global exception middleware.
• Capture structured logs for debugging.
• Avoid async void except for event handlers.

Health checks monitor service and dependency availability.

• Use Microsoft.Extensions.Diagnostics.HealthChecks.
• Expose a /health endpoint.
• Check database connections, external APIs, disk, cache, etc.
• Integrate with monitoring tools (Kubernetes, Azure, AWS, Prometheus).

Resilience protects APIs from transient failures and cascading outages:

• Use Polly for retry, circuit breaker, timeout, fallback, and bulkhead isolation policies.
• Retry only for safe operations (idempotent GET or PUT).
• Use exponential backoff and jitter to avoid retry storms.
• Wrap external API calls, DB operations, and messaging clients with policies.
• Monitor policy behavior to detect fragile dependencies.

Versioned Swagger ensures clarity when multiple API versions coexist:

• Configure multiple SwaggerDoc groups in AddSwaggerGen().
• Use ApiExplorerSettings to group endpoints by version.
• Apply versioned routes (v1, v2) or header/query-based versioning.
• Expose separate Swagger UI endpoints for each version.
• Helps clients migrate safely while maintaining backward compatibility.

Consistent querying ensures scalable and predictable API behavior:

• Use query parameters: page, pageSize, sort, filter.
• Implement logic in repositories or service layer for maintainability.
• Combine pagination with filtering and sorting before DB execution.
• Cache frequently accessed listings for performance.
• Return metadata: total records, total pages, current page, page size.

HATEOAS improves API discoverability and client navigation:

• Embed hypermedia links (self, edit, delete, related resources) in response models.
• Generate URLs using UrlHelper or route names.
• Encapsulate link-building logic in DTOs or dedicated services.
• Useful in large RESTful ecosystems where clients discover workflows dynamically.

Correlation IDs enable tracking a request across microservices:

• Generate or read a CorrelationId header in middleware.
• Pass it to downstream services and logs.
• Use logging scopes so all log entries share the same ID.
• Send correlationId in the API response for client troubleshooting.
• Critical for debugging distributed API flows.

Response compression improves performance for large payloads:

• Enable AddResponseCompression() middleware.
• Use Gzip or Brotli for optimal compression ratios.
• Whitelisted MIME types ensure only necessary content is compressed.
• Compression reduces bandwidth use and improves client response times.

Effective testing ensures correctness, stability, and performance:

• Unit test controllers using mocked services (Moq, NSubstitute).
• Use WebApplicationFactory or TestServer for integration tests.
• Use Postman/Newman or CI pipelines for end-to-end validation.
• Validate headers, status codes, responses, and edge cases.
• Load test APIs using JMeter, k6, or Locust to verify scalability.

Backward compatibility prevents breaking existing clients:

• Version APIs instead of modifying existing contracts.
• Deprecate older versions gradually with communication.
• Use DTOs to control exposed data without altering entities.
• Document breaking changes and provide migration guides.
• Avoid removing fields abruptly; mark them as deprecated first.