Webapi Interview Questions Rest Security Versioning 2025 Interview Questions & Answers

30 questions available

Q1:

What is the difference between REST Uniform Interface and RPC-based APIs, and why does it matter for large systems?

Mid

Answer

REST requires: Resource-based URI Stateless operations Representations (JSON/XML) HATEOAS (optional but ideal) RPC: Action-based URIs (/getUser, /updateStatus) Tight coupling with client Harder long-term scalability REST enforces loose coupling and evolvability.
Q2:

Explain idempotency in REST with POST, PUT, PATCH, DELETE.

Mid

Answer

POST ? non-idempotent PUT ? idempotent (replace state) PATCH ? partially idempotent depending on payload DELETE ? idempotent (deleting twice gives same result) Idempotency protects APIs under retries and failures.
Q3:

Why should REST APIs avoid exposing database identifiers?

Mid

Answer

Reasons: Enumeration attacks Data mining Security leakage Predictable IDs ease scraping Solutions: ULIDs GUIDs Snowflake IDs Hash IDs
Q4:

Difference between Authentication, Authorization, and Delegation in APIs.

Mid

Answer

Authentication ? Who are you? Authorization ? What can you access? Delegation ? Acting on behalf of another (OAuth 2.0)
Q5:

How does OAuth2 Authorization Code Flow with PKCE secure mobile/web APIs?

Mid

Answer

PKCE adds: Code verifier Code challenge Prevents code interception attacks Ideal for SPA and mobile apps.
Q6:

Why is JWT unsafe without short expiry and rotation?

Mid

Answer

Long-lived JWTs cause: Token replay Unrevokable access Stolen-token persistence Best practice: Short expiry (5–15 min) Refresh tokens with rotation Server-side token store.
Q7:

Difference between HATEOAS and Schema-Driven APIs (OpenAPI).

Mid

Answer

HATEOAS: Hypermedia links discover resource actions Schema-driven: Actions inferred from API specification HATEOAS = runtime discoverability OpenAPI = development-time discoverability.
Q8:

Why do global exception handlers beat try/catch inside controllers?

Mid

Answer

Because: Centralized error format Reduced boilerplate Consistent logging Unified error codes Supports RFC 7807 Problem Details.
Q9:

Why does PUT require full resource while PATCH allows partial updates?

Mid

Answer

PUT ? complete replacement PATCH ? delta updates (JSON Patch or Merge Patch) PATCH is more network-efficient.
Q10:

What is API Gateway Token Exchange and why is it used?

Mid

Answer

Gateway exchanges: Client token ? internal service token Protects internal services Reduces token exposure Minimizes permissions.
Q11:

Explain pessimistic throttling vs optimistic throttling in REST APIs.

Mid

Answer

Pessimistic throttling: Deny early based on pre-calculated usage. Optimistic throttling: Allow and evaluate limit post-execution. Optimistic is better for distributed systems.
Q12:

Why is ETag-based caching preferred over timestamp caching?

Mid

Answer

Timestamps: Time-zone issues Clock drift Partial content mismatch ETag: Hash-based versioning Exact matches Supports optimistic concurrency.
Q13:

Compare API Versioning via URL, Header, Query String, Accept Header.

Mid

Answer

URL versioning ? most explicit Header versioning ? clean URLs Query versioning ? not RESTful but simple Accept-header versioning ? best REST practice
Q14:

Why is content negotiation essential in mature REST APIs?

Mid

Answer

Enables: JSON / XML / MsgPack / Protobuf Versioning via Accept header Extensible APIs without breaking clients.
Q15:

What causes HTTP 409 Conflict vs HTTP 412 Precondition Failed?

Mid

Answer

409 ? resource state conflict 412 ? ETag mismatch (optimistic locking)
Q16:

Why do REST APIs prefer statelessness and what breaks it?

Mid

Answer

Stateless: Scalable Cacheable Load-balanced easily Breaks statelessness: Server sessions In-memory user data Sticky sessions
Q17:

Explain rate-limiting algorithms: Token Bucket, Leaky Bucket, Sliding Window, Fixed Window.

Mid

Answer

Token Bucket ? burst-friendly Leaky Bucket ? constant rate Fixed Window ? simplest, inaccurate at edges Sliding Window ? most accurate for production
Q18:

Why do APIs implement Circuit Breakers?

Mid

Answer

Circuit Breakers prevent: Cascading failures Downstream overload States: Closed Open Half-open
Q19:

Difference between API Composition and Aggregation in microservices.

Mid

Answer

Composition: Gateway merges responses from multiple services Aggregation: Backend services aggregate internally Composition = external merge Aggregation = internal merge
Q20:

Why should you avoid returning detailed server errors?

Mid

Answer

Because detailed errors reveal: Internal architecture DB/table hints Framework details Attack vectors Return generic messages instead.
Q21:

Difference between PUT /resource/id and POST /resource/id/action.

Mid

Answer

PUT ? updates or replaces a resource at the given URI POST action ? executes a workflow or domain action not tied to a resource identity Action-based POSTs are ideal for: State transitions Commands Non-resource operations.
Q22:

Why is HTTP/2 or HTTP/3 recommended for modern APIs?

Mid

Answer

HTTP/2: Multiplexing Binary framing Header compression HTTP/3: QUIC protocol Zero-RTT Better performance under packet loss Both drastically reduce API latency.
Q23:

What is anti-overposting and how do DTOs prevent it?

Mid

Answer

Overposting occurs when clients send fields not intended for update. DTOs prevent it by: Defining allowed fields Ignoring unknown fields Enforcing strict validation Ensures security and data integrity.
Q24:

Explain the difference between Offset Pagination and Cursor Pagination.

Mid

Answer

Offset: Simple Slow on large tables Causes duplicate/skip anomalies Cursor: Uses unique ID or timestamp Fast Consistent Ideal for infinite scrolling and real-time data.
Q25:

Why are GUIDs and ULIDs ideal for distributed REST systems?

Mid

Answer

GUID/ULID benefits: Avoid sequential key exposure Support high concurrency Work across distributed clusters Globally unique ULIDs also provide sortable IDs.
Q26:

Why must REST APIs validate at both client and server?

Mid

Answer

Client-side validation ? UX improvement Server-side validation ? Security + Data integrity Server must never trust client inputs.
Q27:

Why should REST APIs return typed error responses instead of plain strings?

Mid

Answer

Typed errors provide: Consistent structure Machine-readable format Better debugging Compliance with RFC 7807 Problem Details Plain strings break automation and consistency.
Q28:

Why is HSTS critical even for API endpoints?

Mid

Answer

HSTS forces HTTPS at browser level. Prevents: SSL stripping MITM attacks Protocol downgrade Adds strong API security hardening.
Q29:

When should an API use WebSockets instead of REST?

Mid

Answer

Use WebSockets for: Real-time chat Notifications Live dashboards Stock price streaming Multiplayer games REST is request-response; WebSockets are bi-directional streaming.
Q30:

Why do modern APIs use structured logging (JSON logs)?

Mid

Answer

JSON logs are: Machine-readable Easy to index Searchable in ELK, Splunk, Azure Monitor Support correlation IDs Ideal for large distributed APIs.