
🌐 1. What are RESTful APIs, and how are they implemented in ASP.NET Core?
📌 Why this is asked:
To verify you understand REST principles and how to apply them in .NET.
✅ Answer:
REST APIs expose resources via standard HTTP methods (`GET`, `POST`, `PUT`, `DELETE`) using meaningful URIs. In ASP.NET Core, REST APIs are implemented using controllers, route attributes, and model binding. I also follow best practices like versioning, proper status codes, and HATEOAS when needed.
🔐 2. How do you implement authentication and authorization in ASP.NET Core APIs?
📌 Why this is asked:
To check if you understand securing endpoints and managing access.
✅ Answer:
Authentication is handled via middleware using schemes like JWT, OAuth2, or cookies. I configure `AddAuthentication()` and `AddAuthorization()` in `Program.cs`, decorate controllers with `[Authorize]`, and secure sensitive endpoints with policies and roles. For public endpoints, I explicitly use `[AllowAnonymous]`.
🪪 3. What is JWT and how is it used in securing .NET APIs?
📌 Why this is asked:
To assess your understanding of stateless authentication.
✅ Answer:
JWT (JSON Web Token) is a compact, signed token that contains user identity and claims. It's used in stateless auth — the client includes it in the `Authorization` header as a Bearer token. The server validates it on every request. In ASP.NET Core, I use `JwtBearerDefaults.AuthenticationScheme` and configure token validation parameters including issuer, audience, and signing key.
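The following `Program.cs` is an added example, not code from the original post, covering both question 2 and question 3 together: `AddAuthentication()` with the JWT bearer scheme and its `TokenValidationParameters`, `AddAuthorization()` with role- and claim-based policies, a deny-by-default fallback policy, and a controller that uses `[Authorize]` and `[AllowAnonymous]`. The `Jwt` configuration section, its keys (`Issuer`, `Audience`, `Key`), the `scope` claim and the `OrdersController` are assumptions for illustration; the signing key must come from configuration or a vault, never from source.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Added example. "Jwt:Issuer", "Jwt:Audience" and "Jwt:Key" are assumed config keys.
var jwt = builder.Configuration.GetSection("Jwt");
var keyMaterial = jwt["Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keyMaterial));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,
            ValidAudience = jwt["Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),   // library default is 5 minutes; tighten it
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Role-based policy.
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
    // Claim-based policy: the token must carry a "scope" claim equal to "orders:write"
    // (assumption: one scope per claim value).
    options.AddPolicy("CanWriteOrders", p => p.RequireClaim("scope", "orders:write"));
    // Deny by default: endpoints without explicit metadata still require a signed-in user.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddControllers();

var app = builder.Build();
app.UseHttpsRedirection();   // bearer tokens must never travel in clear text
app.UseAuthentication();     // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet("health")]
    [AllowAnonymous]                        // explicit opt-out of the fallback policy
    public IActionResult Health() => Ok("up");

    [HttpGet]                               // any authenticated user (fallback policy)
    public IActionResult List() => Ok(Array.Empty<object>());

    [HttpPost]
    [Authorize(Policy = "CanWriteOrders")]  // claim-based
    public IActionResult Create() => StatusCode(StatusCodes.Status201Created);

    [HttpDelete("{id:int}")]
    [Authorize(Policy = "AdminOnly")]       // role-based; same as [Authorize(Roles = "Admin")]
    public IActionResult Delete(int id) => NoContent();
}
```

A request without a token to `GET /api/orders` is rejected with 401 by the fallback policy; a valid token without the `orders:write` scope gets 403 on `POST`. Keeping the policy names in one place (the `AddAuthorization` call) makes it easy to review what each endpoint actually requires.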
🧱 4. How do you protect your API against common security threats like SQL injection, XSS, or CSRF?
📌 Why this is asked:
To test your knowledge of API attack vectors and mitigation.
✅ Answer:
- SQL Injection: use parameterized queries or Entity Framework.
- XSS: encode output in views and sanitize inputs.
- CSRF: use anti-forgery tokens (mainly for web apps, not APIs).
- JWT protection: use HTTPS, short token lifetimes, and refresh tokens.
- I also validate all inputs, use middleware for rate limiting, and follow the OWASP API security checklist.
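As an added example (not code from the original post) of the SQL injection and input-validation points above, the block shows the same lookup written as a vulnerable "before" and as three safe forms: a typed `SqlParameter`, an EF Core LINQ query, and EF Core's `FromSqlInterpolated`. `User`, `AppDbContext`, `LookupRequest` and the column names are assumptions for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

// Added example. "Users", "AppDbContext" and the column names are assumptions.
public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

// Validation at the boundary: with [ApiController] an invalid body is rejected with 400
// before any lookup code runs. Length limits also bound what reaches the parameter below.
public class LookupRequest
{
    [Required, EmailAddress, MaxLength(256)]
    public string Email { get; set; } = "";
}

public static class UserLookup
{
    // VULNERABLE ("before"): the caller's value is spliced into the SQL text, so a quote
    // character ends the string literal and whatever follows is parsed as SQL.
    public static string BuildUnsafeSql(string email) =>
        $"SELECT Id, Email FROM Users WHERE Email = '{email}'";

    // SAFE: the value is sent as a typed parameter; the engine never parses it as SQL.
    public static async Task<User?> FindByEmailAsync(SqlConnection conn, string email)
    {
        await using var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE Email = @email", conn);
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;

        await using var reader = await cmd.ExecuteReaderAsync();
        if (!await reader.ReadAsync()) return null;
        return new User { Id = reader.GetInt32(0), Email = reader.GetString(1) };
    }

    // SAFE: LINQ is translated by EF Core into a parameterized query.
    public static Task<User?> FindByEmailAsync(AppDbContext db, string email) =>
        db.Users.SingleOrDefaultAsync(u => u.Email == email);

    // SAFE: FromSqlInterpolated turns each {placeholder} into a parameter.
    // FromSqlRaw with string concatenation would reintroduce the injection.
    public static Task<User?> FindByEmailRawAsync(AppDbContext db, string email) =>
        db.Users
          .FromSqlInterpolated($"SELECT Id, Email FROM Users WHERE Email = {email}")
          .SingleOrDefaultAsync();
}
```

For the XSS point: an API that returns JSON through `System.Text.Json` already escapes HTML-significant characters in string values by default, so the remaining risk is in any HTML views the same app renders, where Razor's default encoding applies.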
🚪 5. How do you implement API versioning in ASP.NET Core?
📌 Why this is asked:
To ensure you can manage breaking changes gracefully.
✅ Answer:
I use the `Microsoft.AspNetCore.Mvc.Versioning` package. Versioning can be done via:
- URL path (e.g. `/api/v1/products`)
- Query string (e.g. `?api-version=1.0`)
- Custom headers
I prefer URL-based for clarity. I register API versions and default behaviors in `Startup.cs` or `Program.cs`.
🧵 6. How do you secure sensitive configuration values like connection strings or API keys?
📌 Why this is asked:
To check how you handle secrets in environments and deployments.
✅ Answer:
I store secrets in:
- Environment variables
- `appsettings.{env}.json` (never commit to source control)
- Azure Key Vault or User Secrets in development
I inject them using `IConfiguration` and `IOptions<T>` and avoid hardcoding credentials. For production, I use managed identities and vault integrations.
🛡️ 7. What’s the difference between authentication and authorization?
📌 Why this is asked:
To test conceptual understanding of identity and access.
✅ Answer:
- Authentication verifies who the user is (e.g., via JWT, OAuth).
- Authorization determines what the authenticated user is allowed to do (e.g., based on roles or claims).
In ASP.NET Core, I implement both via middleware and use `[Authorize(Roles = "Admin")]` or policies for granular control.
📉 8. How do you handle failed authentication/authorization requests in your APIs?
📌 Why this is asked:
To test if you can return proper responses without leaking sensitive data.
✅ Answer:
For failed authentication, the API returns 401 Unauthorized. For authenticated users without permissions, it returns 403 Forbidden. I customize these responses using middleware or by handling events in `JwtBearerOptions` and log access violations without revealing implementation details.
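The following is an added example (not code from the original post) of the `JwtBearerEvents` part of that configuration: the 401 challenge and the 403 forbidden response are replaced with generic `ProblemDetails` bodies, while the real reason (the validation error, the caller, the path) goes to the log only. It plugs into the `AddJwtBearer(options => ...)` lambda; the validation parameters themselves are omitted here. The logger category name `Auth` is an assumption.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;

// Added example. Usage inside Program.cs:
//   .AddJwtBearer(options => { /* TokenValidationParameters ... */
//                              options.Events = JwtFailureHandling.Create(); });
public static class JwtFailureHandling
{
    private static ILogger Log(HttpContext ctx) =>
        ctx.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("Auth");

    public static JwtBearerEvents Create() => new JwtBearerEvents
    {
        // Runs first when token validation throws; keep the exception out of the response.
        OnAuthenticationFailed = ctx =>
        {
            Log(ctx.HttpContext).LogDebug(ctx.Exception, "Token validation error");
            return Task.CompletedTask;
        },

        // 401: no token, or a token that failed validation.
        OnChallenge = async ctx =>
        {
            ctx.HandleResponse();   // suppress the default challenge body; we write our own
            Log(ctx.HttpContext).LogWarning(
                "Authentication failed for {Path}: {Error} {Description}",
                ctx.Request.Path, ctx.Error, ctx.ErrorDescription);

            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            ctx.Response.Headers["WWW-Authenticate"] = "Bearer";   // RFC 6750 challenge, no detail
            await ctx.Response.WriteAsJsonAsync(new ProblemDetails
            {
                Status = StatusCodes.Status401Unauthorized,
                Title = "Unauthorized",
                Detail = "A valid bearer token is required."
            });
        },

        // 403: authenticated, but a role or policy check failed.
        OnForbidden = async ctx =>
        {
            Log(ctx.HttpContext).LogWarning(
                "Access denied for {User} on {Method} {Path}",
                ctx.HttpContext.User.Identity?.Name ?? "(unknown)",
                ctx.Request.Method, ctx.Request.Path);

            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            await ctx.Response.WriteAsJsonAsync(new ProblemDetails
            {
                Status = StatusCodes.Status403Forbidden,
                Title = "Forbidden",
                Detail = "You do not have permission to perform this action."
            });
        }
    };
}
```

The split matters for detection as much as for information hiding: a burst of 401s from one source with `invalid_token` in the log, or repeated 403s from one authenticated user, are both signals worth alerting on, and neither requires telling the caller which check failed.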
🛑 9. How do you rate-limit or throttle requests in a .NET API?
📌 Why this is asked:
To test your ability to protect APIs from abuse or DDoS attacks.
✅ Answer:
I use middleware like AspNetCoreRateLimit, which supports IP-based and client-based rate limiting. I configure limits per route, HTTP method, or client ID. For APIs behind gateways (e.g., Azure API Management), I also configure throttling at the edge layer. Rate limits help preserve server resources and ensure fair usage.
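An added example (not code from the original post) of configuring the AspNetCoreRateLimit package in `Program.cs`: a global per-IP baseline plus tighter limits on a login endpoint, rules defined per route and HTTP method, and a 429 response for blocked callers. The endpoint paths, limits and the `X-Real-IP` header name are assumptions for illustration.

```csharp
using AspNetCoreRateLimit;

var builder = WebApplication.CreateBuilder(args);

// Added example: IP-based limiting with AspNetCoreRateLimit. Limits are illustrative.
builder.Services.AddMemoryCache();   // counter store for a single instance
builder.Services.Configure<IpRateLimitOptions>(options =>
{
    options.EnableEndpointRateLimiting = true;   // rules match "{method}:{path}" instead of all traffic
    options.StackBlockedRequests = false;        // rejected requests do not consume quota
    options.HttpStatusCode = StatusCodes.Status429TooManyRequests;
    // Only trust a client-IP header when your own reverse proxy sets it; otherwise
    // a caller could choose its own bucket by supplying the header.
    options.RealIpHeader = "X-Real-IP";
    options.GeneralRules = new List<RateLimitRule>
    {
        new() { Endpoint = "*",                    Period = "1m", Limit = 100 }, // baseline per IP
        new() { Endpoint = "post:/api/auth/login", Period = "1m", Limit = 5 },   // credential guessing
        new() { Endpoint = "post:/api/auth/login", Period = "1h", Limit = 20 },  // slow, sustained abuse
    };
});
builder.Services.AddInMemoryRateLimiting();   // use AddDistributedRateLimiting() with a shared
                                              // cache when running more than one instance
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
builder.Services.AddControllers();

var app = builder.Build();
app.UseIpRateLimiting();   // early in the pipeline, before authentication and routing
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

Two rules for the same endpoint with different periods both apply, so the login route is capped at 5 per minute and 20 per hour. When an edge layer such as API Management also throttles, keep the in-app limits as the stricter, last line of defence for traffic that bypasses the gateway.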
🧠 10. What are some best practices for designing secure and maintainable .NET APIs?
📌 Why this is asked:
To see your approach to building real-world APIs beyond just coding.
✅ Answer:
- Always use HTTPS
- Validate and sanitize inputs
- Use proper HTTP status codes
- Implement logging and correlation IDs
- Follow least privilege for authorization
- Protect secrets and use secure headers
- Monitor and audit API access
- Keep dependencies updated and patch vulnerabilities
Secure APIs are not just about code — they involve architecture, infrastructure, and monitoring.
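As an added example (not code from the original post) of three items from that list in one `Program.cs`: HTTPS enforcement with HSTS, a small middleware that sets secure response headers and hides the server banner, and a correlation ID that is accepted from the caller only when it is well-formed and is then attached to every log line of the request. The header name `X-Correlation-ID` and the chosen header values are assumptions.

```csharp
using Microsoft.Extensions.Primitives;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(k => k.AddServerHeader = false);   // no "Server: Kestrel" banner
builder.Services.AddControllers();

var app = builder.Build();

// Added example: transport and header hardening plus request correlation.
app.UseHsts();               // browsers remember to use TLS for this host
app.UseHttpsRedirection();

app.Use(async (ctx, next) =>
{
    const string Header = "X-Correlation-ID";   // assumed header name

    // Reuse the caller's ID only if it is short and plain; otherwise mint one.
    // Unchecked values would let a caller write arbitrary text into our logs.
    string id = ctx.Request.Headers.TryGetValue(Header, out StringValues incoming)
                && incoming.Count == 1
                && incoming[0] is { Length: > 0 and <= 64 } candidate
                && candidate.All(c => char.IsAsciiLetterOrDigit(c) || c == '-')
        ? candidate
        : Guid.NewGuid().ToString("N");

    ctx.Response.Headers[Header] = id;
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    ctx.Response.Headers["Referrer-Policy"] = "no-referrer";
    ctx.Response.Headers["Cache-Control"] = "no-store";   // API responses should not be cached

    // Every log entry written while handling this request carries the correlation ID.
    var logger = ctx.RequestServices.GetRequiredService<ILogger<Program>>();
    using (logger.BeginScope(new Dictionary<string, object> { ["CorrelationId"] = id }))
    {
        await next();
        logger.LogInformation("{Method} {Path} -> {Status}",
            ctx.Request.Method, ctx.Request.Path, ctx.Response.StatusCode);
    }
});

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

`char.IsAsciiLetterOrDigit` needs .NET 7 or later; on .NET 6 use `char.IsLetterOrDigit` with an explicit ASCII range check. Because the ID is echoed back in the response, a client can quote it in a support request and the operator can pull the full request trace from the logs by that one value.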