ASP.NET WEB API Flashcards

Question

What happens if [ValidateAntiForgeryToken] is applied to an API controller?

Answer 1

Fails for API calls, since CSRF tokens are meant for browser-based requests. No compile-time error, but it breaks API calls at runtime. ❌ Why? [ValidateAntiForgeryToken] requires an anti-CSRF token in the request. CSRF tokens only work with browser-based form submissions, not API calls. APIs do not send or validate CSRF tokens by default, so applying it to an API controller causes all POST requests to fail with 400 Bad Request – "The required anti-forgery cookie is not present". ✅ How to Fix? For APIs: Don't use [ValidateAntiForgeryToken]. Instead, use proper JWT, OAuth, or API Key authentication. For MVC Forms: [ValidateAntiForgeryToken] is useful for preventing CSRF attacks

Answer 2

The API may return 500, despite [ProducesResponseType(200)].

Answer 3

All requests will return 401 Unauthorized.

Answer 4

Fails! ASP.NET tries to bind id from the body (which doesn’t exist), leading to 400 Bad Request. If a method has only [FromBody] Model model and no [FromRoute] int id, ASP.NET may fail to bind the route parameter into the model, causing 400 Bad Request.

Answer 5

⚠️ Content-Type still remains application/json, but response is a plain string. The string won't be automatically serialized into a JSON object.

Answer 6

No compile-time error, but misleading API documentation. The method might return an unexpected type, confusing consumers.

Answer 7

The API ignores it and returns JSON. Fix: Enable XML formatters in Startup.cs.

Answer 8

Creates a route like /api/MyController/action. The method name does not need to match the action name.

Answer 9

Body is ignored! DELETE requests should not have a body, and ASP.NET does not parse it.

Answer 10

Convention-based Routing (used in MVC) Attribute-based Routing (most common in APIs) Custom Routing using Middleware Endpoint Routing Route Constraints, Tokens, and Defaults Versioning-based Routing Dynamic Routing (Custom route providers)

Answer 11

APIs need explicit routing for clarity (not assuming default {controller}/{action} structure). Less control over HTTP verbs (GET, POST, etc.). Use Attribute-based Routing instead. Explicit and readable ✅ No unnecessary route assumptions ✅ Better control over HTTP methods ✅

Answer 12

Intercept requests before hitting controllers Useful for logging, authentication, or feature toggles

Answer 13

``` app.Use(async (context, next) => { if (context.Request.Path == "/custom-route") { await context.Response.WriteAsync("Handled by custom middleware!"); return; } await next(); }); ```

Answer 14

This decouples route matching from request processing, making it more efficient. ``` app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); endpoints.MapGet("/status", async context => { await context.Response.WriteAsync("API is running!"); }); }); ``` Better performance (compared to previous routing systems). More flexible (integrates easily with middleware, filters). Allows mixing Web API and custom routes.

Answer 15

API versioning helps maintain backward compatibility. ``` [ApiVersion("1.0")] [Route("api/v{version:apiVersion}/users")] public class UsersControllerV1 : ControllerBase { [HttpGet] // Matches GET /api/v1/users public IActionResult GetUsers() => Ok("Users V1"); } ``` Supports multiple API versions without breaking changes. Keeps the API maintainable for long-term support.

Answer 16

You can dynamically generate routes using custom route providers. ``` [Route("api/[controller]")] public class DynamicRoutingController : ControllerBase { [HttpGet("data-{year:int:min(2000)}")] public IActionResult GetData(int year) => Ok($"Data for year {year}"); } ```

Answer 17

``` [HttpGet("products/{id:int?}")] // `id` is optional public IActionResult GetProduct(int? id) => Ok(id ?? "All Products"); ```

Answer 18

[Route] [HttpGet] Defines a URL template Binds only to HTTP GET requests Can be used at class level vs Must be used at method level [HttpGet] overrides [Route]'s HTTP method behavior.

Answer 19

It matches the request URL to an endpoint and attaches route values to HttpContext. 🔹 But no action executes yet—that happens after UseEndpoints().

Answer 20

The request URL is matched against route templates defined in [Route] and [Http*] attributes. 🔹 If no match is found, the default convention-based routing is used ({controller}/{action}/{id?}).

Answer 21

Convention-based routing (set in MapControllerRoute) applies globally. 🔹 Attribute routing ([Route], [HttpGet], etc.) is applied at the controller or action level.

Answer 22

app.MapControllers(); enables attribute routing only for controllers marked with [ApiController].

Answer 23

It sets up default MVC routing → {controller=Home}/{action=Index}/{id?}. 🔹 Only works with controllers using ControllerBase or Controller.

Answer 24

Controller-level [Route] acts as a base path for all actions inside it. 🔹 Action-level [Route] appends to the controller route to form the full path. The controller [Route] acts as a prefix, and the action [Route] appends to it. ``` [Route("api/products")] public class ProductsController : ControllerBase { [HttpGet("all")] // Final route: api/products/all public IActionResult GetAll() { } } ```

Answer 25

The method inherits the controller’s route, appending the method name as the action. ``` [Route("api/orders")] public class OrdersController : ControllerBase { [HttpGet] public IActionResult GetOrders() // Matches GET /api/orders/GetOrders } ```

Answer 26

More specific routes take priority over generic ones. GET /products/10 → Matches {id} route. GET /products/all → Matches /all explicitly.

Answer 27

The application will throw an InvalidOperationException at startup because ASP.NET Core cannot register duplicate route templates.

Answer 28

GET /latest gets matched to {id}, treating "latest"as an integer.

Answer 29

ASP.NET Core uses the most specific route to resolve conflicts. If routes are equally specific, it throws an AmbiguousMatchException.

Answer 30

Use route constraints (e.g., {id:int}) or custom route templates to differentiate the routes.

Answer 31

This will cause a route conflict because both routes have the same structure. ASP.NET Core cannot distinguish between id and name in the URL.

Answer 32

Use route prefixes Use the [Route] attribute at the controller level to define a prefix, e.g., [Route("api/[controller]")], and then use relative paths in action methods.

Answer 33

The default route template is "api/[controller]/[action]/{id?}", where [controller] and [action] are placeholders for the controller and action names.

Answer 34

Implement the IRouteConstraint interface to create custom constraints and apply them to route templates, e.g., [HttpGet("{id:customConstraint}")].

Answer 35

Use the MapControllers method in Program.cs or Startup.cs to log route registrations, or enable detailed error messages to identify conflicting routes.

Answer 36

defines a catch-all parameter, meaning it will capture everything after /search/ into the query parameter. Exact matches first (search/help). Parameterized routes second (search/{query}). Wildcard routes last (search/{*query}). Define specific routes before catch-all routes: ``` [HttpGet("search/help")] public IActionResult Help() { return Ok("Search Help Page"); } [HttpGet("search/{*query}")] public IActionResult Search(string query) { return Ok($"Searching for: {query}"); } ```

Answer 37

{query} only matches one segment (/search/term → query="term"). {*query} matches everything after (/search/csharp/aspnet → query="csharp/aspnet").

Answer 38

``` [AcceptVerbs("GET", "POST", "PUT", "DELETE")] // ✅ Allows all these methods [Route("{id}")] public IActionResult GetProduct(int id) { return Ok($"Product {id}"); } ```

Answer 39

By adding it to the RouteOptions.ConstraintMap in Program.cs.

Answer 40

The route with the most specific matching constraints is chosen

Answer 41

[Route("{value:range(1, 100)}")]

Answer 42

The route with the constraint is chosen, provided the constraint passes.

Answer 43

By accessing the values parameter of the Match method.

Answer 44

A route constraint restricts how route parameters are matched, ensuring that only specific values (e.g., integers, strings, or custom patterns) are accepted.

Answer 45

It leverages token replacement to automatically generate routes based on the controller's name The [controller] token is a placeholder that gets replaced with the name of the controller (without the "Controller" suffix). Dynamic Routing: This approach creates a consistent and predictable routing scheme, reducing the need to manually define routes for each controller. **Convention-Based Routing**: Promotes a consistent and predictable routing scheme. **Reduced Boilerplate Code**: Eliminates the need to manually define base routes for each controller. **Maintainability**: Makes it easier to manage and update routes as your API evolves. **Readability**: Improves the readability of your code by clearly defining route templates.

Answer 46

Routing helps us define URLs for API endpoints. Routing determines how incoming HTTP requests map to controller action methods

Answer 47

ASP.NET Core returns a 400 Bad Request error unless the parameter is nullable or has a default value.

Answer 48

Use an array or IEnumerable in the controller method: public IActionResult GetItems(int[] ids).

Answer 49

Route parameters take precedence over query strings unless explicitly specified using [FromQuery].

Answer 50

Large URLs can exceed browser/server limits (~2KB-8KB), impact caching, and degrade performance due to inefficient query parsing.

Answer 51

Endpoint routing maps incoming HTTP requests to specific route handlers using middleware instead of MVC route tables.

Answer 52

Traditional Routing: Defined in UseMvc(). Endpoint Routing: Uses UseRouting() and UseEndpoints(), separating routing from MVC.

Answer 53

UseRouting(): Matches requests to endpoints. UseEndpoints(): Executes the matched endpoint.

Answer 54

Requests won't be routed, leading to a 404 Not Found.

Answer 55

It reduces routing overhead by using a centralized routing table and caching route matches.

Answer 56

In minimal APIs, endpoint routing allows defining routes inline using MapGet(), MapPost(), etc.

Answer 57

Routes will be matched but not executed, causing middleware execution issues.

Answer 58

It allows route-based middleware execution, improving flexibility and performance.

Answer 59

- Use attribute routing for APIs. - Keep routes minimal and descriptive. - Use MapGroup() for grouping endpoints in minimal APIs.

Answer 60

app.UseEndpoints(endpoints => { endpoints.MapControllers().RequireAuthorization(); });

Answer 61

- Forgetting to call UseRouting() before UseEndpoints(). - Using UseMvc() instead of UseRouting().

Answer 62

The first matching endpoint is executed, unless explicit ordering is defined.

Answer 63

Middleware before UseRouting() runs for all requests, while middleware inside UseEndpoints() executes only for matched routes.

Answer 64

Minimal impact, but large route tables can increase memory usage due to caching.

Answer 65

- Exposing unintended API routes. - Open redirects via route parameters. - Middleware order affecting security layers.

Answer 66

``` app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); ```

Answer 67

`app.MapGet("/hello", () => "Hello, World!");`

Answer 68

It enables attribute routing for controllers in Web APIs.

Answer 69

It catches unmatched requests, useful for serving SPAs (e.g., React, Angular).

Answer 70

`app.MapGet("/user/{id:int}", (int id) => $"User ID: {id}");`

Answer 71

``` app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers().RequireAuthorization(); }); ```

Answer 72

api/{id:int}. Constraints take precedence over general parameters.

Answer 73

api/users/all. Literal matches are more specific than optional parameters.

Answer 74

Ambiguous match exception. Order does not resolve this.

Answer 75

api/reports/today. Literal matches are more specific than optional parameters.

Answer 76

api/files/{filename}.txt. More specific literal match.

Answer 77

api/data/{value}. Regex constraint fails, so the general route matches.

Answer 78

api/settings/xml. Literal matches are more specific than default parameter values.

Answer 79

api/specific. Specific routes should be defined before catch-all routes.

Answer 80

No match. The routing system requires an area to be specified for area-specific routes.

Answer 81

api/items/{id:int}. The min(10) constraint fails, so the second route is selected.

Answer 82

api/users/{name}. The guid constraint fails, so the second route is selected.

Answer 83

api/files/{filename}. The length constraint fails, so the second route is selected.

Answer 84

api/orders/{id:int?}. Optional parameter matches when nothing is provided.

Answer 85

api/products/{id:int}. The integer route constraint is met.

Answer 86

api/items/{value:bool}. Boolean constraint is met.

Answer 87

api/data/{value}. Range constraint fails, so the second route is selected.

Answer 88

api/info/{text}. Datetime constraint fails, so the second route is selected.

Answer 89

api/items/{value}. Minlength constraint fails, so the second route is selected.

Answer 90

api/data/{value}. Maxlength constraint fails, so the second route is selected.

Answer 91

Ambiguous match exception. Action name does not differentiate identical routes.

Answer 92

A component that processes requests and responses in a pipeline.

Answer 93

Each middleware component either passes the request to the next component or terminates the pipeline.

Answer 94

It adds a middleware component to the request pipeline.

Answer 95

It adds a terminal middleware that ends the pipeline.

Answer 96

It branches the pipeline based on request paths.

Answer 97

It invokes the next middleware in the pipeline.

Answer 98

By not calling the next delegate.

Answer 99

Use() allows passing to the next middleware, Run() terminates the pipeline.

Answer 100

The order they are added to the pipeline in Program.cs.

Answer 101

Authenticates the user based on provided credentials.

Answer 102

Authorizes the user based on roles and claims.

Answer 103

Serves static files like HTML, CSS, and JavaScript.

Answer 104

Matches incoming requests to endpoints.

Answer 105

Executes the matched endpoint.

Answer 106

To catch and handle exceptions in the request pipeline.

Answer 107

By implementing the IMiddleware interface or creating a class with an InvokeAsync method.

Answer 108

Request middleware modifies the request, response middleware modifies the response.

Answer 109

By accessing and modifying the HttpContext.Request.Headers or HttpContext.Response.Headers collections.

Answer 110

Middleware can add overhead, so optimize for performance.

Answer 111

Using app.Environment.IsDevelopment() or similar checks in Program.cs.

Answer 112

Redirects HTTP requests to HTTPS.

Answer 113

Enables Cross-Origin Resource Sharing.

Answer 114

Middleware can receive dependencies through constructor injection.

Answer 115

Global middleware processes all requests, scoped middleware applies to specific paths or endpoints.

Answer 116

By accessing HttpContext properties and using logging providers.

Answer 117

Provides detailed error information in development environments.

Answer 118

Using if statements or extension methods that check conditions.

Answer 119

Registers a custom middleware of type T.

Answer 120

By accessing the HttpContext.User property and performing authentication logic.

Answer 121

Middleware operates on the request/response pipeline, filters operate within the MVC pipeline.

Answer 122

Authentication won't effectively restrict access; authorization will happen before user context is established.

Answer 123

The subsequent middleware and the remaining pipeline will be executed twice, potentially causing unexpected side effects.

Answer 124

Run() terminates the pipeline, preventing subsequent middleware from executing, which is generally not desired.

Answer 125

Subsequent middleware will receive the modified request body, potentially breaking assumptions or causing errors.

Answer 126

The exception will propagate up the call stack, bypassing any exception handling middleware placed before it.

Answer 127

It can cause issues with buffering and content length, potentially corrupting the response.

Answer 128

Static files won't be served if a matching endpoint is found first, as routing takes precedence.

Answer 129

It can block the thread pool, causing performance issues. Offload I/O to background tasks or use async operations.

Answer 130

It can lead to inconsistent authorization behavior, as authorization is based on the initial user context.

Answer 131

It can change the endpoint that is matched, potentially leading to unexpected routing.

Answer 132

It effectively creates a no-op middleware that does nothing but pass the request to the next (non-existent) middleware or terminates.

Answer 133

It can mask specific errors that require different handling, and it can make debugging difficult.

Answer 134

It will throw an InvalidOperationException because headers cannot be modified after the response starts.

Answer 135

Changes will be visible to subsequent middleware, but it can create implicit dependencies and make code harder to reason about.

Answer 136

Middleware is best for cross-cutting concerns; complex logic should be in services or controllers for better separation of concerns.

Answer 137

CORS headers won't be applied to requests that require authentication, potentially causing issues with cross-origin requests.

Answer 138

It exposes the cookie to client-side scripts, increasing the risk of XSS attacks.

Answer 139

Data validation is typically handled by model binding and validation filters in the MVC pipeline.

Answer 140

It can break IP-based security checks and logging.

Answer 141

Clients may receive truncated or corrupted responses.

Answer 142

It can generate a large amount of log data, impacting performance and storage. Use selective logging.

Answer 143

It can break protocol-specific logic and cause unexpected behavior.

Answer 144

It can lead to inconsistent caching behavior and potential security issues.

Answer 145

Rate limiting is often handled by dedicated rate-limiting middleware or API gateways for better performance and scalability.

Answer 146

It can break content negotiation and lead to incorrect content processing.

Answer 147

It will throw an InvalidOperationException.

Answer 148

It can introduce dependencies and make testing difficult. Use authorization handlers or policies.

Answer 149

It can break query string parsing and lead to unexpected behavior in subsequent middleware or endpoints.

Answer 150

It can lead to unexpected redirects if the client's base URL is different.

Answer 151

Data transformations are typically handled by services or mappers for better maintainability and testability.

Answer 152

It blocks the thread, causing thread pool starvation and poor performance. Use asynchronous operations.

Answer 153

Long execution times increase response latency and reduce throughput.

Answer 154

It leads to memory allocation overhead and garbage collection pressure. Use StringBuilder.

Answer 155

LOH collections are expensive, causing performance degradation. Minimize large object allocations.

Answer 156

Blocking calls increase latency and reduce responsiveness. Use asynchronous calls with timeouts.

Answer 157

Regex matching can be CPU-intensive. Compile regexes or use specialized string matching.

Answer 158

Caching reduces database or external service load, improving performance.

Answer 159

Reflection is slow and can impact performance. Use compiled expressions or code generation.

Answer 160

Boxing and unboxing operations introduce overhead. Use generic types or avoid value type conversions.

Answer 161

Logging can be I/O-bound and CPU-intensive. Use asynchronous logging and selective logging levels.

Answer 162

Each middleware adds overhead. Use middleware only when necessary.

Answer 163

TLS incurs overhead for each thread, impacting performance under high concurrency.

Answer 164

Context switching is expensive. Minimize asynchronous operations that don't yield significant benefits.

Answer 165

It increases CPU usage and latency. Offload calculations to background tasks or use caching.

Answer 166

Excessive memory allocations lead to garbage collection pressure and performance degradation.

Answer 167

String parsing can be CPU-intensive. Use efficient parsing techniques or avoid unnecessary parsing.

Answer 168

Exception handling is expensive. Handle exceptions only when necessary.

Answer 169

Lock contention can cause thread blocking and performance degradation. Minimize lock usage.

Answer 170

Profiling helps identify performance bottlenecks and optimize code.

Answer 171

Network operations are slow and can increase latency. Use asynchronous calls with timeouts.

Answer 172

Serialization and deserialization are CPU-intensive. Use efficient data formats and minimize data transfer.

Answer 173

Timers can introduce overhead and impact performance. Use efficient timer implementations.

Answer 174

Smaller response bodies reduce network bandwidth usage and improve performance.

Answer 175

File I/O is slow and can impact performance. Cache file content or use asynchronous operations.

Answer 176

Database queries are slow and can impact performance. Cache query results or use efficient query patterns.

Answer 177

Delegate invocation introduces overhead. Use efficient delegate implementations.

Answer 178

CPU cache misses are expensive. Organize data and code to improve cache locality.

Answer 179

Object creation introduces overhead. Use object pooling or minimize object allocations.

Answer 180

Context switches are expensive. Avoid unnecessary thread creation.

Answer 181

It leads to memory leaks and performance degradation. Use using statements or dispose patterns.

Answer 182

Performance Stops invalid requests early, avoiding unnecessary processing. Security Prevents invalid or malicious data from reaching the controller. Clarity Ensures routes have predictable and meaningful parameter values. Better API Design Forces clients to follow expected input formats. Unnecessary boilerplate code otherwise to check each parameter