Inno 3.10 Configuration/Servers/SignalR Flashcards
(28 cards)
What is the dynamic keyword in C#?
The dynamic keyword bypasses compile-time type checking, allowing operations on an object to be resolved at runtime. It’s useful when dealing with objects from dynamic sources like JSON, COM objects, or reflection. However, misuse can lead to runtime errors that would typically be caught at compile time. Use dynamic carefully when you can’t determine the type at compile time.
BYPASSES COMPILE-TIME CHECKING
OPERATIONS ARE RESOLVED AT RUNTIME
What is IConfiguration in .NET?
IConfiguration is an interface used in .NET to access key-value settings from various configuration sources like appsettings.json, environment variables, or command-line arguments.
It supports hierarchical structures and can be injected via dependency injection. It’s commonly used in Startup.cs or Program.cs to configure application services. It helps centralize configuration management for flexibility and testing.
KEY-VALUE SETTINGS FROM CONFIGURATION SOURCES
HIERARCHICAL STRUCTURE
What is IOptions<T> used for in .NET?
IOptions<T> is a pattern in .NET for accessing strongly-typed configuration settings. It binds configuration values to a POCO class and allows injecting those settings into services. It supports validation and can be combined with IOptionsSnapshot<T> (refreshed by request) or IOptionsMonitor<T> for dynamic reloading. It promotes cleaner and type-safe configuration handling.
What are HTTPS certificates and keys used for?
HTTPS uses SSL/TLS certificates and private keys to encrypt communication between the client and server. The certificate contains the public key and is issued by a trusted Certificate Authority (CA).
The private key is securely stored on the server and is used to decrypt messages. Together, they ensure confidentiality, integrity, and authenticity of the transmitted data.
CERTIFICATE CONTAINS PUBLIC KEY
What are anti-forgery tokens and how do they prevent CSRF?
Anti-forgery tokens are unique, unpredictable values embedded in forms or headers to protect against Cross-Site Request Forgery (CSRF) attacks. When a user submits a form, the server validates the token to confirm the request originated from the legitimate client. If the token is missing or invalid, the request is rejected. In ASP.NET Core, anti-forgery protection is built-in and can be enabled via [ValidateAntiForgeryToken].
THE SERVER VALIDATES TOKEN OR HEADER
What do the headers X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy do?
These HTTP security headers help mitigate common web vulnerabilities. X-Content-Type-Options: nosniff prevents MIME type sniffing to avoid running unsafe scripts. X-Frame-Options: DENY or SAMEORIGIN protects against clickjacking by controlling iframe embedding. Content-Security-Policy defines approved content sources to block XSS and data injection attacks.
What is a culture definition in .NET localization?
A culture in .NET defines rules for language, formatting (dates, numbers), and regional settings. It includes a language code (like en or fr) and an optional region (en-US, fr-FR). Setting the correct culture ensures localized content and user-friendly formats. Cultures are managed through CultureInfo objects in .NET.
RULES FOR LANGUAGE, FORMATTING DATES, REGIONAL SETTINGS
What is RequestLocalizationMiddleware used for in .NET?
RequestLocalizationMiddleware enables culture-specific behavior in a .NET web application by setting the current CultureInfo based on the request. It determines the user’s preferred culture via query strings, cookies, or headers. This middleware is essential for serving localized content. It must be added and configured early in the middleware pipeline.
ENABLES CULTURE SPECIFIC BEHAVIOUR IN .NET WEB APP
What is IStringLocalizer and how is it used?
IStringLocalizer provides a way to retrieve localized strings in .NET applications. It uses resource files (.resx) to map keys to translations based on the current culture. You inject IStringLocalizer<T> into classes to access these localized values. It simplifies internationalization and maintains clean separation between code and localized content.
RETRIEVE LOCALIZED STRINGS IN .NET
What are the differences between IOptions<T>, IOptionsSnapshot<T>, and IOptionsMonitor<T>?
IOptions<T> provides a singleton snapshot of config values at app startup.
SNAPSHOT AT APP STARTUP
IOptionsSnapshot<T> creates a scoped snapshot, typically used per HTTP request, useful for dynamic settings in web apps.
CREATES A SNAPSHOT BY REQUEST
IOptionsMonitor<T> supports change notifications and is ideal for services that need to react to runtime configuration changes.
Choosing the right version depends on whether you want static, per-request, or live-updated settings.
CHANGES CONFIGURATION DYNAMICALLY
How do HTTPS certificates and keys work under the hood?
HTTPS uses TLS, which relies on asymmetric cryptography: a certificate contains the server’s public key, while the private key stays secret.
During the TLS handshake, the server proves its identity by signing data with its private key, and the client validates it using the public key. Once trust is established, both sides switch to symmetric encryption for speed. Certificates can be self-signed or issued by a Certificate Authority (CA).
What is CSRF and how do anti-forgery tokens mitigate it?
CSRF tricks a user into performing unwanted actions while authenticated (e.g., changing account settings). Anti-forgery tokens mitigate this by tying form submissions to a unique, session-bound token.
The server checks that the request contains both a valid token in the body and a matching value in a cookie or header. If missing or invalid, the request is rejected, blocking unauthorized cross-origin interactions that exploit the user’s credentials.
How do security headers like X-Content-Type-Options, X-Frame-Options, and CSP improve defense-in-depth?
X-Content-Type-Options: nosniff blocks MIME-type sniffing, preventing browsers from executing non-JavaScript files as scripts.
X-Frame-Options: DENY or SAMEORIGIN prevents clickjacking by disallowing the site to be embedded in iframes.
Content-Security-Policy (CSP) restricts the sources of scripts, styles, and other content, mitigating XSS and data injection.
These headers provide an extra layer of protection beyond app logic.
What are cultures and how are they structured in .NET?
A CultureInfo in .NET includes information like language, number/date formatting, and text direction (e.g., left-to-right or right-to-left).
Cultures follow the pattern languagecode-regioncode, like en-US (English - US) or pl-PL (Polish - Poland). InvariantCulture is used for culture-neutral operations like data serialization. Custom cultures can also be registered if the defaults don’t meet your localization needs.
How does RequestLocalizationMiddleware determine a request’s culture?
The middleware inspects sources such as:
Query string (?culture=fr-FR)
Cookies
HTTP headers (Accept-Language)
It uses a defined priority to select the most appropriate culture, sets CultureInfo.CurrentCulture and CurrentUICulture, and ensures consistent formatting and translations. You can register supported cultures, fallbacks, and a default culture during middleware configuration.
How does IStringLocalizer help with localization, and what are its alternatives?
IStringLocalizer retrieves localized strings using resource files (.resx) based on the current UI culture. It supports pluralization, formatting (localizer["Welcome, {0}", user]), and automatic fallback if a translation is missing. It’s culture-aware and avoids hardcoding translations. For more structured scenarios, IStringLocalizer<T> or IViewLocalizer (for Razor views) offer scoped localization. Alternatives include ResourceManager (manual), or third-party systems like OrchardCore.Localization or Polyglot.
What are the supported server environments for ASP.NET Core apps?
ASP.NET Core apps can run on several environments:
Local Development Server: Runs via dotnet run, typically with Kestrel.
Kestrel: A cross-platform web server optimized for speed, often used behind reverse proxies.
IIS: Internet Information Services, used on Windows for hosting ASP.NET Core with the ASP.NET Core Module.
Docker: Containerized hosting, enabling consistent deployment across environments.
How do you publish an ASP.NET Core app to IIS?
To publish to IIS:
Install the ASP.NET Core Hosting Bundle on the server.
Publish the app (dotnet publish) to a folder.
In IIS, create a site and point it to the published folder.
Configure the application pool to use No Managed Code (ASP.NET Core runs out-of-process).
The hosting bundle installs a reverse proxy module to route IIS requests to Kestrel.
What is SignalR in ASP.NET Core?
SignalR is a real-time communication library for ASP.NET Core that allows bi-directional communication between server and clients (e.g., browsers). It supports WebSockets, Server-Sent Events, and long polling as transport fallbacks. SignalR abstracts the transport logic, allowing you to call JavaScript functions from server-side C# and vice versa. It’s ideal for live dashboards, notifications, chats, or games. It scales via backplanes like Redis or Azure SignalR Service.
What is IHubContext and when do you use it?
IHubContext<T> allows you to communicate with SignalR clients from outside the Hub class. It’s typically injected into services, background jobs, or controllers to broadcast messages. Through Clients.All, Clients.User(userId), or Clients.Group(groupName), you can target specific receivers. It's essential when the logic triggering messages is decoupled from real-time Hub endpoints. The context is created per app lifetime, not per connection.
ALLOWS COMMUNICATING WITH CLIENTS IN CONTROLLER
What is symmetric encryption and how does it work?
In symmetric encryption, the same key is used for both encrypting and decrypting data. It’s fast and efficient, making it suitable for encrypting large amounts of data (e.g., AES).
SAME KEY DOES ENCRYPTING AND DECRYPTING
However, it requires secure key distribution — if someone intercepts the key, they can decrypt everything. It’s commonly used in combination with asymmetric encryption to encrypt the payload after securely exchanging the symmetric key.
What is asymmetric encryption and when is it used?
Asymmetric encryption uses a public key to encrypt and a private key to decrypt data. It solves the key exchange problem: the public key can be shared openly, while the private key remains secret.
PUBLIC KEY TO ENCRYPT AND PRIVATE KEY TO DECRYPT
Algorithms like RSA or ECDSA power secure communication (e.g., TLS) and digital signatures. Although slower than symmetric encryption, it’s ideal for small data, secure handshakes, and authentication. Common use cases include HTTPS and JWT signature verification.
What is the role of Kestrel in ASP.NET Core hosting?
Kestrel is the cross-platform web server built into ASP.NET Core. It’s lightweight and fast, ideal for development and production when used behind a reverse proxy like NGINX or IIS. Kestrel handles HTTP/HTTPS requests, supports HTTP/2, and is fully asynchronous.
By default, dotnet run uses Kestrel. For edge deployments (without reverse proxy), it can serve traffic directly, but you must manage HTTPS and limits carefully.
CROSS-PLATFORM, USED BEHIND REVERSE PROXY
Why is IIS often used as a reverse proxy with ASP.NET Core?
IIS integrates well with Windows Server environments and provides powerful features like process management, logging, and load balancing. In ASP.NET Core, it acts as a reverse proxy — forwarding requests to Kestrel, which does the actual processing. This setup benefits from IIS’s security layers, port sharing, and request filtering, while letting Kestrel handle the high-performance logic. It’s required because ASP.NET Core apps don’t run inside IIS like classic ASP.NET.