API Design Flashcards
REST Principles
-
Stateless
Each request must contain all the information needed to process it. The server does not store session state between requests.
Why?: Improves scalability since the server does not need to track client state.
Example:
β RESTful: Each request has an Authorization token in headers.
2.** Client-Server Architecture **
The client (UI) and server(data) must be independent;
Why?: Increases flexibility; clients and servers can evolve independently.
-
Uniform Interface π―
A consistent way to interact with resources using standard methods (GET, POST, PUT, DELETE).
Why?: Simplifies API usage and improves interoperability.
Example:
β /users/123 β GET (Fetch user), PUT (Update user), DELETE (Remove user).
β /fetchUser?id=123 (Non-uniform, not RESTful).
4.** Cacheability**
Definition: Responses must define whether they are cacheable to reduce unnecessary requests.
Why?: Boosts performance, reduces server load.
-
Layered System
The client doesnβt need to know if itβs communicating with the final server or intermediary (load balancer or proxy).
Why?: Enhances security, scalability, and flexibility.
Example:
A gateway (like API Gateway) handles authentication before forwarding the request to the actual API server. -
Code on Demand (Optional)
Definition: The server can send executable code (like JavaScript or scripts) to the client to execute.
Why?: Can extend functionality dynamically
Example:
A REST API delivering a JavaScript snippet for A/B testing.
What is REST, REST API, RESTful API
REST (Representational State Transfer) is an architectural style for designing networked applications. It relies on stateless communication over HTTP and follows a resource-based approach.
REST : Implementation, may not fully conform, statelessness depends on implementation
RESTful : Strict implementation, stricly stateless
What Does Stateless Mean?
A stateless REST API means each request from the client must contain all necessary information for the server to process it.
The server does not store session state between requests.
Each request is independent, and no previous request affects the current one.
Authentication, user details, and request context (pagination details, filters, and preferences)must be sent every time.
Why is Statelessness Important?
Benefits of Stateless APIs
β
Scalability β Easy to scale horizontally (add more servers) since no session data is stored on a specific server.
β
Reliability β No risk of session data loss if a server crashes.
β
Performance β No need for expensive session lookups in memory or DB.
β
Cacheable β Stateless APIs work well with caching (ETag, Cache-Control).
β
Simplifies Failover & Load Balancing β Any request can go to any server.
[ApiController]
Automatic 400 bad request if model state, input is invalid.
Automatic detection of FromBody FromQuery
Less code for validation and binding
Auto documentation hints
Why Some APIs Might Not Be Stateless?
Complex workflows β Some applications need multi-step interactions (e.g., shopping carts).
Performance Optimization β Maintaining state in-memory reduces DB calls.
User Sessions β Some applications store user sessions for authentication.
Web Applications Needing Session State β e.g., a dashboard tracking user sessions.
Long-Lived Workflows β Workflows requiring persistent state (e.g., video uploads).
πΉ Tradeoff? β Use tokens (JWT) . If state must be stored, use Redis or DB, not in-memory storage. Else If the server restarts, data is lost.
πΉ Solution? β Use Redis, DB, or stateful APIs selectively while keeping other services stateless.
What are stateless authentication
JWT Token : elf-contained, containing user info in the token payload
OAuth
API Keys
Do not use session or cookies because server will then have to track and store
What Does Client-Server Architecture Mean?
Client-Server is a separation of concerns between the client (frontend, mobile app) and server (backend, API).
The client sends requests to the server and only handles UI/UX and interactions.
The server processes business logic, authentication, and data storage.
What happens if Violate Client Server Architecture?
β Tightly Coupled Systems β If frontend logic is hardcoded into the backend, changes require full redeployment.
β Business Logic on the Client β Leads to security risks, as logic can be manipulated by users.
πΉ Tradeoff? β Keep UI and business logic separate, use APIs for communication.
Why is Client-Server Separation Important?
β
Scalability β Servers can be upgraded independently of clients.
β
Flexibility β Clients (web, mobile, desktop) can evolve separately from backend APIs.
β
Security β Sensitive logic (authentication, database) is kept on the server.
β
Reusability β Same API can be used by multiple frontends (React, iOS, Android).
β
Performance Optimization β Clients handle UI rendering, reducing backend load.
What is Layered Architecture?
Layered Architecture in REST enforces a hierarchical structure where components are organized in layers, each performing a specific role.
Layers are independent and interact only with adjacent layers.
Clients do not need to know how the backend is structured.
Security, caching, and load balancing can be added without affecting the client.
How to Implement Client-Server Separation Correctly?
The Client Should Only Handle UI/UX
The client should not contain business logic (e.g., pricing calculations).
The backend should perform validations, authentication, and processing.
The Server Should Not Manage UI Logic
API should return raw data, not UI-specific formats (like error messages).
UI elements (e.g., dropdown options) should be handled by the frontend.
Use API Gateways for Cross-Platform Support
A single API should support multiple clients (mobile, web, IoT).
API Gateway can handle versioning, rate limiting, authentication.
Donβt Overloadin the Server with UI-Specific Endpoints. Return all necessary data in one request.
Donβt Hardcode API Calls in Frontend
Secure the Client-Server Communication
Why is Layered Architecture Important?
β
Scalability β Each layer can be scaled independently.
β
Security β Sensitive data processing happens in deeper layers, not exposed to clients.
β
Flexibility β API Gateway can be modified without affecting backend logic.
β
Maintainability β Changes in one layer do not require modifications in others.
β
Extensibility β Easy to introduce caching, logging, security layers.
How to Implement Layered Architecture Correctly?
Use an API Gateway for Routing, Security, and Load Balancing. API Gateway acts as a single entry point for all requests.
β
Good Approach: Manages authentication, rate limiting, logging, and security. Reduces direct exposure of backend services.
β Bad Example (Clients Accessing Microservices Directly)
GET /inventory/orders/12345 // Direct access
β
Good Example (Using API Gateway)
GET /orders/12345 // Routed through API Gateway
Separate Business Logic from API Controllers
Controller Layer: Handles API requests.
Service Layer: Contains business logic. Caching logic
Repository Layer: Communicates with the database.
Asynchronous processing to improve response times.
What is Cacheability in REST APIs?
Cacheability ensures that responses from a REST API can be stored and reused instead of being regenerated for each request. This improves performance, reduces server load, and minimizes latency.
Data freshness and consistency must be maintained to avoid stale data issues.
β
Lower Bandwidth Usage β Cached responses prevent unnecessary network traffic.
β
Scalability β Helps scale services to handle more users with fewer resources.
When Not to Use Caching?
β Highly Dynamic Data β Frequent changes (e.g., stock prices, real-time updates).
β Personalized Responses β User-specific data (e.g., user dashboards).
β Security-Sensitive Data β API responses containing sensitive info (e.g., authentication tokens).
πΉ Tradeoff? β Balancing freshness and performance is critical.
How to Implement Cacheability in REST APIs?
Example of a Cacheable API Response
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
ETag: βa1b2c3d4β
What are ETags
ETags (Entity Tags) help determine if a cached response is still valid.
If content is unchanged, return 304 (Not Modified) instead of 200 (OK).
Reduces bandwidth usage and speeds up requests.
First Request: Server Generates ETag
GET /products/123
HTTP/1.1 200 OK
ETag: βxyz123β
Cache-Control: public, max-age=3600
Subsequent Request with ETag Check
GET /products/123
If-None-Match: βxyz123β
Server Response (If Data Unchanged)
HTTP/1.1 304 Not Modified
Server Response (If Data Changed)
HTTP/1.1 200 OK
ETag: βabc456β // New ETag, updated content
304 response avoids sending duplicate data, saving bandwidth.
Cache Layers
Client-Side Cache Browser or mobile app stores API responses. HTTP caching, IndexedDB, Service Workers.
Proxy Cache Caches responses between client and server. Cloudflare, Akamai, Varnish.
Application Cache Stores API results within the API itself. Redis, MemoryCache (C#).
Database Query Cache Caches expensive DB queries. PostgreSQL Query Cache, MySQL Query Cache.
Caching Strategy?
Categorize API responses: static, semi-static, dynamic.
Apply caching only where it benefits performance.
Use public for shared data, private for user-specific data.
Implement no-cache for frequently changing data.
Use Layered Caching. Client Cache β CDN Cache β API Cache β Database Cache.
What is Uniform Interface in REST APIs?
The Uniform Interface is a fundamental principle of REST APIs that ensures all clients interact with the API in a consistent and predictable way. This improves scalability, interoperability, and ease of use.
πΉ Key Characteristics of a Uniform Interface
β Resource-Based URLs β Everything is treated as a resource (/users, /orders).
β Standard HTTP Methods β Use GET, POST, PUT, DELETE, PATCH correctly.
β Consistent Request & Response Formats β JSON/XML with clear structure.
β Stateless Interactions β Each request is independent.
β HATEOAS (Hypermedia as the Engine of Application State) β Responses include links for navigation.
Why is Uniform Interface Important?
β
Predictability β Clients know what to expect from the API.
β
Interoperability β Different clients (web, mobile, IoT) can use the API without special logic.
β
Decoupling β The client and server evolve independently.
β
Scalability β Standardized APIs can handle more clients efficiently.
Correct way to Uniform Interface
Verbs should be represented by HTTP methods, not in the URL.
Use Consistent Request and Response Formats
Standardized JSON format improves readability and API integration.
Include status codes, messages, and HATEOAS links (optional).
Use HATEOAS for API Discoverability
HATEOAS
HATEOAS (Hypermedia as the Engine of Application State) includes navigational links in responses.
β
β
Example: HATEOAS in User Response
β
{
βidβ: 123,
βnameβ: βJohn Doeβ,
βemailβ: βjohn@example.comβ,
βlinksβ: {
βselfβ: β/users/123β,
βordersβ: β/users/123/ordersβ,
βupdateβ: β/users/123/updateβ
}
}
Request Structure in REST APIs
Request Line (Method + URL + Version)
Headers (Metadata like authentication, content type)
Query Parameters (Filters, pagination, search)
Body (Payload for POST, PUT, PATCH)
Cookies (Optional, for session/stateful operations)
Request Headers
Headers provide metadata about the request. They can define:
Content Type (JSON, XML, etc.)
Authentication Tokens (JWT, API keys)
Caching Directives
Client Information (User-Agent, Referrer)
Encoding & Compression
Query Parameters
Query parameters modify requests dynamically, commonly used for:
Filtering (?status=active)
Sorting (?sort=name&order=asc)
Pagination (?page=1&limit=10)
Searching (?q=search-term)
Using too many query parameters β leads to long URLs. Use filters in the body for complex queries (POST /search)
What Happens If Content-Type is Missing in POST or PUT Requests?
When a POST or PUT request is sent without a Content-Type header, the server might not understand how to parse the request body. The behavior depends on the serverβs implementation. This often results in an empty request body or a 400 Bad Request error.
ASP.NET Core Returns 415 Unsupported Media Type (if body is present).
Security Concerns
Missing Content-Type increases the risk of attacks like content sniffing vulnerabilities.
If a server guesses the content type, it could misinterpret data and open security loopholes.
Example Attack Scenario:
If a server defaults to text/html, an attacker might inject malicious HTML or JavaScript, leading to XSS attacks.
What happens if a GET request has a request body?
According to the HTTP spec, GET requests should not have a body.
Many servers ignore the body, while some may return a 400 Bad Request or 411 Length Required.
Some APIs (e.g., Elasticsearch) allow a GET request body, but itβs not recommended as caching proxies may not handle it correctly.
β
Best Practice:
If you need to send data with GET, use query parameters instead of a body.
Use POST or PUT if youβre sending a complex payload.
What happens if you call DELETE /resource multiple times?
A properly designed DELETE API is idempotentβcalling it multiple times should return the same result.
First call: Deletes the resource β Returns 200 OK or 204 No Content.
Subsequent calls: Since the resource is already deleted, it should return 404 Not Found (or 204 No Content to indicate success without a body).
Bad API design: If a DELETE request throws an error when the resource doesnβt exist, it is not idempotent.
β
Best Practice:
Ensure DELETE APIs gracefully handle already-deleted resources.
Return 204 No Content or 404 Not Found instead of failing.
What happens if a PUT request is sent with partial data?
PUT is meant to replace the entire resource, so missing fields may be set to default values or removed.
If partial updates are needed, use PATCH instead of PUT.
Some APIs implement merge logic in PUT, but this is against REST principles.
β
Best Practice:
Use PATCH for partial updates.
Ensure PUT updates all required fields or rejects incomplete data with 400 Bad Request.
Why should you avoid sending sensitive data in query parameters?
Query parameters are logged in browser history, server logs, proxies and referrer headers.
They are visible in URLs, making them easy targets for attacks.
They are not encrypted in HTTPS URLs, only the request body is encrypted.
β
Best Practice:
Send sensitive data (like passwords, API keys) in the request body or Authorization headers.
Use POST /auth instead of GET /auth?user=john&password=123.
What happens if a PATCH request sends the entire object instead of just the updated fields?
If the API expects only partial updates, it may apply changes incorrectly.
Some APIs merge fields (safe), while others replace existing values with null (dangerous).
This can cause data loss if the request doesnβt include existing fields.
β
Best Practice:
Follow JSON Patch (application/json-patch+json) standard for clear field updates.
Document whether your PATCH API merges fields or replaces them.
Can a POST request be idempotent?
POST is not idempotent by defaultβit creates a new resource each time.
However, you can design a POST API to be idempotent using unique request IDs or checking for duplicate records.
Example: POST /orders should check if an order already exists before creating it.
β
Best Practice:
Use PUT for updating an existing resource (idempotent).
For POST, implement deduplication strategies (idempotency keys, unique constraints).
What happens if an API doesnβt return an explicit Content-Type in the response?
The client doesnβt know how to interpret the response.
Browsers may guess the content type, which could lead to security risks (MIME sniffing attacks).
Some clients may default to text/html, causing issues when expecting JSON.
β
Best Practice:
Always return a Content-Type header (application/json, application/xml).
Set X-Content-Type-Options: nosniff to prevent content guessing.
What happens if two concurrent PUT requests update the same resource?
Race condition: The second request may overwrite changes made by the first.
The last update βwinsβ, leading to potential data inconsistency.
This is known as the Lost Update Problem.
β
Best Practice:
Use optimistic locking (check if the version has changed).
Example:
The client reads user.version = 1.
Sends PUT /users/123 with version = 1.
If another request updated it to version = 2, the API rejects the request with 409 Conflict.
What happens if a HEAD request returns a response body?
HEAD requests should not return a response bodyβonly headers.
If the API accidentally returns a body, some clients may malfunction.
Some frameworks strip the body automatically, while others donβt.
β
Best Practice:
Ensure HEAD responses only return headers.
Validate responses in API tests (curl -I <URL>).</URL>
What is the difference between 401 Unauthorized and 403 Forbidden?
401 Unauthorized The request lacks valid authentication (e.g., missing/invalid token).
403 Forbidden The user is authenticated but lacks permission to access the resource.
If DELETE returns 200 initially and 404 on subsequent calls, is it still idempotent?
β Yes, itβs still idempotent.
Why?
Idempotency means the result is the same after multiple identical requests.
The first DELETE removes the resource β returns 200 OK (or 204 No Content).
The second DELETE doesnβt change anything (resource is already gone) β returns 404 Not Found.
Even though the status code changes, the end result remains unchanged (resource is gone).
β Bad Design (Not Idempotent)
If the second DELETE throws an error or restores the resource, then itβs not idempotent.
X-Content-Type-Options: nosniff β How does it prevent content guessing?
Problem:
If Content-Type is missing, browsers try to βguessβ the MIME type based on content.
This can be exploited by attackers to run malicious scripts.
πΉ How nosniff helps:
X-Content-Type-Options: nosniff forces the browser to respect the Content-Type header.
If a response has nosniff but no Content-Type, the browser wonβt guess and may refuse to load it.
β
Example Attack (Without nosniff)
Server sends application/json, but no X-Content-Type-Options: nosniff.
Browser guesses itβs text/html and executes JavaScript inside JSON.
This leads to XSS (Cross-Site Scripting) attacks.
β
Correct Defense:
Always set both Content-Type and X-Content-Type-Options: nosniff.
Even if someone forgets Content-Type, nosniff blocks MIME guessing.
π Takeaway:
Content-Type prevents misinterpretation of responses.
nosniff acts as a safeguard when Content-Type is missing.
What happens if an API only accepts application/json but a client sends text/plain?
The API should reject the request with 415 Unsupported Media Type.
If the API does not validate content types, it may try to parse invalid data β parsing errors, crashes, or silent failures.
β
Best Practice:
Strictly enforce Content-Type validation.
What happens if a PATCH request contains invalid fields not part of the resource?
Depends on API design:
Strict APIs: Return 400 Bad Request for unrecognized fields.
Loose APIs: Ignore unknown fields but process valid ones.
β
Best Practice:
Use JSON Schema validation to reject invalid fields.
What happens if an API does not return proper CORS headers?
Browsers block cross-origin requests from frontend apps hosted on different domains.
Example:
API hosted on api.example.com, frontend on app.example.com.
If API does not return Access-Control-Allow-Origin: *, the browser blocks the request.
β
Best Practice:
Configure CORS headers (Access-Control-Allow-Origin).
Use OPTIONS method to handle preflight requests.
What happens if POST is used instead of PUT for updating a resource?
POST creates a new resource, whereas PUT replaces an existing one.
If a client mistakenly uses POST to update:
It may create duplicate records instead of updating.
The API doesnβt guarantee idempotency.
What happens if an API does not validate request sizes?
Denial-of-Service (DoS) vulnerability:
A client could send huge payloads, consuming memory and CPU.
Database performance issues if large requests are stored directly.
β
Best Practice:
Set maximum payload size limits (e.g., 2MB per request).
Use 413 Payload Too Large when exceeded.
What happens if an API allows file uploads without validation?
Attackers can upload malicious files, including:
Executables (.exe, .sh) leading to remote code execution.
Scripts (.php, .js) leading to webshell attacks.
Large files causing storage exhaustion.
β
Best Practice:
Validate file types (MIME & extension).
Set file size limits (e.g., max 10MB).
Store files in dedicated storage (e.g., S3, Azure Blob) rather than directly in the API server.
What happens if an API does not validate JSON structure in request bodies?
If an API does not validate JSON properly, it may:
Accept malformed JSON, leading to undefined behavior.
Fail with 500 Internal Server Error instead of 400 Bad Request.
Allow SQL Injection or NoSQL Injection attacks.
β
Best Practice:
Always validate JSON schema before processing.
Return a 400 Bad Request for invalid JSON.
What happens if an API does not set HttpOnly and Secure flags on authentication cookies?
Without HttpOnly, JavaScript can steal cookies via XSS attacks.
Without Secure, cookies can be sent over HTTP (not encrypted).
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
What happens if an API does not handle large query parameters properly?
Large query parameters may exceed URL length limits (2048 characters in some browsers).
Some servers reject long URLs with 414 URI Too Long.
Could lead to DoS attacks if unvalidated.
β
Best Practice:
Use POST for large payloads instead of query parameters.
Set limits on URL lengths.
What happens if an API allows sensitive data in query parameters?
Query parameters are logged in server logs, browser history, and proxies. Can be cached by browsers or proxies.
β
Best Practice:
Use POST with request bodies for sensitive data. Never pass secrets in URLs.
What is Stateless Authentication?
Stateless authentication means that:
The server does not store user authentication state in any backend storage (DB, Redis, etc.).
Each request must contain all the necessary authentication data for validation.
Example: JWT (JSON Web Token)
When a user logs in, the server generates a JWT and sends it to the client.
On each request, the client sends the JWT in the Authorization header.
The server validates the token without querying a session store.
β
Why is it Stateless?
The server doesnβt need to remember past requests.
The authentication state is self-contained in the token.
Each request is independent and carries its own authentication info.
Why is Stateless Authentication Preferred?
Scalability β No dependency on a session store means easy horizontal scaling (multiple API servers).
Performance β No need to query Redis/DB on every request.
Fault Tolerance β No single point of failure (session store crash wonβt break authentication).
Distributed Systems β Works well in multi-server environments and microservices.
π When is Session-Based Authentication Used?
In traditional web applications where session storage is acceptable.
If tokens are too large to send in every request (e.g., when storing lots of permissions).
How to prevent brute-force attacks on login?
Implement rate limiting (X failed attempts = lock account).
Use CAPTCHAs for repeated failures.
Log suspicious login attempts.
What happens if an API does not return the correct HTTP status codes?
Breaks error handling on clients.
If an API returns 200 OK for errors, clients may misinterpret failures as success.
400 Bad Request β Client errors.
401 Unauthorized β Authentication required.
404 Not Found β Resource not found.
What happens if an API does not implement pagination for large datasets?
High database load.
Slow API responses.
Memory exhaustion on the server.
What happens if an API does not handle OPTIONS requests for CORS properly?
Browsers preflight CORS requests with OPTIONS.
If the API does not handle OPTIONS, cross-origin requests may fail.
What happens if an API does not handle trailing slashes (/) properly?
GET /users/123/ and GET /users/123 might be treated as different endpoints.
This can lead to duplicate caching issues or 404 errors.
β
Best Practice:
Use consistent URL structures.
Redirect /users/123/ β /users/123 to avoid confusion.
If DELETE returns 200 OK on first call and 404 Not Found later, is it idempotent?
Yes. Idempotency means multiple calls have the same effect. After the first delete, the resource is gone.
Can an API return 204 No Content for a GET request?
Not recommended. 204 means successful, but no content, which is usually for DELETE or updates. GET should return data or 404 if missing.
What happens if a GET request doesnβt return Content-Type?
If Content-Type is missing, the client cannot correctly parse the response. Browsers might try to guess using MIME sniffing, which is a security risk. Thatβs why X-Content-Type-Options: nosniff is used.
Why is GET considered safe?
Why is GET idempotent?
It does not modify the resource; it only fetches data.
Multiple identical GET requests return the same response (assuming no changes on the server).
When does a GET request return 304 Not Modified?
When the ETag matches, meaning the client already has the latest version.
What is the role of Cache-Control in a GET request?
It instructs how clients/proxies should cache responses (e.g., no-cache, max-age).
How does ETag improve GET request efficiency?
It helps reduce bandwidth by allowing conditional requests (If-None-Match).
What does If-Modified-Since do in a GET request?
It asks the server to return 304 Not Modified if the resource hasnβt changed since a given date.
How can GET requests be vulnerable to Cross-Site Request Forgery (CSRF)?
If an API modifies data via GET (which it shouldnβt), an attacker can trick users into triggering unwanted actions.
Can GET requests be rate-limited?
Yes, APIs can apply rate limits to prevent abuse (e.g., 429 Too Many Requests).
GET Request?
GET is meant for data retrieval only β It should never modify state.
Safe, Idempotent, Cacheable β But not inherently secure.
GET requests are vulnerable to several attacks if misused.
Exposing Sensitive Data in URLs
Problem: GET parameters appear in browser history, server logs, referrer headers.
β Example: API keys, tokens, passwords leaked in query params.
β
Solution: Use Authorization headers instead.
Open Redirects
(Phishing Risk)
β Problem: Attackers can use open redirects to trick users into phishing sites.
β
Solution: Validate and whitelist redirect URLs.
β Bad
GET /redirect?url=http://malicious.com
β
Fix
wedDomains.Contains(destination))
{
return BadRequest(βInvalid Redirect URLβ);
}
Cache Risks
β Problem: Cached responses can expose private user data in shared caches.
β
Solution: Set proper Cache-Control headers.
β Bad (Public Caching of User Data)
Cache-Control: public, max-age=3600
β
Good (Disable Caching for Sensitive Data)
Cache-Control: no-store, no-cache, must-revalidate
CSRF (Cross-Site Request Forgery)
Problem: If a GET request modifies data, attackers can trick victims into executing it.
β
Solution: GET should not modify state. If needed, use CSRF protection tokens.
β Bad API Design (GET modifies state)
GET /transfer?amount=1000&to=xyz
β
Fix (Use POST + CSRF Protection)
POST /transfer
{ βamountβ: 1000, βtoβ: βxyzβ, βcsrf_tokenβ: βsecure123β }
Why Are GET Requests Generally Faster?
Why is GET usually faster than POST?
β
Lightweight β No request body, only headers & URL.
β
Stateless β No session dependency, reducing server load.
β
Cacheable β Can be served from a local/browser cache or CDN, reducing repeated processing.
GET has no request body, is cacheable, and can be served from CDNs.
Query Injection Attacks
(SQLi, XSS)
β Problem: Poorly validated query params can lead to SQL Injection & XSS.
β
Solution: Always validate and sanitize input.
β Bad (Vulnerable to SQL Injection)
GET /search?query=β OR β1β=β1
β
Fix
Use parameterized queries instead of string concatenation.
Sanitize query params before processing.
var results = db.Query(βSELECT * FROM users WHERE name = @nameβ, new { name = search });
Why Would Some Browsers Retry a GET Request?
Some browsers automatically retry GET requests due to:
πΉ Network Errors: If a request fails due to timeout, packet loss, or DNS failure, some browsers retry it automatically.
πΉ Page Refresh: A user refreshing a page may trigger another GET request.
πΉ Connection Drops: If the TCP connection resets, some clients resend GET requests.
πΉ Idempotency Assumption: Since GET is idempotent, browsers assume retrying is safe.
π Problem? If a GET request unexpectedly modifies data, retries can cause duplicate operations (violating REST principles).
β Fix: Never use GET for state-changing operations.
How GET Uses Caching for Performance Boost
Caching Mechanisms for GET:
πΉ Browser Cache β Stores GET responses in local storage.
πΉ CDN Cache β Reduces load on origin servers.
πΉ Proxy Cache β Caches responses at the network level.
β
Key Headers for Performance
Cache-Control: public, max-age=3600
ETag: βabc123β
π Effect: Reduces redundant GET requests β Faster load times.
β Problem: If sensitive data is cached, it can be accessed later by unauthorized users.
β
Fix: Use
Cache-Control: no-store, private
What Affects GET Performance
πΉ DNS Resolution β If not cached, a fresh DNS lookup adds latency.
πΉ TLS Handshake β Secure GET requests (HTTPS) take extra time.
πΉ Header Size Overhead β Large cookies and headers increase request size.
πΉ URL Length Limitations β GET URLs longer than 2048 chars may be truncated or rejected.
β
Optimization:
Use Persistent Connections (Keep-Alive)
Minimize Header Size
Use HTTP/2 (Multiplexed requests, less latency)
πΉ Load Balancers distribute GET requests across multiple servers.
πΉ CDNs cache GET responses closer to users.
πΉ Compression (Gzip/Brotli) reduces GET response size.
β
Best Practice:
Content-Encoding: gzip
π Reduces payload size for faster transfers.
What if the GET request is slow?
Possible Causes: High DB load, unoptimized queries.
β
Solution: Use indexes, caching (Redis), async processing.
What if the GET response is too large?
Large JSON payloads increase latency.
β
Use pagination and gzip compression.
Large responses can timeout on slow connections.
β
Fix: Use pagination, Gzip compression, or smaller payloads.
GET Request That Breaks Due to Overloaded Headers
Some browsers limit header size (e.g., 8KB in Chrome).
Large headers increase request time & can be rejected.
β
Fix It
Minimize Cookie Size β Donβt store unnecessary data.
Use JWT Tokens instead of session cookies.
Remove unnecessary custom headers.
A GET request works in Postman but fails in a browser. What could be wrong?
Hint: Consider what browsers enforce that Postman doesnβt.
π‘ Answer: The server may lack proper CORS headers, so browsers block cross-origin requests.
β
Fix: Configure Access-Control-Allow-Origin properly on the server.
Your GET request contains Unicode characters (?search=δ½ ε₯½). Some users report errors, others donβt. Why?
Hint: Consider URL encoding behavior.
π‘ Answer:
Some servers or proxies may not properly handle non-ASCII characters if URLs arenβt percent-encoded.
β
Fix:
Ensure the frontend properly encodes special characters (δ½ ε₯½ β %E4%BD%A0%E5%A5%BD).
Check server-side UTF-8 compatibility.
A penetration tester uses GET requests with unusual parameters like ?id=1%20OR%201=1. What are they testing?
Hint: What does 1 OR 1=1 do in SQL?
π‘ Answer:
Theyβre testing for SQL injection, where unescaped input could allow attackers to modify database queries.
β
Fix:
Use parameterized queries.
Never trust user input in database queries.
What is CSRF (Cross-Site Request Forgery)?
CSRF is an attack where an authenticated user is tricked into performing an unwanted action on a website without their consent.
Exploits browserβs automatic credential sending (cookies, session tokens).
Victim logs into a trusted website (e.g., bank.com).
The site stores a session token (cookie) in the browser.
The victim unknowingly visits a malicious site (e.g., hacker.com).
The malicious site sends a hidden request to bank.com
Since the user is still logged in, their browser sends the request with authentication cookies.
Bank.com processes the transaction, thinking itβs a valid request from the user.
Can be used to change passwords, make unauthorized transactions, or delete accounts.
Attacker does not need to steal credentials, just needs the victim to be logged in.
How to Prevent CSRF?
CSRF Tokens: Unique, random token in forms (<input></input>).
SameSite Cookies:
Set-Cookie: sessionid=xyz; HttpOnly; Secure; SameSite=Strict
β Prevents cookies from being sent on cross-site requests.
Use Authorization Headers Instead of Cookies
CSRF mainly affects cookie-based authentication. Using Authorization: Bearer <token> reduces risk.</token>
What is CORS (Cross-Origin Resource Sharing)?
CORS is a browser security feature that blocks cross-origin requests by default to prevent unauthorized API access.
Enforced by browsers (NOT a server-side security measure).
If any site could make API requests to your bank (bank.com), attackers could steal data using JavaScript on malicious websites.
CORS prevents this by enforcing a Same-Origin Policy (SOP).
How to Allow CORS?
Access-Control-Allow-Origin: https://trusteddomain.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
This allows trusteddomain.com to access the API.
π© CORS Pitfall
β Allowing Access-Control-Allow-Origin: * is a major security riskβit permits any site to access your API.
Optimistic Locking
Optimistic Locking prevents concurrent updates from overwriting each other in databases. A concurrency control method where requests include a version number or ETag to prevent lost updates.
π‘ How Does It Work?
Client fetches data (GET /user/123) and receives:
{
βidβ: 123,
βnameβ: βJohnβ,
βversionβ: 5
}
Client modifies & sends a PUT request:
PUT /user/123
Content-Type: application/json
If-Match: β5β
{
βidβ: 123,
βnameβ: βJohn Doeβ,
βversionβ: 5
}
Server checks if version=5 is still valid.
If no one else modified the resource, it updates and increments version.
If someone else already modified it, the server rejects the request with 409 Conflict.
π₯ Why is HTTP 409 Conflict Useful?
Prevents users from overwriting each otherβs changes unknowingly.
Encourages clients to re-fetch and retry updates.
β
Best Practice:
Use ETag or version numbers to track changes.
When receiving a 409 Conflict, re-fetch data before retrying the request.
What is idempotency in HTTP?
Idempotency means that making multiple identical requests results in the same outcome as a single request.
Why is POST not idempotent?
Because it creates a new resource every time it is called.
Why is PUT idempotent?
Because it updates or creates the resource at the same URL, resulting in the same final state no matter how many times itβs called.
What HTTP status code is returned if a duplicate POST is detected?
409 Conflict.
Can PUT create a resource?
Yes, if the client provides the identifier (PUT /users/123), and it remains idempotent.
Whatβs the difference between PUT and PATCH?
PUT replaces the entire resource, while PATCH modifies only specific fields.
What happens if PATCH sends the full object instead of just updates?
It can overwrite unintended fields, leading to data loss.
Why does PUT require a client-defined identifier?
Because it updates a known resource or creates it at a fixed URL, unlike POST, which generates an ID.
Why should you not allow PUT to auto-generate IDs?
Because then each call would create a different resource, violating idempotency.
What is the difference between idempotency and safety in HTTP?
Safety means the request doesnβt modify the resource (GET, HEAD, OPTIONS); idempotency means repeated requests have the same result (PUT, DELETE can modify but remain idempotent).
How can POST be made idempotent?
By using a unique X-Request-ID and rejecting duplicate submissions.
What can violate idempotency in GET requests?
Side effects like logging, analytics, or increasing a counter on every GET request.
How can PUT become non-idempotent?
If it generates unique IDs, timestamps, or modifies fields that change on every request.
Why is DELETE considered idempotent but can violate idempotency?
Deleting the same resource multiple times should have the same effect (return 404 after the first delete), but if deletion triggers cascading changes (e.g., removing related records), it may not be idempotent. if a DELETE request returns 200 on the first call and 404 on the second, It is still idempotent, as the final state (resource deleted) remains the same.
How does using auto-incremented database IDs in PUT violate idempotency?
If a new resource is created every time PUT is called with a missing ID, it creates multiple resources instead of updating the same one.
What should be done to make POST idempotent in payment APIs?
Use a request ID and reject duplicate transactions.
How does REST API versioning impact idempotency?
Different versions might handle methods differently, making idempotency behavior inconsistent.
Why is idempotency crucial in distributed systems?
Network failures, retries, and message duplication require consistent request handling.
How does 502 differ from 504?
502 is when the gateway receives an invalid response, while 504 is when it receives no response (timeout).
Why use 503 instead of 500?
503 explicitly tells clients the service is unavailable and they should retry later.
Can a 500 error expose vulnerabilities?
es, detailed stack traces in 500 errors can expose security flaws.
API fails due to DB outage
503 Service Unavailable
Why is 204 No Content useful?
Reduces response size for actions that donβt need a body.
When to use 202 instead of 201?
202 is used when processing takes time (e.g., background tasks).
Can a DELETE request return 200 instead of 204?
Yes, if the server sends back a message confirming deletion.
How does 301 differ from 302?
301 is permanent, while 302 is temporary.
Why use 304 Not Modified?
Saves bandwidth by letting clients use cached resources.
When to use 202 instead of 201?
202 is used when processing takes time (e.g., background tasks).
