ASP.NET WEB API Flashcards
What happens if you remove [ApiController]?
Model validation errors won’t trigger 400 Bad Request automatically.
How do you return a custom HTTP response in an API controller?
return StatusCode(201, new { message = “Created” });
API Controller
An API Controller in ASP.NET Core is a specialized controller that handles HTTP requests and is optimized for RESTful API development. It derives from ControllerBase and typically uses the [ApiController] attribute for automatic request validation and behavior enhancements.
Marked with [ApiController] for automatic model validation, routing, and binding improvements.
API Controllers process HTTP requests and return structured data (usually JSON).
[ApiController] enforces attribute routing, which means that conventional routing is disabled.
How are API Controllers and MVC Controllers different
Unlike MVC controllers, they do not return HTML views.
Use Case
RESTful API (JSON, XML) vs Web apps (HTML, Razor Views)
Inheritance
ControllerBase vs Controller
Return Type
IActionResult, JSON vs ViewResult, PartialView
Behavior
Lightweight, optimized for APIs vs Heavy, supports views
Model Validation
Automatic via [ApiController] vs Manual validation required
How do you handle versioning in an API controller?
Use [ApiVersion] and configure API versioning in Program.cs.
Why use API Controllers
Why use API Controllers instead of MVC Controllers for APIs?
Lightweight: No view rendering overhead.
Built-in Model Validation: Reduces manual validation logic.
Automatic HTTP Response Handling: Converts exceptions to proper status codes.
Better API Design: Encourages proper RESTful practices.
Optimized for stateless RESTful APIs.
No unnecessary MVC overhead (views, ViewData, ViewBag, etc.).
Automatic model validation and serialization.
Explicit HTTP method mapping ([HttpGet], [HttpPost], etc.).
Better API response handling (returns JSON/XML by default).
How does [Route] help in API controllers?
Defines a route template for a controller or action, guiding request matching.
What is [NonAction] used for?
Prevents a public method from being treated as an API action.
What does [AllowAnonymous] do?
Allows unauthenticated users to access an action.
What happens if you apply [HttpGet] and [HttpPost] to the same action and send a DELETE request?
The request will return a 405 Method Not Allowed error because the action does not handle DELETE.
What is the default binding source for primitive types in controller action parameters?
Query string ([FromQuery]), unless overridden.
Can an action have multiple HTTP method attributes, like [HttpGet] and [HttpPost]?
What happens if [HttpGet] and [HttpPost] are applied on the same method with different parameters?
Yes, an action can support multiple HTTP methods by applying multiple attributes, e.g., [HttpGet, HttpPost]. However, it may cause ambiguity in some cases.
Model binding may fail, or 400 Bad Request may occur.
What is the default binding source for primitive types, complex types, method without http verb attribute?
Primitive : FromQuery
Complex :Request body ([FromBody]),
HTTP Verb : POSY
What happens if an API controller has [Route(“api/[controller]”)] and an action has [Route(“get-data”)]?
The final route will be api/{controller}/get-data, replacing [controller] with the actual controller name.
What happens if you apply [Route(“{id}”)] to a POST method?
The route may not work correctly because POST typically expects data in the body, not in the route.
What happens if you use [Route] on an action but not on the controller?
The action’s route is treated as an absolute route, not inheriting any prefix.
What happens if you apply [NonAction] to a private method inside an API controller?
Nothing changes because private methods are not treated as actions by default.
The method is ignored by routing.
Can [FromBody] be used with multiple parameters in a single action method?
Can you apply [FromBody] and [FromForm] on the same parameter?
No, only one parameter per action can be bound from the body. ASP.NET Core does not allow multiple [FromBody] parameters.
No, a parameter can be bound from only one source.
What happens if an API controller has both [Authorize] and an action has [AllowAnonymous]?
The action will be publicly accessible despite the [Authorize] on the controller.
Can Any Attribute Be Used for Performance?
Directly? No. Attributes in ASP.NET Core are metadata—they do not directly improve performance. However, some attributes indirectly impact performance by controlling request processing.
Attributes That Indirectly Affect Performance:
[Produces] & [Consumes] → Reduces unnecessary content negotiation.
[ApiController] → Auto model validation prevents extra logic execution.
[ResponseCache] → Enables response caching, reducing load.
[ProducesResponseType] → Helps with API documentation but does not improve performance.
[Authorize] & [AllowAnonymous] → Controls authentication overhead.
[NonAction] → Ensures non-API methods are not mistakenly invoked.
How Is Attribute Precedence Determined?
🔹 1. Controller-Level Attributes override global settings but are overridden by method-level attributes.
🔹 2. Method-Level Attributes have the highest precedence and take priority over controller-level attributes.
🔹 3. Global Filters (via AddControllers in Startup.cs) apply to all controllers unless overridden.
What happens if [ResponseCache(Duration = 60)] is used with [HttpPost]?
No effect, because POST responses are usually not cached.
Attribute Precedence Within the Same Method
Action Filter Attributes ([Authorize], [ValidateAntiForgeryToken], etc.)
Executed before the action method runs.
Applied in the order from class-level to method-level (method-level can override).
Model Binding & Validation ([FromBody], [FromQuery], [ApiController])
Happens before filters.
[ApiController] auto-validates models before the action executes.
Routing & HTTP Verbs ([HttpGet], [Route], etc.)
Defines how the request is matched before execution starts.
[Route] on a method overrides controller-level [Route].
Response Modifiers ([Produces], [ResponseCache], [ProducesResponseType])
Applied after the action executes, affecting the response.
What happens if [Produces(“application/json”)] and [Produces(“text/plain”)] are both applied?
The API only supports the last-specified content type.
What happens if [ValidateAntiForgeryToken] is applied to an API controller?
Fails for API calls, since CSRF tokens are meant for browser-based requests.
No compile-time error, but it breaks API calls at runtime.
❌ Why?
[ValidateAntiForgeryToken] requires an anti-CSRF token in the request.
CSRF tokens only work with browser-based form submissions, not API calls.
APIs do not send or validate CSRF tokens by default, so applying it to an API controller causes all POST requests to fail with 400 Bad Request – “The required anti-forgery cookie is not present”.
✅ How to Fix?
For APIs: Don’t use [ValidateAntiForgeryToken]. Instead, use proper JWT, OAuth, or API Key authentication.
For MVC Forms: [ValidateAntiForgeryToken] is useful for preventing CSRF attacks
What happens if [ProducesResponseType(200)] is applied, but the method throws an exception?
The API may return 500, despite [ProducesResponseType(200)].
What happens if [Authorize] is applied but authentication is not configured in middleware?
All requests will return 401 Unauthorized.
Method has only [FromBody] Model model but route contains {id}
Fails! ASP.NET tries to bind id from the body (which doesn’t exist), leading to 400 Bad Request.
If a method has only [FromBody] Model model and no [FromRoute] int id, ASP.NET may fail to bind the route parameter into the model, causing 400 Bad Request.
If [Produces(“application/json”)] is applied but the method returns a string, what happens?
⚠️ Content-Type still remains application/json, but response is a plain string.
The string won’t be automatically serialized into a JSON object.
What happens if [ProducesResponseType] does not match the actual response type?
No compile-time error, but misleading API documentation.
The method might return an unexpected type, confusing consumers.
What if [Produces(“application/xml”)] is applied but XML formatters are not enabled?
The API ignores it and returns JSON.
Fix: Enable XML formatters in Startup.cs.
If [Route(“api/[controller]”)] is applied at the controller level, what does [HttpGet(“action”)] do?
Creates a route like /api/MyController/action.
The method name does not need to match the action name.
What happens if [HttpDelete] is applied but the request contains a body?
Body is ignored!
DELETE requests should not have a body, and ASP.NET does not parse it.
Types of Routing in ASP.NET Core Web API
Convention-based Routing (used in MVC)
Attribute-based Routing (most common in APIs)
Custom Routing using Middleware
Endpoint Routing
Route Constraints, Tokens, and Defaults
Versioning-based Routing
Dynamic Routing (Custom route providers)
Why is conventional routing NOT ideal for APIs?
APIs need explicit routing for clarity (not assuming default {controller}/{action} structure).
Less control over HTTP verbs (GET, POST, etc.).
Use Attribute-based Routing instead.
Explicit and readable ✅
No unnecessary route assumptions ✅
Better control over HTTP methods ✅
Why use Middleware Routing?
Intercept requests before hitting controllers
Useful for logging, authentication, or feature toggles
Code for custom routing
app.Use(async (context, next) =>
{
if (context.Request.Path == "/custom-route")
{
await context.Response.WriteAsync("Handled by custom middleware!");
return;
}
await next();
});
Endpoint Routing
This decouples route matching from request processing, making it more efficient.
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
endpoints.MapGet("/status", async context =>
{
await context.Response.WriteAsync("API is running!");
});
});
Better performance (compared to previous routing systems).
More flexible (integrates easily with middleware, filters).
Allows mixing Web API and custom routes.
API Versioning-based Routing
API versioning helps maintain backward compatibility.
[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/users")]
public class UsersControllerV1 : ControllerBase
{
[HttpGet] // Matches GET /api/v1/users
public IActionResult GetUsers() => Ok("Users V1");
}
Supports multiple API versions without breaking changes.
Keeps the API maintainable for long-term support.
Dynamic Routing (Custom Route Providers)
You can dynamically generate routes using custom route providers.
[Route("api/[controller]")]
public class DynamicRoutingController : ControllerBase
{
[HttpGet("data-{year:int:min(2000)}")]
public IActionResult GetData(int year) => Ok($"Data for year {year}");
}
Can a route have optional parameters?
[HttpGet("products/{id:int?}")] // `id` is optional
public IActionResult GetProduct(int? id) => Ok(id ?? "All Products");
What is the difference between [Route] and [HttpGet]?
What if a route has both [Route] and [HttpGet]?
[Route] [HttpGet]
Defines a URL template Binds only to HTTP GET requests
Can be used at class level vs Must be used at method level
[HttpGet] overrides [Route]’s HTTP method behavior.
What happens after UseRouting() in the middleware pipeline?
It matches the request URL to an endpoint and attaches route values to HttpContext.
🔹 But no action executes yet—that happens after UseEndpoints().
How does ASP.NET Core determine which controller to invoke?
The request URL is matched against route templates defined in [Route] and [Http*] attributes.
🔹 If no match is found, the default convention-based routing is used ({controller}/{action}/{id?}).
What is the difference between convention-based and attribute routing?
Convention-based routing (set in MapControllerRoute) applies globally.
🔹 Attribute routing ([Route], [HttpGet], etc.) is applied at the controller or action level.
What is MapControllers()?
app.MapControllers(); enables attribute routing only for controllers marked with [ApiController].
What is MapDefaultControllerRoute()?
It sets up default MVC routing → {controller=Home}/{action=Index}/{id?}.
🔹 Only works with controllers using ControllerBase or Controller.
How does ASP.NET Core resolve [Route] on a controller vs. an action?
What happens if [Route] is applied at both controller and action level?
Controller-level [Route] acts as a base path for all actions inside it.
🔹 Action-level [Route] appends to the controller route to form the full path.
The controller [Route] acts as a prefix, and the action [Route] appends to it.
[Route("api/products")]
public class ProductsController : ControllerBase
{
[HttpGet("all")] // Final route: api/products/all
public IActionResult GetAll() { }
}
What happens if [HttpGet] is applied without [Route]?
The method inherits the controller’s route, appending the method name as the action.
[Route("api/orders")]
public class OrdersController : ControllerBase
{
[HttpGet]
public IActionResult GetOrders() // Matches GET /api/orders/GetOrders
}
How does route precedence work?
[HttpGet(“products/{id}”)] // Specific
[HttpGet(“products/all”)] // More generic
More specific routes take priority over generic ones.
GET /products/10 → Matches {id} route.
GET /products/all → Matches /all explicitly.
What happens if two controller actions have the same route template in ASP.NET Core?
The application will throw an InvalidOperationException at startup because ASP.NET Core cannot register duplicate route templates.
[HttpGet(“{id}”)] public IActionResult GetById(int id) {} [HttpGet(“latest”)] public IActionResult GetLatest() {}
GET /latest gets matched to {id}, treating “latest”as an integer.
How does ASP.NET Core resolve route conflicts when multiple routes match a request?
ASP.NET Core uses the most specific route to resolve conflicts. If routes are equally specific, it throws an AmbiguousMatchException.
How can you resolve a route conflict between two actions with the same HTTP method and route template?
Use route constraints (e.g., {id:int}) or custom route templates to differentiate the routes.
What happens if you define a route template like [HttpGet(“{id}”)] and [HttpGet(“{name}”)] in the same controller?
This will cause a route conflict because both routes have the same structure. ASP.NET Core cannot distinguish between id and name in the URL.
How to avoid route conflicts?
Use route prefixes
Use the [Route] attribute at the controller level to define a prefix, e.g., [Route(“api/[controller]”)], and then use relative paths in action methods.
What is the default route template in ASP.NET Core Web API?
The default route template is “api/[controller]/[action]/{id?}”, where [controller] and [action] are placeholders for the controller and action names.
How can you use custom route constraints to resolve route conflicts?
Implement the IRouteConstraint interface to create custom constraints and apply them to route templates, e.g., [HttpGet(“{id:customConstraint}”)].
How can you debug route conflicts in ASP.NET Core?
Use the MapControllers method in Program.cs or Startup.cs to log route registrations, or enable detailed error messages to identify conflicting routes.
[HttpGet(“search/{*query}”)]
defines a catch-all parameter, meaning it will capture everything after /search/ into the query parameter.
Exact matches first (search/help).
Parameterized routes second (search/{query}).
Wildcard routes last (search/{*query}).
Define specific routes before catch-all routes:
[HttpGet("search/help")]
public IActionResult Help() { return Ok("Search Help Page"); }
[HttpGet("search/{*query}")]
public IActionResult Search(string query) { return Ok($"Searching for: {query}"); }
How does a wildcard parameter {*query} differ from {query}?
{query} only matches one segment (/search/term → query=”term”).
{*query} matches everything after (/search/csharp/aspnet → query=”csharp/aspnet”).
Accept All Methods
[AcceptVerbs("GET", "POST", "PUT", "DELETE")] // ✅ Allows all these methods
[Route("{id}")]
public IActionResult GetProduct(int id)
{
return Ok($"Product {id}");
}How do you register a custom route constraint?
By adding it to the RouteOptions.ConstraintMap in Program.cs.
What happens if a URL matches multiple routes with different constraints?
The route with the most specific matching constraints is chosen
How do you apply a range constraint?
[Route(“{value:range(1, 100)}”)]
If two routes match a URL, but one has a constraint and the other does not, which route is chosen?
The route with the constraint is chosen, provided the constraint passes.
How do you access the route parameter values inside of a custom IRouteConstraint?
By accessing the values parameter of the Match method.
What is a route constraint in ASP.NET Web API?
A route constraint restricts how route parameters are matched, ensuring that only specific values (e.g., integers, strings, or custom patterns) are accepted.
[Route(“api/[controller]”)]
It leverages token replacement to automatically generate routes based on the controller’s name
The [controller] token is a placeholder that gets replaced with the name of the controller (without the “Controller” suffix).
Dynamic Routing:
This approach creates a consistent and predictable routing scheme, reducing the need to manually define routes for each controller.
Convention-Based Routing: Promotes a consistent and predictable routing scheme.
Reduced Boilerplate Code: Eliminates the need to manually define base routes for each controller.
Maintainability: Makes it easier to manage and update routes as your API evolves.
Readability: Improves the readability of your code by clearly defining route templates.
What is routing
Routing helps us define URLs for API endpoints. Routing determines how incoming HTTP requests map to controller action methods
What happens if a query string parameter has an invalid type (e.g., ?page=abc when expecting int)?
ASP.NET Core returns a 400 Bad Request error unless the parameter is nullable or has a default value.
How can you bind multiple values for the same query string key (e.g., ?ids=1&ids=2&ids=3)?
Use an array or IEnumerable<T> in the controller method: public IActionResult GetItems(int[] ids).</T>
How does ASP.NET Core differentiate between query strings and route parameters when both have the same name?
Route parameters take precedence over query strings unless explicitly specified using [FromQuery].
What is a potential performance issue when using too many query string parameters?
Large URLs can exceed browser/server limits (~2KB-8KB), impact caching, and degrade performance due to inefficient query parsing.
What is endpoint routing in ASP.NET Core?
Endpoint routing maps incoming HTTP requests to specific route handlers using middleware instead of MVC route tables.
- How does endpoint routing differ from traditional routing?
Traditional Routing: Defined in UseMvc().
Endpoint Routing: Uses UseRouting() and UseEndpoints(), separating routing from MVC.
- Difference between UseRouting() and UseEndpoints()?
UseRouting(): Matches requests to endpoints.
UseEndpoints(): Executes the matched endpoint.
- What happens if UseRouting() is missing?
Requests won’t be routed, leading to a 404 Not Found.
- How does endpoint routing improve performance?
It reduces routing overhead by using a centralized routing table and caching route matches.
Use case of endpoint routing in minimal APIs?
In minimal APIs, endpoint routing allows defining routes inline using MapGet(), MapPost(), etc.
What if UseEndpoints() is not added?
Routes will be matched but not executed, causing middleware execution issues.
Why is endpoint routing preferred over conventional routing?
It allows route-based middleware execution, improving flexibility and performance.
Best practices for endpoint routing?
- Use attribute routing for APIs.
- Keep routes minimal and descriptive.
- Use MapGroup() for grouping endpoints in minimal APIs.
How to restrict routes using RequireAuthorization() in endpoint routing?
app.UseEndpoints(endpoints => { endpoints.MapControllers().RequireAuthorization(); });
Common pitfalls in endpoint routing?
- Forgetting to call UseRouting() before UseEndpoints().
- Using UseMvc() instead of UseRouting().
Edge case: What if two endpoints match the same request?
The first matching endpoint is executed, unless explicit ordering is defined.
How does endpoint routing affect middleware execution?
Middleware before UseRouting() runs for all requests, while middleware inside UseEndpoints() executes only for matched routes.
Does endpoint routing consume additional memory?
Minimal impact, but large route tables can increase memory usage due to caching.
Security risks in endpoint routing?
- Exposing unintended API routes.
- Open redirects via route parameters.
- Middleware order affecting security layers.
How to define endpoint routing in ASP.NET Core?
app.UseRouting();
app.UseEndpoints(endpoints => { endpoints.MapControllers(); });How to create a minimal API using endpoint routing?
app.MapGet("/hello", () => "Hello, World!");
How does MapControllers() work in endpoint routing?
It enables attribute routing for controllers in Web APIs.
What is MapFallback() in endpoint routing?
It catches unmatched requests, useful for serving SPAs (e.g., React, Angular).
How to define a route with constraints in endpoint routing?
app.MapGet("/user/{id:int}", (int id) => $"User ID: {id}");
How to secure API endpoints using endpoint routing?
app.UseAuthorization();
app.UseEndpoints(endpoints => { endpoints.MapControllers().RequireAuthorization(); });- Two routes: api/{id:int} and api/{name}. Input: api/123. Which route matches?
api/{id:int}. Constraints take precedence over general parameters.
- Two routes: api/users/all and api/users/{id?}. Input: api/users/all. Which route matches?
api/users/all. Literal matches are more specific than optional parameters.
- Two routes: api/items/{category}/{id} and api/items/{id}/{category}. Input: api/items/1/2. Which route matches?
Ambiguous match exception. Order does not resolve this.
- Two routes: api/reports/{date?} and api/reports/today. Input: api/reports/today. Which route matches?
api/reports/today. Literal matches are more specific than optional parameters.
- Two routes: api/files/{filename}.txt and api/files/{filename}. Input: api/files/data.txt. Which route matches?
api/files/{filename}.txt. More specific literal match.
- Two routes: api/data/{value:regex(^[0-9]+$)} and api/data/{value}. Input: api/data/abc. Which route matches?
api/data/{value}. Regex constraint fails, so the general route matches.
- Two routes: api/settings/{format=json} and api/settings/xml. Input: api/settings/xml. Which route matches?
api/settings/xml. Literal matches are more specific than default parameter values.
- Catch-all route api/{*path} and route api/specific. Input: api/specific. Which route matches?
api/specific. Specific routes should be defined before catch-all routes.
- Two routes in different areas: [Area(“Admin”)] api/users and [Area(“Public”)] api/users. Input: api/users (no area specified). Which route matches?
No match. The routing system requires an area to be specified for area-specific routes.
- Two routes: api/items/{id:int:min(10)} and api/items/{id:int}. Input: api/items/5. Which route matches?
api/items/{id:int}. The min(10) constraint fails, so the second route is selected.
- Two routes: api/users/{id:guid} and api/users/{name}. Input: api/users/invalid-guid. Which route matches?
api/users/{name}. The guid constraint fails, so the second route is selected.
- Two routes: api/files/{filename:length(5)} and api/files/{filename}. Input: api/files/datafile. Which route matches?
api/files/{filename}. The length constraint fails, so the second route is selected.
- Two routes: api/orders/{id:int?} and api/orders/new. Input: api/orders/. Which route matches?
api/orders/{id:int?}. Optional parameter matches when nothing is provided.
- Two routes: api/products/{category:alpha} and api/products/{id:int}. Input: api/products/123. Which route matches?
api/products/{id:int}. The integer route constraint is met.
- Two routes: api/items/{value:bool} and api/items/{value}. Input: api/items/true. Which route matches?
api/items/{value:bool}. Boolean constraint is met.
- Two routes: api/data/{value:range(1, 10)} and api/data/{value}. Input: api/data/15. Which route matches?
api/data/{value}. Range constraint fails, so the second route is selected.
- Two routes: api/info/{date:datetime} and api/info/{text}. Input: api/info/not-a-date. Which route matches?
api/info/{text}. Datetime constraint fails, so the second route is selected.
- Two routes: api/items/{value:minlength(5)} and api/items/{value}. Input: api/items/abc. Which route matches?
api/items/{value}. Minlength constraint fails, so the second route is selected.
- Two routes: api/data/{value:maxlength(5)} and api/data/{value}. Input: api/data/123456. Which route matches?
api/data/{value}. Maxlength constraint fails, so the second route is selected.
- Identical routes with different action names on the same controller. Input: any matching request.
Ambiguous match exception. Action name does not differentiate identical routes.
What is a middleware in ASP.NET Core?
A component that processes requests and responses in a pipeline.
How does middleware form a pipeline?
Each middleware component either passes the request to the next component or terminates the pipeline.
What is the Use() method used for in middleware?
It adds a middleware component to the request pipeline.
What is the Run() method used for in middleware?
It adds a terminal middleware that ends the pipeline.
What is the Map() method used for in middleware?
It branches the pipeline based on request paths.
What is the purpose of the next delegate in middleware?
It invokes the next middleware in the pipeline.
How do you short-circuit the middleware pipeline?
By not calling the next delegate.
What is the difference between Use() and Run()?
Use() allows passing to the next middleware, Run() terminates the pipeline.
What is the order of middleware execution?
The order they are added to the pipeline in Program.cs.
What is the role of the app.UseAuthentication() middleware?
Authenticates the user based on provided credentials.
What is the role of the app.UseAuthorization() middleware?
Authorizes the user based on roles and claims.
What is the role of the app.UseStaticFiles() middleware?
Serves static files like HTML, CSS, and JavaScript.
What is the role of the app.UseRouting() middleware?
Matches incoming requests to endpoints.
What is the role of the app.UseEndpoints() middleware?
Executes the matched endpoint.
What is the purpose of exception handling middleware?
To catch and handle exceptions in the request pipeline.
How do you create a custom middleware?
By implementing the IMiddleware interface or creating a class with an InvokeAsync method.
What is the difference between request and response middleware?
Request middleware modifies the request, response middleware modifies the response.
How can middleware modify HTTP headers?
By accessing and modifying the HttpContext.Request.Headers or HttpContext.Response.Headers collections.
What is the impact of middleware on performance?
Middleware can add overhead, so optimize for performance.
How do you configure middleware for specific environments?
Using app.Environment.IsDevelopment() or similar checks in Program.cs.
What is the purpose of the app.UseHttpsRedirection() middleware?
Redirects HTTP requests to HTTPS.
What is the purpose of the app.UseCors() middleware?
Enables Cross-Origin Resource Sharing.
How does middleware handle dependency injection?
Middleware can receive dependencies through constructor injection.
What is the difference between global and scoped middleware?
Global middleware processes all requests, scoped middleware applies to specific paths or endpoints.
How can middleware log request and response information?
By accessing HttpContext properties and using logging providers.
What is the purpose of the app.UseDeveloperExceptionPage() middleware?
Provides detailed error information in development environments.
How do you add middleware conditionally?
Using if statements or extension methods that check conditions.
What is the purpose of app.UseMiddleware<T>()?</T>
Registers a custom middleware of type T.
How do you handle authentication in a custom middleware?
By accessing the HttpContext.User property and performing authentication logic.
What is the difference between middleware and filters?
Middleware operates on the request/response pipeline, filters operate within the MVC pipeline.
What happens if app.UseAuthentication() is placed after app.UseAuthorization()?
Authentication won’t effectively restrict access; authorization will happen before user context is established.
What if you call next() twice in a middleware?
The subsequent middleware and the remaining pipeline will be executed twice, potentially causing unexpected side effects.
Why not use Run() for all middleware components?
Run() terminates the pipeline, preventing subsequent middleware from executing, which is generally not desired.
What if a middleware modifies the HttpContext.Request.Body and next() is called?
Subsequent middleware will receive the modified request body, potentially breaking assumptions or causing errors.
What happens if an exception is thrown inside a Run() middleware?
The exception will propagate up the call stack, bypassing any exception handling middleware placed before it.
What if a middleware modifies HttpContext.Response.Body after next() has been called?
It can cause issues with buffering and content length, potentially corrupting the response.
What if app.UseStaticFiles() is placed after app.UseRouting() and app.UseEndpoints()?
Static files won’t be served if a matching endpoint is found first, as routing takes precedence.
Why not perform heavy I/O operations directly in middleware?
It can block the thread pool, causing performance issues. Offload I/O to background tasks or use async operations.
What if a middleware modifies the HttpContext.User after app.UseAuthentication()?
It can lead to inconsistent authorization behavior, as authorization is based on the initial user context.
What happens if a middleware modifies HttpContext.Request.Path?
It can change the endpoint that is matched, potentially leading to unexpected routing.
What if you use app.Use() without any other middleware?
It effectively creates a no-op middleware that does nothing but pass the request to the next (non-existent) middleware or terminates.
Why not use global exception handling middleware for all errors?
It can mask specific errors that require different handling, and it can make debugging difficult.
What happens if a middleware sets a response header after the response has started?
It will throw an InvalidOperationException because headers cannot be modified after the response starts.
What if a middleware modifies HttpContext.Items collection?
Changes will be visible to subsequent middleware, but it can create implicit dependencies and make code harder to reason about.
Why not use middleware for complex business logic?
Middleware is best for cross-cutting concerns; complex logic should be in services or controllers for better separation of concerns.
What happens if app.UseCors() is placed after app.UseAuthentication()?
CORS headers won’t be applied to requests that require authentication, potentially causing issues with cross-origin requests.
What if a middleware sets a cookie without the HttpOnly flag?
It exposes the cookie to client-side scripts, increasing the risk of XSS attacks.
Why not use middleware for data validation?
Data validation is typically handled by model binding and validation filters in the MVC pipeline.
What happens if a middleware modifies HttpContext.Connection.RemoteIpAddress?
It can break IP-based security checks and logging.
What if a middleware sets a Content-Length header that doesn’t match the actual response body length?
Clients may receive truncated or corrupted responses.
Why not use middleware to log every single request and response?
It can generate a large amount of log data, impacting performance and storage. Use selective logging.
What happens if a middleware modifies HttpContext.Request.Protocol?
It can break protocol-specific logic and cause unexpected behavior.
What if a middleware sets a Cache-Control header that conflicts with other caching mechanisms?
It can lead to inconsistent caching behavior and potential security issues.
Why not use middleware to enforce rate limiting?
Rate limiting is often handled by dedicated rate-limiting middleware or API gateways for better performance and scalability.
What happens if a middleware modifies HttpContext.Request.ContentType?
It can break content negotiation and lead to incorrect content processing.
What if a middleware modifies HttpContext.Response.StatusCode after the response has started?
It will throw an InvalidOperationException.
Why not use middleware for authorization logic that depends on external services?
It can introduce dependencies and make testing difficult. Use authorization handlers or policies.
What happens if a middleware modifies HttpContext.Request.QueryString?
It can break query string parsing and lead to unexpected behavior in subsequent middleware or endpoints.
What if a middleware sets a Location header for a relative URL?
It can lead to unexpected redirects if the client’s base URL is different.
Why not use middleware for complex data transformations?
Data transformations are typically handled by services or mappers for better maintainability and testability.
What happens if a middleware performs synchronous I/O operations?
It blocks the thread, causing thread pool starvation and poor performance. Use asynchronous operations.
Why is it important to minimize middleware execution time?
Long execution times increase response latency and reduce throughput.
What happens if a middleware performs excessive string concatenations?
It leads to memory allocation overhead and garbage collection pressure. Use StringBuilder.
What if a middleware allocates large objects on the Large Object Heap (LOH)?
LOH collections are expensive, causing performance degradation. Minimize large object allocations.
Why should middleware avoid blocking calls to external services?
Blocking calls increase latency and reduce responsiveness. Use asynchronous calls with timeouts.
What happens if a middleware uses a large number of regular expressions?
Regex matching can be CPU-intensive. Compile regexes or use specialized string matching.
Why is it important to cache frequently accessed data in middleware?
Caching reduces database or external service load, improving performance.
What happens if a middleware uses reflection excessively?
Reflection is slow and can impact performance. Use compiled expressions or code generation.
Why should middleware avoid unnecessary boxing and unboxing?
Boxing and unboxing operations introduce overhead. Use generic types or avoid value type conversions.
What happens if a middleware performs excessive logging operations?
Logging can be I/O-bound and CPU-intensive. Use asynchronous logging and selective logging levels.
Why is it important to minimize the number of middleware components?
Each middleware adds overhead. Use middleware only when necessary.
What happens if a middleware uses thread-local storage (TLS) excessively?
TLS incurs overhead for each thread, impacting performance under high concurrency.
Why should middleware avoid unnecessary context switching?
Context switching is expensive. Minimize asynchronous operations that don’t yield significant benefits.
What happens if a middleware performs complex calculations on each request?
It increases CPU usage and latency. Offload calculations to background tasks or use caching.
Why is it important to optimize middleware for memory allocation?
Excessive memory allocations lead to garbage collection pressure and performance degradation.
What happens if a middleware performs excessive string parsing?
String parsing can be CPU-intensive. Use efficient parsing techniques or avoid unnecessary parsing.
Why should middleware avoid unnecessary exception handling?
Exception handling is expensive. Handle exceptions only when necessary.
What happens if a middleware uses a large number of locks?
Lock contention can cause thread blocking and performance degradation. Minimize lock usage.
Why is it important to profile middleware performance?
Profiling helps identify performance bottlenecks and optimize code.
What happens if a middleware performs excessive network operations?
Network operations are slow and can increase latency. Use asynchronous calls with timeouts.
Why should middleware avoid unnecessary serialization and deserialization?
Serialization and deserialization are CPU-intensive. Use efficient data formats and minimize data transfer.
What happens if a middleware uses a large number of timers?
Timers can introduce overhead and impact performance. Use efficient timer implementations.
Why is it important to minimize the size of the HTTP response body?
Smaller response bodies reduce network bandwidth usage and improve performance.
What happens if a middleware performs unnecessary file I/O operations?
File I/O is slow and can impact performance. Cache file content or use asynchronous operations.
Why should middleware avoid unnecessary database queries?
Database queries are slow and can impact performance. Cache query results or use efficient query patterns.
What happens if a middleware uses a large number of delegates?
Delegate invocation introduces overhead. Use efficient delegate implementations.
Why is it important to optimize middleware for CPU cache locality?
CPU cache misses are expensive. Organize data and code to improve cache locality.
What happens if a middleware performs unnecessary object creations?
Object creation introduces overhead. Use object pooling or minimize object allocations.
Why is it important to minimize the number of context switches between threads?
Context switches are expensive. Avoid unnecessary thread creation.
What happens if a middleware does not properly dispose of disposable objects?
It leads to memory leaks and performance degradation. Use using statements or dispose patterns.
why use route constraints
Performance Stops invalid requests early, avoiding unnecessary processing.
Security Prevents invalid or malicious data from reaching the controller.
Clarity Ensures routes have predictable and meaningful parameter values.
Better API Design Forces clients to follow expected input formats.
Unnecessary boilerplate code otherwise to check each parameter
