Interview Questions ๐
- Nice Intro
- Company Introduction
- Project Overview and Tech stack with version like C# .net or react version
- Security
- Design Pattern
- EF Core
- .Net core
- Azure Service (Azure Function, Azure App Service(Paas), Azure SQL Database, Azure Blob Storage,Azure Cosmos DB)
- Caching
- Microservices
- -Unit Testing Framewrok
The security can be implemented on multiple level. like
-
Authentication & Authorization
- Use OAuth 2.0 / JWT tokens for API authentication.
- Ensure role-based access control (RBAC) to limit what each user or service can do.
-
Transport Security
- Enforce HTTPS / TLS 1.2+ for all communication.
- Use mTLS for highly sensitive internal services. mTLS (Mutual TLS) is an enhanced version of TLS where both the client and server authenticate each other using certificates, not just the server.
-
Input Validation & Sanitization
- Validate all incoming requests to prevent SQL injection, XSS, and other attacks.
- Use framework-provided validation (like ASP.NET Core Model Validation).
-
CSRF Protection
- For web applications with cookies, implement anti-CSRF tokens.
- For SPAs(React, Angular, etc.), using JWT in headers, CSRF is less of a concern. Authorization: Bearer <JWT_TOKEN>
- Since JWTs are typically stored in localStorage or sessionStorage, a malicious site cannot read them (same-origin policy).
- CSRF protection is mainly for cookie-based authentication, where the browser automatically attaches credentials.
- Rate Limiting & Throttling
- Protect APIs from abuse and DDoS attacks using rate limits.
- Implementation in .NET Core
using Microsoft.AspNetCore.RateLimiting;
using System.Threading.RateLimiting;
var builder = WebApplication.CreateBuilder(args);
// Add rate limiting services
builder.Services.AddRateLimiter(options =>
{
options.AddFixedWindowLimiter("Fixed", limiterOptions =>
{
limiterOptions.PermitLimit = 100; // max 100 requests
limiterOptions.Window = TimeSpan.FromMinutes(1); // per 1 minute
limiterOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
limiterOptions.QueueLimit = 20; // optional queue for extra requests
});
});
var app = builder.Build();
// Apply rate limiting globally
app.UseRateLimiter();
app.MapGet("/", () => "Hello World!");
app.Run();
*Rate Limiting Per Endpoint
app.MapGet("/api/data", () => "Data")
.RequireRateLimiting("Fixed"); // Apply limiter by name
-
Data Protection
- Encrypt sensitive data in transit (HTTPS) and at rest (database encryption).
- Mask or redact sensitive fields in logs.
-
Logging & Monitoring
- Track API access, authentication failures, and unusual patterns.
- Integrate with SIEM or monitoring tools for alerts.
-
Secure Development Practices
- Keep dependencies updated.
- Conduct regular security testing (static analysis, penetration testing).
- Follow OWASP API Security Top 10.
-
API Gateway / Middleware
- Use a gateway to centralize authentication, rate limiting, logging, and request validation.
๐ก Optional Short Version for Interviews:
"I secure APIs by enforcing HTTPS, using OAuth2/JWT for authentication, applying role-based access control, validating inputs, protecting against CSRF and XSS, encrypting sensitive data, implementing rate limiting, and monitoring all traffic through logging and API gateways. I also follow secure development practices and regularly test APIs for vulnerabilities."
Itโs a Warehouse Management System that tracks machinery, inventory, and fleet status in real-time.
-
High-Level Architecture:
- Frontend: Web app / SPA (React, Angular)
- Backend: APIs (.NET Core / .NET 9)
- Database: SQL Server / PostgreSQL
- Integrations: Telemetry devices, third-party services
- Client โ API Gateway โ Services โ Database
-
Each node/service has its own MySQL database.
-
A central database or data warehouse receives updates asynchronously.
-
Instead of writing directly to a central database, updates are sent via a message broker (like RabbitMQ)
-
Services publish events/messages when data changes.
-
Central DB or other services consume messages. -Publish Event from Local Service
// After writing to local DB
var message = JsonSerializer.Serialize(newTelemetry);
var body = Encoding.UTF8.GetBytes(message);
channel.BasicPublish(exchange: "fleet-exchange",
routingKey: "telemetry.created",
basicProperties: null,
body: body);
- Consume Event in Central DB Service
channel.BasicConsume(queue: "central-queue",
autoAck: true,
consumer: new EventingBasicConsumer(channel) {
Received = (model, ea) => {
var message = Encoding.UTF8.GetString(ea.Body.ToArray());
var telemetry = JsonSerializer.Deserialize<TelemetryEvent>(message);
centralDbContext.Telemetry.Add(telemetry);
centralDbContext.SaveChanges();
}
});
- The system is a microservices architecture: the Inventory Service handles stock, the Fleet Service handles machine telemetry, and the API Gateway manages all requests.
| 1 | Asp.net |
| 2 | C# |
| 3 | .Net Core |
| 4 | Micro services |
| 5 | Design Patterns |
| 6 | WEB API |
| 7 | Programing Skills |
| 8 | Oops concept |
| 9 | PL/SQL |
| 10 | Angular |