NET Full Stack Developer Interview Questions: The Complete Guide

Preparing for a .NET Full Stack Developer interview requires you to master both technical depth and soft skills. This guide walks you through the most common questions you’ll face, provides realistic sample answers you can adapt, and gives you a framework for thinking through problems on the fly.

Whether you’re interviewing at a startup or enterprise, the core competencies remain consistent: you need to demonstrate proficiency across the entire stack, from database design to responsive UI, plus the problem-solving mindset and communication skills that make you a valuable team member.

Common NET Full Stack Developer Interview Questions

What are the main differences between .NET Core and .NET Framework?

Why they ask this: Your answer reveals whether you understand the evolution of the .NET ecosystem and can make informed technology choices. This is foundational knowledge for any .NET developer.

Sample answer:

”.NET Core is a cross-platform, open-source framework that runs on Windows, Linux, and macOS, while the .NET Framework is Windows-only. I’ve worked with both, and the key differences matter for real projects. .NET Core generally has better performance for containerized applications and is the go-to choice for new development. The .NET Framework is still relevant for legacy applications and Windows-specific projects. In my last role, we migrated an older ASP.NET application to .NET Core specifically because we needed to deploy it on Linux containers in a Kubernetes cluster. That move cut our infrastructure costs and gave us way more deployment flexibility.”

Personalization tip: Replace the migration example with a project where you made a technology choice. If you haven’t worked with both, discuss why you’d choose one based on project requirements.

How do you secure an ASP.NET Core application?

Why they ask this: Security is non-negotiable in web development. They want to see you think about threats proactively, not just add security as an afterthought.

Sample answer:

“I approach security in layers. First, I use ASP.NET Core Identity for authentication and authorization—it handles password hashing and token management out of the box, which is better than rolling your own. I enforce HTTPS everywhere, and I’m careful about what data I expose in APIs. For sensitive data, I encrypt it at rest. I also validate all user input rigorously to prevent SQL injection and XSS attacks. In one project, I implemented OWASP security best practices into our development pipeline—things like using parameterized queries with Entity Framework, implementing CORS policies properly, and setting secure headers like Content-Security-Policy. We also ran regular security scans as part of our CI/CD process. It’s not a one-time thing; it’s woven into how we build.”

Personalization tip: Mention specific OWASP vulnerabilities you’ve actually encountered or prevented. If you haven’t worked on security extensively, discuss how you’d approach it methodically.

Explain the MVC architecture and how it benefits development.

Why they ask this: This tests your understanding of architectural patterns and your ability to explain why structure matters. It’s also a gateway question—your answer shows if you can discuss design concepts clearly.

Sample answer:

“MVC separates an application into three layers: Model handles data and business logic, View is the UI, and Controller processes user input. The real benefit is isolation—I can modify the UI without touching business logic, test components independently, and have multiple team members work on different layers simultaneously without constantly stepping on each other’s toes. In a project I worked on, we had one developer handling Entity Framework models while another built Angular components and I managed the controllers. We delivered faster because we weren’t blocked by each other. MVC also makes debugging easier—when something breaks, I can usually pinpoint whether it’s a data issue, logic issue, or UI issue pretty quickly.”

Personalization tip: Mention how you’ve used MVC to solve a specific team challenge or speed up delivery in a real project.

What is Entity Framework, and when would you use it?

Why they ask this: Entity Framework is core to most .NET projects. They’re checking if you understand ORMs, their tradeoffs, and when they’re the right tool.

Sample answer:

“Entity Framework is an ORM—it maps database tables to C# classes so you work with objects instead of raw SQL. It eliminates a ton of boilerplate. With LINQ, I can write queries that are strongly typed and easier to maintain. I’ve used it on almost every project in my last two roles. The big wins are speed—I don’t write repetitive SQL—and safety, because I’m protected from basic SQL injection. I use lazy loading carefully though, because it can bite you with N+1 query problems if you’re not thinking about it. On one project, I had a report that was running slowly because lazy loading was firing a query for every row. I fixed it with eager loading using .Include(), which cut the query time from eight seconds to under one second. That said, for really complex queries or reporting, sometimes I drop down to raw SQL with Dapper for more control.”

Personalization tip: Discuss a performance issue you solved with Entity Framework or why you chose a different approach in a specific scenario.

How do you handle state management in ASP.NET?

Why they ask this: State management is subtle but critical. Your answer shows whether you’ve thought through the implications of storing data at different scopes.

Sample answer:

“State management depends on what you’re managing. For temporary data during a single request—user preferences for that session, form validation errors—I use ViewBag or ViewData. For data that needs to persist across multiple requests for a user, I use session state or cookies. Cookies are lighter weight but limited in size and visible to the client, so I don’t store sensitive data there. Session state is better for user preferences or shopping cart data. For application-wide data that never changes, like configuration values, I load it once at startup. In my last project, we stored user preferences in session state, which let users customize the dashboard without hitting the database every time they navigated between pages. The tradeoff is that session state uses server memory, so in a cloud-scaled environment, you need to think about whether session state is shared across multiple server instances.”

Personalization tip: Describe a specific use case from a real project where you chose one approach over another.

How do you optimize application performance?

Why they ask this: Performance directly impacts user experience and costs. They want to see a methodical approach, not random guesses.

Sample answer:

“I start by profiling to find actual bottlenecks rather than assuming where the problem is. In Visual Studio, I use the diagnostic tools to see CPU and memory usage. For database queries, I look at execution times in SQL Server Management Studio. Once I find the bottleneck, I address it. I’ve optimized by caching frequently accessed data with MemoryCache or Redis to reduce database calls. I’ve improved queries by adding indexes or rewriting inefficient LINQ. For front-end performance, I bundle and minify CSS and JavaScript, lazy-load images, and minimize API calls. In one project, the initial page load was over five seconds. I profiled and found three issues: N+1 queries in Entity Framework, unoptimized images, and missing HTTP caching headers. Fixing those brought it down to 1.2 seconds. Performance is ongoing—I monitor with Application Insights to catch regressions.”

Personalization tip: Walk through a specific performance problem you diagnosed and solved with concrete metrics before and after.

What are RESTful APIs, and how do you design them?

Why they ask this: RESTful APIs are central to modern web development. Your answer shows whether you understand REST principles and can build maintainable APIs.

Sample answer:

“REST is an architectural style using HTTP methods to represent operations. GET retrieves data, POST creates, PUT updates, DELETE removes. I design APIs with meaningful resource names—/api/customers instead of /api/getCustomers. Versioning matters for backward compatibility; I use URL versioning like /api/v1/customers. I return appropriate HTTP status codes: 200 for success, 201 for creation, 400 for bad requests, 404 for not found, 500 for server errors. Documentation is crucial—I use Swagger to generate interactive API docs automatically. In my last role, I built an API for a reporting system with endpoints for customers, orders, and invoices. I kept it consistent: all endpoints returned data in the same structure, used the same error format, and I documented pagination, filtering, and sorting options. That consistency made it easy for the front-end team to consume.”

Personalization tip: Describe an API you designed or consumed, including decisions you made about versioning, authentication, or error handling.

Explain dependency injection and how you use it in .NET.

Why they ask this: Dependency injection is a best practice that shows you write testable, loosely coupled code. It’s a litmus test for code quality.

Sample answer:

“Dependency injection means passing dependencies into a class rather than having it create them internally. It makes code testable and decoupled. In .NET Core, the framework has built-in DI. I define my services in ConfigureServices in the Startup class, then inject them into controllers or other services. For example, if a controller needs a database context and a service, I define them: services.AddScoped<IRepository, Repository>() and then inject them into the controller constructor. The framework handles creating instances. The benefit is huge for testing—I can mock the repository and test the controller logic without touching the database. I also use interfaces to define contracts, so implementations can change without affecting consumers.”

Personalization tip: Show how you’ve used DI to make testing easier or to swap implementations in a real project.

What testing strategies do you use?

Why they ask this: Testing is how you prevent bugs and maintain code quality over time. Your approach shows professional maturity.

Sample answer:

“I use a layered approach. Unit tests with xUnit test individual methods and classes in isolation—I mock dependencies so I’m testing the unit of logic, not the whole system. Integration tests verify that components work together, including real database calls in a test environment. For UI, I use Selenium for end-to-end testing of critical workflows. In my last role, we had a continuous integration pipeline—every commit ran unit and integration tests automatically before merging. That caught bugs early and gave us confidence deploying multiple times a day. I aim for 70-80% code coverage on business logic, though coverage alone isn’t the goal—meaningful tests matter more than hitting a number. For coverage, I focus on critical paths and edge cases.”

Personalization tip: Mention the testing framework and tools you’ve actually used, and describe a bug that tests would have caught.

How do you approach debugging complex issues?

Why they ask this: Debugging is as important as coding. They want to see a logical process, not random flailing.

Sample answer:

“I follow a structured approach. First, I reproduce the issue consistently—if I can’t reproduce it, I can’t fix it. Then I narrow the scope: is it front-end or back-end? Database or business logic? I use the debugger to set breakpoints and inspect variables. For APIs, I use Postman to test endpoints directly. For database issues, I check SQL queries in SQL Server Management Studio. I also read error messages carefully—they usually tell you exactly what’s wrong. Once I find the root cause, I write a test case that reproduces it, fix the issue, and verify the test passes. This ensures it doesn’t regress. For production issues, I check application logs first—Application Insights shows me errors, performance metrics, and traces. I’ve debugged a gnarly issue where orders were calculating the wrong tax in specific states. It took an hour of tracing through the calculation logic before I found the issue: the state code lookup was using the wrong database column for a recent migration. Having detailed logs would have found it in five minutes.”

Personalization tip: Walk through a specific complex issue you debugged, showing your thought process.

What’s your experience with front-end frameworks like React, Angular, or Vue.js?

Why they ask this: Full-stack means you need more than just back-end skills. They’re assessing your front-end capabilities.

Sample answer:

“I’ve worked primarily with React and some Angular. With React, I’m comfortable with components, state management with hooks, and calling REST APIs from JavaScript. I use tools like npm for package management and webpack for bundling. I’ve built dashboard UIs with data grids, charts, and forms. My React experience is stronger than Angular, but I can pick up new frameworks—the underlying concepts transfer. I haven’t worked deeply with Vue.js, but I’ve read about it and understand the concepts. I’m not a designer, but I work well with designers and can translate mockups into responsive HTML and CSS. In my last project, I built a React dashboard that consumed APIs I wrote in .NET—the full-stack experience meant I understood the API contract and could build it to be front-end-friendly.”

Personalization tip: Honestly state which frameworks you know well versus which you’ve touched. Mention a front-end project you built.

How do you handle database migrations and version control?

Why they ask this: Managing database schema changes across environments is a common real-world challenge. Your answer shows you’ve thought about deployment complexity.

Sample answer:

“I use Entity Framework Code First migrations. I create migration files with Add-Migration MigrationName, review the auto-generated SQL, and apply them with Update-Database. These migrations are versioned in source control, so the team has a history of schema changes. Before running migrations in production, I test them in a staging environment first. For larger migrations or ones that need downtime, I plan carefully—sometimes I run migrations separately from code deployments. I’ve also used SQL Server Data Tools for database schema comparison. The key is making migrations idempotent and repeatable so you can reliably apply them to any environment. In one project, a migration went wrong in production because I didn’t account for the volume of data—the migration timed out. Since then, I always test migrations with production-like data volumes and have a rollback plan.”

Personalization tip: Describe a migration challenge you’ve handled and how you prevented it next time.

What’s your experience with Git and version control workflows?

Why they asks this: You’re working in teams, so version control discipline matters. They want to see you collaborate effectively.

Sample answer:

“I use Git daily—cloning repositories, creating feature branches, committing, and pushing to GitHub or Azure DevOps. I follow a workflow: create a branch for each feature, commit frequently with clear messages, then open a pull request for code review before merging to main. I write meaningful commit messages so the history is readable. I’m familiar with rebasing and merging strategies, though my team usually uses squash commits to keep history clean. I’ve resolved merge conflicts and understand how to avoid them by staying in sync with main. For releases, we tag commits so we know exactly what code is in production. I’ve also worked with pre-commit hooks to run linters and tests automatically before committing.”

Personalization tip: Describe your typical workflow and any Git workflows specific to your previous teams.

Tell me about your experience with Azure or cloud deployment.

Why they ask this: Most companies deploy to cloud now. They’re assessing your cloud comfort level.

Sample answer:

“I’ve deployed several .NET applications to Azure. I’ve used App Service for hosting ASP.NET Core applications, SQL Database for managed databases, and Key Vault for managing secrets. I’ve set up CI/CD pipelines with Azure DevOps to automate testing and deployment. For example, on a recent project, I configured a pipeline that ran on every commit: it ran unit tests, built the Docker image, pushed it to Azure Container Registry, and deployed to an App Service. That gave us confidence pushing multiple times a day. I’m less experienced with Kubernetes, but I understand the concepts. I’ve also worked with Azure Storage for file uploads and Application Insights for monitoring and logging. Azure abstracts a lot of infrastructure concerns, which is great, but I make sure I understand what’s happening under the hood—networking, authentication, scaling policies—rather than just clicking buttons.”

Personalization tip: Mention specific Azure services you’ve used or describe your CI/CD setup.

How do you stay current with technology changes in .NET?

Why they ask this: .NET evolves rapidly. They want developers who commit to continuous learning.

Sample answer:

“I follow the .NET blog and subscribe to newsletters like the .NET Foundation updates. I read articles on Medium and Dev.to about what people are building. I watch conference talks on YouTube—Microsoft Build and NDC conferences have great content. I try new features in side projects before using them in production. When our team evaluates new tools or libraries, I research thoroughly before recommending them. I also contribute to open-source projects occasionally—it keeps me sharp and connected to what’s happening in the community. Last year, I learned about minimal APIs in .NET 6 through a blog post, tested them in a side project, and then used them in a new microservice because they were a better fit than the traditional Controller approach. That learning culture isn’t just about staying employable; it makes the work more interesting.”

Personalization tip: Mention specific resources you follow or technologies you’ve learned recently.

Behavioral Interview Questions for NET Full Stack Developers

Behavioral questions explore how you work with others, handle pressure, and solve real-world challenges. Use the STAR method: describe the Situation, what Task you were responsible for, the specific Actions you took, and the Results you achieved. Be specific with numbers and outcomes.

Tell me about a time you had to debug a critical production issue. How did you approach it?

Why they ask this: They want to see your problem-solving process under pressure and whether you can stay calm and methodical.

STAR framework:

• Situation: Describe what broke, the impact (how many users were affected, what was failing), and the timeline pressure.
• Task: What was your responsibility in fixing it?
• Action: Walk through your debugging process. What tools did you use? How did you narrow down the cause? Did you collaborate with teammates?
• Result: How long did it take to fix? What was the resolution? Did you implement safeguards to prevent it happening again?

Sample answer:

“We had a production outage where orders weren’t completing. It was a Saturday, our busiest day. I was on-call. Customers couldn’t check out, so it was urgent. I checked the application logs in Application Insights and saw database timeout errors. I connected to production SQL Server and found that one query was blocking others due to a missing index. I added the index immediately, and orders started processing again within two minutes. Then I dug deeper: the query was a complex join that could have been optimized. I worked with the team Monday morning to rewrite it properly. We also added query monitoring to our Application Insights setup so we’d catch slow queries automatically. The fix took two minutes, but understanding why and preventing it next time took a few hours.”

Describe a situation where you disagreed with a teammate on a technical approach. How did you handle it?

Why they ask this: Collaboration and communication matter as much as code. They want to see you’re not stubborn but can discuss tradeoffs professionally.

STAR framework:

• Situation: What was the disagreement about? Why did each approach seem reasonable?
• Task: Your role in working toward a resolution.
• Action: How did you approach the conversation? Did you listen to their perspective? How did you present your view?
• Result: Did you reach consensus? What did you learn? What was the outcome of the technical decision?

Sample answer:

“My colleague wanted to use a stored procedure for a complex reporting query. I preferred doing it in C# with Entity Framework because it’s version-controlled and testable. We had different priorities: they valued database performance, I valued code maintainability. Instead of digging in, I asked why they preferred stored procedures and actually ran performance tests on both approaches. Turns out, the stored procedure was significantly faster for that specific report. We went with the stored procedure, but I made sure it was well-documented and we added integration tests that called it. I learned that performance at scale sometimes requires compromise, and that asking questions before debating is more productive. We’ve used that hybrid approach on other projects since.”

Tell me about a project where you delivered something under a tight deadline. How did you manage?

Why they ask this: Startups and enterprises both have deadlines. They want to see you prioritize intelligently, not panic.

STAR framework:

• Situation: What was the deadline? Why was it tight? What were you building?
• Task: What was your specific responsibility?
• Action: How did you plan? What did you cut or optimize? How did you stay organized? Did you communicate status?
• Result: Did you hit the deadline? What was the quality? Any technical debt you addressed later?

Sample answer:

“We had three weeks to build a reporting dashboard before an investor meeting. Normally that’s not enough time. I worked with the product manager to ruthlessly prioritize: we focused on three core reports that investors cared about and cut three others. I reused a base dashboard component so we didn’t build from scratch. I worked in parallel with the front-end developer—as soon as I finished API endpoints, they started building UI. We did daily stand-ups to stay in sync. I also chose pragmatic shortcuts: we used MemoryCache for demo data instead of building complex caching logic, knowing we’d improve it post-launch. We delivered on time, the investor loved it, and we addressed technical debt in the following sprint. The key was being transparent about tradeoffs—‘we can have this by Friday if we don’t do X’—and the team bought in because they understood the priority.”

Tell me about a time you had to learn a new technology quickly to solve a problem.

Why they ask this: Tech changes constantly. They want to see you’re adaptable and resourceful.

STAR framework:

• Situation: What technology did you need to learn? Why? How much time did you have?
• Task: What did you need to accomplish?
• Action: How did you approach learning? What resources did you use? How quickly did you ramp up?
• Result: Did you successfully solve the problem? How long did it take? What was the outcome?

Sample answer:

“We inherited a project that used Dapper for data access—I’d never used it. The previous developer left, and I was the sole back-end person. I had two days before the feature freeze. I watched a couple of YouTube tutorials and read the Dapper documentation. The syntax is simpler than Entity Framework, and I realized it was close enough to SQL that I could learn as I went. I paired with the QA person on complex queries, asked questions, and within a day, I was productive. By day two, I’d fixed bugs and added features. I’d probably use Entity Framework by default now, but Dapper has a place for high-performance scenarios, and I’m comfortable with it. The experience reinforced that the fundamentals of database querying transfer across tools—the unfamiliar syntax is just detail.”

Describe a time you improved a process or codebase that wasn’t working well.

Why they ask this: This shows initiative and ownership. Are you just coding, or improving how the team works?

STAR framework:

• Situation: What wasn’t working? How did it affect the team? Why did it matter enough to fix?
• Task: What was your role in improving it?
• Action: What specific improvements did you make? Did you involve the team?
• Result: What measurable improvements happened? How did the team respond?

Sample answer:

“Our codebase had no automated tests, and every deployment was nerve-wracking because we’d break something unintentionally. I proposed adding unit tests and a CI pipeline. The team was skeptical—‘It’ll slow us down.’ I started small: I wrote tests for critical business logic modules and set up a basic GitHub Actions workflow. It took a week. Within two weeks, it caught a regression in another developer’s code before it merged. The team saw the value and invested more. Six months later, we had 70% test coverage and deployed daily without fear. The initial skepticism turned into ‘how did we live without this?’ The key was proving value quickly with a small scope rather than pushing for a perfect solution upfront.”

Tell me about a time you received critical feedback. How did you respond?

Why they ask this: Defensive people don’t grow. They want to see you take feedback professionally and improve.

STAR framework:

• Situation: What feedback did you receive? From whom? How did it feel in the moment?
• Task: What did you do with it?
• Action: How did you process it? Did you ask clarifying questions? How did you implement the feedback?
• Result: Did you improve? How did that change your work or perspective?

Sample answer:

“A senior developer reviewed my code and said it was overly complex—I had nested loops and convoluted logic that could be simplified. My first reaction was defensive: I thought it was efficient. But I read their comments carefully, and they were right. I asked them to explain their simpler approach, and I learned about LINQ methods I wasn’t using effectively. I refactored the code, and it was half the lines and easier to read. I thanked them and started paying more attention to readability and simplicity. That feedback changed how I approach coding. Now when my code gets reviewed, I look for complexity I can eliminate. I also try to give that kind of constructive feedback to others.”

Technical Interview Questions for NET Full Stack Developers

Technical questions dig into your practical knowledge. Rather than memorizing answers, understand the framework for thinking through them.

How would you design an API for a multi-tenant SaaS application?

Why they ask: Multi-tenancy is complex. Your answer shows architectural thinking and awareness of isolation, security, and performance.

Framework for your answer:

• Data isolation: How do you prevent one tenant’s data from leaking to another? (Separate databases? Shared database with tenant ID filtering? Row-level security?)
• Authentication and authorization: How do users log in? How do you know which tenant they belong to?
• Resource sharing: What resources can be shared across tenants? (Code, infrastructure, configuration?)
• Scaling: If one tenant grows, how does that affect others?

Sample answer:

“I’d start with data isolation. For small-to-medium deployment, I’d use a shared database but add a TenantId to every table. At the database layer, I’d implement a query filter that automatically adds WHERE TenantId = @CurrentTenantId to every query, so developers can’t accidentally leak data. For larger deployments or enterprise clients that demand isolation, I’d provision separate databases. For authentication, I’d use Azure AD B2C or similar, and the JWT token would include the tenant ID. Every API request passes the token, and middleware validates that the user belongs to that tenant. For shared resources, I’d have a master database for configuration and billing, separate from tenant data. Infrastructure would be shared—Kubernetes cluster, Azure resources—but logically isolated. I’d implement API throttling per tenant so one tenant can’t DoS others by making too many requests. Monitoring would be tenant-aware too, so I can see performance per tenant.”

Personalization tip: Discuss whether your experience is theoretical or from a real project. If this is new, discuss what unknowns you’d research.

How do you handle caching in a distributed system?

Why they ask: Caching at scale is subtle. They want to see you understand cache invalidation, consistency, and tradeoffs.

Framework for your answer:

• What to cache: User sessions? Database queries? API responses?
• Where: In-memory (fast but doesn’t scale)? Redis (shared across servers)? CDN (for static content)?
• Invalidation: When does cached data expire or get cleared?
• Consistency: Is stale data acceptable?

Sample answer:

“Caching depends on the data and consistency requirements. For user sessions in a load-balanced environment, I’d use Redis so any server can handle the request. For database query results, I’d use MemoryCache if it’s single-server, Redis if distributed. For read-heavy queries that don’t need real-time accuracy, I’d cache with a TTL—say, five minutes—so we hit the database less often. For writes, I’d invalidate the cache immediately so users see current data. Static assets—JavaScript, CSS, images—get cached at the CDN level with long expiration times. The tricky part is cache invalidation. I’ve seen issues where stale data caused bugs because we forgot to invalidate when related data changed. I now have a pattern: when I write to the database, I also invalidate related caches. Redis has nice options like key expiration and pub/sub for cache invalidation across servers.”

Personalization tip: Describe a caching strategy you’ve implemented or a cache bug you’ve debugged.

Design a database schema for an e-commerce application.

Why they ask: Database design shows whether you understand normalization, relationships, and query patterns.

Framework for your answer:

• Core entities: What tables do you need? (Customers, Products, Orders, OrderItems, etc.)
• Relationships: One-to-many? Many-to-many?
• Constraints: Primary keys? Foreign keys? Unique constraints?
• Denormalization: When would you violate normalization for performance?
• Queries: What queries do you need to support?

Sample answer:

“I’d have Customers, Products, Orders, OrderItems, Payments, and ShippingAddresses tables. Each OrderItem is a many-to-many relationship between Orders and Products, storing quantity and price (I store price because product prices change, but order history should be immutable). Foreign key constraints maintain referential integrity. For performance, I might denormalize—storing TotalAmount on Orders instead of calculating from OrderItems every time. I’d add indexes on frequently searched columns: CustomerId on Orders, ProductId on OrderItems, OrderStatus. For queries, I’d support finding all orders for a customer, products in a category, and recent orders with status. I’d be thoughtful about transactions: when an order is placed, I need to update inventory, create an order record, and record payment atomically. This ensures consistency. One thing I’ve learned: don’t over-normalize. If I have a Payments table, do I need to join it with Orders every time? Maybe I also store PaymentStatus on Orders for faster queries without joins. It’s a tradeoff between storage and query performance.”

Personalization tip: Sketch out key tables and relationships relevant to a domain you know well.

Explain how you’d implement authentication and authorization in a web application.

Why they ask: Security is critical and misunderstood. They want to see you think through this carefully.

Framework for your answer:

• Authentication: How do you verify who the user is? (Username/password? OAuth? Tokens?)
• Password security: How do you store passwords securely? (Never plain text; use hashing and salt)
• Authorization: How do you check what they can do? (Role-based? Permission-based?)
• Token management: If using tokens, how do you handle expiration and refresh?

Sample answer:

“For a web application, I’d use ASP.NET Core Identity for user management. Users log in with a username and password. The password is hashed with a salt using bcrypt (Identity does this automatically) and stored. I never store plain text passwords. Upon successful login, I issue a JWT token with an expiration time—say, 15 minutes—and a refresh token that lasts longer. The client sends the JWT with each request; middleware validates it. If the JWT expires, the client uses the refresh token to get a new JWT without re-entering credentials. For authorization, I define roles—Admin, User, Manager—and assign them to users. On sensitive endpoints, I check role membership: [Authorize(Roles = "Admin")]. For fine-grained permissions—‘can this user edit this post?’—I write custom authorization handlers. I also use HTTPS only, set secure cookies, and implement CORS properly to prevent unauthorized requests from other domains. I log authentication events for security auditing.”

Personalization tip: Discuss OAuth/OpenID if you’ve integrated with external providers like Google or Azure AD.

How would you structure a large .NET solution with multiple projects?

Why they ask: Large projects need organization. They want to see you think about separation of concerns and scalability.

Framework for your answer:

• Project layers: Presentation (API/UI), Business Logic, Data Access, Infrastructure?
• Separation: What belongs in each layer? Why?
• Dependencies: How do layers communicate? (Dependency injection? Interfaces?)
• Shared code: Where does common code live?

Sample answer:

“I’d structure it in layers. The API project contains controllers and configuration. The Application project contains business logic—services, DTOs, validation rules. The Domain project has entities and interfaces defining the core contracts. The Infrastructure project implements interfaces for database access using Entity Framework, external service calls, and logging. Each layer depends inward: API depends on Application, Application depends on Domain and Infrastructure. Infrastructure depends on Domain. This way, if I want to swap how data is persisted, I only change Infrastructure; the rest remains unchanged. I’d also have a Tests project with unit tests and integration tests. If the solution is large, I might have multiple Infrastructure implementations for different data sources. For shared code—utilities, constants, common exceptions—I’d have a Common project. I’d be careful not to create too many projects though; it’s easy to over-engineer. I aim for 5-8 projects: enough structure without complexity.”

Personalization tip: Describe the structure of a project you worked on and why you organized it that way.

Tell me about a complex feature you built and how you approached it.

Why they ask: They want to see your thought process on a real problem, not a theoretical one.

Framework for your answer:

• Requirements: What did you need to build?
• Breakdown: How did you break it into smaller pieces?
• Technical decisions: What architecture or design patterns did you use?
• Challenges: What went wrong or was harder than expected?
• Solution: How did you solve it? What did you learn?

Sample answer:

“I built an invoice generation and delivery system. Invoices are created when orders ship, then emailed to customers and archived. Sounds simple, but there were complexities: invoices needed to be generated asynchronously because they’re computationally heavy, emailing could fail and needed retries, and we had to comply with data retention policies. I broke it into services: InvoiceGenerator handled calculations, InvoiceEmailer handled delivery, and InvoiceRepository handled storage. I used a background job service with Hangfire to run InvoiceGenerator on a schedule. If generation failed, Hangfire would retry. For emailing, I sent emails asynchronously too with exponential backoff retries—if the email service is down, we don’t want to retry immediately and overwhelm it. For archival, I implemented a job that moved old invoices to cold storage after a year. The tricky part was testing—I couldn’t easily test the retry logic. I mocked the email service to simulate failures and verified the retry behavior. I also added detailed logging so we could track what happened with each invoice. It took two weeks to get all the edge cases right, but now the system is robust.”

Personalization tip: Pick a feature that was genuinely complex and discuss what made it so and how you solved it