101. How do you validate Cross-Origin Resource Sharing (CORS) in APIs?
Answer:
CORS validation involves testing HTTP headers like Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. Use tools like Postman, curl, or browser DevTools to simulate cross-origin requests and preflight (OPTIONS) calls. Ensure correct status codes like 200 OK or 403 Forbidden for unauthorized domains.
102. How do you ensure proper input sanitization in API testing?
Answer:
Test with XSS payloads, SQL injections, and unexpected characters. Use Burp Suite, OWASP ZAP, or Fuzzing tools to inject malicious inputs. APIs must return 400 Bad Request for invalid inputs and never reflect raw input in the response. Validate server-side sanitization, not just client-side.
103. What strategies can be used to verify output sanitization in APIs?
Answer:
Ensure the API output does not contain raw HTML/JS content that could be interpreted by a client. Inject payloads and inspect the response body. Use static analysis tools, and check for output encoding like escaping special characters (<, >, &). This is critical for frontend integration.
104. How can SQL Injection vulnerabilities be identified during API testing?
Answer:
Inject SQL payloads like ‘ OR 1=1– into query parameters or request bodies. Monitor API responses and DB logs for anomalies. Use tools like SQLMap, and ensure backend uses prepared statements. Properly handle error messages to avoid exposing SQL error stacks.
105. How to test APIs for XSS (Cross-Site Scripting) vulnerabilities?
Answer:
Inject JavaScript like <script>alert(‘XSS’)</script> in request fields. Observe if this is reflected in the API response without escaping. XSS often impacts frontend rendered data, but APIs should also filter/escape user input before returning it. Tools: OWASP ZAP, Postman scripts.
106. How do you test for CSRF (Cross-Site Request Forgery) protection in APIs?
Answer:
CSRF is tested by trying unauthorized state-changing requests (like POST/PUT) without tokens. APIs should validate anti-CSRF tokens or SameSite cookie attributes. CSRF testing is most relevant for session-based authentication systems.
107. How do you handle broken link testing in REST APIs?
Answer:
Use automation scripts to check all endpoint URLs for 404 Not Found or 410 Gone. Maintain a Swagger/OpenAPI spec and auto-validate with tools like Swagger Validator, Postman Monitors, or API Fortress. Also test redirection (301, 302) behaviors if applicable.
108. How to validate proper handling of CORS preflight (OPTIONS) requests?
Answer:
Send custom OPTIONS requests with headers like Access-Control-Request-Method and Access-Control-Request-Headers. Validate the response includes appropriate Access-Control-Allow-* headers and returns 200 OK. Use curl -X OPTIONS or browser DevTools for analysis.
109. How to test multi-language support in REST APIs?
Answer:
Pass Accept-Language headers (en-US, fr-FR, etc.) in API requests. Validate that content such as messages, labels, and dates are localized. Maintain language-specific JSON or resource bundles in backend services and validate their usage.
110. How do you verify multi-currency support in APIs?
Answer:
Send currency codes (e.g., INR, USD, EUR) in request parameters or headers. Validate returned price formatting, symbols, and exchange rates. Consider using mock payment gateways to simulate real-world scenarios.
111. How to ensure APIs support multiple timezones effectively?
Answer:
Use timezone parameters or ISO 8601 timestamps. Validate that date-time values returned are offset correctly (Z, +0530). Test daylight saving transitions and use libraries like moment.js, Luxon, or Joda-Time for conversions.
112. How do you verify multi-locale support in APIs?
Answer:
Locale involves both language and region. For example, en-US vs en-GB. Test by passing the Accept-Locale or custom headers and validate locale-specific date formats, currency, and spelling. Use locale testing libraries or browser localization settings for simulation.
113. What’s the approach to test region-specific API responses?
Answer:
Pass region parameters or geo-based IPs (mocked). Ensure regional settings (content restrictions, pricing, timezones) are honored. Validate against geofencing, regulatory compliance, and region-specific APIs (e.g., GDPR-enabled responses for EU).
114. How to validate multi-tenant support in API architecture?
Answer:
Pass tenant IDs in headers or tokens (e.g., X-Tenant-ID). Ensure data isolation—users from one tenant cannot access another’s data. Check RBAC (Role-Based Access Control) policies, database sharding, and audit logs.
115. What’s the strategy for validating multi-environment support?
Answer:
Each environment (dev, staging, production) may use different URLs or credentials. Verify that configuration changes like logging levels, caching, and feature flags behave appropriately in each. Use CI/CD pipelines and environment variables for testing automation.
116. How do you verify multi-platform compatibility in API responses?
Answer:
Ensure responses are consumable across mobile, web, and IoT platforms. Validate headers like User-Agent or Platform-Type, and test JSON consistency. Simulate different devices and client libraries using Postman, Insomnia, or mobile device emulators.
117. How to test response times for different HTTP methods?
Answer:
Measure response times for GET, POST, PUT, DELETE using JMeter, Gatling, or Postman test scripts. Validate SLAs and performance thresholds. Use responseTime < X ms assertions and run under load to assess consistency.
118. How does the API handle large payloads, and how do you test this?
Answer:
Send JSON/XML payloads of increasing size and validate server behavior. Look for 413 Payload Too Large, memory errors, or timeouts. Use tools like Apache JMeter, Postman, and server logs for profiling. Implement chunked upload and pagination for large datasets.
119. How to test API behavior with minimal/small payloads?
Answer:
Send minimal valid payloads to test validation layers. Ensure APIs return appropriate messages for missing optional fields or small array sizes. Check for default values and schema fallback mechanisms.
120. How to test APIs under concurrent load and ensure thread-safety?
Answer:
Use JMeter, Locust, or k6 to simulate concurrent users. Verify that shared resources are not corrupted and response times remain within limits. Test for race conditions, database deadlocks, and locking issues in backend.
👉The Next 20 Questions-V: API TESTING
👉The Next 20 Questions-VI: API TESTING
