Core Code
Core Code Modern Dev Handbook
DOTNET Contents
Foundations (Hosting, DI, Config)
Hosting Model & Kestrel Reality DI Lifetimes (This Will Leak/Break) Options Pattern & Config Binding Env Config & Secrets (Don't Bake) Logging Basics with ILogger Health Checks: Readiness vs Liveness Graceful Shutdown Basics
Web Services Basics (ASP.NET Core)
Controllers vs Minimal APIs (Tradeoffs in Prod) Middleware Pipeline Order (Bugs You Deserve) Routing Basics (Endpoints That Bite) Endpoint Filters Basics Request/Response Streaming (Backpressure Matters) Static Files (Security Foot-guns) Shutdown Draining (Don't Drop In-Flight)
Routing, Binding & Validation
Model Binding Gotchas Validation with FluentValidation (Basics) Input Validation: What to Validate Where File Upload Basics & Hardening Querystring Filtering & Limits Multipart Size Limits (Stop Zip Bombs)
Errors & Problem Details (RFC 7807)
Exception Handling Middleware (Correctly) Problem Details (RFC 7807) Done Right Validation Errors as Problem Details Error Codes & API Contracts Global JSON Settings (Safe Defaults) 404 vs Validation (Client UX & Semantics)
Authentication & Authorization
Cookie vs Bearer Auth (Don't Mix Blindly) JWT Validation Basics (What Actually Matters) JWT Key Rotation & kid Handling AuthZ Policies, Roles, Claims Resource-Based Authorization ASP.NET Identity: When to Use It mTLS Client Certs (Basics)
Security Basics (Production)
CORS Misconfigurations (Real Impact) Security Headers (Baseline) CSRF: SameSite vs Token Defenses XSS: Output Encoding & HTML Safety Deserialization Hardening SSRF & Egress Controls Rate Limiting Basics (Server-Side) Request Size Limits (Abuse Prevention) Secrets Management for .NET Apps Dependency Vulnerability Scanning
Data Access (EF Core in Prod)
DbContext Lifetime & Pooling (Prod-Safe) Migrations Safe Rollout (No Downtime) Transactions & Isolation Levels N+1 Detection & Fix Query Performance & Index Reality Optimistic Concurrency Tokens Outbox Pattern (Basics) Soft Delete & Global Query Filters Connection Resiliency (Retries Without Lies)
HTTP Clients & Integrations
HttpClientFactory: Pooling & DNS Reality Timeouts & Deadlines (Stop Hanging Threads) Retries & Backoff Policies (When It's Okay) Circuit Breakers (Basics That Matter) Idempotency Keys for Outbound Calls Headers/Auth Forwarding (Don't Leak) HTTP/2 and HTTP/3 Considerations
Reliability Patterns
Timeouts & CancellationTokens (Correct Wiring) Retries: When NOT To (Thundering Herd) Idempotency for APIs (You Need This) Server-Side Rate Limiting (Fairness & Abuse) Bulkheads & Concurrency Limits Backpressure in Streaming (Don't OOM) Graceful Degradation & Fallbacks Saga & Compensation (Basics)
Background Jobs & Hosting
HostedService Basics (The Safe Way) Background Queue with Channels Cron Scheduling: Hangfire vs Built-in Worker Service Deploy Patterns Message Consumers & Idempotency Shutdown: Cancellation & Job Draining
Observability (Logs, Metrics, Traces)
Structured Logging with Serilog Correlation IDs & Trace Context OpenTelemetry Tracing (ASP.NET Core) OpenTelemetry Metrics (SLI-first) Health Checks Deep Dive (Readiness Done Right) Log PII Redaction (Don't Get Sued) Alerting & SLO Basics (Actionable Only) Debugging in Prod (Dumps, Traces)
Performance & Tuning
ThreadPool Starvation (Symptoms & Fix) Async Pitfalls (Deadlocks, Fire-and-Forget) Allocations & GC (What Actually Hurts) Kestrel Tuning & Limits JSON Serialization Performance EF Core Perf Hotspots (How to See Them) Caching: Response/Output Strategies
Testing & Quality Gates
Unit Testing with xUnit (Basics) Integration Tests with WebApplicationFactory Contract Tests (Basics) Mocking HTTP and Time Safely Testcontainers Basics (Real Dependencies) Coverage & Quality Gates (No Theatre) Load Testing with k6 (Basics)
Build, Release & Deploy
Build/Publish, Trimming, AOT (Basics) Dockerizing ASP.NET Core (Production) Config & Secrets in Deploy (No Baking) Blue/Green & Canary (Basics) Migrations & Deploy Order (Avoid Locking) Rollbacks vs Forward-Fix (When Each Wins) Versioning & SemVer (APIs Included) CI/CD Basics (Build, Test, Scan, Ship)
Production Runbooks
Incident Triage Playbook (First 15 Minutes) Dependency Outage Playbook (Third-Party Down) DB Latency Playbook (EF Core Included) Memory Leak Playbook (OOM Hunting) CPU Saturation Playbook (Hot Paths) Timeout Storm Playbook (Cascading Failure) Deploy Failure Playbook (Rollback Safely) Production Readiness Checklist

ASP.NET Identity: When to Use It

ASP.NET Core Identity is powerful but heavy. Learn when to use it, when not to, how it impacts scaling, and how misuse leads to auth complexity and production incidents.
On this page

Identity Is a Full Identity System, Not Just Login

ASP.NET Core Identity provides: - user store - password hashing - lockout - email confirmation - two-factor support - token generation - role management It is a complete identity management framework. Production rule: Use Identity when you need to manage users yourself. Do not use it blindly for API-only services.

Real Production Incident

Symptoms: - High latency on login endpoints. - Unexpected database load. - Lockout logic inconsistent across instances. - Complex auth bugs after scaling horizontally. Root cause: - Identity configured with default settings without understanding persistence model. - Heavy synchronous operations during login. - User store not optimized or indexed properly. - Custom extensions bolted on top without clear boundaries. Identity was used as a black box, not a system component.

Symptom → Cause → Diagnosis → Fix

Symptom: - login performance degradation - database contention on AspNetUsers tables - inconsistent lockout behavior - auth flows hard to debug Cause: - not understanding Identity’s schema and flows - no proper indexing on normalized columns - mixing Identity with external token validation poorly - extending Identity in ad-hoc ways Diagnosis: - inspect database query plans for login operations - review Identity configuration (password hashing iterations, lockout thresholds) - audit custom UserManager/SignInManager overrides - measure login endpoint latency separately Fix: - use Identity only when needed - optimize user store (indexes, constraints) - isolate Identity logic from domain logic - consider external identity provider for complex scenarios

When to Use ASP.NET Core Identity

Use Identity when: - you manage users internally - you need password-based login - you require email confirmation, password reset - you need built-in 2FA and lockout support - you control the user database schema It is well-suited for: - SaaS apps with internal user accounts - admin panels - B2C apps without external IdP

When NOT to Use Identity

Avoid Identity when: - your service is API-only and trusts external IdP (OIDC, OAuth2) - you do not manage user passwords - authentication is entirely delegated - you want stateless token validation only In these cases: - use JWT validation only - avoid unnecessary user store and schema complexity Production rule: Do not embed a full identity system in every microservice.

Anti-Pattern: Identity in Every Service

Each microservice: - has its own AspNetUsers table - manages roles locally - performs login This leads to: - duplicated user state - synchronization problems - complex migrations - security inconsistencies Correct pattern: Centralize identity in one service or external provider. Other services validate tokens and enforce authorization.

Scaling Considerations

Identity is database-backed. At scale: - login bursts can cause DB pressure - lockout counters can cause write contention - token storage (if used) can grow Mitigations: - proper indexing (NormalizedUserName, NormalizedEmail) - short-lived access tokens after login - avoid frequent writes to user record for trivial actions - use caching carefully (but do not cache sensitive auth state incorrectly) Production rule: Login endpoints are high-risk and must be load tested.

Password Hashing and Cost

Identity uses secure password hashing (PBKDF2 by default). High iteration counts increase security but increase CPU cost. Balance: - strong hashing cost - acceptable login latency Monitor: - login latency - CPU utilization during peak login events Do not: Lower hashing cost without security review.

Security Notes

- Always require HTTPS. - Enforce strong password policies appropriate for risk. - Enable account lockout with sane thresholds. - Protect against user enumeration (uniform responses for login failures). - Do not expose whether email exists. If integrating with JWT: - issue tokens only after successful Identity authentication. - validate tokens strictly in downstream services.

Operational Notes

Monitoring: - track login success/failure rates - alert on spikes in failed login attempts (possible attack) - monitor lockout rates Rollout: - Changes to password policy or hashing cost are breaking for users. - Canary changes carefully. - Test migrations that affect AspNetUsers schema. Rollback: - If auth regression blocks all logins, rollback immediately. - Maintain admin break-glass access. Governance: - Document identity flows clearly. - Keep identity code separate from business logic. - Avoid uncontrolled customization of Identity internals.

Checklist

- Identity used only where user management is required. - External IdP preferred for API-only or distributed systems. - Identity tables properly indexed. - Login endpoints load tested. - Password hashing cost balanced and monitored. - Lockout and enumeration protections configured. - Identity changes are canaried and rollbackable. - Identity logic isolated from core business domain.
mTLS Client Certs (Basics) →