Core Code
Core Code Modern Dev Handbook
DOTNET Contents
Foundations (Hosting, DI, Config)
Hosting Model & Kestrel Reality DI Lifetimes (This Will Leak/Break) Options Pattern & Config Binding Env Config & Secrets (Don't Bake) Logging Basics with ILogger Health Checks: Readiness vs Liveness Graceful Shutdown Basics
Web Services Basics (ASP.NET Core)
Controllers vs Minimal APIs (Tradeoffs in Prod) Middleware Pipeline Order (Bugs You Deserve) Routing Basics (Endpoints That Bite) Endpoint Filters Basics Request/Response Streaming (Backpressure Matters) Static Files (Security Foot-guns) Shutdown Draining (Don't Drop In-Flight)
Routing, Binding & Validation
Model Binding Gotchas Validation with FluentValidation (Basics) Input Validation: What to Validate Where File Upload Basics & Hardening Querystring Filtering & Limits Multipart Size Limits (Stop Zip Bombs)
Errors & Problem Details (RFC 7807)
Exception Handling Middleware (Correctly) Problem Details (RFC 7807) Done Right Validation Errors as Problem Details Error Codes & API Contracts Global JSON Settings (Safe Defaults) 404 vs Validation (Client UX & Semantics)
Authentication & Authorization
Cookie vs Bearer Auth (Don't Mix Blindly) JWT Validation Basics (What Actually Matters) JWT Key Rotation & kid Handling AuthZ Policies, Roles, Claims Resource-Based Authorization ASP.NET Identity: When to Use It mTLS Client Certs (Basics)
Security Basics (Production)
CORS Misconfigurations (Real Impact) Security Headers (Baseline) CSRF: SameSite vs Token Defenses XSS: Output Encoding & HTML Safety Deserialization Hardening SSRF & Egress Controls Rate Limiting Basics (Server-Side) Request Size Limits (Abuse Prevention) Secrets Management for .NET Apps Dependency Vulnerability Scanning
Data Access (EF Core in Prod)
DbContext Lifetime & Pooling (Prod-Safe) Migrations Safe Rollout (No Downtime) Transactions & Isolation Levels N+1 Detection & Fix Query Performance & Index Reality Optimistic Concurrency Tokens Outbox Pattern (Basics) Soft Delete & Global Query Filters Connection Resiliency (Retries Without Lies)
HTTP Clients & Integrations
HttpClientFactory: Pooling & DNS Reality Timeouts & Deadlines (Stop Hanging Threads) Retries & Backoff Policies (When It's Okay) Circuit Breakers (Basics That Matter) Idempotency Keys for Outbound Calls Headers/Auth Forwarding (Don't Leak) HTTP/2 and HTTP/3 Considerations
Reliability Patterns
Timeouts & CancellationTokens (Correct Wiring) Retries: When NOT To (Thundering Herd) Idempotency for APIs (You Need This) Server-Side Rate Limiting (Fairness & Abuse) Bulkheads & Concurrency Limits Backpressure in Streaming (Don't OOM) Graceful Degradation & Fallbacks Saga & Compensation (Basics)
Background Jobs & Hosting
HostedService Basics (The Safe Way) Background Queue with Channels Cron Scheduling: Hangfire vs Built-in Worker Service Deploy Patterns Message Consumers & Idempotency Shutdown: Cancellation & Job Draining
Observability (Logs, Metrics, Traces)
Structured Logging with Serilog Correlation IDs & Trace Context OpenTelemetry Tracing (ASP.NET Core) OpenTelemetry Metrics (SLI-first) Health Checks Deep Dive (Readiness Done Right) Log PII Redaction (Don't Get Sued) Alerting & SLO Basics (Actionable Only) Debugging in Prod (Dumps, Traces)
Performance & Tuning
ThreadPool Starvation (Symptoms & Fix) Async Pitfalls (Deadlocks, Fire-and-Forget) Allocations & GC (What Actually Hurts) Kestrel Tuning & Limits JSON Serialization Performance EF Core Perf Hotspots (How to See Them) Caching: Response/Output Strategies
Testing & Quality Gates
Unit Testing with xUnit (Basics) Integration Tests with WebApplicationFactory Contract Tests (Basics) Mocking HTTP and Time Safely Testcontainers Basics (Real Dependencies) Coverage & Quality Gates (No Theatre) Load Testing with k6 (Basics)
Build, Release & Deploy
Build/Publish, Trimming, AOT (Basics) Dockerizing ASP.NET Core (Production) Config & Secrets in Deploy (No Baking) Blue/Green & Canary (Basics) Migrations & Deploy Order (Avoid Locking) Rollbacks vs Forward-Fix (When Each Wins) Versioning & SemVer (APIs Included) CI/CD Basics (Build, Test, Scan, Ship)
Production Runbooks
Incident Triage Playbook (First 15 Minutes) Dependency Outage Playbook (Third-Party Down) DB Latency Playbook (EF Core Included) Memory Leak Playbook (OOM Hunting) CPU Saturation Playbook (Hot Paths) Timeout Storm Playbook (Cascading Failure) Deploy Failure Playbook (Rollback Safely) Production Readiness Checklist

JWT Key Rotation & kid Handling

JWT key rotation and kid handling must be seamless and strict. Learn how to support multiple signing keys safely, avoid downtime during rotation, and prevent accepting malicious keys.
On this page

Key Rotation Is Inevitable

Signing keys will rotate: - routine security policy - key compromise - certificate expiration - identity provider changes If your service cannot handle key rotation smoothly, you will get: - sudden 401 spikes - full production outages - emergency config hacks that weaken security Production rule: Your service must accept multiple valid signing keys during transition, and reject everything else.

Real Production Incident

Symptoms: - All authenticated requests start failing with 401 at once. - No code deployment happened. - Identity provider rotated signing key. - Service only trusted a single hardcoded key. Root cause: - No support for multiple keys. - No automatic metadata refresh. - Key rotation not tested in staging. This is not an auth bug. It is an operational failure.

Symptom → Cause → Diagnosis → Fix

Symptom: - sudden global 401 failures - valid tokens rejected - logs show signature validation errors Cause: - hardcoded IssuerSigningKey - no metadata endpoint usage - no support for multiple signing keys - no kid handling Diagnosis: - Inspect JWT header for kid. - Compare against configured keys. - Check whether key metadata endpoint changed. - Review TokenValidationParameters for key resolution logic. Fix: - Use signing key resolution via trusted metadata (e.g., OpenID Connect). - Support multiple keys simultaneously. - Refresh metadata periodically. - Monitor signature validation failures by reason.

What kid Does

JWT header contains: - alg - kid (key identifier) kid allows the verifier to: - select the correct public key among multiple active keys. Production rule: Do not ignore kid if your issuer rotates keys.

Anti-Pattern: Single Hardcoded Key

This breaks during rotation: 
options.TokenValidationParameters = new TokenValidationParameters
{
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("hardcoded-secret"))
};
Problems: - no rotation - no key rollover window - secret often stored in config or repo - impossible zero-downtime rotation

Correct Pattern: Key Discovery and Multiple Keys

For external identity providers: - rely on metadata endpoint (OpenID Connect discovery) - let framework fetch signing keys - validate issuer and audience strictly Conceptually: 
options.Authority = "https://issuer.example.com";
options.TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidateAudience = true,
    ValidateIssuerSigningKey = true
};
The framework retrieves and caches keys from the issuer’s JWKS endpoint. Production rule: Trust keys only from the configured Authority.

Rotation Window Strategy

During rotation: - Old key signs existing tokens. - New key signs new tokens. - Both must be accepted temporarily. Your service must: - accept tokens signed with old and new keys - reject tokens signed with unknown keys If you manually manage keys: - maintain key list with versioning - support overlapping validity window - remove old key only after all old tokens expired

Do Not Trust Arbitrary kid

Attack vector: Attacker crafts token with arbitrary kid and tries to force service to load malicious key. Mitigations: - Only resolve keys from trusted issuer metadata. - Do not dynamically fetch keys from arbitrary URLs derived from token. - Do not accept keys embedded in token. Production rule: Key source must be fixed and trusted, never token-driven.

Monitoring Key-Related Failures

Track: - signature validation failures - unknown kid errors - metadata fetch failures - key refresh events Alert: - sudden spike in signature failures - failure to fetch metadata - unexpected change in key set This is early warning for: - issuer rotation - misconfiguration - attack attempts

Emergency Key Compromise Scenario

If a signing key is compromised: - issuer rotates key - revoke old key immediately - tokens signed with old key must be rejected Your service must: - refresh metadata quickly - reject compromised key - tolerate short-term auth failures gracefully Production rule: Have a documented runbook for key compromise.

Operational Notes

Testing: - Simulate key rotation in staging. - Verify zero 401 spikes during planned rotation. - Test metadata refresh timing. Rollout: - When changing Authority or key config, canary. - Validate new tokens and old tokens both succeed during overlap. Rollback: - If key config misapplied and causes 401 storm, rollback config immediately. - Keep previous config ready for fast restore. Governance: - Do not embed secrets in source code. - Rotate symmetric secrets regularly if used. - Prefer asymmetric keys and external identity providers for scale.

Checklist

- JWT validation supports multiple signing keys simultaneously. - kid is used to select correct key. - Keys are sourced only from trusted issuer metadata. - No hardcoded secrets in source code. - Key rotation tested in staging before production. - Signature validation failures are monitored and alerted. - Metadata refresh strategy is understood and documented. - Runbook exists for emergency key compromise.
AuthZ Policies, Roles, Claims →