Core Code
Core Code Modern Dev Handbook
DOTNET Contents
Foundations (Hosting, DI, Config)
Hosting Model & Kestrel Reality DI Lifetimes (This Will Leak/Break) Options Pattern & Config Binding Env Config & Secrets (Don't Bake) Logging Basics with ILogger Health Checks: Readiness vs Liveness Graceful Shutdown Basics
Web Services Basics (ASP.NET Core)
Controllers vs Minimal APIs (Tradeoffs in Prod) Middleware Pipeline Order (Bugs You Deserve) Routing Basics (Endpoints That Bite) Endpoint Filters Basics Request/Response Streaming (Backpressure Matters) Static Files (Security Foot-guns) Shutdown Draining (Don't Drop In-Flight)
Routing, Binding & Validation
Model Binding Gotchas Validation with FluentValidation (Basics) Input Validation: What to Validate Where File Upload Basics & Hardening Querystring Filtering & Limits Multipart Size Limits (Stop Zip Bombs)
Errors & Problem Details (RFC 7807)
Exception Handling Middleware (Correctly) Problem Details (RFC 7807) Done Right Validation Errors as Problem Details Error Codes & API Contracts Global JSON Settings (Safe Defaults) 404 vs Validation (Client UX & Semantics)
Authentication & Authorization
Cookie vs Bearer Auth (Don't Mix Blindly) JWT Validation Basics (What Actually Matters) JWT Key Rotation & kid Handling AuthZ Policies, Roles, Claims Resource-Based Authorization ASP.NET Identity: When to Use It mTLS Client Certs (Basics)
Security Basics (Production)
CORS Misconfigurations (Real Impact) Security Headers (Baseline) CSRF: SameSite vs Token Defenses XSS: Output Encoding & HTML Safety Deserialization Hardening SSRF & Egress Controls Rate Limiting Basics (Server-Side) Request Size Limits (Abuse Prevention) Secrets Management for .NET Apps Dependency Vulnerability Scanning
Data Access (EF Core in Prod)
DbContext Lifetime & Pooling (Prod-Safe) Migrations Safe Rollout (No Downtime) Transactions & Isolation Levels N+1 Detection & Fix Query Performance & Index Reality Optimistic Concurrency Tokens Outbox Pattern (Basics) Soft Delete & Global Query Filters Connection Resiliency (Retries Without Lies)
HTTP Clients & Integrations
HttpClientFactory: Pooling & DNS Reality Timeouts & Deadlines (Stop Hanging Threads) Retries & Backoff Policies (When It's Okay) Circuit Breakers (Basics That Matter) Idempotency Keys for Outbound Calls Headers/Auth Forwarding (Don't Leak) HTTP/2 and HTTP/3 Considerations
Reliability Patterns
Timeouts & CancellationTokens (Correct Wiring) Retries: When NOT To (Thundering Herd) Idempotency for APIs (You Need This) Server-Side Rate Limiting (Fairness & Abuse) Bulkheads & Concurrency Limits Backpressure in Streaming (Don't OOM) Graceful Degradation & Fallbacks Saga & Compensation (Basics)
Background Jobs & Hosting
HostedService Basics (The Safe Way) Background Queue with Channels Cron Scheduling: Hangfire vs Built-in Worker Service Deploy Patterns Message Consumers & Idempotency Shutdown: Cancellation & Job Draining
Observability (Logs, Metrics, Traces)
Structured Logging with Serilog Correlation IDs & Trace Context OpenTelemetry Tracing (ASP.NET Core) OpenTelemetry Metrics (SLI-first) Health Checks Deep Dive (Readiness Done Right) Log PII Redaction (Don't Get Sued) Alerting & SLO Basics (Actionable Only) Debugging in Prod (Dumps, Traces)
Performance & Tuning
ThreadPool Starvation (Symptoms & Fix) Async Pitfalls (Deadlocks, Fire-and-Forget) Allocations & GC (What Actually Hurts) Kestrel Tuning & Limits JSON Serialization Performance EF Core Perf Hotspots (How to See Them) Caching: Response/Output Strategies
Testing & Quality Gates
Unit Testing with xUnit (Basics) Integration Tests with WebApplicationFactory Contract Tests (Basics) Mocking HTTP and Time Safely Testcontainers Basics (Real Dependencies) Coverage & Quality Gates (No Theatre) Load Testing with k6 (Basics)
Build, Release & Deploy
Build/Publish, Trimming, AOT (Basics) Dockerizing ASP.NET Core (Production) Config & Secrets in Deploy (No Baking) Blue/Green & Canary (Basics) Migrations & Deploy Order (Avoid Locking) Rollbacks vs Forward-Fix (When Each Wins) Versioning & SemVer (APIs Included) CI/CD Basics (Build, Test, Scan, Ship)
Production Runbooks
Incident Triage Playbook (First 15 Minutes) Dependency Outage Playbook (Third-Party Down) DB Latency Playbook (EF Core Included) Memory Leak Playbook (OOM Hunting) CPU Saturation Playbook (Hot Paths) Timeout Storm Playbook (Cascading Failure) Deploy Failure Playbook (Rollback Safely) Production Readiness Checklist

Static Files (Security Foot-guns)

Static files are a security boundary. Learn safe hosting, path traversal risks, cache headers, content-type sniffing, and how misconfigured static files leak secrets or enable XSS.
On this page

Static Files Can Be a Data Leak

Serving static files sounds harmless until you ship: - config backups - .env files - source maps with secrets - internal admin UIs - user-uploaded files from the same directory as app assets Static file hosting is an attack surface. Treat it as one.

Real Production Incident

Symptoms: - Security team reports that production secrets were exposed publicly. - Attackers downloaded a file that should never be public. - Incident response discovers that backups were accessible under /static/. Root cause: - Static files middleware was configured to serve from a directory that also contained deployment artifacts. - A “temporary” debug dump file was left on disk. - No denylist for sensitive extensions. - No CDN boundary; app served static directly. This is not “oops”. This is preventable design failure.

Symptom → Cause → Diagnosis → Fix

Symptom: - Unexpected files accessible via HTTP (e.g., /appsettings.json, /.env, /backup.zip) - Strange 200 responses for paths that should 404 - Security findings: exposed internal assets Cause: - Static file root includes sensitive directories - Misconfigured request path mappings - Serving user uploads via static middleware - Missing security headers and content-type controls Diagnosis: - Enumerate accessible static paths with automated scanning. - Check app container filesystem layout. - Verify StaticFileOptions and file providers. - Inspect response headers (cache, content-type, nosniff). Fix: - Strictly separate app assets from everything else. - Never serve secrets or build artifacts from the same root. - Lock down static file mappings and headers. - Consider serving static via CDN/object storage.

Anti-Pattern: Serving the Wrong Directory

This is how you leak files: 
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider("/app"),
    RequestPath = ""
});
If /app contains: - configs - logs - dumps - backups You just exposed them. Production rule: Static file root must contain only public assets.

Correct Pattern: Dedicated Static Root

Keep public assets in a dedicated directory (wwwroot) and nothing else. Basic safe setup: 
app.UseStaticFiles();
If you must serve a custom directory, do it explicitly and narrowly: 
app.UseStaticFiles(new StaticFileOptions
{
    FileProvider = new PhysicalFileProvider("/app/public"),
    RequestPath = "/static"
});
And ensure /app/public contains only safe, intended files.

User Uploads Are Not Static Assets

Never serve user uploads from the same middleware/root as your app assets. Reasons: - content-type spoofing - stored XSS via SVG/HTML - cache poisoning - access control requirements Better patterns: - store uploads in object storage (S3, Blob Storage) - use signed URLs - scan files (AV) - enforce content-type and disposition If you must serve uploads yourself: - isolate directory - enforce strict headers - deny dangerous extensions

Content-Type Sniffing and XSS Risk

Browsers may sniff content type. If you serve untrusted content without protections, you can enable XSS. Set: - X-Content-Type-Options: nosniff Example header middleware (conceptual): 
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await next();
});
Production rule: Static responses should include nosniff. Especially if any user content is involved.

Cache-Control and Versioning

Static assets should be cached aggressively if they are versioned (hash in filename). If you do not version assets: - you will ship broken UIs due to stale caches - rollback becomes messy Recommended: - /app.js?v=hash or app.hash.js - Cache-Control: public, max-age=31536000, immutable (for versioned files) - Short cache for non-versioned assets But do not blindly cache sensitive content.

Directory Browsing and File Enumeration

Do not enable directory browsing. Even if it seems harmless, it increases information disclosure: - file names - build artifacts - internal structures Production rule: If users can list directories, you have already lost control.

Path Traversal Considerations

ASP.NET Core static file middleware does not simply “join strings”, but mistakes happen when people build custom file endpoints. Anti-pattern custom endpoint: 
app.MapGet("/files/{name}", (string name) =>
{
    var path = "/uploads/" + name;
    return Results.File(path);
});
This invites traversal attempts like ../../etc/passwd (platform dependent). If you must do dynamic file serving: - normalize paths - enforce allowlist - ensure resolved path is under the intended root

Operational Notes

Monitoring: - alert on requests for sensitive filenames (.env, appsettings.json, backup.zip) - track 404 spikes for scanning patterns - monitor bandwidth anomalies (static abuse) Rollout: - verify filesystem layout in container image - run security scan for exposed files before production rollout Rollback: - if you leak a file, rollback is not enough: - rotate secrets - invalidate caches/CDN - purge leaked artifacts - audit access logs Risk management: - prefer CDN/object storage for static and uploads - keep app instances for API traffic, not bulk file serving

Checklist

- Static root contains only intended public assets (no configs, logs, backups). - User uploads are isolated and not served as generic static assets. - X-Content-Type-Options: nosniff is present for static responses. - Cache-Control strategy defined (versioned assets cached aggressively). - Directory browsing is not enabled. - Requests for sensitive filenames are monitored and alerted. - Pre-deploy scanning verifies no secrets or artifacts are publicly accessible. - Incident plan includes secret rotation and cache invalidation for leaks.
Shutdown Draining (Don't Drop In-Flight) →