Core Code
Core Code Modern Dev Handbook
DOTNET Contents
Foundations (Hosting, DI, Config)
Hosting Model & Kestrel Reality DI Lifetimes (This Will Leak/Break) Options Pattern & Config Binding Env Config & Secrets (Don't Bake) Logging Basics with ILogger Health Checks: Readiness vs Liveness Graceful Shutdown Basics
Web Services Basics (ASP.NET Core)
Controllers vs Minimal APIs (Tradeoffs in Prod) Middleware Pipeline Order (Bugs You Deserve) Routing Basics (Endpoints That Bite) Endpoint Filters Basics Request/Response Streaming (Backpressure Matters) Static Files (Security Foot-guns) Shutdown Draining (Don't Drop In-Flight)
Routing, Binding & Validation
Model Binding Gotchas Validation with FluentValidation (Basics) Input Validation: What to Validate Where File Upload Basics & Hardening Querystring Filtering & Limits Multipart Size Limits (Stop Zip Bombs)
Errors & Problem Details (RFC 7807)
Exception Handling Middleware (Correctly) Problem Details (RFC 7807) Done Right Validation Errors as Problem Details Error Codes & API Contracts Global JSON Settings (Safe Defaults) 404 vs Validation (Client UX & Semantics)
Authentication & Authorization
Cookie vs Bearer Auth (Don't Mix Blindly) JWT Validation Basics (What Actually Matters) JWT Key Rotation & kid Handling AuthZ Policies, Roles, Claims Resource-Based Authorization ASP.NET Identity: When to Use It mTLS Client Certs (Basics)
Security Basics (Production)
CORS Misconfigurations (Real Impact) Security Headers (Baseline) CSRF: SameSite vs Token Defenses XSS: Output Encoding & HTML Safety Deserialization Hardening SSRF & Egress Controls Rate Limiting Basics (Server-Side) Request Size Limits (Abuse Prevention) Secrets Management for .NET Apps Dependency Vulnerability Scanning
Data Access (EF Core in Prod)
DbContext Lifetime & Pooling (Prod-Safe) Migrations Safe Rollout (No Downtime) Transactions & Isolation Levels N+1 Detection & Fix Query Performance & Index Reality Optimistic Concurrency Tokens Outbox Pattern (Basics) Soft Delete & Global Query Filters Connection Resiliency (Retries Without Lies)
HTTP Clients & Integrations
HttpClientFactory: Pooling & DNS Reality Timeouts & Deadlines (Stop Hanging Threads) Retries & Backoff Policies (When It's Okay) Circuit Breakers (Basics That Matter) Idempotency Keys for Outbound Calls Headers/Auth Forwarding (Don't Leak) HTTP/2 and HTTP/3 Considerations
Reliability Patterns
Timeouts & CancellationTokens (Correct Wiring) Retries: When NOT To (Thundering Herd) Idempotency for APIs (You Need This) Server-Side Rate Limiting (Fairness & Abuse) Bulkheads & Concurrency Limits Backpressure in Streaming (Don't OOM) Graceful Degradation & Fallbacks Saga & Compensation (Basics)
Background Jobs & Hosting
HostedService Basics (The Safe Way) Background Queue with Channels Cron Scheduling: Hangfire vs Built-in Worker Service Deploy Patterns Message Consumers & Idempotency Shutdown: Cancellation & Job Draining
Observability (Logs, Metrics, Traces)
Structured Logging with Serilog Correlation IDs & Trace Context OpenTelemetry Tracing (ASP.NET Core) OpenTelemetry Metrics (SLI-first) Health Checks Deep Dive (Readiness Done Right) Log PII Redaction (Don't Get Sued) Alerting & SLO Basics (Actionable Only) Debugging in Prod (Dumps, Traces)
Performance & Tuning
ThreadPool Starvation (Symptoms & Fix) Async Pitfalls (Deadlocks, Fire-and-Forget) Allocations & GC (What Actually Hurts) Kestrel Tuning & Limits JSON Serialization Performance EF Core Perf Hotspots (How to See Them) Caching: Response/Output Strategies
Testing & Quality Gates
Unit Testing with xUnit (Basics) Integration Tests with WebApplicationFactory Contract Tests (Basics) Mocking HTTP and Time Safely Testcontainers Basics (Real Dependencies) Coverage & Quality Gates (No Theatre) Load Testing with k6 (Basics)
Build, Release & Deploy
Build/Publish, Trimming, AOT (Basics) Dockerizing ASP.NET Core (Production) Config & Secrets in Deploy (No Baking) Blue/Green & Canary (Basics) Migrations & Deploy Order (Avoid Locking) Rollbacks vs Forward-Fix (When Each Wins) Versioning & SemVer (APIs Included) CI/CD Basics (Build, Test, Scan, Ship)
Production Runbooks
Incident Triage Playbook (First 15 Minutes) Dependency Outage Playbook (Third-Party Down) DB Latency Playbook (EF Core Included) Memory Leak Playbook (OOM Hunting) CPU Saturation Playbook (Hot Paths) Timeout Storm Playbook (Cascading Failure) Deploy Failure Playbook (Rollback Safely) Production Readiness Checklist

Validation Errors as Problem Details

Validation errors must be predictable and machine-readable. Learn how to return Problem Details for invalid input with stable field errors, consistent status codes, and zero information leaks.
On this page

Validation Errors Are the Most Common Errors

In a healthy API, 400s happen often: - clients send invalid payloads - clients run older versions - users paste garbage - third parties integrate incorrectly If validation errors are inconsistent, you create: - client-side guesswork - support ticket noise - slow incident triage - accidental information leaks Production rule: Validation failures must return a stable schema that clients can rely on.

Real Production Incident

Symptoms: - Web app shows “Unknown error” for invalid inputs because it cannot map server errors to form fields. - Mobile app shows different messages than web for the same error. - After deployment, a spike in 400s causes alarm because the team cannot distinguish “expected validation errors” from real issues. Root cause: - Validation errors were returned as ad-hoc strings. - Field-level errors were not included consistently. - Some endpoints returned 400, others returned 422 with different formats. This is an error contract failure.

Symptom → Cause → Diagnosis → Fix

Symptom: - client cannot highlight invalid fields reliably - inconsistent error formats per endpoint - confusion between expected 400s and production incidents Cause: - no standard validation error schema - mixing validation mechanisms (ModelState, FluentValidation, ad-hoc checks) - inconsistent status codes for validation failures - returning raw validator messages that change over time Diagnosis: - Submit the same invalid payload to multiple endpoints and compare responses. - Inspect whether errors contain field names and machine-readable codes. - Check whether status codes are consistent. - Audit whether error responses leak internal rule details. Fix: - Standardize validation errors using Problem Details. - Include a stable structure for field errors. - Choose a single status code strategy (usually 400) and enforce it. - Avoid exposing internal rule implementation details.

What Clients Need From Validation Errors

A production-grade validation error should provide: - stable top-level error_code - a list/map of field errors - optional per-field error codes (stable identifiers) - correlation id for debugging Clients should not parse error message strings.

Anti-Pattern: String-Based Validation Errors

This breaks clients and drifts: 
return Results.BadRequest("Quantity must be greater than zero");
Or: 
return Results.BadRequest(new { error = "invalid input" });
No field mapping. No stable codes. No contract.

Correct Pattern: Problem Details With Field Errors

Use a stable schema. Example: - status: 400 - type: https://example.com/problems/validation - error_code: VALIDATION_FAILED - errors: map of field -> list of messages/codes Example response construction (conceptual): 
var errors = new Dictionary<string, string[]>
{
    ["quantity"] = new[] { "Must be greater than 0" },
    ["sku"] = new[] { "Required" }
};

return Results.Problem(
    title: "Validation failed",
    statusCode: 400,
    type: "https://example.com/problems/validation",
    detail: "One or more fields are invalid.",
    extensions: new Dictionary<string, object?>
    {
        ["error_code"] = "VALIDATION_FAILED",
        ["errors"] = errors,
        ["correlation_id"] = http.TraceIdentifier
    });
Production rule: errors must reference stable field names used by clients.

Status Code Choice: 400 vs 422

Both can be defensible, but inconsistency is not. Recommendation for most APIs: - Use 400 for invalid input. - Keep 422 only if you have a very clear semantic split and it is documented. Production rule: Pick one strategy, apply it everywhere.

Do Not Leak Rule Implementation Details

Validator messages may reveal too much: - exact constraints that help attackers optimize payloads - internal model names - business logic details Balance: - enough info for legitimate client correction - not enough to help abuse Production rule: Use stable, safe messages. Avoid echoing raw input in errors.

Field Naming Consistency

A classic production pain: - C# property names are PascalCase - JSON uses camelCase - clients map fields by JSON names Ensure your error keys match your JSON contract: - quantity, sku, shippingAddress.postalCode (if you use dotted paths) If you change naming policy, you must update validation errors too, or clients break.

Operational Notes

Monitoring: - Track validation failures rate separately from 5xx. - Track top invalid fields (bounded cardinality). - Alert on sudden 400 spikes after deploy (breaking changes or client rollout issue). Rollout: - Validation rule changes can be breaking changes. - Canary rule changes and monitor 400 rates. - Keep backward compatibility where possible. Rollback: - If validation changes block legitimate traffic, rollback fast. - Do not disable validation globally; it becomes a security hole.

Checklist

- Validation errors return Problem Details consistently. - A stable error_code is included (e.g., VALIDATION_FAILED). - Field-level errors are included in a predictable structure. - Field names match the JSON contract used by clients. - Status codes for validation are consistent across endpoints. - Error messages are safe and do not leak internal details. - Validation failure metrics monitored separately from 5xx. - Validation rule changes are canaried and rollbackable.
Error Codes & API Contracts →