Core Code
Core Code Modern Dev Handbook
DOTNET Contents
Foundations (Hosting, DI, Config)
Hosting Model & Kestrel Reality DI Lifetimes (This Will Leak/Break) Options Pattern & Config Binding Env Config & Secrets (Don't Bake) Logging Basics with ILogger Health Checks: Readiness vs Liveness Graceful Shutdown Basics
Web Services Basics (ASP.NET Core)
Controllers vs Minimal APIs (Tradeoffs in Prod) Middleware Pipeline Order (Bugs You Deserve) Routing Basics (Endpoints That Bite) Endpoint Filters Basics Request/Response Streaming (Backpressure Matters) Static Files (Security Foot-guns) Shutdown Draining (Don't Drop In-Flight)
Routing, Binding & Validation
Model Binding Gotchas Validation with FluentValidation (Basics) Input Validation: What to Validate Where File Upload Basics & Hardening Querystring Filtering & Limits Multipart Size Limits (Stop Zip Bombs)
Errors & Problem Details (RFC 7807)
Exception Handling Middleware (Correctly) Problem Details (RFC 7807) Done Right Validation Errors as Problem Details Error Codes & API Contracts Global JSON Settings (Safe Defaults) 404 vs Validation (Client UX & Semantics)
Authentication & Authorization
Cookie vs Bearer Auth (Don't Mix Blindly) JWT Validation Basics (What Actually Matters) JWT Key Rotation & kid Handling AuthZ Policies, Roles, Claims Resource-Based Authorization ASP.NET Identity: When to Use It mTLS Client Certs (Basics)
Security Basics (Production)
CORS Misconfigurations (Real Impact) Security Headers (Baseline) CSRF: SameSite vs Token Defenses XSS: Output Encoding & HTML Safety Deserialization Hardening SSRF & Egress Controls Rate Limiting Basics (Server-Side) Request Size Limits (Abuse Prevention) Secrets Management for .NET Apps Dependency Vulnerability Scanning
Data Access (EF Core in Prod)
DbContext Lifetime & Pooling (Prod-Safe) Migrations Safe Rollout (No Downtime) Transactions & Isolation Levels N+1 Detection & Fix Query Performance & Index Reality Optimistic Concurrency Tokens Outbox Pattern (Basics) Soft Delete & Global Query Filters Connection Resiliency (Retries Without Lies)
HTTP Clients & Integrations
HttpClientFactory: Pooling & DNS Reality Timeouts & Deadlines (Stop Hanging Threads) Retries & Backoff Policies (When It's Okay) Circuit Breakers (Basics That Matter) Idempotency Keys for Outbound Calls Headers/Auth Forwarding (Don't Leak) HTTP/2 and HTTP/3 Considerations
Reliability Patterns
Timeouts & CancellationTokens (Correct Wiring) Retries: When NOT To (Thundering Herd) Idempotency for APIs (You Need This) Server-Side Rate Limiting (Fairness & Abuse) Bulkheads & Concurrency Limits Backpressure in Streaming (Don't OOM) Graceful Degradation & Fallbacks Saga & Compensation (Basics)
Background Jobs & Hosting
HostedService Basics (The Safe Way) Background Queue with Channels Cron Scheduling: Hangfire vs Built-in Worker Service Deploy Patterns Message Consumers & Idempotency Shutdown: Cancellation & Job Draining
Observability (Logs, Metrics, Traces)
Structured Logging with Serilog Correlation IDs & Trace Context OpenTelemetry Tracing (ASP.NET Core) OpenTelemetry Metrics (SLI-first) Health Checks Deep Dive (Readiness Done Right) Log PII Redaction (Don't Get Sued) Alerting & SLO Basics (Actionable Only) Debugging in Prod (Dumps, Traces)
Performance & Tuning
ThreadPool Starvation (Symptoms & Fix) Async Pitfalls (Deadlocks, Fire-and-Forget) Allocations & GC (What Actually Hurts) Kestrel Tuning & Limits JSON Serialization Performance EF Core Perf Hotspots (How to See Them) Caching: Response/Output Strategies
Testing & Quality Gates
Unit Testing with xUnit (Basics) Integration Tests with WebApplicationFactory Contract Tests (Basics) Mocking HTTP and Time Safely Testcontainers Basics (Real Dependencies) Coverage & Quality Gates (No Theatre) Load Testing with k6 (Basics)
Build, Release & Deploy
Build/Publish, Trimming, AOT (Basics) Dockerizing ASP.NET Core (Production) Config & Secrets in Deploy (No Baking) Blue/Green & Canary (Basics) Migrations & Deploy Order (Avoid Locking) Rollbacks vs Forward-Fix (When Each Wins) Versioning & SemVer (APIs Included) CI/CD Basics (Build, Test, Scan, Ship)
Production Runbooks
Incident Triage Playbook (First 15 Minutes) Dependency Outage Playbook (Third-Party Down) DB Latency Playbook (EF Core Included) Memory Leak Playbook (OOM Hunting) CPU Saturation Playbook (Hot Paths) Timeout Storm Playbook (Cascading Failure) Deploy Failure Playbook (Rollback Safely) Production Readiness Checklist

Kestrel Tuning & Limits

Kestrel tuning is about protecting the server under abusive or broken clients: connection limits, request body limits, header limits, keep-alive, and timeouts. Without sane limits, one client can pin resources and cause a platform-wide outage.
On this page

Production incident

A client starts uploading huge request bodies slowly (or a bot does it intentionally). Your server accepts the connection and keeps it open. Connections pile up, memory and sockets rise, and legitimate traffic gets starved. Another incident: a partner sends gigantic headers and blows your reverse proxy and Kestrel limits inconsistently, causing 400/431 storms. Kestrel defaults are not "secure by default" for your workload. You must set limits.

Symptoms

  • Connection count rises and does not fall.
  • Requests hang at the start (headers/body not fully received).
  • HTTP 431/413/400 spikes when limits are inconsistent across layers.
  • Throughput collapses while CPU remains moderate.

Root causes

  • No request size limits; slow clients consume resources.
  • Keep-alive and timeouts not tuned; idle connections stay forever.
  • Header limits not aligned with proxy/gateway limits.
  • Unlimited HTTP/2 streams or connection reuse patterns not understood.

Diagnosis

# Look for Kestrel configuration
grep -R "ConfigureKestrel" -n .
grep -R "KestrelServerOptions" -n .
grep -R "MaxRequestBodySize\|RequestHeadersTimeout\|KeepAliveTimeout" -n .

Check the full chain: CDN/WAF, reverse proxy (nginx/ingress), gateway, and Kestrel. If limits differ, clients will see random failures.

Anti-pattern

  • Relying on defaults for a public API with upload endpoints.
  • Setting extremely low limits globally and breaking legitimate clients.
  • Setting limits only at the proxy and not at Kestrel (defense in depth matters).

Correct pattern

Set sane global defaults and override per endpoint when needed (uploads, streaming). Align limits across layers.

// Program.cs
builder.WebHost.ConfigureKestrel(options =>
{
    options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(10);
    options.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(30);

    options.Limits.MaxRequestBodySize = 10 * 1024 * 1024; // 10 MB default
    options.Limits.MaxRequestHeadersTotalSize = 32 * 1024; // 32 KB
    options.Limits.MaxRequestHeaderCount = 100;
});

Endpoint overrides

// Allow larger body on a specific upload endpoint
app.MapPost("/upload", async (HttpContext ctx) =>
{
    // streaming processing goes here
}).WithMetadata(new RequestSizeLimitAttribute(200 * 1024 * 1024)); // 200MB

Performance and abuse controls

  • Prefer streaming uploads and downloads. Do not buffer full bodies in memory.
  • Use server-side rate limiting for expensive endpoints.
  • Set request body size limits and header limits as a hard boundary.

Security impact

  • Limits reduce DOS risk (slowloris, oversized headers, oversized bodies).
  • Aligning limits avoids weird bypasses between proxy and app.

Operational notes

  • Monitoring: connections, request queueing, 413/431 rates, request aborted counts.
  • Rollout: tighten limits gradually and watch error rates by client. Communicate breaking changes to partners.
  • Rollback: if a limit change breaks a key client, relax per-route first, not globally.

Checklist

  • Request body and header limits are explicitly configured.
  • Timeouts (headers, keep-alive) are set to avoid idle resource pinning.
  • Limits are aligned across CDN/proxy/gateway/Kestrel.
  • Uploads/downloads use streaming, not buffering.
  • 413/431/aborted request metrics are monitored.
JSON Serialization Performance →