Leaks: stack traces internal paths config values ✅ Rule Enable only in Development.
Category: Asp.Net Core
.NET Core — Model Validation Runs Before Your Code
Even before controller logic. 🧠 Why it matters Expensive validations slow APIs Happens on every request ✅ Tip Keep DTOs small and flat.
Performance — Measuring in Dev Lies to You
Local machines hide: IO waits CPU contention GC pressure ✅ Rule Benchmark under production-like load.
Security — URL Length Can Kill Requests
Browsers & proxies limit URL size. ❌ Breaks Large GET filters Search queries ✅ Fix Use POST for complex payloads.
HTTP — Caching Is Disabled More Often Than You Think
No cache headers = slower everything. ✅ Add ETag Cache-Control If-None-Match Result: fewer bytes, faster pages, happier users.
.NET Core — Request Aborted Token Is Ignored Too Often
Client disconnects — server keeps working. ✅ Fix Use: HttpContext.RequestAborted Cancel long-running operations immediately.
.NET Core — Async Controllers Can Still Block Threads
Async does NOT guarantee non-blocking. ❌ Hidden blocker Task.Result Task.Wait() ✅ Rule Async all the way — no sync-over-async.
.NET Core — Logging Too Much Can DOS Your Own App
Excessive logging is a performance bug. ❌ Symptoms Disk IO spikes Thread pool starvation ✅ Rule Log events, not flows.
.NET Core — Kestrel Has Request Limits You Might Hit
Large uploads fail silently. Default limits Request body size Header count Header length ✅ Fix Explicitly configure limits in Kestrel.
.NET Core — Response Compression Isn’t Enabled by Default
Many APIs forget this. builder.Services.AddResponseCompression(); app.UseResponseCompression(); Result Smaller payloads Faster mobile clients Lower bandwidth costs
.NET Core — MapGroup() for API Versioning Without Pain
var v1 = app.MapGroup(“/api/v1”); v1.MapGet(“/users”, GetUsers); Benefits Cleaner routing Shared filters & auth Scales beautifully
Request Body Can Only Be Read Once
Middleware reading body breaks controllers. ✅ Fix Enable buffering: context.Request.EnableBuffering(); Then rewind stream.
Scoped Services Inside Singleton = Time Bomb
public class MySingleton { public MySingleton(MyScopedService s) { } } ❌ Problem Captures first request scope forever Causes stale data & memory leaks ✅ Fix Use IServiceScopeFactory.
Model Binding Is Slower Than You Think
Large request models cost CPU. ✅ Optimization Use [FromBody] DTOs instead of giant domain models. Why Less reflection Faster deserialization Cleaner APIs
IOptionsSnapshot vs IOptionsMonitor — Subtle but Critical
Wrong choice causes stale configs or memory leaks. IOptionsSnapshot → per request IOptionsMonitor → real-time updates ✅ Rule Use Monitor only if config changes at runtime.
IHostedService vs BackgroundService
Many misuse them. 🧠 Difference IHostedService = lifecycle hooks BackgroundService = long-running loops ✅ Rule Use BackgroundService for workers.
Middleware Order Can Break Security
Order matters a lot. ❌ Wrong UseEndpoints(); UseAuthentication(); ✅ Correct UseAuthentication(); UseAuthorization(); UseEndpoints();
HttpClient Socket Exhaustion — Still Happening in 2025
This is wrong: new HttpClient(); ✅ Correct builder.Services.AddHttpClient(); Why Reuses sockets Prevents random timeouts
Minimal APIs — Why Filters Replace Middleware
Middleware runs for every request. ✅ Endpoint Filter app.MapPost(“/orders”, handler) .AddEndpointFilter<AuthFilter>(); Why Faster Scoped Cleaner
ASP.NET Core “Request Body Already Read” — Enable Buffering
Have you ever tried to read the HttpContext.Request.Body in a middleware or a filter, only to find that your API controller receives an empty body? Or worse, your application crashes? By default, the request body is a forward-only stream. Once it’s read, the pointer reaches the end, and there’s nothing left for the next component […]
ASP.NET Core “Response Compression Not Working” — The Missing MIME Types
Compression silently fails without explicit MIME config. ✅ Fix builder.Services.AddResponseCompression(options => { options.MimeTypes = ResponseCompressionDefaults.MimeTypes .Concat(new[] { “application/json” }); });
ASP.NET Core Health Checks That Actually Matter
Many health checks always return OK. ❌ Useless services.AddHealthChecks(); ✅ Useful services.AddHealthChecks() .AddSqlServer(conn) .AddRedis(redisConn); Why Kubernetes and load balancers rely on this.
ASP.NET Core “Slow Startup” — Reflection Scanning Trap
Large projects often scan assemblies repeatedly. ✅ Fix Disable automatic scanning where possible and register explicitly: services.AddScoped<IService, Service>(); Why Reflection is slow at startup — especially in containers.
ASP.NET Core Thread Pool Starvation Explained
Symptoms: Random timeouts CPU low but requests hang Root cause Blocking calls inside async code: Task.Delay(1000).Wait(); ✅ Fix await Task.Delay(1000); Rule Never block threads in ASP.NET.
ASP.NET Core Logging Slows Your API (Yes, Really)
This is expensive: _logger.LogInformation($”User {id} logged in”); ✅ Correct Way _logger.LogInformation(“User {UserId} logged in”, id); Why Avoids string interpolation Enables structured logging Reduces allocations
.NET Core “Configuration Not Updating” — Missing ReloadOnChange
If you update appsettings.json in production and nothing changes… ✔ Fix builder.Configuration.AddJsonFile( “appsettings.json”, optional: false, reloadOnChange: true ); 💡 Bonus Works even in Kubernetes (mounted config map).
ASP.NET Core “Middleware Never Executes” — The Ordering Trap
If you place middleware in the wrong order → it silently does nothing. ❌ Wrong app.UseEndpoints(…); app.UseAuthentication(); ✔ Correct app.UseAuthentication(); app.UseAuthorization(); app.UseEndpoints(…); 💡 Golden Rule Auth must come BEFORE endpoints.
.NET Core “HttpClient Exhaustion” — Why Your API Suddenly Stops Responding
Most devs know not to use new HttpClient(),but they forget the REAL killer: DNS caching. Containers change DNS → HttpClient reuses stale DNS forever. ✔ Fix Use SocketsHttpHandler.PooledConnectionIdleTimeout: builder.Services.AddHttpClient(“api”) .ConfigurePrimaryHttpMessageHandler(() => new SocketsHttpHandler { PooledConnectionIdleTimeout = TimeSpan.FromMinutes(2) }); Prevents DNS poisoning.
ASP.NET Core “Random 404 After Deploy” — Broken Routing Cache
Kestrel caches endpoints.When you add a new route but deploy without clearing the build output → ghost routes happen. ✔ Fix Add this to .csproj: <PropertyGroup> <DisableFastUpToDateCheck>true</DisableFastUpToDateCheck> </PropertyGroup> Ensures routes rebuild properly every deploy.
.NET Core “Kestrel Timeout” — The Hidden Request Body Limit
Many APIs fail mysteriously with: “Unexpected end of request content.” Because the request body timeout is too low. ✔ Fix builder.WebHost.ConfigureKestrel(o => { o.Limits.RequestBodyTimeout = TimeSpan.FromMinutes(5); }); 💡 Life-Saver For: file uploads slower mobile clients integrations with old systems