.NET
read
The request lifecycle in a .NET 9 Minimal API / MVC application follows a series of steps from incoming request to response generation. Understanding this helps in performance tuning, debugging, and implementing middleware effectively.
1️⃣ Client Sends Request → (Browser/Postman/Frontend App)
2️⃣ Kestrel Web Server Receives Request
3️⃣ Middleware Pipeline Processes Request
4️⃣ Routing Determines Controller/Minimal API
5️⃣ Model Binding & Validation (if applicable)
6️⃣ Controller Action / Minimal API Executes
7️⃣ Service Layer Handles Business Logic
8️⃣ Database Interaction Occurs (via Repository/EF Core)
9️⃣ Response Is Generated
🔟 Middleware Pipeline Handles Response
🔟 Response Is Sent Back to Client
- Kestrel is the built-in cross-platform web server in ASP.NET.
- Listens for incoming HTTP requests and forwards them to the middleware pipeline.
🔹 Example:
GET https://localhost:5001/api/expenses
- Middleware components process requests in a sequential order.
- Can short-circuit requests (e.g., authentication, caching).
- Configured in
Program.cswithapp.UseMiddleware<>.
app.Use(async (context, next) =>
{
Console.WriteLine($"Request: {context.Request.Method} {context.Request.Path}");
await next(); // Pass request to next middleware
});
| Middleware | Purpose |
|---|---|
| UseExceptionHandler | Global error handling |
| UseRouting | Determines request path |
| UseAuthentication | Handles JWT, OAuth, etc. |
| UseAuthorization | Verifies user permissions |
| UseRateLimiter | Throttles requests |
- Understanding the request lifecycle helps optimize performance.
- Middleware placement is crucial for efficient request processing.
- Asynchronous programming improves scalability.
- Database optimizations prevent performance bottlenecks.
This ensures your .NET 9 API is efficient, scalable, and production-ready! 🚀 Let me know if you need further details! 😊
read
In .NET DI, you can conditionally apply the Decorator Pattern based on configuration or runtime conditions using IServiceCollection.
public class LoggingExpenseServiceDecorator : IExpenseService
{
private readonly IExpenseService _inner;
private readonly ILogger<LoggingExpenseServiceDecorator> _logger;
public LoggingExpenseServiceDecorator(IExpenseService inner, ILogger<LoggingExpenseServiceDecorator> logger)
{
_inner = inner;
_logger = logger;
}
public async Task<string> ProcessExpenseAsync(decimal amount)
{
_logger.LogInformation($"Processing expense: {amount} USD");
var result = await _inner.ProcessExpenseAsync(amount);
_logger.LogInformation($"Expense processed successfully: {result}");
return result;
}
}
Conditionally Register the Decorator in Program.cs
var builder = WebApplication.CreateBuilder(args);
var services = builder.Services;
// Register the base service
services.AddScoped<IExpenseService, ExpenseService>();
// Conditionally apply the decorator
bool useLoggingDecorator = builder.Configuration.GetValue<bool>("UseLoggingDecorator");
if (useLoggingDecorator)
{
services.AddScoped<IExpenseService>(provider =>
{
var innerService = provider.GetRequiredService<ExpenseService>();
var logger = provider.GetRequiredService<ILogger<LoggingExpenseServiceDecorator>>();
return new LoggingExpenseServiceDecorator(innerService, logger);
});
}
var app = builder.Build();
Enable/Disable Decorator Using Configuration
{
"UseLoggingDecorator": true
}
* Set to true → Decorator will be applied.
* Set to false → Only the base service (ExpenseService) will be used.
read
- https://timdeschryver.dev/blog/the-decorator-pattern-using-nets-dependency-injection
- https://medium.com/@anderson.buenogod/mastering-the-decorator-pattern-in-c-net-8-advanced-use-cases-and-best-practices-378974abe9be
Approach 1
Approach 2
Approach 3 - Using Keyed Services to Register Multiple Implementations of the Same Interface
read
In C#, record is a reference type introduced in C# 9 that is primarily used for immutable data models. It provides several benefits over traditional class and struct types, especially when dealing with data-centric applications.
-
recordtypes are designed to be immutable by default. - Unlike
class, properties cannot be changed after object creation unless explicitly marked asmutable.
public record Person(string Name, int Age);
var person1 = new Person("Alice", 30);
// person1.Age = 31; // ❌ Compilation Error: Properties are readonly by default.
- Reduces boilerplate code compared to
class. - Supports primary constructor syntax for easier initialization.
public record Employee(string Name, string Department);
Instead of writing:
public class Employee
{
public string Name { get; }
public string Department { get; }
public Employee(string name, string department)
{
Name = name;
Department = department;
}
}
- Unlike
class, where equality is reference-based,recordcompares by value. - Two records with the same property values are considered equal.
var e1 = new Employee("Bob", "IT");
var e2 = new Employee("Bob", "IT");
Console.WriteLine(e1 == e2); // ✅ True (Value-based equality)
Whereas, with a class:
public class Employee
{
public string Name { get; }
public string Department { get; }
public Employee(string name, string department)
{
Name = name;
Department = department;
}
}
var c1 = new Employee("Bob", "IT");
var c2 = new Employee("Bob", "IT");
Console.WriteLine(c1 == c2); // ❌ False (Reference-based equality)
-
recordsupports awithexpression for making shallow copies with modifications.
var emp1 = new Employee("Alice", "HR");
var emp2 = emp1 with { Department = "Finance" }; // Copy with modified property
Console.WriteLine(emp1); // Employee { Name = Alice, Department = HR }
Console.WriteLine(emp2); // Employee { Name = Alice, Department = Finance }
- This avoids manually cloning objects in class-based designs.
- Unlike
struct,recordsupports inheritance.
public record Person(string Name);
public record Employee(string Name, string Role) : Person(Name);
- Useful when defining domain models with hierarchical relationships.
| Use Case | record or class? |
|---|---|
| Immutable Data Models | ✅ record |
| DTOs (Data Transfer Objects) | ✅ record |
| Configuration Objects | ✅ record |
| Entity Framework Models | ❌ class (EF requires mutable properties) |
| Reference Equality (e.g., Cache, Dependency Injection) | ❌ class |
public record Product(string Name, decimal Price);
- Auto-generates properties with
getaccessors. - Provides a built-in
ToString(), equality, andwithexpression support.
public record Product
{
public string Name { get; init; } = "";
public decimal Price { get; init; }
}
-
initmakes properties settable only during initialization.
- Introduced in C# 10 for value-type record behavior.
public record struct Point(int X, int Y);
- More memory-efficient for small, frequently used structures.
✅ Use record when:
- You want immutable and value-based equality behavior.
- You need concise, readable code with less boilerplate.
- You require pattern matching and efficient copying with
with.
❌ Avoidrecordwhen: - You need mutable objects (prefer
class). - You work with Entity Framework (EF requires mutable properties).
Would you like a specific example of record usage in an application, such as ASP.NET Core or a REST API? 🚀
read
To make your .NET 9 API more secure and reliable, you should implement multiple security best practices. Below are the key areas to focus on:
- Keycloak already provides OIDC-based authentication.
- Ensure access tokens are validated correctly.
- Implement role-based access control (RBAC) to restrict sensitive endpoints.
- Example in
Program.cs:app.MapGet("/admin", () => "Admin Access Only!") .RequireAuthorization(policy => policy.RequireRole("admin"));
- Enable MFA in Keycloak to require OTP-based authentication.
- Go to Authentication → Required Actions → Configure OTP.
- Limit token permissions using Keycloak’s client scopes.
- Under Clients → my-dotnet-api → Client Scopes, define:
read:expenseswrite:expenses
- Enforce HTTPS by redirecting HTTP traffic:
app.UseHttpsRedirection();
- Implement Rate Limiting with
AspNetCoreRateLimit:dotnet add package AspNetCoreRateLimit - Configure in
Program.cs:builder.Services.AddRateLimiting(options => { options.GlobalRules = new List<RateLimitRule> { new RateLimitRule { Endpoint = "*", Limit = 100, Period = "1m" } }; });
- Only allow required HTTP methods in CORS policy:
builder.Services.AddCors(options => { options.AddPolicy("AllowSpecificOrigins", policy => { policy.WithOrigins("https://trustedclient.com") .AllowMethods("GET", "POST", "PUT", "DELETE") .AllowHeaders("Authorization", "Content-Type"); }); });
- Reduce token expiration time to 15 minutes in Keycloak:
- Go to Realm Settings → Tokens → Access Token Lifespan → 15m.
- Enable refresh token rotation to prevent token reuse.
- Configure Keycloak to revoke refresh tokens upon logout.
- Use AES-256 encryption for storing sensitive data.
- Example using
System.Security.Cryptography:public static string EncryptData(string text, string key) { using var aes = Aes.Create(); aes.Key = Encoding.UTF8.GetBytes(key); aes.GenerateIV(); using var encryptor = aes.CreateEncryptor(); var bytes = Encoding.UTF8.GetBytes(text); var encrypted = encryptor.TransformFinalBlock(bytes, 0, bytes.Length); return Convert.ToBase64String(encrypted); }
- Store hashed passwords with bcrypt:
using BCrypt.Net; string hashedPassword = BCrypt.HashPassword("mypassword"); bool isValid = BCrypt.Verify("mypassword", hashedPassword);
- Use Azure Key Vault or AWS Secrets Manager to store connection strings securely.
- Always use Entity Framework Core with parameterized queries:
var expense = dbContext.Expenses .Where(e => e.Category == category) .FirstOrDefault();
- Use FluentValidation to validate API requests:
dotnet add package FluentValidation.AspNetCore - Example validation for expense creation:
public class ExpenseValidator : AbstractValidator<ExpenseDto> { public ExpenseValidator() { RuleFor(e => e.Title).NotEmpty(); RuleFor(e => e.Amount).GreaterThan(0); } }
- Install Serilog:
dotnet add package Serilog.AspNetCore - Configure in
Program.cs:Log.Logger = new LoggerConfiguration() .WriteTo.Console() .WriteTo.File("logs/log.txt", rollingInterval: RollingInterval.Day) .CreateLogger();builder.Host.UseSerilog();
- Log failed authentication attempts:
builder.Services.AddAuthentication() .AddJwtBearer(options => { options.Events = new JwtBearerEvents { OnAuthenticationFailed = context => { Log.Error("Authentication failed: {Error}", context.Exception.Message); return Task.CompletedTask; } }; });
-
Create a
Dockerfilefor containerization:FROM mcr.microsoft.com/dotnet/aspnet:9.0 COPY ./publish /app WORKDIR /app ENTRYPOINT ["dotnet", "ExpenseManager.dll"] -
Run API securely with Docker:
docker build -t expense-api . docker run -d -p 5000:80 --env ASPNETCORE_ENVIRONMENT=Production expense-api
- Use Kubernetes Network Policies to restrict API traffic.
- Use Secrets Management for storing credentials:
kubectl create secret generic api-secrets \ --from-literal=DB_CONNECTION_STRING="Server=db;Database=expense;User Id=admin;Password=securepassword"
| Security Aspect | Best Practice |
|---|---|
| Authentication | Use OAuth2.0 / OIDC with Keycloak |
| Authorization | Implement Role-Based Access Control (RBAC) |
| Rate Limiting | Prevent DDoS attacks using rate limiting |
| CORS Protection | Restrict origins, methods, and headers |
| Data Security | Encrypt sensitive data & hash passwords |
| Injection Prevention | Use parameterized queries & input validation |
| Logging & Monitoring | Implement Serilog & audit failed auth attempts |
| Deployment Security | Use Docker, Kubernetes, and Secrets Management |
By implementing these practices, your .NET 9 API will be safer, more resilient, and production-ready. 🚀
Would you like a step-by-step implementation guide for any specific practice? 😃