Refactoring vs rewriting

Refactoring changes internal structure without changing external behavior. Rewriting replaces implementation more broadly.

Good refactoring:

• has tests or clear verification
• happens in small steps
• preserves behavior
• improves naming, boundaries, or duplication

Risky refactoring:

• changes too many behaviors at once
• mixes cleanup with feature work
• lacks tests around the affected paths
• moves code without improving clarity

Refactoring should reduce future cost, not create churn.

Roslyn analyzers

Roslyn analyzers inspect C# code at compile time.

Common analyzer categories:

• correctness
• style
• security
• performance
• API usage

Enable built-in analysis in .csproj:

<PropertyGroup>
  <AnalysisLevel>latest</AnalysisLevel>
  <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
</PropertyGroup>

For mature projects, teams often turn selected warnings into errors.

EditorConfig

.editorconfig keeps formatting and style consistent.

Example:

[*.cs]
dotnet_style_qualification_for_field = false:suggestion
csharp_style_namespace_declarations = file_scoped:suggestion
dotnet_diagnostic.IDE0060.severity = warning

Consistent formatting reduces review noise. Developers should discuss design, behavior, and risk instead of whitespace.

Sonar and static analysis

SonarQube or SonarCloud can identify:

• bugs
• vulnerabilities
• code smells
• duplication
• test coverage gaps

Use static analysis as a signal, not as a substitute for engineering judgment. Not every finding has equal value, and suppressions should be intentional.

Architecture tests

Architecture tests verify dependency rules.

Example rule:

Domain must not depend on Infrastructure.

Conceptual test:

[Fact]
public void Domain_Should_Not_Depend_On_Infrastructure()
{
    var result = Types.InAssembly(typeof(Order).Assembly)
        .Should()
        .NotHaveDependencyOn("Store.Infrastructure")
        .GetResult();

    Assert.True(result.IsSuccessful);
}

Architecture tests are useful when boundaries are important and easy to accidentally violate.

Refactoring workflow

A safe workflow:

1. add or confirm tests around the behavior
2. make one structural change
3. run tests
4. repeat
5. keep commits focused

For large refactors, avoid mixing:

• renames
• behavior changes
• dependency upgrades
• formatting-only changes

Separate commits make review and rollback easier.

Code review signals

Look for:

• unclear names
• hidden side effects
• duplicated business rules
• missing error handling
• weak tests around changed behavior
• abstractions with no clear purpose

Do not chase theoretical purity while ignoring real bugs. Code quality should support delivery and reliability.

Common mistakes to avoid

Watch for these issues:

• treating analyzer output as a checklist without judgment
• doing broad cleanup in unrelated feature PRs
• creating abstractions before duplication proves they are needed
• ignoring architecture drift until it is expensive to fix
• refactoring without a way to verify behavior

Sustainable code quality comes from small habits repeated consistently: clear names, focused tests, useful analyzers, architecture boundaries, and disciplined refactoring.

Next Article: Building Production-Ready .NET Systems: A Practical Roadmap

Composition root

The composition root is where the application wires dependencies together. In ASP.NET Core, this usually lives in Program.cs and extension methods called from it.

Example:

builder.Services.AddOrderProcessing(builder.Configuration);
builder.Services.AddPayments(builder.Configuration);
builder.Services.AddMessaging(builder.Configuration);

The goal is:

• register dependencies in one predictable place
• keep business classes free from container usage
• avoid scattering IServiceProvider calls through the codebase

Keyed services

Keyed services let you register multiple implementations of the same service type and choose by key.

Example:

builder.Services.AddKeyedScoped<IPaymentProcessor, StripePaymentProcessor>("stripe");
builder.Services.AddKeyedScoped<IPaymentProcessor, PaypalPaymentProcessor>("paypal");

Resolve in a minimal API:

app.MapPost("/payments/stripe", (
    [FromKeyedServices("stripe")] IPaymentProcessor processor) =>
{
    return processor.ProcessAsync();
});

Use keyed services when the key is a real application concept. Avoid using them to hide unclear design decisions.

Decorators

A decorator wraps another implementation to add behavior.

Use cases:

• logging
• caching
• metrics
• retries
• validation

Example:

public sealed class CachedProductService(
    IProductService inner,
    IMemoryCache cache) : IProductService
{
    public Task<ProductDto?> GetByIdAsync(int id, CancellationToken cancellationToken)
    {
        return cache.GetOrCreateAsync(
            $"products:{id}",
            entry =>
            {
                entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5);
                return inner.GetByIdAsync(id, cancellationToken);
            });
    }
}

Decorators keep cross-cutting behavior outside the core implementation.

Factory patterns

Sometimes runtime values determine which implementation to use.

public sealed class PaymentProcessorFactory(IServiceProvider serviceProvider)
{
    public IPaymentProcessor GetProcessor(string provider)
    {
        return provider switch
        {
            "stripe" => serviceProvider.GetRequiredKeyedService<IPaymentProcessor>("stripe"),
            "paypal" => serviceProvider.GetRequiredKeyedService<IPaymentProcessor>("paypal"),
            _ => throw new InvalidOperationException("Unknown payment provider.")
        };
    }
}

Use factories carefully. If every class starts asking the container for dependencies, you are drifting toward the service locator anti-pattern.

Avoid service locator

This is usually a smell:

public sealed class OrderService(IServiceProvider serviceProvider)
{
    public Task SubmitAsync()
    {
        var repository = serviceProvider.GetRequiredService<IOrderRepository>();
        return Task.CompletedTask;
    }
}

Prefer explicit constructor dependencies. They make requirements visible and testing easier.

Common mistakes to avoid

Watch for these issues:

• injecting IServiceProvider everywhere
• using keyed services where a strategy object would be clearer
• registering singletons that depend on scoped services
• hiding complex composition in controllers
• creating decorators that change business behavior unexpectedly

Advanced DI should clarify composition, not make dependency graphs harder to understand.

Next Article: Refactoring and Code Quality in .NET: Analyzers, Sonar, Style, and Architecture Tests

What SignalR provides

SignalR abstracts connection management and real-time messaging.

Core concepts:

• hub: server-side entry point
• connection: a connected client
• group: named collection of connections
• client method: function invoked on the client

Basic hub:

public sealed class NotificationsHub : Hub
{
    public async Task JoinTenantGroup(string tenantId)
    {
        await Groups.AddToGroupAsync(Context.ConnectionId, $"tenant:{tenantId}");
    }
}

Register and map:

builder.Services.AddSignalR();

var app = builder.Build();

app.MapHub<NotificationsHub>("/hubs/notifications");

Sending messages

Send from outside a hub using IHubContext.

public sealed class NotificationService(
    IHubContext<NotificationsHub> hubContext)
{
    public Task NotifyTenantAsync(string tenantId, string message)
    {
        return hubContext.Clients
            .Group($"tenant:{tenantId}")
            .SendAsync("notificationReceived", message);
    }
}

This is useful when background jobs or API endpoints need to push updates.

Groups

Groups are essential for targeting messages.

Examples:

• tenant:acme
• order:42
• user:123
• dashboard:operations

Groups are not a security boundary by themselves. You still need to authorize who can join a group.

Authentication and authorization

SignalR connections can use the same ASP.NET Core authentication system.

app.MapHub<NotificationsHub>("/hubs/notifications")
   .RequireAuthorization();

Inside the hub, use claims to verify access:

var tenantId = Context.User?.FindFirst("tenant_id")?.Value;

Do not let clients join arbitrary tenant or resource groups without server-side validation.

Scaling SignalR

Single-instance SignalR is straightforward. Multiple app instances need a backplane or managed service so messages reach clients connected to any instance.

Common options:

• Azure SignalR Service
• Redis backplane
• sticky sessions in limited scenarios

For large real-time systems, prefer managed SignalR infrastructure when it fits the cloud platform. It reduces connection scaling burden.

Common mistakes to avoid

Watch for these issues:

• sending messages to all clients when groups are required
• trusting client-supplied group names
• ignoring reconnect behavior
• assuming in-memory connection state works across multiple servers
• using SignalR for workflows that only need polling or ordinary HTTP

SignalR is best when users benefit from immediate updates. Design groups, authorization, and scale-out from the beginning.

Next Article: Advanced Dependency Injection in .NET: Keyed Services, Decorators, and Composition Roots

Tenant identification

The app needs a reliable way to determine the current tenant.

Common strategies:

• subdomain: acme.example.com
• route: /tenants/acme/orders
• header: X-Tenant-Id
• token claim: tenant_id

Example middleware concept:

public sealed class TenantMiddleware(RequestDelegate next)
{
    public async Task InvokeAsync(HttpContext context, ITenantResolver resolver)
    {
        var tenant = await resolver.ResolveAsync(context);

        if (tenant is null)
        {
            context.Response.StatusCode = StatusCodes.Status400BadRequest;
            await context.Response.WriteAsync("Tenant is required.");
            return;
        }

        context.Items["Tenant"] = tenant;
        await next(context);
    }
}

Tenant resolution must happen early enough that downstream services can use it.

Data isolation patterns

Common storage models:

• shared database, shared schema, tenant column
• shared database, separate schema per tenant
• separate database per tenant

Shared database with tenant column:

• simplest operationally
• requires strict filters
• works well for many small tenants

Separate database per tenant:

• strongest isolation
• easier tenant-level backup and restore
• more operational complexity

There is no universal best option. The right model depends on tenant count, isolation needs, compliance, and operational maturity.

Tenant-aware EF Core queries

For shared-schema models, every tenant-owned row needs a tenant key.

public interface ITenantEntity
{
    string TenantId { get; set; }
}

Global query filters can help:

modelBuilder.Entity<Order>()
    .HasQueryFilter(o => o.TenantId == _tenantContext.TenantId);

This reduces accidental cross-tenant reads, but it is not a substitute for careful testing and authorization.

Tenant-specific configuration

Tenants may have different settings:

• feature flags
• branding
• connection strings
• limits and quotas
• integration credentials

Model it explicitly:

public sealed record TenantSettings(
    string TenantId,
    bool EnableAdvancedReports,
    int MaxUsers);

Cache tenant settings carefully and invalidate them when changed.

Security concerns

Multi-tenancy raises the cost of mistakes. A cross-tenant data leak is a serious incident.

Controls:

• authorize tenant membership from server-side identity
• do not trust tenant IDs supplied by the client alone
• add automated tests for tenant isolation
• log tenant context in security events
• avoid global admin shortcuts without auditing

Common mistakes to avoid

Watch for these issues:

• forgetting tenant filters in one query
• trusting headers from public clients without validation
• mixing tenant configuration with user preferences
• making tenant resolution inconsistent across APIs and workers
• ignoring background jobs that process tenant data

Multi-tenancy must be a first-class architectural concern. Add tenant context, isolation, testing, and observability early, because retrofitting them later is expensive.

Next Article: Real-Time Systems in .NET: SignalR Architecture and Scaling

Start with the hosting model

Before choosing a platform, answer:

• is the app a web API, worker, or both
• does it need containers
• does it need scale-to-zero
• who manages the runtime and OS
• what observability and secrets tools are available
• how deployments and rollbacks work

Cloud choice is architecture. It affects configuration, networking, deployment, and operations.

Azure App Service

Azure App Service is a managed platform for web apps and APIs.

Good fit:

• straightforward ASP.NET Core APIs
• teams that want minimal infrastructure management
• apps that do not require custom orchestration
• deployments from GitHub Actions or Azure DevOps

Benefits:

• managed runtime
• deployment slots
• built-in TLS support
• easy custom domains
• integration with Application Insights

Tradeoffs:

• less control than container orchestration
• some platform behavior is specific to App Service
• workers and background jobs need careful planning

Azure Container Apps

Azure Container Apps runs containers on a managed platform with scaling features.

Good fit:

• containerized APIs
• worker services
• event-driven scale
• teams that want containers without managing Kubernetes directly

Useful capabilities:

• revision-based deployments
• scale rules
• managed ingress
• environment variables and secrets
• Dapr integration when needed

Container Apps is attractive when you want container packaging but not full cluster ownership.

AWS ECS and Fargate

Amazon ECS runs containers. Fargate lets you run ECS tasks without managing EC2 instances.

Good fit:

• containerized .NET APIs
• worker services
• teams already on AWS
• services that need VPC-level integration

Core concepts:

• task definition describes containers
• service keeps tasks running
• cluster groups capacity
• load balancer routes traffic
• CloudWatch collects logs and metrics

Fargate reduces infrastructure management by removing the need to manage the underlying servers.

Configuration and secrets

Across cloud platforms, keep the same .NET design:

• use appsettings.json for non-sensitive defaults
• override with environment variables
• store secrets in platform secret stores
• validate options at startup

Example environment variable:

ConnectionStrings__Default=...

.NET configuration providers make this consistent across Azure, AWS, containers, and local development.

Health checks and scaling

Cloud platforms need to know whether the app is healthy.

builder.Services.AddHealthChecks();

app.MapHealthChecks("/health");

For production, distinguish:

• liveness: process is running
• readiness: app can handle traffic

Scaling depends on the platform:

• App Service scales instances
• Container Apps can scale by HTTP traffic, queue length, or events
• ECS services scale task count based on metrics

Choosing pragmatically

Use Azure App Service when:

• you want a simple managed web app platform
• the app is mostly HTTP
• speed of setup matters

Use Azure Container Apps when:

• containers are part of your workflow
• you need event-driven scale
• you want less operational overhead than Kubernetes

Use ECS/Fargate when:

• AWS is the primary cloud
• containers are standard
• VPC networking and AWS service integration matter

Common mistakes to avoid

Watch for these issues:

• choosing Kubernetes-level complexity too early
• storing secrets in images or source control
• missing health checks
• failing to design logging and metrics before production
• assuming local container behavior matches cloud networking exactly

Cloud platforms differ, but the application fundamentals remain stable: external configuration, health checks, logs, metrics, secure secrets, and repeatable deployments.

Next Article: Multi-Tenancy Patterns in ASP.NET Core

Why CI/CD matters

CI/CD reduces manual deployment risk. Every change should pass the same repeatable checks before it reaches users.

A baseline pipeline should answer:

• does the code restore successfully
• does it compile
• do tests pass
• can the app be packaged
• which environment receives the deployment

Basic build and test workflow

Create .github/workflows/dotnet.yml:

name: dotnet-ci

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - run: dotnet restore
      - run: dotnet build --configuration Release --no-restore
      - run: dotnet test --configuration Release --no-build

This is the minimum useful loop for most .NET repos.

Publishing artifacts

After tests pass, publish the app:

      - run: dotnet publish src/Store.Api/Store.Api.csproj --configuration Release --output ./publish

      - uses: actions/upload-artifact@v4
        with:
          name: store-api
          path: ./publish

Artifacts give later jobs a known package to deploy. This is better than rebuilding separately for every environment.

Secrets

Never hard-code credentials in workflow files.

Use GitHub Actions secrets:

env:
  ConnectionStrings__Default: $

Rules:

• store secrets in GitHub secret stores
• scope secrets by repository, organization, or environment
• do not echo secrets in logs
• rotate credentials when needed

Environments

GitHub environments help control deployments.

Example:

deploy-staging:
  runs-on: ubuntu-latest
  environment: staging
  needs: build

Production environments can require approvals, protection rules, and separate secrets.

Build once, deploy many

A strong pipeline builds once and promotes the same artifact.

Why:

• staging and production receive the same compiled output
• fewer “works in staging but not prod” surprises
• deployment becomes a promotion decision

For containers, the equivalent is:

• build an image once
• tag it with the commit SHA
• promote that image across environments

Quality gates

Useful checks include:

• unit tests
• integration tests
• formatting checks
• static analysis
• dependency vulnerability scanning
• container image scanning

Do not add gates just to make the pipeline look sophisticated. Add checks that catch real risk for your project.

Common mistakes to avoid

Watch for these issues:

• deploying from a developer machine manually
• rebuilding different artifacts for each environment
• storing secrets in YAML
• skipping tests on pull requests
• letting production deploys happen with no approval or audit trail

CI/CD is not just automation. It is a reliability control that makes releases repeatable and traceable.

Next Article: Cloud Patterns for .NET: Azure App Service, Azure Container Apps, AWS ECS, and Fargate

Publishing the app

The basic publish command:

dotnet publish src/Store.Api/Store.Api.csproj -c Release -o publish

This creates deployable output with compiled assemblies, dependencies, and configuration files.

Use Release builds for deployment:

dotnet publish -c Release

Debug builds are for local development.

Dockerfile

A typical multi-stage Dockerfile:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY . .
RUN dotnet publish src/Store.Api/Store.Api.csproj -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS runtime
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "Store.Api.dll"]

Build and run:

docker build -t store-api .
docker run -p 8080:8080 store-api

In containers, configuration usually comes from environment variables or mounted secrets, not edited files inside the image.

Linux hosting

ASP.NET Core runs well on Linux. Common hosting options:

• systemd service on a VM
• Docker container
• Kubernetes
• platform services such as Azure App Service or AWS ECS

For systemd, your service file usually starts the published app and restarts it on failure.

Reverse proxy with Nginx

In many Linux deployments, Nginx sits in front of Kestrel.

Nginx handles:

• TLS termination
• public ports
• request forwarding
• compression
• buffering
• static assets in some setups

Basic reverse proxy shape:

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

In ASP.NET Core, enable forwarded headers when running behind a proxy:

app.UseForwardedHeaders();

Health checks

Health checks let platforms know whether the app is alive and ready.

builder.Services.AddHealthChecks();

var app = builder.Build();

app.MapHealthChecks("/health");

For production, consider separate endpoints:

• liveness: process is running
• readiness: app can serve traffic

Readiness may include database, cache, or message broker checks, but be careful not to make health checks too expensive.

Deployment checklist

Use this baseline:

• publish Release builds
• externalize configuration
• expose a health endpoint
• log to stdout in containers
• set resource limits
• validate reverse proxy headers
• automate deployment through CI/CD

Common mistakes to avoid

Watch for these issues:

• building Docker images with secrets baked in
• running Debug builds in production
• missing health checks
• ignoring graceful shutdown
• forgetting forwarded headers behind Nginx or load balancers

Deployment quality affects reliability directly. Treat startup, shutdown, logs, configuration, and health checks as part of the app contract.

Next Article: CI/CD with GitHub Actions for .NET: Build, Test, Publish, Secrets, and Environments

What gRPC is

gRPC is a remote procedure call framework that commonly uses:

• Protocol Buffers for contracts and serialization
• HTTP/2 as the transport
• generated clients and server base classes
• unary and streaming communication patterns

It is a good fit for:

• internal service-to-service calls
• low-latency APIs
• strongly typed contracts
• streaming scenarios

It is not always the best fit for public browser APIs unless you use gRPC-Web and account for ecosystem constraints.

Defining a contract

Contracts live in .proto files.

syntax = "proto3";

option csharp_namespace = "Store.Grpc";

service ProductCatalog {
  rpc GetProduct (GetProductRequest) returns (ProductReply);
}

message GetProductRequest {
  int32 id = 1;
}

message ProductReply {
  int32 id = 1;
  string name = 2;
  double price = 3;
}

The field numbers are part of the wire contract. Do not reuse them casually.

Server implementation

.NET generates a base class from the .proto file.

public sealed class ProductCatalogService : ProductCatalog.ProductCatalogBase
{
    public override Task<ProductReply> GetProduct(
        GetProductRequest request,
        ServerCallContext context)
    {
        return Task.FromResult(new ProductReply
        {
            Id = request.Id,
            Name = "Mechanical Keyboard",
            Price = 129.00
        });
    }
}

Register gRPC:

builder.Services.AddGrpc();

var app = builder.Build();

app.MapGrpcService<ProductCatalogService>();

Client usage

Generated clients make calls strongly typed.

var channel = GrpcChannel.ForAddress("https://localhost:5001");
var client = new ProductCatalog.ProductCatalogClient(channel);

var product = await client.GetProductAsync(new GetProductRequest { Id = 42 });

In real applications, configure gRPC clients through DI rather than constructing channels everywhere.

Streaming

gRPC supports:

• unary calls
• server streaming
• client streaming
• bidirectional streaming

Server streaming example:

rpc StreamProducts (StreamProductsRequest) returns (stream ProductReply);

Implementation concept:

public override async Task StreamProducts(
    StreamProductsRequest request,
    IServerStreamWriter<ProductReply> responseStream,
    ServerCallContext context)
{
    await foreach (var product in productService.GetProductsAsync(context.CancellationToken))
    {
        await responseStream.WriteAsync(new ProductReply
        {
            Id = product.Id,
            Name = product.Name,
            Price = (double)product.Price
        });
    }
}

Streaming is useful when data arrives over time or when a response is too large to buffer comfortably.

Interop considerations

Think about:

• HTTP/2 support in hosting infrastructure
• load balancer and reverse proxy configuration
• gRPC-Web for browser clients
• versioning .proto files carefully
• deadlines and cancellation

Common mistakes to avoid

Watch for these issues:

• using gRPC for public APIs when simple REST would be easier
• changing field numbers in .proto files
• ignoring deadlines and cancellation
• exposing internal domain models directly as generated contracts
• forgetting infrastructure requirements for HTTP/2

gRPC is a strong tool for typed service communication. Use it when its contract and streaming model simplify the system, not just because it is faster on paper.

Next Article: Deploying ASP.NET Core Apps: Docker, Linux Hosting, Nginx, and Health Checks

OWASP API risks

The OWASP API Security Top 10 highlights common API failure modes. Examples include:

• broken object-level authorization
• broken authentication
• excessive data exposure
• unrestricted resource consumption
• broken function-level authorization
• unsafe consumption of third-party APIs

For .NET APIs, the practical response is:

• authorize access to each resource
• validate inputs
• avoid exposing entity models directly
• limit request sizes and rates
• log security-relevant failures
• keep dependencies updated

Object-level authorization

A common bug is checking that a user is authenticated but not checking that they can access the specific record.

Bad:

[Authorize]
[HttpGet("orders/{id:int}")]
public async Task<IActionResult> GetOrder(int id)
{
    return Ok(await repository.GetByIdAsync(id));
}

Better:

var order = await repository.GetByIdAsync(id);
if (order is null)
    return NotFound();

if (order.CustomerId != currentUser.CustomerId)
    return Forbid();

return Ok(order);

Authentication is not enough. Resource access must be checked.

Rate limiting

Rate limiting protects APIs from abusive or accidental high-volume traffic.

Example:

builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("api", limiter =>
    {
        limiter.PermitLimit = 100;
        limiter.Window = TimeSpan.FromMinutes(1);
    });
});

var app = builder.Build();

app.UseRateLimiter();

app.MapGet("/api/products", () => Results.Ok())
   .RequireRateLimiting("api");

Rate limiting is especially important for:

• login endpoints
• expensive search endpoints
• public APIs
• endpoints that trigger external calls

CORS

CORS controls which browser origins can call your API. It is not an authentication system.

Example:

builder.Services.AddCors(options =>
{
    options.AddPolicy("frontend", policy =>
    {
        policy
            .WithOrigins("https://app.example.com")
            .AllowAnyHeader()
            .AllowAnyMethod();
    });
});

app.UseCors("frontend");

Avoid:

.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()

That may be acceptable for a local prototype, but it is usually too broad for production.

Security headers

APIs and web apps benefit from security headers.

Common headers:

• Strict-Transport-Security
• X-Content-Type-Options
• Content-Security-Policy
• Referrer-Policy

Example middleware:

app.Use(async (context, next) =>
{
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Referrer-Policy"] = "no-referrer";
    await next();
});

For browser-facing apps, Content Security Policy deserves careful design and testing.

Input and output safety

Use request DTOs and response DTOs. Avoid binding directly to EF Core entities.

Why:

• prevents over-posting
• prevents leaking internal fields
• keeps public contracts stable
• makes validation explicit

Example:

public sealed record UpdateUserRequest(string DisplayName);
public sealed record UserResponse(int Id, string DisplayName);

Common mistakes to avoid

Watch for these issues:

• trusting client-side validation
• using CORS as a security boundary
• authorizing by role only when resource ownership matters
• logging tokens or passwords
• exposing internal entity fields in API responses
• leaving expensive endpoints without limits

API security is a set of repeated habits. Authentication gets users in the door, but authorization, validation, limits, and observability keep the system defensible.

Next Article: gRPC in .NET: Contracts, Streaming, and Interop

Start with measurement

Before changing code, answer:

• which endpoint is slow
• what latency percentile matters
• whether CPU, memory, I/O, or locking is the bottleneck
• whether the database or a downstream service dominates time

Useful tools:

• application metrics
• OpenTelemetry traces
• dotnet-counters
• dotnet-trace
• load testing tools
• BenchmarkDotNet for isolated code paths

Do not optimize a method because it looks inefficient. Optimize because evidence shows it matters.

Kestrel basics

Kestrel is the cross-platform web server used by ASP.NET Core.

Example configuration:

builder.WebHost.ConfigureKestrel(options =>
{
    options.Limits.MaxRequestBodySize = 10 * 1024 * 1024;
    options.Limits.KeepAliveTimeout = TimeSpan.FromMinutes(2);
    options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(30);
});

Tune Kestrel when:

• request sizes need strict limits
• slow clients are tying up resources
• reverse proxy behavior requires alignment
• you need explicit endpoint configuration

Many apps should keep default Kestrel settings until measurements justify changes.

Garbage collection

.NET has a highly optimized garbage collector, but allocation-heavy code still creates pressure.

Signs of allocation problems:

• high Gen 0/Gen 1 collection rate
• large object heap growth
• memory spikes during load
• CPU spent in GC

Use dotnet-counters:

dotnet-counters monitor --process-id 12345 System.Runtime

Watch counters such as:

• GC heap size
• allocation rate
• Gen 0/1/2 collection counts
• thread pool queue length

Reducing allocations

Allocation reduction is most useful in hot paths.

Common improvements:

• avoid repeated string concatenation in loops
• use streaming instead of buffering large payloads
• project only needed data from EF Core
• avoid unnecessary LINQ in extremely hot loops
• reuse expensive objects where safe

Example:

var builder = new StringBuilder();

foreach (var item in items)
{
    builder.Append(item.Code);
    builder.Append(',');
}

var result = builder.ToString();

Do not make code unreadable to avoid tiny allocations that do not matter. Keep optimization proportional to the measured cost.

BenchmarkDotNet

BenchmarkDotNet is the standard .NET library for microbenchmarks.

Install:

dotnet add package BenchmarkDotNet

Benchmark:

[MemoryDiagnoser]
public class SlugBenchmarks
{
    private readonly string _title = "Performance Tuning in .NET";

    [Benchmark]
    public string ReplaceSpaces()
    {
        return _title.ToLowerInvariant().Replace(" ", "-");
    }
}

Run:

BenchmarkRunner.Run<SlugBenchmarks>();

Use BenchmarkDotNet for isolated algorithms and utility code. It does not replace end-to-end load tests.

Performance checklist for APIs

A practical API tuning checklist:

• use pagination for lists
• avoid over-fetching data
• use AsNoTracking for read-only EF Core queries
• set downstream timeouts
• compress responses where appropriate
• cache expensive read models carefully
• measure p95 and p99 latency, not just averages

Common mistakes to avoid

Watch for these issues:

• optimizing without production-like data
• using microbenchmarks to make claims about whole-system performance
• ignoring database indexes
• returning unbounded result sets
• treating GC as the problem before checking allocation behavior

Performance tuning is disciplined measurement followed by focused changes. The best optimization is often changing what work the app does, not making unnecessary work slightly faster.

Next Article: Security Deep Dive for .NET APIs: OWASP, Rate Limiting, Headers, and CORS