Explain the middleware pipeline in ASP.NET Core

The middleware pipeline is an ordered chain of components that each handle the HTTP request on the way in and the response on the way out, calling `next()` to pass control down the chain. Middleware can short-circuit (return early), and order matters (e.g., exception handling first, then routing, auth, endpoints). It's configured in `Program.cs` with `app.Use...`/`app.Run`.

What is the difference between ASP.NET and ASP.NET Core?

ASP.NET is the older Windows-only, .NET Framework web framework tied to System.Web/IIS. ASP.NET Core is a re-architected, cross-platform, open-source framework that runs on .NET Core/.NET 5+, with built-in DI, a unified MVC/Web API/Razor model, Kestrel server, and higher performance. ASP.NET Core is the modern, recommended choice for new development.

Explain dependency injection in ASP.NET Core (Transient, Scoped, Singleton)

ASP.NET Core has built-in DI; services are registered with a lifetime that controls instance reuse. Transient creates a new instance every time it's requested; Scoped creates one instance per HTTP request (shared within that request); Singleton creates one instance for the app's lifetime. Match lifetime to state/thread-safety needs, and never inject a shorter-lived (e.g., Scoped) service into a Singleton.

What are action filters and how do you create custom filters?

Action filters run custom logic at stages of the MVC action pipeline, ideal for cross-cutting concerns (logging, validation, caching, exception handling). The filter types run in order: Authorization, Resource, Action, Exception, and Result filters. You create one by implementing an interface like `IActionFilter`/`IAsyncActionFilter` (or deriving from `ActionFilterAttribute`) and registering it globally, on a controller, or on an action.

Explain the difference between `IActionResult`, `ActionResult `, and returning a concrete type

`IActionResult` is the non-generic return type allowing any result (e.g., `Ok`, `NotFound`) but no compile-time body type. `ActionResult ` allows returning either an action result or a `T` directly, giving both status flexibility and a typed response for Swagger/OpenAPI. Returning a concrete type (`T`) is simplest but always serializes to 200, losing the ability to express other status codes.

What is model binding and validation in ASP.NET Core?

Model binding maps incoming HTTP data (route values, query string, form, body, headers) to action parameters and complex types automatically. Validation then checks the bound model against data-annotation attributes (or custom rules), surfacing results via `ModelState.IsValid`. Together they turn raw requests into validated, strongly-typed inputs; `[ApiController]` automatically returns 400 on invalid models.

How do you implement authentication and authorization in ASP.NET Core?

Authentication is configured via `AddAuthentication` with a scheme/handler (cookies, JWT bearer, OpenID Connect) and the `UseAuthentication` middleware; authorization is configured via `AddAuthorization` (policies/roles) and `UseAuthorization`, enforced with `[Authorize]`. Order matters: `UseAuthentication` must come before `UseAuthorization`. Policies and requirements support fine-grained, claims-based rules.

Explain the difference between authentication and authorization.

Authentication verifies *who* a user is (validating credentials/identity). Authorization determines *what* that authenticated user is allowed to do (permissions, roles, policies). Authentication always precedes authorization, and the two are enforced by separate middleware in ASP.NET Core.

What is JWT and how do you implement JWT authentication?

A JWT (JSON Web Token) is a compact, URL-safe, digitally signed token with three parts — Header, Payload (claims), and Signature — used for stateless authentication. The server issues a signed token on login; the client sends it in the `Authorization: Bearer` header, and the API validates the signature/claims via JWT bearer authentication (`AddJwtBearer`) without server-side session state.

How do you handle CORS in ASP.NET Core?

CORS (Cross-Origin Resource Sharing) controls which browser origins may call your API. In ASP.NET Core you register policies with `AddCors`, then enable them with `UseCors` (placed before auth/endpoints) and optionally apply named policies per controller/endpoint via `[EnableCors]`. Configure allowed origins, headers, methods, and credentials explicitly — avoid `AllowAnyOrigin` combined with credentials.

What are the different ways to manage application configuration?

Configuration comes from layered providers merged in order: `appsettings.json`, environment-specific `appsettings.{Environment}.json`, environment variables, command-line args, user secrets (dev), and cloud stores like Azure Key Vault. Values are read via `IConfiguration` or strongly-typed with the Options pattern (`IOptions `). Later providers override earlier ones, enabling per-environment overrides without code changes.

Explain routing in ASP.NET Core (conventional vs attribute routing).

Conventional routing defines URL patterns centrally (e.g., `{controller}/{action}/{id?}`) and is common in MVC views. Attribute routing places `[Route]`/`[HttpGet("...")]` directly on controllers/actions for precise, self-documenting routes, which is the norm for Web APIs. Both map URLs to endpoints via the routing middleware; attribute routing offers finer control while conventional routing reduces repetition.

What is Razor Pages and how does it differ from MVC?

Razor Pages is a page-focused model where each page pairs a `.cshtml` view with a `PageModel` code-behind handling its requests — well-suited to page-centric, form-based UI. MVC separates concerns across Controllers, Models, and Views, better for complex apps with many actions per controller or APIs. Both use Razor and the same underlying framework; Razor Pages reduces ceremony for simple CRUD pages.

How do you implement versioning in Web APIs?

API versioning lets multiple API versions coexist so you can evolve without breaking clients, typically via the `Asp.Versioning` package. Common strategies: URL path (`/api/v1/...`), query string (`?api-version=1.0`), header, or media-type versioning. You register versioning services, mark controllers with `[ApiVersion]`, and optionally expose a version explorer for Swagger.

What are health checks in ASP.NET Core?

Health checks report the liveness/readiness of an app and its dependencies (database, cache, external services) via `AddHealthChecks` and a `/health` endpoint. Custom checks implement `IHealthCheck` and return Healthy/Degraded/Unhealthy; results can be filtered by tags and consumed by load balancers, Kubernetes probes, or orchestrators to route traffic and trigger restarts.

ASP.NET Core

The ASP.NET Core request pipeline: middleware, dependency injection, filters, routing, model binding, auth, and Web API features.

Open as page

The middleware pipeline in ASP.NET Core is a series of components that handle HTTP requests and responses. Each middleware component can:

Process an incoming request before passing it to the next component
Process the outgoing response after the next component has executed
Short-circuit the pipeline by not calling the next middleware

Key characteristics:

Middleware components are executed in the order they are added
Each component can perform operations before and after the next component
Built using the Use, Run, and Map extension methods

Example:

public void Configure(IApplicationBuilder app)
{
    // Middleware 1
    app.Use(async (context, next) =>
    {
        // Do work before next middleware
        await next.Invoke();
        // Do work after next middleware
    });

    // Middleware 2
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    
    // Terminal middleware
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Common middleware order:

Exception handling
HTTPS redirection
Static files
Routing
Authentication
Authorization
Endpoints

Related Resources

ASP.NET Core Middleware

Open as page

Feature	ASP.NET	ASP.NET Core
Platform	Windows only	Cross-platform (Windows, Linux, macOS)
Framework	Built on .NET Framework	Built on .NET Core/.NET 5+
Performance	Good	Significantly faster and more efficient
Hosting	IIS only	IIS, Kestrel, Nginx, Apache, Docker
Open Source	Partially	Fully open source
Configuration	Web.config (XML)	appsettings.json, environment variables
Dependency Injection	Not built-in (needs third-party)	Built-in DI container
Web Forms	Supported	Not supported
Project Structure	Complex, tightly coupled	Modular, lightweight
Side-by-side deployment	Not supported	Supported
Cloud optimization	Limited	Highly optimized for cloud

Key advantages of ASP.NET Core:

Better performance and scalability
Modern architecture with cleaner separation of concerns
Built-in dependency injection
Unified programming model for web UI and web APIs
Can run on multiple platforms

Related Resources

Choose between ASP.NET and ASP.NET Core

Open as page

Dependency Injection (DI) is a built-in design pattern in ASP.NET Core that achieves Inversion of Control (IoC) between classes and their dependencies. Services are registered with specific lifetimes.

Service Lifetimes:

4.3.1. Transient

A new instance is created every time the service is requested
Best for lightweight, stateless services
Registered using AddTransient<TService, TImplementation>()

services.AddTransient();

Use case: Operations that don't maintain state, like sending emails or generating random numbers.

4.3.2. Scoped

A single instance is created per client request (HTTP request)
The same instance is used throughout the entire request
Registered using AddScoped<TService, TImplementation>()

services.AddScoped();

Use case: Database contexts (Entity Framework), repository patterns, services that need to maintain state during a request.

4.3.3. Singleton

A single instance is created for the entire application lifetime
The same instance is shared across all requests
Registered using AddSingleton<TService, TImplementation>()

services.AddSingleton();

Use case: Configuration, logging, caching services, thread-safe services.

Registration example in Program.cs:

var builder = WebApplication.CreateBuilder(args);

// Transient
builder.Services.AddTransient();

// Scoped
builder.Services.AddScoped();

// Singleton
builder.Services.AddSingleton(builder.Configuration);

var app = builder.Build();

Important considerations:

Avoid injecting scoped or transient services into singleton services (causes memory leaks)
Singleton services must be thread-safe
Scoped is the most commonly used lifetime for business logic

Related Resources

Dependency injection in ASP.NET Core

Open as page

Action filters are attributes that add extra processing logic before or after specific stages in the request processing pipeline. They allow cross-cutting concerns like logging, caching, authorization, and exception handling.

Filter types and execution order:

Authorization filters - Run first, verify authorization
Resource filters - Run after authorization, good for caching
Action filters - Run before and after action method execution
Exception filters - Handle exceptions
Result filters - Run before and after result execution

Creating a custom action filter:

// Method 1: Inherit from ActionFilterAttribute
public class LogActivityFilter : ActionFilterAttribute
{
    private readonly ILogger _logger;

    public LogActivityFilter(ILogger logger)
    {
        _logger = logger;
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        _logger.LogInformation($"Executing action: {context.ActionDescriptor.DisplayName}");
        base.OnActionExecuting(context);
    }

    public override void OnActionExecuted(ActionExecutedContext context)
    {
        _logger.LogInformation($"Executed action: {context.ActionDescriptor.DisplayName}");
        base.OnActionExecuted(context);
    }
}

// Method 2: Implement IActionFilter interface
public class ValidateModelFilter : IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext context)
    {
        if (!context.ModelState.IsValid)
        {
            context.Result = new BadRequestObjectResult(context.ModelState);
        }
    }

    public void OnActionExecuted(ActionExecutedContext context)
    {
        // Logic after action execution
    }
}

// Async version
public class AsyncLoggingFilter : IAsyncActionFilter
{
    public async Task OnActionExecutionAsync(
        ActionExecutingContext context, 
        ActionExecutionDelegate next)
    {
        // Before action execution
        await next(); // Execute the action
        // After action execution
    }
}

Using filters:

// Apply to specific action
[LogActivityFilter]
public IActionResult GetUser(int id)
{
    return Ok();
}

// Apply to controller
[ValidateModelFilter]
public class UsersController : ControllerBase
{
}

// Register globally in Program.cs
builder.Services.AddControllers(options =>
{
    options.Filters.Add();
});

Related Resources

Filters in ASP.NET Core

Open as page

These are different return types for controller actions in ASP.NET Core, each with specific use cases.

4.5.1. IActionResult

Non-generic interface
Can return any type of action result
No compile-time type safety for the return value
Requires runtime type checking

[HttpGet("{id}")]
public IActionResult GetUser(int id)
{
    var user = _userService.GetUser(id);
    
    if (user == null)
        return NotFound(); // Returns 404
    
    return Ok(user); // Returns 200 with user object
}

Pros: Flexible, can return different result types Cons: No automatic OpenAPI/Swagger documentation for response type

4.5.2. ActionResult<T>

Generic wrapper combining IActionResult flexibility with type safety
Best of both worlds approach
Enables automatic API documentation
Implicit conversion from T or ActionResult

[HttpGet("{id}")]
public ActionResult GetUser(int id)
{
    var user = _userService.GetUser(id);
    
    if (user == null)
        return NotFound(); // Returns ActionResult
    
    return user; // Implicitly converted to ActionResult
}

Pros:

Type safety
Automatic OpenAPI/Swagger documentation
Can still return status codes like NotFound(), BadRequest()

Cons: Can only specify one success return type

4.5.3. Concrete Type

Returns the actual object type directly
Simplest approach
Always returns 200 OK status
Cannot return different status codes

[HttpGet]
public List GetAllUsers()
{
    return _userService.GetAllUsers();
}

[HttpGet("{id}")]
public User GetUser(int id)
{
    return _userService.GetUser(id); // Always 200 OK
}

Pros: Simple, clean code for straightforward scenarios Cons:

Cannot return different HTTP status codes
No error handling at the action level
Limited flexibility

Comparison table:

Feature	IActionResult	ActionResult<T>	Concrete Type
Multiple return types	✅ Yes	✅ Yes	❌ No
Type safety	❌ No	✅ Yes	✅ Yes
OpenAPI documentation	⚠️ Manual	✅ Automatic	✅ Automatic
HTTP status control	✅ Full	✅ Full	❌ Always 200
Recommended for APIs	⚠️ Legacy	✅ Best choice	❌ Limited use

Best practice: Use ActionResult<T> for modern ASP.NET Core Web APIs as it provides the best balance of flexibility and type safety.

Related Resources

Controller action return types

Open as page

Model binding is the process of mapping HTTP request data to action method parameters. Validation ensures that the bound data meets specified constraints before processing.

4.6.1. Model Binding

Model binding automatically extracts values from:

Form data - POST form submissions
Route values - URL segments like /users/{id}
Query strings - URL parameters like ?name=John&age=30
Request body - JSON, XML payloads
Headers - HTTP headers

Binding sources:

public class UsersController : ControllerBase
{
    // From route
    [HttpGet("{id}")]
    public IActionResult GetUser([FromRoute] int id) { }

    // From query string
    [HttpGet]
    public IActionResult Search([FromQuery] string name, [FromQuery] int? age) { }

    // From body (JSON)
    [HttpPost]
    public IActionResult Create([FromBody] UserDto user) { }

    // From form
    [HttpPost]
    public IActionResult Upload([FromForm] IFormFile file) { }

    // From header
    [HttpGet]
    public IActionResult Get([FromHeader(Name = "X-API-Key")] string apiKey) { }
}

4.6.2. Model Validation

Validation uses data annotations to define rules. ASP.NET Core automatically validates models before action execution.

Common validation attributes:

public class UserDto
{
    [Required(ErrorMessage = "Name is required")]
    [StringLength(100, MinimumLength = 2)]
    public string Name { get; set; }

    [Required]
    [EmailAddress(ErrorMessage = "Invalid email format")]
    public string Email { get; set; }

    [Range(18, 120, ErrorMessage = "Age must be between 18 and 120")]
    public int Age { get; set; }

    [Phone]
    public string PhoneNumber { get; set; }

    [Url]
    public string Website { get; set; }

    [RegularExpression(@"^[A-Z]{2}\d{6}$", ErrorMessage = "Invalid format")]
    public string Code { get; set; }

    [Compare("Email", ErrorMessage = "Emails must match")]
    public string ConfirmEmail { get; set; }

    [CreditCard]
    public string CardNumber { get; set; }
}

Checking validation in controller:

[HttpPost]
public IActionResult CreateUser([FromBody] UserDto user)
{
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // Process valid model
    return Ok();
}

Custom validation attribute:

public class FutureDateAttribute : ValidationAttribute
{
    protected override ValidationResult IsValid(
        object value, 
        ValidationContext validationContext)
    {
        if (value is DateTime date)
        {
            if (date > DateTime.Now)
            {
                return ValidationResult.Success;
            }
            return new ValidationResult("Date must be in the future");
        }
        return new ValidationResult("Invalid date");
    }
}

// Usage
public class EventDto
{
    [FutureDate]
    public DateTime EventDate { get; set; }
}

Fluent validation (alternative approach):

// Install: FluentValidation.AspNetCore
public class UserDtoValidator : AbstractValidator
{
    public UserDtoValidator()
    {
        RuleFor(x => x.Name)
            .NotEmpty()
            .Length(2, 100);

        RuleFor(x => x.Email)
            .NotEmpty()
            .EmailAddress();

        RuleFor(x => x.Age)
            .InclusiveBetween(18, 120);
    }
}

Automatic validation with API behavior:

// In Program.cs - ASP.NET Core 2.1+ automatically returns 400 for invalid models
builder.Services.AddControllers()
    .ConfigureApiBehaviorOptions(options =>
    {
        options.SuppressModelStateInvalidFilter = false; // Default
    });

Key points:

Model binding happens automatically based on parameter names and types
Validation attributes are checked before the action executes
ModelState.IsValid contains validation results
For APIs, ASP.NET Core automatically returns 400 Bad Request for invalid models
Custom validation can be created via attributes or FluentValidation library

Related Resources

Model binding in ASP.NET Core

Model validation

Open as page

Authentication and authorization in ASP.NET Core are implemented through middleware and services:

Step 1: Install Required Packages

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore

Step 2: Configure Services in Program.cs

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
    };
});

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
    options.AddPolicy("MinimumAge", policy => policy.Requirements.Add(new MinimumAgeRequirement(18)));
});

Step 3: Add Middleware

app.UseAuthentication();
app.UseAuthorization();

Step 4: Protect Endpoints

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class SecureController : ControllerBase
{
    [Authorize(Roles = "Admin")]
    public IActionResult AdminOnly() => Ok("Admin access");
    
    [Authorize(Policy = "MinimumAge")]
    public IActionResult AgeRestricted() => Ok("Age verified");
}

Related Resources

Authentication and authorization in ASP.NET Core

Open as page

Authentication is the process of verifying WHO the user is (identity verification).

Confirms user identity through credentials (username/password, tokens, biometrics)
Answers: "Are you who you claim to be?"
Example: Logging in with username and password

Authorization is the process of verifying WHAT the user can access (permission verification).

Determines what resources/actions an authenticated user can access
Answers: "What are you allowed to do?"
Example: Checking if a user has admin rights to delete records

Key Differences:

Authentication comes before authorization
Authentication verifies identity; authorization verifies permissions
Authentication uses credentials; authorization uses roles, policies, and claims
You can be authenticated but not authorized for specific resources

Example Flow:

User Login → Authentication (verify credentials) → User Authenticated
   ↓
Access Admin Panel → Authorization (check role) → Access Granted/Denied

Related Resources

Introduction to authorization

Open as page

JWT (JSON Web Token) is a compact, URL-safe token format for securely transmitting information between parties as a JSON object. It consists of three parts: Header, Payload, and Signature.

JWT Structure:

xxxxx.yyyyy.zzzzz
Header.Payload.Signature

Implementation:

Step 1: Create JWT Token Generation Service

public class JwtTokenService
{
    private readonly IConfiguration _configuration;

    public JwtTokenService(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public string GenerateToken(string userId, string email, List roles)
    {
        var securityKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_configuration["Jwt:Key"]));
        var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);

        var claims = new List
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Email, email),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
        };

        claims.AddRange(roles.Select(role => new Claim(ClaimTypes.Role, role)));

        var token = new JwtSecurityToken(
            issuer: _configuration["Jwt:Issuer"],
            audience: _configuration["Jwt:Audience"],
            claims: claims,
            expires: DateTime.Now.AddHours(1),
            signingCredentials: credentials
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

Step 2: Login Endpoint

[HttpPost("login")]
public IActionResult Login([FromBody] LoginModel model)
{
    // Validate credentials (simplified)
    if (ValidateUser(model.Username, model.Password))
    {
        var token = _jwtTokenService.GenerateToken(
            userId: "123",
            email: model.Username,
            roles: new List { "User", "Admin" }
        );

        return Ok(new { token });
    }

    return Unauthorized();
}

Step 3: appsettings.json Configuration

{
  "Jwt": {
    "Key": "YourSuperSecretKeyThatIsAtLeast32CharactersLong",
    "Issuer": "YourApp",
    "Audience": "YourAppUsers"
  }
}

Related Resources

Configure JWT bearer authentication

Open as page

CORS (Cross-Origin Resource Sharing) allows you to control which domains can access your API.

Method 1: Named Policy (Recommended)

// Program.cs
builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowSpecificOrigin", policy =>
    {
        policy.WithOrigins("https://example.com", "https://app.example.com")
              .AllowAnyHeader()
              .AllowAnyMethod()
              .AllowCredentials();
    });

    options.AddPolicy("AllowAll", policy =>
    {
        policy.AllowAnyOrigin()
              .AllowAnyHeader()
              .AllowAnyMethod();
    });
});

// Must be called before UseAuthorization
app.UseCors("AllowSpecificOrigin");

Method 2: Apply to Specific Controllers

[EnableCors("AllowSpecificOrigin")]
[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("Products");
    
    [DisableCors] // Disable CORS for specific action
    [HttpPost]
    public IActionResult Post() => Ok();
}

Method 3: Apply to Specific Actions

[HttpGet]
[EnableCors("AllowAll")]
public IActionResult GetPublicData() => Ok("Public data");

Common CORS Configurations:

// Development - Allow all
policy.AllowAnyOrigin()
      .AllowAnyHeader()
      .AllowAnyMethod();

// Production - Specific origins with credentials
policy.WithOrigins("https://myapp.com")
      .AllowAnyHeader()
      .AllowAnyMethod()
      .AllowCredentials();

// Specific methods and headers
policy.WithOrigins("https://myapp.com")
      .WithMethods("GET", "POST")
      .WithHeaders("Content-Type", "Authorization");

Related Resources

Enable CORS in ASP.NET Core

Open as page

ASP.NET Core provides multiple ways to manage configuration:

1. appsettings.json (Most Common)

{
  "Logging": {
    "LogLevel": {
      "Default": "Information"
    }
  },
  "ConnectionStrings": {
    "DefaultConnection": "Server=.;Database=MyDb;Trusted_Connection=true;"
  },
  "AppSettings": {
    "ApplicationName": "MyApp",
    "MaxFileSize": 10485760
  }
}

2. Environment-Specific Configuration

appsettings.json (base configuration)
appsettings.Development.json (development overrides)
appsettings.Production.json (production overrides)

3. User Secrets (Development Only)

dotnet user-secrets init
dotnet user-secrets set "ApiKey" "secret-key-value"

4. Environment Variables

// Access in code
var apiKey = builder.Configuration["ApiKey"];

// Set in launchSettings.json
"environmentVariables": {
    "ASPNETCORE_ENVIRONMENT": "Development",
    "ApiKey": "dev-key"
}

5. Command Line Arguments

dotnet run --ApiKey="command-line-key"

6. Azure Key Vault

builder.Configuration.AddAzureKeyVault(
    new Uri("https://myvault.vault.azure.net/"),
    new DefaultAzureCredential());

7. Options Pattern (Strongly Typed)

// Settings class
public class AppSettings
{
    public string ApplicationName { get; set; }
    public int MaxFileSize { get; set; }
}

// Register
builder.Services.Configure(
    builder.Configuration.GetSection("AppSettings"));

// Use in controller
public class HomeController : Controller
{
    private readonly AppSettings _settings;

    public HomeController(IOptions settings)
    {
        _settings = settings.Value;
    }
}

Configuration Priority (Highest to Lowest):

Command-line arguments
Environment variables
User secrets
appsettings.{Environment}.json
appsettings.json

Related Resources

Configuration in ASP.NET Core

Options pattern

Open as page

Conventional Routing defines routes in a central location using patterns.

// Program.cs
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.MapControllerRoute(
    name: "blog",
    pattern: "blog/{year}/{month}/{day}/{slug}",
    defaults: new { controller = "Blog", action = "Post" });

Controller using Conventional Routing:

public class HomeController : Controller
{
    // Matches: /Home/Index
    public IActionResult Index() => View();

    // Matches: /Home/About
    public IActionResult About() => View();
    
    // Matches: /Home/Details/5
    public IActionResult Details(int id) => View();
}

Attribute Routing defines routes directly on controllers and actions using attributes.

[Route("api/[controller]")]
[ApiController]
public class ProductsController : ControllerBase
{
    // GET: api/products
    [HttpGet]
    public IActionResult GetAll() => Ok();

    // GET: api/products/5
    [HttpGet("{id}")]
    public IActionResult GetById(int id) => Ok();

    // GET: api/products/5/reviews
    [HttpGet("{id}/reviews")]
    public IActionResult GetReviews(int id) => Ok();

    // POST: api/products
    [HttpPost]
    public IActionResult Create([FromBody] Product product) => Ok();

    // PUT: api/products/5
    [HttpPut("{id}")]
    public IActionResult Update(int id, [FromBody] Product product) => Ok();

    // DELETE: api/products/5
    [HttpDelete("{id}")]
    public IActionResult Delete(int id) => Ok();
}

Advanced Attribute Routing:

[Route("api/v{version:apiVersion}/[controller]")]
[ApiController]
public class CustomersController : ControllerBase
{
    // Custom route: api/v1/customers/search?name=John
    [HttpGet("search")]
    public IActionResult Search([FromQuery] string name) => Ok();

    // Route constraint: api/v1/customers/5 (id must be int)
    [HttpGet("{id:int}")]
    public IActionResult GetById(int id) => Ok();

    // Multiple routes for same action
    [HttpGet("")]
    [HttpGet("all")]
    public IActionResult GetAll() => Ok();
}

Key Differences:

Aspect	Conventional Routing	Attribute Routing
Definition Location	Centralized in Program.cs	On controllers/actions
Flexibility	Less flexible	More flexible
Best For	MVC web apps	Web APIs
Visibility	Global patterns	Local to action
Maintenance	Single location	Scattered across controllers

Related Resources

Routing in ASP.NET Core

Open as page

Razor Pages is a page-based programming model that makes building web UI easier and more productive.

Razor Pages Structure:

Pages/
├── Index.cshtml          (View)
├── Index.cshtml.cs       (PageModel - code-behind)
├── Privacy.cshtml
├── Privacy.cshtml.cs
└── Shared/
    └── _Layout.cshtml

Example Razor Page:

// Index.cshtml.cs
public class IndexModel : PageModel
{
    private readonly ILogger _logger;

    [BindProperty]
    public string UserName { get; set; }

    public List Products { get; set; }

    public IndexModel(ILogger logger)
    {
        _logger = logger;
    }

    public void OnGet()
    {
        Products = GetProducts();
    }

    public IActionResult OnPost()
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        // Process form
        return RedirectToPage("Success");
    }
}


@page
@model IndexModel

Welcome @Model.UserName


    
    Submit


@foreach (var product in Model.Products)
{
    @product.Name
}

Key Differences:

Feature	Razor Pages	MVC
Structure	Page-centric (cshtml + cs)	Controller-centric
Routing	Convention-based on folder	Attribute or conventional
Best For	Simple CRUD, forms	Complex apps, APIs
Organization	Page-focused	Separated concerns
Learning Curve	Easier	Steeper
Handler Methods	OnGet, OnPost	Action methods

MVC Example (for comparison):

// Controller
public class HomeController : Controller
{
    public IActionResult Index()
    {
        var model = new IndexViewModel();
        return View(model);
    }

    [HttpPost]
    public IActionResult Index(IndexViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);
        
        return RedirectToAction("Success");
    }
}

When to Use:

Razor Pages: Simple pages, forms, CRUD operations, page-focused scenarios
MVC: Complex applications, RESTful APIs, when you need more control over routing

Related Resources

Introduction to Razor Pages

Open as page

API versioning allows you to maintain multiple versions of your API simultaneously.

Installation:

dotnet add package Asp.Versioning.Mvc
dotnet add package Asp.Versioning.Mvc.ApiExplorer

Method 1: URL Path Versioning (Most Common)

// Program.cs
builder.Services.AddApiVersioning(options =>
{
    options.DefaultApiVersion = new ApiVersion(1, 0);
    options.AssumeDefaultVersionWhenUnspecified = true;
    options.ReportApiVersions = true;
});

// Controller
[ApiController]
[Route("api/v{version:apiVersion}/[controller]")]
[ApiVersion("1.0")]
public class ProductsV1Controller : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("Version 1.0");
}

[ApiController]
[Route("api/v{version:apiVersion}/[controller]")]
[ApiVersion("2.0")]
public class ProductsV2Controller : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("Version 2.0 with new features");
}

// Usage:
// GET /api/v1/products
// GET /api/v2/products

Method 2: Query String Versioning

builder.Services.AddApiVersioning(options =>
{
    options.ApiVersionReader = new QueryStringApiVersionReader("api-version");
});

[ApiController]
[Route("api/[controller]")]
[ApiVersion("1.0")]
[ApiVersion("2.0")]
public class ProductsController : ControllerBase
{
    [HttpGet]
    [MapToApiVersion("1.0")]
    public IActionResult GetV1() => Ok("Version 1.0");

    [HttpGet]
    [MapToApiVersion("2.0")]
    public IActionResult GetV2() => Ok("Version 2.0");
}

// Usage:
// GET /api/products?api-version=1.0
// GET /api/products?api-version=2.0

Method 3: Header Versioning

builder.Services.AddApiVersioning(options =>
{
    options.ApiVersionReader = new HeaderApiVersionReader("X-Api-Version");
});

// Usage:
// GET /api/products
// Headers: X-Api-Version: 1.0

Method 4: Media Type Versioning

builder.Services.AddApiVersioning(options =>
{
    options.ApiVersionReader = new MediaTypeApiVersionReader();
});

// Usage:
// GET /api/products
// Headers: Accept: application/json;v=1.0

Deprecating Old Versions:

[ApiVersion("1.0", Deprecated = true)]
[ApiVersion("2.0")]
[ApiController]
[Route("api/v{version:apiVersion}/[controller]")]
public class ProductsController : ControllerBase
{
    // Implementation
}

Multiple Versioning Strategies:

builder.Services.AddApiVersioning(options =>
{
    options.ApiVersionReader = ApiVersionReader.Combine(
        new QueryStringApiVersionReader("api-version"),
        new HeaderApiVersionReader("X-Api-Version"),
        new UrlSegmentApiVersionReader()
    );
});

Related Resources

ASP.NET API versioning

Open as page

Health Checks allow you to monitor the health and availability of your application and its dependencies.

Basic Implementation:

// Program.cs
builder.Services.AddHealthChecks()
    .AddCheck("self", () => HealthCheckResult.Healthy())
    .AddSqlServer(
        builder.Configuration.GetConnectionString("DefaultConnection"),
        name: "database",
        timeout: TimeSpan.FromSeconds(5))
    .AddUrlGroup(
        new Uri("https://api.external.com/health"),
        name: "external-api",
        timeout: TimeSpan.FromSeconds(3))
    .AddRedis(
        builder.Configuration.GetConnectionString("Redis"),
        name: "redis");

app.MapHealthChecks("/health");

Custom Health Check:

public class CustomHealthCheck : IHealthCheck
{
    private readonly IHttpClientFactory _httpClientFactory;

    public CustomHealthCheck(IHttpClientFactory httpClientFactory)
    {
        _httpClientFactory = httpClientFactory;
    }

    public async Task CheckHealthAsync(
        HealthCheckContext context,
        CancellationToken cancellationToken = default)
    {
        try
        {
            var client = _httpClientFactory.CreateClient();
            var response = await client.GetAsync("https://api.example.com/status");

            if (response.IsSuccessStatusCode)
            {
                return HealthCheckResult.Healthy("External API is responding");
            }

            return HealthCheckResult.Degraded("External API returned non-success status");
        }
        catch (Exception ex)
        {
            return HealthCheckResult.Unhealthy("External API is not accessible", ex);
        }
    }
}

// Register
builder.Services.AddHealthChecks()
    .AddCheck("custom-check");

Health Check with Detailed Response:

app.MapHealthChecks("/health/detailed", new HealthCheckOptions
{
    ResponseWriter = async (context, report) =>
    {
        context.Response.ContentType = "application/json";

        var result = JsonSerializer.Serialize(new
        {
            status = report.Status.ToString(),
            checks = report.Entries.Select(e => new
            {
                name = e.Key,
                status = e.Value.Status.ToString(),
                description = e.Value.Description,
                duration = e.Value.Duration.ToString()
            }),
            totalDuration = report.TotalDuration
        });

        await context.Response.WriteAsync(result);
    }
});

Health Check with Tags:

builder.Services.AddHealthChecks()
    .AddSqlServer(
        connectionString,
        name: "database",
        tags: new[] { "db", "sql" })
    .AddRedis(
        redisConnection,
        name: "cache",
        tags: new[] { "cache", "redis" });

// Endpoint for specific tags
app.MapHealthChecks("/health/ready", new HealthCheckOptions
{
    Predicate = check => check.Tags.Contains("ready")
});

app.MapHealthChecks("/health/live", new HealthCheckOptions
{
    Predicate = check => check.Tags.Contains("live")
});

Health Check UI (Optional Package):

dotnet add package AspNetCore.HealthChecks.UI
dotnet add package AspNetCore.HealthChecks.UI.InMemory.Storage

builder.Services
    .AddHealthChecksUI()
    .AddInMemoryStorage();

app.MapHealthChecksUI();

// Access UI at: /healthchecks-ui

Common Use Cases:

Kubernetes liveness and readiness probes
Load balancer health endpoints
Monitoring and alerting systems
Circuit breaker patterns
Graceful degradation

Example Response:

{
  "status": "Healthy",
  "checks": [
    {
      "name": "database",
      "status": "Healthy",
      "description": "SQL Server is healthy",
      "duration": "00:00:00.1234567"
    },
    {
      "name": "redis",
      "status": "Healthy",
      "description": "Redis is healthy",
      "duration": "00:00:00.0234567"
    }
  ],
  "totalDuration": "00:00:00.1469134"
}

Related Resources

Health checks in ASP.NET Core

ASP.NET Core

Explain the middleware pipeline in ASP.NET Core

Related Resources

What is the difference between ASP.NET and ASP.NET Core?

Related Resources

Explain dependency injection in ASP.NET Core (Transient, Scoped, Singleton)

4.3.1. Transient

4.3.2. Scoped

4.3.3. Singleton

Related Resources

What are action filters and how do you create custom filters?

Related Resources

Explain the difference between `IActionResult`, `ActionResult<T>`, and returning a concrete type

4.5.1. IActionResult

4.5.2. ActionResult<T>

4.5.3. Concrete Type

Related Resources

What is model binding and validation in ASP.NET Core?

4.6.1. Model Binding

4.6.2. Model Validation

Related Resources

How do you implement authentication and authorization in ASP.NET Core?

Related Resources

Explain the difference between authentication and authorization.

Related Resources

What is JWT and how do you implement JWT authentication?

Related Resources

How do you handle CORS in ASP.NET Core?

Related Resources

What are the different ways to manage application configuration?

Related Resources

Explain routing in ASP.NET Core (conventional vs attribute routing).

Related Resources

What is Razor Pages and how does it differ from MVC?

Related Resources

How do you implement versioning in Web APIs?

Related Resources

What are health checks in ASP.NET Core?

Related Resources