ASP.NET Core Authentication Patterns: Cookie vs JWT vs OIDC
When to use cookie, JWT, or OIDC authentication in ASP.NET Core - a decision framework with threat model considerations.
Long-form engineering research, field notes, and technical deep dives.
Middleware order determines what works and what silently breaks: ForwardedHeaders before HTTPS redirection, Authentication before Authorization, Routing before Rate Limiting.
Fixed window vs sliding window vs token bucket: choose the right algorithm, partition by IP or user, and handle edge cases like missing IPs and exempt endpoints.
EF Core 10 adds native vector search with SqlVector and VECTOR_DISTANCE. Store embeddings alongside relational data and query by semantic similarity.
ForwardedHeaders configuration that prevents IP spoofing: KnownNetworks vs KnownProxies, Azure/AWS/Nginx setups, and verification commands.
AddValidation() brings automatic data annotation validation to Minimal APIs. No more manual ModelState checks or third-party libraries required.
OutputCache gives you server-controlled caching independent of HTTP headers. Named policies, tag-based invalidation, and vary strategies for production ASP.NET Core applications.
Serilog configuration that survives production: correlation IDs, sensitive data masking, async sinks, and environment-aware log levels.
The Task.Result calls, missing ConfigureAwait, and async void patterns that cause production deadlocks in .NET applications.
The 6 resilience mistakes that turn transient failures into outages, including missing retries, retry storms, broken circuit breakers, no timeouts, and missing fallbacks.
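The middleware-ordering and ForwardedHeaders teasers above state the rules without showing them wired together. The following Program.cs is an added example written for this page, not code from any of the linked articles: it trusts X-Forwarded-* headers only from one hypothetical reverse-proxy address (10.0.0.5 is an assumption), then registers the pipeline in the order the teasers describe, with cookie authentication as the scheme and a per-IP fixed-window rate limit that only partitions correctly because the real client IP has already been restored.

```csharp
using System.Net;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Trust X-Forwarded-For / X-Forwarded-Proto only from our own proxy.
// KnownNetworks/KnownProxies default to loopback; clearing them and adding
// the proxy explicitly is what stops a client from spoofing its IP or scheme.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // assumed proxy address
});

// Cookie scheme with the hardening defaults a browser-facing app needs.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.LoginPath = "/login";
    });
builder.Services.AddAuthorization();

// Per-IP partition: meaningless unless UseForwardedHeaders has already run.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.AddPolicy("per-ip", httpContext =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 10,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0
            }));
});

var app = builder.Build();

app.UseForwardedHeaders();   // 1. restore real scheme and client IP from the trusted proxy
app.UseHttpsRedirection();   // 2. now sees the original scheme, so no redirect loop behind TLS termination
app.UseRouting();            // 3. endpoint is resolved here...
app.UseRateLimiter();        // 4. ...so endpoint policies like RequireRateLimiting apply, keyed by the real IP
app.UseAuthentication();     // 5. populates HttpContext.User from the cookie
app.UseAuthorization();      // 6. enforces RequireAuthorization() against that principal

app.MapGet("/whoami", (HttpContext ctx) => Results.Ok(new
{
    user = ctx.User.Identity?.Name,
    ip = ctx.Connection.RemoteIpAddress?.ToString(),
    scheme = ctx.Request.Scheme
}))
.RequireAuthorization()
.RequireRateLimiting("per-ip");

app.Run();
```

To check the ordering is doing its job, send a request through the proxy and one directly with a forged header: `curl -H "X-Forwarded-For: 1.2.3.4" http://app/whoami` from an address other than the configured proxy should report the connection's own IP, not 1.2.3.4. Swapping UseRateLimiter above UseRouting would make RequireRateLimiting silently ineffective, and swapping UseHttpsRedirection above UseForwardedHeaders would redirect every plain-HTTP hop from the proxy in a loop.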