Everything you need. In one place — detailed & structured.
1. ASP.NET Core Basics
Routing
Routing matches incoming HTTP requests to endpoints. In ASP.NET Core you can use convention-based routing (with controllers) or endpoint routing (including minimal APIs). Attributes like [Route], [HttpGet] define URL patterns and HTTP verb constraints.
Logging
Built‑in logging abstraction supports providers (Console, Debug, EventLog, etc.). Use ILogger<T> to write structured logs with log levels (Trace → Critical).
Middlewares
Middleware components form the request pipeline. Each piece can inspect, modify, or short‑circuit the request/response. Classic examples: authentication, static files, exception handling. Configured via UseMiddleware<T> or extension methods like app.UseRouting().
Filters and Attributes
Filters run before/after MVC actions. Types: Authorization, Resource, Action, Exception, Result filters. They are often implemented as attributes (e.g., [Authorize], [ServiceFilter]).
Configuration and Options Pattern
Configuration sources (JSON, environment variables, command line) are loaded into key‑value pairs. The Options pattern uses classes bound to configuration sections (e.g., services.Configure<MyOptions>(Configuration)) and injected via IOptions<T>.
Authentication and Authorization
Authentication determines identity (who), authorization determines access (can they?). Schemes (JWT, Cookies, OpenID Connect) are added with AddAuthentication(). Authorization policies with AddAuthorization() and [Authorize] attribute.
Error Handling
Developer Exception Page (UseDeveloperExceptionPage) for dev, UseExceptionHandler for production. Custom middleware can handle errors globally.
Problem Details
RFC 7807 standard for machine‑readable error responses. ProblemDetails class and Results.Problem() in minimal APIs return consistent error payloads (status, title, detail, instance).
HostedService / BackgroundService
IHostedService allows long‑running background tasks. BackgroundService is a base class that simplifies implementation of a background loop (e.g., queue processing, scheduled jobs).
Health Checks
Monitor app and dependency status. Add health checks with AddHealthChecks(), map endpoint with MapHealthChecks(). Can test databases, APIs, or custom probes.
Response Compression
Reduce response size using gzip/brotli. AddResponseCompression() service and UseResponseCompression() middleware. Optionally configure MIME types and compression providers.
Rate Limiting
Introduced in .NET 7, rate limiting restricts number of requests. Use AddRateLimiter() with policies (fixed window, sliding window, token bucket, concurrency). Attach to endpoints with RequireRateLimiting().
API Versioning
Manage breaking changes by versioning APIs. Add AddApiVersioning() – supports URL path, query string, header, or media type versioning. Versions can be applied to controllers or endpoints.
Controllers
Traditional MVC pattern: classes derived from ControllerBase with attributes for routing, actions, and results. Still fully supported and feature‑rich.
Minimal APIs
Lightweight approach with WebApplication and lambda endpoints. Perfect for micro‑services or small endpoints. Supports dependency injection, binding, and results via Results static class.
FastEndpoints
A community library that offers a REPR (Request‑Endpoint‑Response) pattern, alternative to controllers/minimal APIs. Provides high performance, built‑in validation, and better organisation for vertical slices.
2. REST Fundamentals
REST Maturity Model
Leonard Richardson’s model: Level 0 (plain XML/HTTP), Level 1 (resources), Level 2 (HTTP verbs), Level 3 (HATEOAS – hypermedia controls). ASP.NET Core easily supports up to Level 2; Level 3 can be added with hypermedia libraries.
REST Constraints
Uniform interface, client‑server, stateless, cacheable, layered system, code on demand (optional). Following these ensures a true RESTful design.
HTTP Methods
GET (read), POST (create), PUT (replace), PATCH (partial update), DELETE (remove), plus HEAD, OPTIONS. Idempotent: PUT, DELETE, GET (safe). POST is not idempotent.
HTTP Status Codes
1xx (informational), 2xx (success: 200 OK, 201 Created, 204 No Content), 3xx (redirection), 4xx (client error: 400 Bad Request, 401 Unauthorized, 404 Not Found), 5xx (server error: 500).
HATEOAS
Hypermedia as the Engine of Application State. Responses contain links to discover available actions. Not common in most REST APIs but increases discoverability.
Filtering, Sorting, Pagination, Data Shaping
Common query patterns: ?filter=name eq 'john', ?sort=name desc, ?page=2&size=10, ?fields=id,name. Usually implemented manually or with libraries like OData.
3. Data Access
Entity Framework Core
ORM (object‑relational mapper) for .NET. Use LINQ queries, migrations, change tracking. Supports many database providers (SQL Server, PostgreSQL, SQLite, etc.).
Dapper
Micro‑ORM by Stack Overflow. Extremely fast, maps query results to objects with extension methods on IDbConnection. Raw SQL gives full control.
4. Dependency Injection
Microsoft DI
Built‑into the host. Register services with AddSingleton(), AddScoped(), AddTransient(). Lifetime: singleton (single instance), scoped (per request/scope), transient (created each time).
Scrub for Decorators
Microsoft DI lacks built‑in decorator registration. Community libraries (like Scrutor) add Decorate<T>() to enable decorator pattern for cross‑cutting concerns.
5. Validation
FluentValidation
Popular library for building strongly‑typed validation rules with fluent syntax. Integrates with ASP.NET Core via AddFluentValidation(). Supports async, custom validators, and dependency injection.
DataAnnotations
Attributes like [Required], [StringLength], [Range] placed on model properties. Automatically validated by model binding (ModelState.IsValid).
6. Object Mapping
Manual Mapping
Write explicit code to map from one object to another. Clear and performant, but can become repetitive.
AutoMapper ✖
Convention‑based mapper that reduces boilerplate. Use CreateMap<A, B>() and IMapper. Requires configuration and can hide complexity; not always recommended for simple cases.
Mapper✖ / Mapper✖
References to other mapping libraries (e.g., Mapster, TinyMapper) – similar goals: object‑to‑object transformation with different tradeoffs.
7. Logging & Monitoring
Microsoft Logging
Abstraction with ILogger and built‑in providers (console, debug, event source, EventLog, Azure App Services).
Serilog
Structured logging library – writes logs as JSON with rich properties. Sinks for files, Elasticsearch, Seq, etc. Simple configuration with UseSerilog().
NLog (alternative)
Mature logging platform with flexible routing and targets. Supports structured logging and async.
Elasticsearch, Loki, Seq
Log aggregators / search engines: Elastic Stack (Elasticsearch, Logstash, Kibana), Grafana Loki (lightweight, Prometheus‑like), Seq (structured log server with nice UI).
8. API Documentation
Open API
Specification (formerly Swagger) for describing REST APIs using JSON/YAML. ASP.NET Core generates OpenAPI documents via AddOpenApi() (built‑in) or Swashbuckle.
Swagger
Swashbuckle or NSwag generate interactive UI (SwaggerUI) from OpenAPI. Popular for testing endpoints.
Scalar
Modern, open‑source API client / documentation tool (alternative to SwaggerUI). Generates beautiful reference docs from OpenAPI.
9. Security
CORS
Cross‑Origin Resource Sharing. Configure with AddCors() and UseCors(), define policies for allowed origins, methods, headers.
Keycloak
Open Source Identity and Access Management. Integrate via OpenID Connect or OAuth2; Keycloak issues tokens and manages users.
OpenID Connect
Identity layer on top of OAuth2. AddOpenIdConnect() enables authentication with external providers (Azure AD, Keycloak, etc.).
Cookies
Cookie authentication stores user identity in an encrypted cookie. AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) and AddCookie().
JWT (JSON Web Tokens)
Stateless token authentication. Use AddJwtBearer() to validate incoming tokens. Tokens contain claims, signed to prevent tampering.
Refresh Tokens
Long‑lived token that can obtain new access tokens without re‑authentication. Usually stored server‑side and rotated securely.
Basic Auth
Simple scheme: username:password in base64 header. Rarely used without HTTPS, can be implemented with custom middleware or AuthenticationHandler.
Token Auth
General term for token‑based authentication (JWT, opaque tokens).
OAuth 2.0
Authorization framework for delegated access. Flows: authorization code, client credentials, implicit, etc. ASP.NET Core supports via AddOAuth() or higher‑level OpenID Connect.
ASP.NET Core Identity
Membership system: user registration, login, roles, claims, password hashing. Works with EF Core and supports external logins, two‑factor authentication.
10. API Communication
REST
Architectural style using HTTP and JSON/XML – the most common for web APIs.
gRPC
High‑performance RPC framework using Protocol Buffers and HTTP/2. Great for internal microservices. AddGrpc() and create services deriving from Grpc.AspNetCore.
HttpClient & HttpClientFactory
IHttpClientFactory manages HttpClient lifecycle, resilience, and configuration. Add typed or named clients in DI.
GraphQL (HotChocolate)
Query language for APIs. HotChocolate is a GraphQL server for .NET. Define schema, resolvers, and handle queries/mutations/subscriptions.
SOAP (legacy)
Older XML‑based protocol. ASP.NET Core supports SOAP endpoints via libraries like CoreWCF or custom middleware, but usage is declining.
11. Task Scheduling
TickerQ
A lightweight scheduler built on top of Hangfire/Quartz concepts, often used for recurring background jobs with reliable triggers.
Hangfire
Popular library for background jobs. Supports fire‑and‑forget, delayed, recurring tasks with a built‑in dashboard. Uses persistent storage (SQL Server, Redis).
Quartz
Feature‑rich scheduler library. Use with Quartz.Extensions.Hosting to define jobs and triggers (cron expressions).
12. HTTP Clients
Refit
Type‑safe REST client library. Define an interface with methods and attributes; Refit generates implementation using HttpClient.
RestSharp (alternative)
Simple REST client with fluent API for building requests. Less type‑safe than Refit but flexible.
Polly
Resilience and transient‑fault‑handling library. Retries, circuit breakers, timeouts, etc. Integrates with HttpClient via AddPolicyHandler().
Microsoft Resilience
Built‑in resilience mechanisms in .NET 8+ with AddStandardResilienceHandler() (part of Microsoft.Extensions.Http.Resilience). Provides defaults for retries, circuit breaker, hedging.
13. Caching
StackExchange Redis
Powerful Redis client for .NET. Use AddStackExchangeRedisCache() for distributed caching, or as a general data store.
OutputCache
Caches HTTP responses based on configuration (URL, query, headers). Use AddOutputCache() and [OutputCache] attribute or policy.
HybridCache
New in .NET 9 (preview) – combines in‑memory (L1) and distributed (L2) cache with tagging, compression, and stampede protection.
FusionCache
Community library with advanced features: fail‑safe, cache stampede prevention, eager refresh, and support for multiple cache levels (memory + distributed).
14. Real‑Time Communication
WebSockets
Full‑duplex communication over a single TCP connection. Use app.UseWebSockets() and handle connections manually, or abstract with SignalR.
SignalR
Abstraction for real‑time web functionality. Supports WebSockets, Server‑Sent Events, Long Polling. Hubs allow calling client methods from server.
HotChocolate Subscriptions
GraphQL subscriptions provide real‑time updates via WebSockets. HotChocolate implements them with ITopicEventSender and in‑memory or Redis backplane.
The Complete ASP.NET Core 2026 Cheatsheet — detailed explanations for every topic.