AGIBuild/middleware-patterns
.cursor/skills/middleware-patterns/SKILL.md
Custom middleware patterns for ASP.NET Core applications. Covers request/response pipeline, middleware ordering, conditional middleware, IMiddleware factory pattern, IExceptionHandler (.NET 8+), and reusable middleware components. Use when creating custom middleware in ASP.NET Core applications, understanding middleware pipeline ordering, or implementing cross-cutting concerns like logging, authentication, and caching.
$ install --global
skillsauthnpx skillsauth add AGIBuild/Fulora middleware-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 11:21 PM350.2s1 file scanned
SKILL.md
- name:
- middleware-patterns
- description:
- Custom middleware patterns for ASP.NET Core applications. Covers request/response pipeline, middleware ordering, conditional middleware, IMiddleware factory pattern, IExceptionHandler (.NET 8+), and reusable middleware components. Use when creating custom middleware in ASP.NET Core applications, understanding middleware pipeline ordering, or implementing cross-cutting concerns like logging, authentication, and caching.
ASP.NET Core Middleware Patterns
Rationale
Middleware is the backbone of ASP.NET Core request processing. Properly designed middleware enables cross-cutting concerns like logging, authentication, and caching. Understanding the pipeline order and middleware patterns is critical for building robust applications.
Pipeline Ordering
Middleware executes in the order it is registered. The order is critical -- placing middleware in the wrong position causes subtle bugs.
Recommended Order
var app = builder.Build();
// 1. Exception handling (outermost -- catches everything below)
app.UseExceptionHandler("/error");
// 2. HSTS (before any response is sent)
if (!app.Environment.IsDevelopment())
{
app.UseHsts();
}
// 3. HTTPS redirection
app.UseHttpsRedirection();
// 4. Static files (short-circuits for static content before routing)
app.UseStaticFiles();
// 5. Routing (matches endpoints but does not execute them yet)
app.UseRouting();
// 6. CORS (must be after routing, before auth)
app.UseCors();
// 7. Authentication (identifies the user)
app.UseAuthentication();
// 8. Authorization (checks permissions against the matched endpoint)
app.UseAuthorization();
// 9. Custom middleware (runs after auth, before endpoint execution)
app.UseRequestLogging();
// 10. Endpoint execution (terminal -- executes the matched endpoint)
app.MapControllers();
app.MapRazorPages();
Why Order Matters
| Mistake | Consequence |
|---------|-------------|
| UseAuthorization() before UseRouting() | Authorization has no endpoint metadata -- all requests pass |
| UseCors() after UseAuthorization() | Preflight requests fail because they lack auth tokens |
| UseExceptionHandler() after custom middleware | Exceptions in custom middleware are unhandled |
| UseStaticFiles() after UseAuthorization() | Static files require authentication unnecessarily |
Pattern 1: Convention-Based Middleware
Convention-based middleware uses a constructor with RequestDelegate and an InvokeAsync method.
public sealed class RequestTimingMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<RequestTimingMiddleware> _logger;
public RequestTimingMiddleware(
RequestDelegate next,
ILogger<RequestTimingMiddleware> logger)
{
_next = next;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context)
{
var stopwatch = Stopwatch.StartNew();
try
{
await _next(context);
}
finally
{
stopwatch.Stop();
_logger.LogInformation(
"Request {Method} {Path} completed in {ElapsedMs}ms with status {StatusCode}",
context.Request.Method,
context.Request.Path,
stopwatch.ElapsedMilliseconds,
context.Response.StatusCode);
}
}
}
public static class RequestTimingMiddlewareExtensions
{
public static IApplicationBuilder UseRequestTiming(this IApplicationBuilder app)
=> app.UseMiddleware<RequestTimingMiddleware>();
}
// Usage in Program.cs
app.UseRequestTiming();
Pattern 2: Factory-Based (IMiddleware)
For middleware that requires scoped services, implement IMiddleware. This uses DI to create middleware instances per-request:
public sealed class TenantMiddleware : IMiddleware
{
private readonly TenantDbContext _db;
public TenantMiddleware(TenantDbContext db)
{
_db = db;
}
public async Task InvokeAsync(HttpContext context, RequestDelegate next)
{
var tenantId = context.Request.Headers["X-Tenant-Id"].FirstOrDefault();
if (tenantId is not null)
{
var tenant = await _db.Tenants.FindAsync(tenantId);
context.Items["Tenant"] = tenant;
}
await next(context);
}
}
// IMiddleware requires explicit DI registration
builder.Services.AddScoped<TenantMiddleware>();
app.UseMiddleware<TenantMiddleware>();
Convention-Based vs IMiddleware
| Aspect | Convention-based | IMiddleware |
|--------|-----------------|---------------|
| Lifetime | Singleton (created once) | Per-request (from DI) |
| Scoped services | Via InvokeAsync parameters only | Via constructor injection |
| Registration | UseMiddleware<T>() only | Requires services.Add*<T>() + UseMiddleware<T>() |
| Performance | Slightly faster | Resolved from DI each request |
Pattern 3: Inline Middleware
For simple, one-off logic:
app.Use -- Pass-Through
app.Use(async (context, next) =>
{
context.Response.Headers["X-Request-Id"] = context.TraceIdentifier;
await next(context);
});
app.Run -- Terminal
app.Run(async context =>
{
await context.Response.WriteAsync("Fallback response");
});
app.Map -- Branch by Path
app.Map("/api/diagnostics", diagnosticApp =>
{
diagnosticApp.Run(async context =>
{
var data = new
{
MachineName = Environment.MachineName,
Timestamp = DateTimeOffset.UtcNow
};
await context.Response.WriteAsJsonAsync(data);
});
});
Pattern 4: Short-Circuit Logic
Middleware can short-circuit the pipeline by not calling next().
Request Validation
public sealed class ApiKeyMiddleware
{
private readonly RequestDelegate _next;
private readonly string _expectedKey;
public ApiKeyMiddleware(RequestDelegate next, IConfiguration config)
{
_next = next;
_expectedKey = config["ApiKey"]
?? throw new InvalidOperationException("ApiKey configuration is required");
}
public async Task InvokeAsync(HttpContext context)
{
if (!context.Request.Headers.TryGetValue("X-Api-Key", out var providedKey)
|| !string.Equals(providedKey, _expectedKey, StringComparison.Ordinal))
{
context.Response.StatusCode = StatusCodes.Status401Unauthorized;
await context.Response.WriteAsJsonAsync(new
{
Error = "Invalid or missing API key"
});
return; // Short-circuit
}
await _next(context);
}
}
Feature Flag Gate
app.UseWhen(
context => context.Request.Path.StartsWithSegments("/beta"),
betaApp =>
{
betaApp.Use(async (context, next) =>
{
var featureManager = context.RequestServices
.GetRequiredService<IFeatureManager>();
if (!await featureManager.IsEnabledAsync("BetaFeatures"))
{
context.Response.StatusCode = StatusCodes.Status404NotFound;
return;
}
await next(context);
});
});
Pattern 5: Request and Response Manipulation
Reading the Request Body
public sealed class RequestLoggingMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger<RequestLoggingMiddleware> _logger;
public RequestLoggingMiddleware(RequestDelegate next, ILogger<RequestLoggingMiddleware> logger)
{
_next = next;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context)
{
context.Request.EnableBuffering();
if (context.Request.ContentLength > 0 && context.Request.ContentLength < 64_000)
{
context.Request.Body.Position = 0;
using var reader = new StreamReader(context.Request.Body, leaveOpen: true);
var body = await reader.ReadToEndAsync();
_logger.LogDebug("Request body for {Path}: {Body}", context.Request.Path, body);
context.Request.Body.Position = 0;
}
await _next(context);
}
}
Modifying the Response
public async Task InvokeAsync(HttpContext context)
{
var originalBodyStream = context.Response.Body;
using var responseBody = new MemoryStream();
context.Response.Body = responseBody;
await _next(context);
context.Response.Body.Seek(0, SeekOrigin.Begin);
var responseText = await new StreamReader(context.Response.Body).ReadToEndAsync();
context.Response.Body.Seek(0, SeekOrigin.Begin);
await responseBody.CopyToAsync(originalBodyStream);
}
Caution: Response body replacement adds memory overhead. Use only for diagnostics.
Pattern 6: Exception Handling Middleware
Built-in Exception Handler
app.UseExceptionHandler(exceptionApp =>
{
exceptionApp.Run(async context =>
{
context.Response.StatusCode = StatusCodes.Status500InternalServerError;
context.Response.ContentType = "application/json";
var exceptionFeature = context.Features.Get<IExceptionHandlerFeature>();
var logger = context.RequestServices.GetRequiredService<ILogger<Program>>();
logger.LogError(exceptionFeature?.Error, "Unhandled exception for {Path}", context.Request.Path);
await context.Response.WriteAsJsonAsync(new
{
Error = "An internal error occurred",
TraceId = context.TraceIdentifier
});
});
});
IExceptionHandler (.NET 8+)
Multiple handlers can be registered and are invoked in order:
public sealed class ValidationExceptionHandler : IExceptionHandler
{
public async ValueTask<bool> TryHandleAsync(
HttpContext context,
Exception exception,
CancellationToken ct)
{
if (exception is not ValidationException validationException)
return false;
context.Response.StatusCode = StatusCodes.Status400BadRequest;
await context.Response.WriteAsJsonAsync(new
{
Error = "Validation failed",
Details = validationException.Errors
}, ct);
return true;
}
}
public sealed class GlobalExceptionHandler(ILogger<GlobalExceptionHandler> logger) : IExceptionHandler
{
public async ValueTask<bool> TryHandleAsync(
HttpContext context,
Exception exception,
CancellationToken ct)
{
logger.LogError(exception, "Unhandled exception");
context.Response.StatusCode = StatusCodes.Status500InternalServerError;
await context.Response.WriteAsJsonAsync(new
{
Error = "An internal error occurred",
TraceId = context.TraceIdentifier
}, ct);
return true;
}
}
builder.Services.AddExceptionHandler<ValidationExceptionHandler>();
builder.Services.AddExceptionHandler<GlobalExceptionHandler>();
builder.Services.AddProblemDetails();
app.UseExceptionHandler();
StatusCodePages for Non-Exception Errors
app.UseStatusCodePagesWithReExecute("/error/{0}");
app.UseStatusCodePages(async context =>
{
context.HttpContext.Response.ContentType = "application/json";
await context.HttpContext.Response.WriteAsJsonAsync(new
{
Error = $"HTTP {context.HttpContext.Response.StatusCode}",
TraceId = context.HttpContext.TraceIdentifier
});
});
Pattern 7: Conditional Middleware
UseWhen -- Conditional Branch (Rejoins Pipeline)
app.UseWhen(
context => context.Request.Path.StartsWithSegments("/api"),
apiApp =>
{
apiApp.UseRateLimiter();
});
MapWhen -- Conditional Branch (Does Not Rejoin)
app.MapWhen(
context => context.WebSockets.IsWebSocketRequest,
wsApp =>
{
wsApp.Run(async context =>
{
using var ws = await context.WebSockets.AcceptWebSocketAsync();
});
});
Environment-Specific Middleware
if (app.Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseSwagger();
app.UseSwaggerUI();
}
else
{
app.UseExceptionHandler("/error");
app.UseHsts();
}
Pattern 8: Branching Middleware
Create completely separate pipelines for different route prefixes:
app.Map("/api", apiApp =>
{
apiApp.UseExceptionHandler("/api/error");
apiApp.UseHttpsRedirection();
apiApp.UseAuthentication();
apiApp.UseAuthorization();
apiApp.UseRateLimiter();
apiApp.MapControllers();
});
app.Map("/webhooks", webhookApp =>
{
webhookApp.UseMiddleware<WebhookSignatureValidation>();
webhookApp.UseMiddleware<WebhookIdempotency>();
webhookApp.MapRazorPages();
});
app.UseExceptionHandler("/Error");
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
Pattern 9: Middleware with Options
public class RateLimitingMiddlewareOptions
{
public int MaxRequestsPerSecond { get; set; } = 10;
public int BurstSize { get; set; } = 20;
public TimeSpan BlockDuration { get; set; } = TimeSpan.FromMinutes(1);
}
public class RateLimitingMiddleware(
RequestDelegate next,
IOptions<RateLimitingMiddlewareOptions> options,
IMemoryCache cache)
{
private readonly RateLimitingMiddlewareOptions _options = options.Value;
public async Task Invoke(HttpContext context)
{
var clientId = GetClientIdentifier(context);
var cacheKey = $"ratelimit:{clientId}";
if (!await TryAcquireTokenAsync(cacheKey))
{
context.Response.StatusCode = StatusCodes.Status429TooManyRequests;
context.Response.Headers.RetryAfter = _options.BlockDuration.TotalSeconds.ToString();
await context.Response.WriteAsync("Rate limit exceeded");
return;
}
await next(context);
}
private string GetClientIdentifier(HttpContext context)
{
return context.User.Identity?.Name ??
context.Connection.RemoteIpAddress?.ToString() ??
"anonymous";
}
private async Task<bool> TryAcquireTokenAsync(string cacheKey) => true;
}
builder.Services.Configure<RateLimitingMiddlewareOptions>(options =>
{
options.MaxRequestsPerSecond = 5;
options.BurstSize = 10;
});
app.UseMiddleware<RateLimitingMiddleware>();
Pattern 10: Middleware Testing
public class MiddlewareTests
{
[Fact]
public async Task SecurityHeadersMiddleware_AddsRequiredHeaders()
{
var middleware = new SecurityHeadersMiddleware(async (context) =>
{
await Task.CompletedTask;
});
var context = new DefaultHttpContext();
await middleware.Invoke(context);
Assert.Equal("nosniff", context.Response.Headers["X-Content-Type-Options"].ToString());
Assert.Equal("DENY", context.Response.Headers["X-Frame-Options"].ToString());
}
[Fact]
public async Task ApiKeyMiddleware_Returns401_WhenKeyMissing()
{
var config = new ConfigurationBuilder()
.AddInMemoryCollection(new[] { new KeyValuePair<string, string?>("ApiKey", "test-key") })
.Build();
var middleware = new ApiKeyMiddleware(async (context) =>
{
await Task.CompletedTask;
}, config);
var context = new DefaultHttpContext();
context.Response.Body = new MemoryStream();
await middleware.Invoke(context);
Assert.Equal(401, context.Response.StatusCode);
}
}
Anti-Patterns
Calling Next After Response Started
// BAD: Calling next after response has started
public async Task Invoke(HttpContext context)
{
await context.Response.WriteAsync("Before");
await next(context); // May fail
await context.Response.WriteAsync("After"); // Won't work
}
// GOOD: Only modify response before calling next
public async Task Invoke(HttpContext context)
{
var originalBody = context.Response.Body;
context.Response.Body = new MemoryStream();
await next(context);
context.Response.Body.Position = 0;
await context.Response.Body.CopyToAsync(originalBody);
}
Not Restoring Context
// BAD: Not restoring HttpContext state
public async Task Invoke(HttpContext context)
{
var originalUser = context.User;
context.User = new ClaimsPrincipal();
await next(context);
// Missing: context.User = originalUser;
}
// GOOD: Always restore state
public async Task Invoke(HttpContext context)
{
var originalUser = context.User;
try
{
context.User = new ClaimsPrincipal();
await next(context);
}
finally
{
context.User = originalUser;
}
}
Key Principles
- Order is everything -- middleware executes top-to-bottom for requests and bottom-to-top for responses
- Exception handler goes first --
UseExceptionHandlermust be outermost - Prefer classes over inline for reusable middleware -- testable, composable, single-responsibility
- Use
IMiddlewarefor scoped dependencies -- convention-based is singleton - Short-circuit intentionally -- always document why a middleware does not call
next() - Avoid response body manipulation in hot paths -- doubles memory usage per request
Agent Gotchas
- Do not place
UseAuthorization()beforeUseRouting()-- authorization requires endpoint metadata. - Do not place
UseCors()afterUseAuthorization()-- CORS preflight requests lack auth tokens. - Do not forget to call
next()in pass-through middleware -- silently short-circuits the pipeline. - Do not read
Request.BodywithoutEnableBuffering()-- the body is forward-only by default. - Do not register
IMiddlewarewithout DI registration -- requires explicitservices.AddScoped<T>(). - Do not write to
Response.Bodyafter callingnext()if downstream has started response -- checkcontext.Response.HasStarted.
References
- ASP.NET Core middleware
- Write custom ASP.NET Core middleware
- Factory-based middleware activation
- Handle errors in ASP.NET Core
- IExceptionHandler in .NET 8
- Exploring ASP.NET Core (Andrew Lock)
Related Skills
AGIBuild/self-improvement
tools
VerifiedTrustedCommunity
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.
8SKILL.mdUpdated Apr 16, 2026
AGIBuild/security-headers
testing
VerifiedTrustedCommunity
Security headers configuration and best practices for ASP.NET Core Razor Pages applications. Covers CSP, HSTS, X-Frame-Options, and comprehensive security middleware setup. Use when configuring security headers in ASP.NET Core applications, implementing Content Security Policy (CSP), or setting up HSTS and other security-related HTTP headers.
8SKILL.mdUpdated Apr 16, 2026
AGIBuild/security-design-review
development
VerifiedTrustedCommunity
Reviews designs and business goals for security vulnerabilities, data protection (in transit/at rest), authorization, and compliance alignment. Use when the user asks for a security review, threat modeling, attack surface analysis, data leakage prevention, or compliance/security assessment.
8SKILL.mdUpdated Apr 16, 2026
AGIBuild/Razor Pages Patterns
development
VerifiedTrustedCommunity
Best practices for building production-grade ASP.NET Core Razor Pages applications. Focuses on structure, lifecycle, binding, validation, security, and maintainability in web apps using Razor Pages as the primary UI framework. Use when building Razor Pages applications, designing PageModels and handlers, implementing model binding and validation, or securing Razor Pages with authentication and authorization.
8SKILL.mdUpdated Apr 16, 2026