Agent skills
dotnet-aspnet-core

Agent skill

dotnet-aspnet-core

Build, debug, modernize, or review ASP.NET Core applications with correct hosting, middleware, security, configuration, logging, and deployment patterns on current .NET.

View SKILL.md on GitHub Repository

Stars 302

Forks 22

Install this agent skill to your Project

npx add-skill https://github.com/managedcode/dotnet-skills/tree/main/catalog/Frameworks/ASP.NET-Core/skills/dotnet-aspnet-core

SKILL.md

ASP.NET Core

Trigger On

working on ASP.NET Core apps, services, or middleware
changing auth, routing, configuration, hosting, or deployment behavior
deciding between ASP.NET Core sub-stacks such as Blazor, Minimal APIs, or controller APIs
debugging request pipeline issues
modernizing legacy ASP.NET to ASP.NET Core

Documentation

References

patterns.md - Detailed middleware patterns, security patterns, configuration patterns, DI patterns, error handling patterns, and logging patterns
anti-patterns.md - Common ASP.NET Core mistakes including HttpClient misuse, async anti-patterns, configuration errors, DI issues, middleware ordering problems, and security vulnerabilities

Workflow

Detect the real hosting shape first:
- top-level Program.cs structure
- middleware order and registration
- auth model (Identity, JWT, OAuth, cookies)
- endpoint registrations and routing

Follow the correct middleware order:

ExceptionHandler → HttpsRedirection → Static Files → Routing
→ CORS → Authentication → Authorization → Rate Limiting
→ Response Caching → Custom Middleware → Endpoints

Use built-in patterns correctly:
- Prefer IOptions<T> / IOptionsSnapshot<T> for configuration
- Use ILogger<T> for structured logging
- Use IHttpClientFactory for HTTP clients (never new HttpClient())
- Use IHostedService / BackgroundService for background work
Route specialized work to specific skills:
- UI and components → dotnet-blazor
- Real-time → dotnet-signalr
- RPC → dotnet-grpc
- New HTTP APIs → dotnet-minimal-apis (prefer unless controllers needed)
- Controller APIs → dotnet-web-api
Validate with build, tests, and targeted endpoint checks.

Middleware Patterns

Correct Order Matters

csharp

var app = builder.Build();

app.UseExceptionHandler("/error");      // 1. Catch all exceptions
app.UseHsts();                          // 2. Security headers
app.UseHttpsRedirection();              // 3. HTTPS redirect
app.UseStaticFiles();                   // 4. Serve static files
app.UseRouting();                       // 5. Route matching
app.UseCors();                          // 6. CORS policy
app.UseAuthentication();                // 7. Who are you?
app.UseAuthorization();                 // 8. Can you access?
app.UseRateLimiter();                   // 9. Rate limiting
app.UseResponseCaching();               // 10. Response cache
app.MapControllers();                   // 11. Endpoints

Custom Middleware Pattern

csharp

public class RequestTimingMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<RequestTimingMiddleware> _logger;

    public RequestTimingMiddleware(RequestDelegate next, ILogger<RequestTimingMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var sw = Stopwatch.StartNew();
        await _next(context);
        _logger.LogInformation("Request {Path} completed in {Elapsed}ms",
            context.Request.Path, sw.ElapsedMilliseconds);
    }
}

Configuration Patterns

Strongly-Typed Options

csharp

// appsettings.json
{
  "EmailSettings": {
    "SmtpServer": "smtp.example.com",
    "Port": 587
  }
}

// Registration
builder.Services.Configure<EmailSettings>(
    builder.Configuration.GetSection("EmailSettings"));

// Usage
public class EmailService(IOptions<EmailSettings> options)
{
    private readonly EmailSettings _settings = options.Value;
}

Environment-Based Configuration

csharp

builder.Configuration
    .AddJsonFile("appsettings.json", optional: false)
    .AddJsonFile($"appsettings.{builder.Environment.EnvironmentName}.json", optional: true)
    .AddEnvironmentVariables()
    .AddUserSecrets<Program>(optional: true);

Security Patterns

Authentication Setup

csharp

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
        };
    });

Authorization Policies

csharp

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireRole("Admin"));
    options.AddPolicy("MinAge18", policy =>
        policy.RequireClaim("Age", "18", "19", "20")); // simplified
});

Anti-Patterns to Avoid

Anti-Pattern	Why It's Bad	Better Approach
`new HttpClient()`	Socket exhaustion	`IHttpClientFactory`
Sync-over-async (`Task.Result`)	Thread pool starvation	`await` properly
Storing secrets in `appsettings.json`	Security risk	User Secrets, Key Vault
Catching all exceptions silently	Hides bugs	Use `IExceptionHandler`
`async void` in middleware	Crashes process	`async Task`
Missing HTTPS redirect	Security risk	`UseHttpsRedirection()`

Performance Best Practices

Use async/await everywhere — avoid sync blocking calls
Pool DbContext properly — use scoped lifetime
Enable response compression — UseResponseCompression()
Use output caching — UseOutputCache() for .NET 7+
Profile with diagnostic tools — Visual Studio Diagnostic Tools, PerfView
Avoid allocations in hot paths — use Span<T>, pooling

Deliver

production-credible ASP.NET Core code and config
a clear request pipeline and hosting story
verification that matches the affected endpoints and middleware
security headers and HTTPS configured correctly

Validate

middleware order is intentional and documented
security and configuration changes are explicit
endpoint behavior is covered by tests or smoke checks
no blocking calls in async context
secrets are not committed to source control
health checks are implemented for production readiness

Maintainer

managedcode Core maintainer

Source details

Full Name: managedcode/dotnet-skills
Branch: main
Path in repo: catalog/Frameworks/ASP.NET-Core/skills/dotnet-aspnet-core
License: MIT License
Topics: claude-code skills codex gemini copilot dotnet dotnet-skills

Featured Tools

Join Our Newsletter

Stay updated with the latest AI tools, news, and offers by subscribing to our weekly newsletter.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

managedcode/dotnet-skills

dotnet-project-setup

Create or reorganize .NET solutions with clean project boundaries, repeatable SDK settings, and a maintainable baseline for libraries, apps, tests, CI, and local development.

302 22

Explore

managedcode/dotnet-skills

csharp-scripts

Run single-file C# programs as scripts (file-based apps) for quick experimentation, prototyping, and concept testing. Use when the user wants to write and execute a small C# program without creating a full project.

302 22

Explore

managedcode/dotnet-skills

dotnet-pinvoke

Correctly call native (C/C++) libraries from .NET using P/Invoke and LibraryImport. Covers function signatures, string marshalling, memory lifetime, SafeHandle, and cross-platform patterns. USE FOR: writing new P/Invoke or LibraryImport declarations, reviewing or debugging existing native interop code, wrapping a C or C++ library for use in .NET, diagnosing crashes, memory leaks, or corruption at the managed/native boundary. DO NOT USE FOR: COM interop, C++/CLI mixed-mode assemblies, or pure managed code with no native dependencies.

302 22

Explore

managedcode/dotnet-skills

nuget-trusted-publishing

Set up NuGet trusted publishing (OIDC) on a GitHub Actions repo — replaces long-lived API keys with short-lived tokens. USE FOR: trusted publishing, NuGet OIDC, keyless NuGet publish, migrate from NuGet API key, NuGet/login, secure NuGet publishing. DO NOT USE FOR: publishing to private feeds or Azure Artifacts (OIDC is nuget.org only). INVOKES: shell (powershell or bash), edit, create, ask_user for guided repo setup.

302 22

Explore

managedcode/dotnet-skills

dotnet-legacy-aspnet

Maintain classic ASP.NET applications on .NET Framework, including Web Forms, older MVC, and legacy hosting patterns, while planning realistic modernization boundaries.

302 22

Explore

managedcode/dotnet-skills

dotnet-code-review

Review .NET changes for bugs, regressions, architectural drift, missing tests, incorrect async or disposal behavior, and platform-specific pitfalls before you approve or merge them.

302 22

Explore

Didn't find tool you were looking for?

Search AI Tools

Install this agent skill to your Project

SKILL.md

ASP.NET Core

Trigger On

Documentation

References

Workflow

Middleware Patterns

Correct Order Matters

Custom Middleware Pattern

Configuration Patterns

Strongly-Typed Options

Environment-Based Configuration

Security Patterns

Authentication Setup

Authorization Policies

Anti-Patterns to Avoid

Performance Best Practices

Deliver

Validate

Recommended Agent Skills

dotnet-project-setup

csharp-scripts

dotnet-pinvoke

nuget-trusted-publishing

dotnet-legacy-aspnet

dotnet-code-review