1. Not Using Dependency Injection Properly
The mistake:
Registering services incorrectly or injecting IServiceProvider everywhere.
Fix it:
Stick to constructor injection and use the correct lifetime:
Singleton → One instance for the app lifetime
Scoped → One per HTTP request
Transient → New every time it’s requested
services.AddScoped<IMyService, MyService>();
2. Forgetting to Validate User Input
The mistake:
Assuming data from the client is always safe.
Fix it:
Use [Required], [StringLength], [EmailAddress], and model validation.
[HttpPost]
public IActionResult Register(UserModel model)
{
    // Reject the request before touching any business logic if the
    // data annotations on UserModel were not satisfied.
    if (!ModelState.IsValid)
        return BadRequest(ModelState);

    // Continue...
    return Ok();
}
3. Hardcoding Configuration Settings
The mistake:
Hardcoding connection strings, API keys, etc. in Startup.cs.
Fix it:
Use appsettings.json, environment variables, and IConfiguration.
// appsettings.json
{
  "ConnectionStrings": {
    "Default": "Server=.;Database=MyDb;Trusted_Connection=True;"
  }
}
4. Ignoring Asynchronous Programming
The mistake:
Using synchronous calls (.Result, .Wait()) in async methods.
Fix it:
Use async/await properly to avoid deadlocks and improve scalability.
public async Task<IActionResult> GetUsers()
{
    var users = await _dbContext.Users.ToListAsync();
    return Ok(users);
}
5. Not Handling Exceptions Gracefully
The mistake:
Letting unhandled exceptions expose stack traces in production.
Fix it:
Use middleware like UseExceptionHandler and log exceptions; keep UseDeveloperExceptionPage for the Development environment only.
app.UseExceptionHandler("/Home/Error");
6. Overusing Controllers for Business Logic
The mistake:
Putting too much logic inside controllers.
Fix it:
Use Services or Command Handlers to keep controllers clean.
public class UserService : IUserService
{
    public Task CreateUserAsync(UserDto dto)
    {
        // Business logic
        return Task.CompletedTask;
    }
}
7. Not Enabling HTTPS and Security Headers
The mistake:
Running apps without HTTPS or headers like HSTS.
Fix it:
Use UseHttpsRedirection() and configure security headers with middleware.
app.UseHttpsRedirection();
app.UseHsts();
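As an added example (not code from the original post), here is a minimal Program.cs that wires up HSTS, HTTPS redirection and a small inline middleware that sets common security headers on every response. The HSTS max-age and the header values are assumptions to tune per application.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// HSTS options (assumed values): one year, applied to subdomains as well.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Emit Strict-Transport-Security only outside Development, as the
    // default project template does, so local HTTP testing keeps working.
    app.UseHsts();
}

// Redirect plain-HTTP requests to HTTPS before any endpoint runs.
app.UseHttpsRedirection();

// Inline middleware: add security headers to every response.
// Registered early so it also covers error responses produced later.
app.Use(async (context, next) =>
{
    var headers = context.Response.Headers;
    headers["X-Content-Type-Options"] = "nosniff";   // no MIME sniffing
    headers["X-Frame-Options"] = "DENY";             // no framing (clickjacking)
    headers["Referrer-Policy"] = "no-referrer";      // do not leak URLs
    // Baseline CSP (assumed): only same-origin resources, no framing.
    headers["Content-Security-Policy"] =
        "default-src 'self'; frame-ancestors 'none'";
    await next();
});

app.MapGet("/", () => "ok");

app.Run();
```

Check the result with a browser's network tab or curl -I against the running app; every response should carry the four headers above and, outside Development, Strict-Transport-Security.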
8. Not Using Middleware Effectively
The mistake:
Handling authentication, logging, or CORS manually in each controller.
Fix it:
Use built-in or custom middleware for cross-cutting concerns.
app.UseAuthentication();
app.UseAuthorization();
app.UseCors("MyPolicy");
9. Missing Out on API Versioning
The mistake:
Changing live APIs without versioning them, which breaks existing clients.
Fix it:
Use Microsoft’s Asp.Versioning package (formerly Microsoft.AspNetCore.Mvc.Versioning).
[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/[controller]")]
public class UsersController : ControllerBase
{
    // Actions...
}
10. Not Writing Unit Tests
The mistake:
Skipping tests or testing only controllers.
Fix it:
Write unit tests for services, validation, and business logic using xUnit, Moq, etc.
[Fact]
public void AddUser_ShouldReturnTrue_WhenUserIsValid()
{
    // Arrange, Act, Assert
}
🧠 Final Thoughts
Mistakes are part of every developer’s journey. The key is to recognise them early and build better habits.
By following these best practices, you’ll make your ASP.NET Core apps more secure, scalable, and maintainable.
✍️ Over to You
Have you encountered any of these mistakes before?
Got another ASP.NET Core "gotcha" to share?
Drop a comment or connect with me!