.NET Middleware Pipeline Inspector
Interactive ASP.NET Core code editor with middleware pipeline analysis, dependency injection validation, and visual request flow rendering. Edit a real Program.cs and see how middleware ordering affects the HTTP request lifecycle — the same architecture patterns built at Kiwibank and Rapid7.
Getting Started • The editor loads a production ASP.NET Core Program.cs with middleware and DI registrations • Read the code — it configures authentication, rate limiting, caching, and health checks Interact • Click 'Build & Analyze' to parse the code and generate the pipeline diagram • Edit the C# code — reorder middleware, add or remove app.UseXxx() calls • Try moving UseAuthorization() before UseAuthentication() to see a validation error • Try removing UseExceptionHandler() to see a security warning Observe • The pipeline diagram shows each middleware as a stage in the HTTP request lifecycle • Requests flow DOWN through middleware, responses flow UP • Service registrations are grouped by DI lifetime (Singleton, Scoped, Transient) • Validation output catches ordering errors and security concerns
Need Cloud Infrastructure & Platform Engineering?
From prototypes to production-grade systems.
The Problem: Invisible Architecture
ASP.NET Core’s middleware pipeline is powerful but opaque. The order of app.UseXxx() calls determines how every HTTP request is processed — authentication before authorization, exception handling before everything, CORS before authentication for preflight requests. A single misordering causes subtle, hard-to-debug failures that only manifest under specific conditions.
At Kiwibank, the middleware pipeline for the banking API proxy was 15+ stages deep. At Rapid7, the threat intelligence ingestion API needed precise ordering of rate limiting, authentication, and error handling to maintain both security and reliability under load.
Middleware Pipeline Architecture
ASP.NET Core processes every HTTP request through a chain of middleware components, each of which can:
- Short-circuit the pipeline (e.g., authentication rejects an unauthenticated request).
- Transform the request or response (e.g., HTTPS redirection, output caching).
- Pass through to the next middleware in the chain.
The critical insight is that order matters. Exception handling must wrap everything. Authentication must precede authorization. CORS must process preflight requests before the auth layer rejects them.
Dependency Injection Lifetimes
The service container manages three lifetimes:
- Singleton — One instance for the application’s lifetime. Shared across all requests.
- Scoped — One instance per HTTP request. Safe for request-specific state (DbContext).
- Transient — A new instance every time it’s requested. Lightweight stateless services.
Lifetime mismatches (e.g., a Singleton consuming a Scoped service) cause the captive dependency anti-pattern — subtle bugs that leak request-specific state across users.
Real-World Application
This tool validates the same patterns used in production:
- Kiwibank: API gateway middleware managing JWT authentication, request correlation IDs, and response caching for the banking platform.
- Rapid7: Rate-limited ingestion endpoints with custom middleware for threat intelligence data validation and backpressure signaling.