Forem: Donia Shaban The latest articles on Forem by Donia Shaban (@donia_shaban_757cda160187). https://forem.com/donia_shaban_757cda160187 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2882021%2F9d90e811-132f-4f11-90cc-8aca36ccda35.jpg Forem: Donia Shaban https://forem.com/donia_shaban_757cda160187 en Rate Limiting in ASP.NET Core Donia Shaban Sat, 23 May 2026 05:59:50 +0000 https://forem.com/donia_shaban_757cda160187/rate-limiting-in-aspnet-core-5elf https://forem.com/donia_shaban_757cda160187/rate-limiting-in-aspnet-core-5elf <h3> What is Rate Limiting? </h3> <p>Rate limiting controls how many requests a client can make to your API within a specific time window. ASP.NET Core 7+ ships with built-in rate limiting middleware, so you don't need any third-party packages. It protects your API from abuse (DoS attacks), ensures fair usage among clients, controls infrastructure costs, and keeps the service stable under load.</p> <h3> Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Threading.RateLimiting</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.RateLimiting</span><span class="p">;</span> </code></pre> </div> <p>These two namespaces are essential. <code>System.Threading.RateLimiting</code> contains the core algorithms and options classes. <code>Microsoft.AspNetCore.RateLimiting</code> contains the middleware and the <code>[EnableRateLimiting]</code> / <code>[DisableRateLimiting]</code> attributes.</p> <h3> Registering the Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddRateLimiter</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="p">});</span> </code></pre> </div> <p>This registers the rate limiter service with the DI container. Inside the lambda you define one or more <strong>policies</strong> — each policy is a named rule that you can apply to endpoints later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">UseRateLimiter</span><span class="p">();</span> </code></pre> </div> <p>This plugs the middleware into the pipeline. It must be called <strong>before</strong> <code>app.MapControllers()</code> so it intercepts requests before they reach your controllers.</p> <h3> Policy 1 — Fixed Window Limiter (<code>"DefaultPolicy"</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="nf">AddFixedWindowLimiter</span><span class="p">(</span><span class="s">"DefaultPolicy"</span><span class="p">,</span> <span class="n">limiterOptions</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">Window</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">1</span><span class="p">);</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">100</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueProcessingOrder</span> <span class="p">=</span> <span class="n">QueueProcessingOrder</span><span class="p">.</span><span class="n">OldestFirst</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueLimit</span> <span class="p">=</span> <span class="m">10</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>The idea:</strong> Time is divided into fixed, non-overlapping windows (e.g. 0:00–1:00, 1:00–2:00, ...). Each window gets a fresh counter. The moment the window ends, the counter resets completely regardless of when requests arrived inside it.</p> <p><strong>Line by line:</strong></p> <ul> <li> <code>Window = TimeSpan.FromMinutes(1)</code> — each time window lasts 1 minute. When the minute ends, the counter resets to zero.</li> <li> <code>PermitLimit = 100</code> — at most 100 requests are allowed within each 1-minute window. Request #101 gets rejected with HTTP 429 Too Many Requests.</li> <li> <code>QueueProcessingOrder = QueueProcessingOrder.OldestFirst</code> — when the limit is hit, excess requests can be queued. This says: serve the oldest waiting request first (FIFO). The alternative is <code>NewestFirst</code> (LIFO).</li> <li> <code>QueueLimit = 10</code> — at most 10 requests can wait in the queue. If the queue is also full, the request is immediately rejected without waiting.</li> </ul> <p><strong>The problem with Fixed Window:</strong> If 100 requests arrive in the last 5 seconds of minute 1, and another 100 arrive in the first 5 seconds of minute 2, you get 200 requests in a 10-second span — a burst — because both windows reset independently. This is why Sliding Window exists.</p> <h3> Policy 2 — Sliding Window Limiter (<code>"SlidingWindow"</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="nf">AddSlidingWindowLimiter</span><span class="p">(</span><span class="s">"SlidingWindow"</span><span class="p">,</span> <span class="n">limiterOptions</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">Window</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">1</span><span class="p">);</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">100</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueProcessingOrder</span> <span class="p">=</span> <span class="n">QueueProcessingOrder</span><span class="p">.</span><span class="n">OldestFirst</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueLimit</span> <span class="p">=</span> <span class="m">10</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">SegmentsPerWindow</span> <span class="p">=</span> <span class="m">6</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">AutoReplenishment</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>The idea:</strong> Instead of one big window, the window is split into smaller <strong>segments</strong>. As each segment expires, the requests that were counted in that segment become available again. The window "slides" forward segment by segment, so limits are enforced more smoothly and bursts at window boundaries are prevented.</p> <p><strong>Line by line:</strong></p> <ul> <li> <code>Window = TimeSpan.FromMinutes(1)</code> — the total window is still 1 minute.</li> <li> <code>PermitLimit = 100</code> — still 100 requests per window overall.</li> <li> <code>SegmentsPerWindow = 6</code> — the 1-minute window is split into 6 segments of 10 seconds each. Every 10 seconds, the oldest segment "falls off" and its request count is freed up.</li> <li> <code>AutoReplenishment = true</code> — the replenishment (freeing up expired segments) happens automatically in the background. If you set this to <code>false</code>, you'd have to call <code>TryReplenish()</code> manually, which is rare.</li> <li> <code>QueueProcessingOrder</code> and <code>QueueLimit</code> — same meaning as Fixed Window above.</li> </ul> <p><strong>Concrete example:</strong> At second 0 you send 100 requests. At second 10, segment 1 expires, freeing 10 slots (100/6 ≈ 16 per segment, but proportionally). The counter decrements gradually rather than resetting all at once — much fairer and burst-resistant.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7wlrzuw0hnxdgrvpxvhz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7wlrzuw0hnxdgrvpxvhz.png" alt="interactive" width="799" height="443"></a></p> <h3> Policy 3 — Concurrency Limiter (<code>"Concurrency"</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="nf">AddConcurrencyLimiter</span><span class="p">(</span><span class="s">"Concurrency"</span><span class="p">,</span> <span class="n">limiterOptions</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">50</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueProcessingOrder</span> <span class="p">=</span> <span class="n">QueueProcessingOrder</span><span class="p">.</span><span class="n">OldestFirst</span><span class="p">;</span> <span class="n">limiterOptions</span><span class="p">.</span><span class="n">QueueLimit</span> <span class="p">=</span> <span class="m">100</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p><strong>The idea:</strong> This doesn't care about time windows at all. It limits how many requests are being <strong>processed simultaneously</strong> at any given moment. Think of it like a semaphore — a permit is acquired when a request enters and released when it finishes.</p> <p><strong>Line by line:</strong></p> <ul> <li> <code>PermitLimit = 50</code> — at most 50 requests can be actively running at the same time. If a 51st request comes in while all 50 slots are busy, it either queues or gets rejected.</li> <li> <code>QueueLimit = 100</code> — up to 100 requests can wait in line for a slot to free up.</li> <li> <code>QueueProcessingOrder = QueueProcessingOrder.OldestFirst</code> — the oldest queued request gets the next freed slot.</li> </ul> <p><strong>When to use it:</strong> Ideal for protecting expensive operations like DB-heavy endpoints or file processing, where you care about CPU/connection pool exhaustion rather than request rate over time.</p> <h3> Policy 4 — Per-User Policy (<code>"ApiUserPolicy"</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"ApiUserPolicy"</span><span class="p">,</span> <span class="n">httpContext</span> <span class="p">=&gt;</span> <span class="n">RateLimitPartition</span><span class="p">.</span><span class="nf">GetFixedWindowLimiter</span><span class="p">(</span> <span class="n">partitionKey</span><span class="p">:</span> <span class="n">httpContext</span><span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="n">Identity</span><span class="p">?.</span><span class="n">Name</span> <span class="p">??</span> <span class="s">"anonymous"</span><span class="p">,</span> <span class="n">factory</span><span class="p">:</span> <span class="n">_</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">FixedWindowRateLimiterOptions</span> <span class="p">{</span> <span class="n">Window</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">1</span><span class="p">),</span> <span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">1000</span><span class="p">,</span> <span class="n">AutoReplenishment</span> <span class="p">=</span> <span class="k">true</span> <span class="p">}));</span> </code></pre> </div> <p><strong>The idea:</strong> This is a <strong>partitioned</strong> policy — meaning each user gets their own independent rate limit counter. User A's requests don't affect User B's quota. This is how real-world APIs (like GitHub's API) work: each authenticated user has their own limit.</p> <p><strong>Line by line:</strong></p> <ul> <li> <code>RateLimitPartition.GetFixedWindowLimiter(...)</code> — creates a Fixed Window limiter, but partitioned per key rather than global.</li> <li> <code>partitionKey: httpContext.User.Identity?.Name ?? "anonymous"</code> — the partition key is the <strong>authenticated username</strong>. If the user is not authenticated, all unauthenticated users share the key <code>"anonymous"</code> (meaning they share one limit together — a deliberate design to pressure them into authenticating).</li> <li> <code>PermitLimit = 1000</code> — authenticated users get a generous limit of 1000 requests/minute, suitable for API consumers with tokens.</li> <li> <code>AutoReplenishment = true</code> — the window resets automatically without manual intervention.</li> </ul> <h3> Policy 5 — Per-IP Policy (<code>"IpPolicy"</code>) </h3> <p>csharp<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"IpPolicy"</span><span class="p">,</span> <span class="n">httpContext</span> <span class="p">=&gt;</span> <span class="n">RateLimitPartition</span><span class="p">.</span><span class="nf">GetSlidingWindowLimiter</span><span class="p">(</span> <span class="n">partitionKey</span><span class="p">:</span> <span class="n">httpContext</span><span class="p">.</span><span class="n">Connection</span><span class="p">.</span><span class="n">RemoteIpAddress</span><span class="p">?.</span><span class="nf">ToString</span><span class="p">()</span> <span class="p">??</span> <span class="s">"unknown"</span><span class="p">,</span> <span class="n">factory</span><span class="p">:</span> <span class="n">_</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">SlidingWindowRateLimiterOptions</span> <span class="p">{</span> <span class="n">Window</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">1</span><span class="p">),</span> <span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">100</span><span class="p">,</span> <span class="n">SegmentsPerWindow</span> <span class="p">=</span> <span class="m">6</span><span class="p">,</span> <span class="n">AutoReplenishment</span> <span class="p">=</span> <span class="k">true</span> <span class="p">}));</span> </code></pre> </div> <p><strong>The idea:</strong> Same partitioned concept as above, but the partition key is the <strong>client's IP address</strong> instead of the username. This is useful for public endpoints where users aren't authenticated — you limit by IP to prevent one machine from hammering your API.</p> <p><strong>Line by line:</strong></p> <ul> <li> <code>partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown"</code> — extracts the caller's IP address as a string (e.g. <code>"192.168.1.5"</code>). If somehow the IP can't be determined, falls back to <code>"unknown"</code>.</li> <li>Uses a Sliding Window internally (same as Policy 2) — smoother enforcement, no burst problem at boundaries.</li> <li> <code>PermitLimit = 100</code> with <code>SegmentsPerWindow = 6</code> — each IP gets 100 requests/minute, enforced per 10-second segments.</li> </ul> <h3> Applying Policies to Endpoints </h3> <p>There are two ways:</p> <p><strong>Via attribute on a Controller action:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">EnableRateLimiting</span><span class="p">(</span><span class="n">policyName</span><span class="p">:</span> <span class="s">"DefaultPolicy"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Get</span><span class="p">(...)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>The <code>[EnableRateLimiting]</code> attribute on the <code>Get</code> action tells the middleware: apply <code>"DefaultPolicy"</code> to this specific endpoint. Other actions in the same controller (like <code>GetById</code>, <code>Post</code>, <code>Put</code>, <code>Delete</code>) have no attribute, so they are <strong>not rate-limited</strong> by default.</p> <p><strong>Via Minimal API:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/api/products-mn"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(...)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}).</span><span class="nf">RequireRateLimiting</span><span class="p">(</span><span class="s">"DefaultPolicy"</span><span class="p">);</span> </code></pre> </div> <p>For Minimal APIs, you chain <code>.RequireRateLimiting("policyName")</code> on the endpoint definition. The second Minimal API endpoint (<code>/api/products-mn/{productId:int}</code>) has no <code>.RequireRateLimiting()</code> call, so it's unrestricted.</p> <h3> What Happens When the Limit is Exceeded? </h3> <p>When a request is rejected (limit hit + queue full), the middleware automatically returns <strong>HTTP 429 Too Many Requests</strong>. You can customize the rejection response globally using <code>options.OnRejected</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">options</span><span class="p">.</span><span class="n">OnRejected</span> <span class="p">=</span> <span class="k">async</span> <span class="p">(</span><span class="n">context</span><span class="p">,</span> <span class="n">cancellationToken</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="n">StatusCode</span> <span class="p">=</span> <span class="m">429</span><span class="p">;</span> <span class="k">await</span> <span class="n">context</span><span class="p">.</span><span class="n">HttpContext</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="nf">WriteAsync</span><span class="p">(</span><span class="s">"Too many requests. Please slow down."</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> Summary of All Policies </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Policy</th> <th>Algorithm</th> <th>Limit</th> <th>Partition By</th> </tr> </thead> <tbody> <tr> <td>DefaultPolicy</td> <td>Fixed Window</td> <td>100 req/min</td> <td>Global</td> </tr> <tr> <td>SlidingWindow</td> <td>Sliding Window</td> <td>100 req/min</td> <td>Global</td> </tr> <tr> <td>Concurrency</td> <td>Concurrency</td> <td>50 simultaneous</td> <td>Global</td> </tr> <tr> <td>ApiUserPolicy</td> <td>Fixed Window</td> <td>1000 req/min</td> <td>Per username</td> </tr> <tr> <td>IpPolicy</td> <td>Sliding Window</td> <td>100 req/min</td> <td>Per IP address</td> </tr> </tbody> </table></div> api csharp dotnet security Caching in ASP.NET Core Donia Shaban Wed, 20 May 2026 03:35:57 +0000 https://forem.com/donia_shaban_757cda160187/caching-in-aspnet-core-29e https://forem.com/donia_shaban_757cda160187/caching-in-aspnet-core-29e <h2> Caching in ASP.NET Core — A Complete Guide </h2> <p>Caching is the single most impactful performance optimization you can apply to a web app. The idea is simple: instead of recomputing or re-fetching the same data on every request, you store it somewhere fast and serve it from there. ASP.NET Core gives you three distinct caching mechanisms, each operating at a different layer of your app. Let's break each one down.</p> <h3> Why do we actually use caching? </h3> <p>A <strong>100ms delay causes 7% fewer conversions</strong> — meaning if your checkout page takes even one tenth of a second longer, you statistically lose customers. Amazon calculated this years ago and it still holds. A <strong>3-second load time loses 40% of users</strong> entirely — they leave before the page finishes.</p> <p>The reason caching is the go-to fix is the bottleneck breakdown the PDF shows: <strong>60% of slowness comes from the database</strong>, 25% from slow API calls, and only 15% from memory/other issues. Caching directly attacks the biggest problem — the DB. Instead of hitting SQL Server 1000 times for the same product data, you hit it once and serve the cached result 999 times. That's where the "80–90% DB load reduction" figure comes from.</p> <p>The Netflix example (70% startup time reduction) is real — they heavily cache user profiles, recommendation lists, and content metadata in Redis so that when you open the app, almost nothing needs a live DB query.</p> <h3> Where do the actual problems come from? </h3> <p><strong>Database (60% of problems)</strong> — This is the classic N+1 query problem, missing indexes, fetching entire tables when you need 3 rows, and hitting the DB on every single request for data that barely changes (like a list of product categories). Caching fixes this directly.</p> <p><strong>APIs (25% of problems)</strong> — Calling external services (payment gateways, weather APIs, third-party data) on every request. If you call an exchange rate API on every page load, you're adding 200–500ms of network latency every time. Cache that response for 5 minutes and the latency disappears.</p> <p><strong>Memory (15% of problems)</strong> — This is actually caused by bad caching, not a lack of it. When you cache without expiration policies or cache huge objects carelessly, you put pressure on the GC (Garbage Collector). The server starts spending CPU time collecting memory instead of serving requests. This is why the "set expiration policies" rule matters so much — cache is not free RAM, it's borrowed RAM.</p> <p>The performance metrics from the PDF are also worth internalizing for your own apps: target average response time under 200ms, keep CPU below 70%, memory below 80%, and HTTP 5xx errors below 0.1%. Those are the numbers you'd put on a production monitoring dashboard.</p> <h3> 1. In-Memory Cache (<code>IMemoryCache</code>) </h3> <p><strong>What it is:</strong> Data is stored directly in the server process's RAM. It's the fastest cache available — a dictionary lookup with no network round-trip.</p> <p><strong>Where it lives:</strong> Inside your application process. If you restart the server, the cache is gone. If you have multiple servers behind a load balancer, each server has its own isolated cache.</p> <p><strong>Best for:</strong> Single-server apps, frequently read but rarely changed data (e.g., lookup tables, config values, user roles).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwkeua049c5vdfwbj4gj.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwkeua049c5vdfwbj4gj.jpg" alt="in_memory_cache_flow" width="800" height="306"></a></p> <p><strong>How to use it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddMemoryCache</span><span class="p">();</span> <span class="c1">// In your service</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ProductService</span><span class="p">(</span><span class="n">IMemoryCache</span> <span class="n">cache</span><span class="p">,</span> <span class="n">AppDbContext</span> <span class="n">db</span><span class="p">)</span> <span class="p">{</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">Product</span><span class="p">?&gt;</span> <span class="nf">GetProductAsync</span><span class="p">(</span><span class="kt">int</span> <span class="n">id</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">cache</span><span class="p">.</span><span class="nf">TryGetValue</span><span class="p">(</span><span class="s">$"product:</span><span class="p">{</span><span class="n">id</span><span class="p">}</span><span class="s">"</span><span class="p">,</span> <span class="k">out</span> <span class="n">Product</span><span class="p">?</span> <span class="n">cached</span><span class="p">))</span> <span class="k">return</span> <span class="n">cached</span><span class="p">;</span> <span class="kt">var</span> <span class="n">product</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Products</span><span class="p">.</span><span class="nf">FindAsync</span><span class="p">(</span><span class="n">id</span><span class="p">);</span> <span class="kt">var</span> <span class="n">options</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">MemoryCacheEntryOptions</span><span class="p">()</span> <span class="p">.</span><span class="nf">SetAbsoluteExpiration</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">10</span><span class="p">))</span> <span class="p">.</span><span class="nf">SetSlidingExpiration</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">2</span><span class="p">));</span> <span class="n">cache</span><span class="p">.</span><span class="nf">Set</span><span class="p">(</span><span class="s">$"product:</span><span class="p">{</span><span class="n">id</span><span class="p">}</span><span class="s">"</span><span class="p">,</span> <span class="n">product</span><span class="p">,</span> <span class="n">options</span><span class="p">);</span> <span class="k">return</span> <span class="n">product</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key concepts to know:</strong></p> <ul> <li> <strong>Absolute expiration</strong> — the item is always removed after X time, no matter how much it's accessed.</li> <li> <strong>Sliding expiration</strong> — the timer resets every time the item is accessed; it's evicted only if nobody touches it for X time.</li> <li> <strong>Eviction policies</strong> — when RAM gets tight, ASP.NET Core uses LRU (Least Recently Used) to drop items. You can also set <code>CacheItemPriority</code> to protect critical entries.</li> <li> <strong>Cache Stampede</strong> — if 100 requests arrive simultaneously on a cache miss, they all hit the DB at once. Use <code>GetOrCreateAsync</code> or a <code>SemaphoreSlim</code> lock to handle this safely.</li> </ul> <h3> 2. Distributed Cache (<code>IDistributedCache</code>) </h3> <p><strong>What it is:</strong> Data is stored in an external shared store — Redis being the most common choice — that all your servers can reach. When you scale out to 3 servers, they all read from and write to the same cache.<br> <strong>Where it lives:</strong> Outside your app process, usually Redis or SQL Server.</p> <p><strong>Best for:</strong> Multi-server deployments, session data, anything that must be consistent across servers, large-scale apps.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv1olfknb12x2yjlx74l.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv1olfknb12x2yjlx74l.jpg" alt="distributed_cache_flow" width="800" height="353"></a></p> <p><strong>How to use it (with Redis):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddStackExchangeRedisCache</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Configuration</span> <span class="p">=</span> <span class="s">"localhost:6379"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">InstanceName</span> <span class="p">=</span> <span class="s">"MyApp:"</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// In your service</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ProductService</span><span class="p">(</span><span class="n">IDistributedCache</span> <span class="n">cache</span><span class="p">,</span> <span class="n">AppDbContext</span> <span class="n">db</span><span class="p">)</span> <span class="p">{</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">Product</span><span class="p">?&gt;</span> <span class="nf">GetProductAsync</span><span class="p">(</span><span class="kt">int</span> <span class="n">id</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="s">$"product:</span><span class="p">{</span><span class="n">id</span><span class="p">}</span><span class="s">"</span><span class="p">;</span> <span class="kt">var</span> <span class="n">cached</span> <span class="p">=</span> <span class="k">await</span> <span class="n">cache</span><span class="p">.</span><span class="nf">GetStringAsync</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">cached</span> <span class="k">is</span> <span class="k">not</span> <span class="k">null</span><span class="p">)</span> <span class="k">return</span> <span class="n">JsonSerializer</span><span class="p">.</span><span class="n">Deserialize</span><span class="p">&lt;</span><span class="n">Product</span><span class="p">&gt;(</span><span class="n">cached</span><span class="p">);</span> <span class="kt">var</span> <span class="n">product</span> <span class="p">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="n">Products</span><span class="p">.</span><span class="nf">FindAsync</span><span class="p">(</span><span class="n">id</span><span class="p">);</span> <span class="kt">var</span> <span class="n">options</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">DistributedCacheEntryOptions</span><span class="p">()</span> <span class="p">.</span><span class="nf">SetAbsoluteExpirationRelativeToNow</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">10</span><span class="p">));</span> <span class="k">await</span> <span class="n">cache</span><span class="p">.</span><span class="nf">SetStringAsync</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">JsonSerializer</span><span class="p">.</span><span class="nf">Serialize</span><span class="p">(</span><span class="n">product</span><span class="p">),</span> <span class="n">options</span><span class="p">);</span> <span class="k">return</span> <span class="n">product</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Notice that unlike <code>IMemoryCache</code>, the distributed cache stores <strong>bytes/strings</strong>, so you serialize/deserialize yourself. This is the price of network storage — but the payoff is consistency across all your servers.</p> <h3> 3. Output Caching &amp; Response Caching </h3> <p>These two are often confused. They both cache the HTTP response, but they work at different layers.</p> <p><strong>Response Caching</strong> — sets HTTP cache headers (<code>Cache-Control</code>, <code>Expires</code>) that tell the <strong>client or proxy</strong> to cache the response. The server itself doesn't store anything; it just instructs whoever's asking.</p> <p><strong>Output Caching</strong> (ASP.NET Core 7+) — the <strong>server</strong> caches the full HTTP response and serves it directly on repeat requests, before your controller action even executes. No business logic, no DB query.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzcg1w8y59fsjdlc5s9b5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzcg1w8y59fsjdlc5s9b5.jpg" alt="output_vs_response_cache_fixed" width="800" height="964"></a></p> <p><strong>Output Caching setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddOutputCache</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddBasePolicy</span><span class="p">(</span><span class="n">b</span> <span class="p">=&gt;</span> <span class="n">b</span><span class="p">.</span><span class="nf">Cache</span><span class="p">());</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"Products"</span><span class="p">,</span> <span class="n">b</span> <span class="p">=&gt;</span> <span class="n">b</span><span class="p">.</span><span class="nf">Cache</span><span class="p">()</span> <span class="p">.</span><span class="nf">Expire</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">5</span><span class="p">))</span> <span class="p">.</span><span class="nf">Tag</span><span class="p">(</span><span class="s">"products-tag"</span><span class="p">));</span> <span class="p">});</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseOutputCache</span><span class="p">();</span> <span class="c1">// In your controller</span> <span class="p">[</span><span class="nf">HttpGet</span><span class="p">(</span><span class="s">"products"</span><span class="p">)]</span> <span class="p">[</span><span class="nf">OutputCache</span><span class="p">(</span><span class="n">PolicyName</span> <span class="p">=</span> <span class="s">"Products"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">GetProducts</span><span class="p">()</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="c1">// Invalidation: purge a specific tag</span> <span class="k">await</span> <span class="n">_cache</span><span class="p">.</span><span class="nf">EvictByTagAsync</span><span class="p">(</span><span class="s">"products-tag"</span><span class="p">,</span> <span class="n">token</span><span class="p">);</span> </code></pre> </div> <p><strong>Response Caching setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="c1">// Program.cs</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddResponseCaching</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseResponseCaching</span><span class="p">();</span> <span class="c1">// In your controller</span> <span class="p">[</span><span class="nf">HttpGet</span><span class="p">(</span><span class="s">"products"</span><span class="p">)]</span> <span class="p">[</span><span class="nf">ResponseCache</span><span class="p">(</span><span class="n">Duration</span> <span class="p">=</span> <span class="m">300</span><span class="p">,</span> <span class="n">VaryByQueryKeys</span> <span class="p">=</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="s">"category"</span> <span class="p">})]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">GetProducts</span><span class="p">(</span><span class="kt">string</span> <span class="n">category</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>The <code>ResponseCache</code> attribute tells the framework to emit <code>Cache-Control: public, max-age=300</code> headers. The browser or CDN does the actual caching.</p> <h3> Quick Comparison </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th><strong>Feature</strong></th> <th><strong>In-Memory</strong></th> <th><strong>Distributed</strong></th> <th><strong>Output Cache</strong></th> <th><strong>Response Cache</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Where stored</strong></td> <td>Server RAM</td> <td>Redis / SQL Server</td> <td>Server (middleware)</td> <td>Client / Proxy</td> </tr> <tr> <td><strong>Survives restart?</strong></td> <td>No</td> <td>Yes</td> <td>No (unless backed by Redis)</td> <td>Yes (in browser)</td> </tr> <tr> <td><strong>Multi-server safe?</strong></td> <td>No</td> <td>Yes</td> <td>Yes</td> <td>N/A</td> </tr> <tr> <td><strong>Caches</strong></td> <td>Any object</td> <td>Bytes / strings</td> <td>Full HTTP response</td> <td>Full HTTP response</td> </tr> <tr> <td><strong>Granularity</strong></td> <td>Fine (per key)</td> <td>Fine (per key)</td> <td>Per endpoint/route</td> <td>Per URL</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Fast lookups, small data</td> <td>Sessions, scaled apps</td> <td>Read-heavy API endpoints</td> <td>Public, static-ish content</td> </tr> </tbody> </table></div> backend dotnet performance tutorial