Running .NET web apps at scale? .NET 10 gives you faster releases, stronger security, and leaner cloud spend—without a rewrite.
What leaders get:
Performance: Output caching, low-allocation JSON, and connection pooling → higher RPS, lower p95, smaller bills.
Security: OAuth2/OIDC with scoped JWT, rate limiting, and secrets in vault → reduced attack surface and cleaner audits.
Reliability & Observability: Timeouts/retries/circuit breaker (Polly) + OpenTelemetry traces & structured logs → SLOs stay green, MTTR down.
I help organizations assess, pilot, and productionize .NET 10 upgrades with minimal disruption to teams and timelines.
1) Program.cs — essential services & middleware:
var builder = WebApplication.CreateBuilder(args);
// PERF
builder.Services.AddResponseCompression(); // gzip/br
builder.Services.AddOutputCache(opt =>
opt.AddBasePolicy(p => p.Expire(TimeSpan.FromMinutes(1))
.SetVaryByRouteValue("id")));
// SECURITY
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(o =>
{
o.Authority = "https://login.microsoftonline.com//v2.0";
o.Audience = "api://your-api-id";
o.TokenValidationParameters.ValidateAudience = true;
});
builder.Services.AddAuthorization(options =>
options.AddPolicy("read", p => p.RequireClaim("scp", "api.read")));
// RATE LIMITING
builder.Services.AddRateLimiter(options =>
{
options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
options.AddPolicy("fixed", ctx =>
RateLimitPartition.GetFixedWindowLimiter(
ctx.Connection.RemoteIpAddress?.ToString() ?? "anon",
_ => new FixedWindowRateLimiterOptions { PermitLimit = 100, Window = TimeSpan.FromMinutes(1) }));
});
// RELIABILITY (HTTP clients)
builder.Services.AddHttpClient("downstream")
.AddStandardResilienceHandler(); // .NET 8+ built-in (timeouts/retries/circuit breaker)
// OBSERVABILITY
builder.Services.AddOpenTelemetry()
.WithTracing(t => t.AddAspNetCoreInstrumentation()
.AddHttpClientInstrumentation()
.AddOtlpExporter())
.WithMetrics(m => m.AddAspNetCoreInstrumentation()
.AddHttpClientInstrumentation());
builder.Services.AddEndpointsApiExplorer().AddSwaggerGen();
builder.Services.AddProblemDetails(); // standardized error responses
var app = builder.Build();
app.UseResponseCompression();
app.UseRateLimiter();
app.UseOutputCache();
app.UseAuthentication();
app.UseAuthorization();
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
2) Low-allocation JSON (source-generated) for hot paths:
// WeatherForecast.cs
public record WeatherForecast(int Id, DateOnly Date, int TempC, string Summary);
// Source-gen context (compile-time model metadata)
[JsonSerializable(typeof(WeatherForecast))]
[JsonSerializable(typeof(List))]
public partial class AppJsonContext : JsonSerializerContext { }
// Usage in endpoint
app.MapGet("/fast/forecast", () =>
{
var item = new WeatherForecast(1, DateOnly.FromDateTime(DateTime.UtcNow), 28, "Sunny");
return Results.Text(JsonSerializer.Serialize(item, AppJsonContext.Default.WeatherForecast),
"application/json");
});