dotnet

SKILL.md

.NET Code Review Rules

Security (Critical)

  • Use [Authorize] attribute with policies
  • Validate anti-forgery tokens for forms
  • Use parameterized queries (EF Core does this by default)
  • Don't log sensitive data
  • Use HTTPS redirection middleware
  • Store secrets in Azure Key Vault or environment variables
  • Use User Secrets for local development
  • Never commit secrets to source control
  • Validate and sanitize all user input to prevent injection attacks
  • Avoid storing sensitive data or security-relevant instructions in HTML comments

Dependency Injection

  • Register services with appropriate lifetime:
    • Singleton: stateless, thread-safe services
    • Scoped: per-request services (DbContext, etc.)
    • Transient: lightweight, stateless services
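
A compact `Program.cs` to hold the Security and Dependency Injection rules against during review. It is an added illustration, not part of the skill itself. The type names, the policy and claim, cookie authentication, the SQL Server provider (Microsoft.EntityFrameworkCore.SqlServer package) and an existing `Orders` table are assumptions.

```csharp
// Added illustration: AppDb, IClock, UtcClock, OrderValidator, OrdersController, the
// "CanManageOrders" policy, cookie auth and the SQL Server provider are assumptions.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
// The secret comes from configuration: User Secrets locally, environment variables
// or Azure Key Vault when deployed. It is never a literal in source control.
var conn = builder.Configuration.GetConnectionString("AppDb")
    ?? throw new InvalidOperationException("ConnectionStrings:AppDb is not set");
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(o => o.AddPolicy("CanManageOrders",
    p => p.RequireAuthenticatedUser().RequireClaim("role", "orders-admin")));
builder.Services.AddDbContext<AppDb>(o => o.UseSqlServer(conn)); // scoped: one per request
builder.Services.AddSingleton<IClock, UtcClock>();               // stateless, thread-safe
builder.Services.AddTransient<OrderValidator>();                 // lightweight, stateless

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

[Authorize(Policy = "CanManageOrders")]
public class OrdersController : Controller
{
    private readonly AppDb _db; private readonly IClock _clock; private readonly OrderValidator _v;
    public OrdersController(AppDb db, IClock clock, OrderValidator v) => (_db, _clock, _v) = (db, clock, v);

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Cancel(int id, string reason)
    {
        if (!_v.IsValidReason(reason)) return BadRequest();
        // Interpolated values are sent as DbParameters. Review flag: FromSqlRaw or
        // ExecuteSqlRaw fed a concatenated string is NOT parameterized by EF Core.
        var rows = await _db.Database.ExecuteSqlInterpolatedAsync(
            $"UPDATE Orders SET Status = 'Cancelled', CancelledAt = {_clock.UtcNow}, Reason = {reason} WHERE Id = {id}");
        if (rows == 0) return NotFound();
        return Ok();
    }
}
public class AppDb : DbContext { public AppDb(DbContextOptions<AppDb> o) : base(o) { } }
public interface IClock { DateTimeOffset UtcNow { get; } }
public sealed class UtcClock : IClock { public DateTimeOffset UtcNow => DateTimeOffset.UtcNow; }
public sealed class OrderValidator { public bool IsValidReason(string? r) => !string.IsNullOrWhiteSpace(r) && r.Length <= 200; }
```

The SQL text must stay a single interpolated string: joining two `$"..."` pieces with `+` produces a plain `string`, and the values are then no longer passed as parameters.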
First Seen
Jan 30, 2026