🪴 Shoyeb's Dev Diary

Middleware Ordering

Sunday Jul 06, 2025

🔷 What is Middleware in ASP.NET Core?

Middleware is software that’s assembled into an application pipeline to handle requests and responses.

Each piece of middleware:

  • Can perform work before and after the next component in the pipeline.

  • Must call next() to pass control to the next middleware, otherwise, the pipeline stops.

🔷 Why Middleware Order Matters

The order middleware is added in Program.cs or Startup.cs determines the behavior of your app.

Incorrect order can:

  • Skip authentication (if routing is done before auth).

  • Prevent static files from serving.

  • Block exception handling middleware.

  • Allow requests without authorization.

✅ Common Middleware Order (Best Practice)

Here’s the typical correct order (simplified):

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
 
app.UseExceptionHandler("/Home/Error"); // 1. Global error handler
app.UseHsts();                          // 2. HSTS (after exception handler)
 
app.UseHttpsRedirection();             // 3. Redirect HTTP to HTTPS
app.UseStaticFiles();                  // 4. Serve static files (CSS, JS, images)
 
app.UseRouting();                      // 5. Routing decides which endpoint to call
 
app.UseAuthentication();               // 6. Who are you?
app.UseAuthorization();                // 7. Are you allowed?
 
app.MapControllers();                  // 8. Finally, call controller
 
app.Run();

🧪 Detailed Explanation

1. UseExceptionHandler()

  • Catches unhandled exceptions in the pipeline.

  • Needs to come early to wrap the pipeline.

2. UseHsts()

  • Enforces HTTPS usage, only meaningful after errors are handled.

3. UseHttpsRedirection()

  • Redirects HTTP requests to HTTPS.

4. UseStaticFiles()

  • Serves wwwroot content.

  • Must come before authentication or authorization (you usually don’t need to secure static files).

5. UseRouting()

  • Finds out which endpoint matches the request (e.g., controller or Razor page).

6. UseAuthentication()

  • Verifies identity (who are you?).

  • Needs to happen before Authorization.

7. UseAuthorization()

  • Verifies permissions (are you allowed?).

  • Comes after Authentication and after Routing (because policies depend on endpoint info).

8. MapControllers()

  • Actually maps requests to your controller actions (like GET /products).

🧠 Example: Middleware Order Gone Wrong

❌ WRONG ORDER

app.UseAuthorization(); // BAD: Authorization before Authentication
app.UseAuthentication();
  • Authorization will fail because there’s no user identity yet.

🧪 Test Example: Visual

Let’s say we create a small Program.cs for Web API:

var builder = WebApplication.CreateBuilder(args);
 
// Add services
builder.Services.AddAuthentication("CookieAuth")
    .AddCookie("CookieAuth", options => {
        options.LoginPath = "/account/login";
    });
 
builder.Services.AddAuthorization();
builder.Services.AddControllers();
 
var app = builder.Build();
 
// Order matters here!
app.UseRouting();
 
app.UseAuthentication(); // Must come before Authorization
app.UseAuthorization();
 
app.MapControllers();
 
app.Run();

✅ Correct Order:

  • UseRouting() must come before auth middlewares.

  • UseAuthentication() before UseAuthorization()

🧪 Mini-Demo Middleware

You can define your own middleware to see the order:

app.Use(async (context, next) =>
{
    Console.WriteLine("👉 Middleware 1 - Before");
    await next.Invoke();
    Console.WriteLine("👈 Middleware 1 - After");
});
 
app.Use(async (context, next) =>
{
    Console.WriteLine("👉 Middleware 2 - Before");
    await next.Invoke();
    Console.WriteLine("👈 Middleware 2 - After");
});

If you run this and hit an endpoint, you’ll see the logs:

👉 Middleware 1 - Before
👉 Middleware 2 - Before
👈 Middleware 2 - After
👈 Middleware 1 - After

This shows how each middleware wraps the next one like an onion.

🧭 Summary Table

MiddlewareShould Come Before
UseExceptionHandlerEverything else
UseHttpsRedirectionUseRouting
UseStaticFilesUseRouting
UseRoutingUseAuthentication
UseAuthenticationUseAuthorization
UseAuthorizationMapControllers

✅ Final Tips

  • Always place authentication before authorization.

  • Middleware runs in the order you register them.

  • Use logging or a test middleware to visualize the order.

Question: If you don’t use the correct middleware ordering in ASP.NET Core, you can absolutely run into problems. Some apps might partially work or fail silently, while others might have security vulnerabilities or broken features.

❗ What Happens If You Ignore Middleware Ordering?

Here are real-world problems that can occur if you misorder middleware:

🔴 1. Authentication or Authorization Failures

Example: Authorization before Authentication

app.UseAuthorization();  // ❌ Wrong: No user is authenticated yet
app.UseAuthentication();

  • Result: Every request will be unauthorized (401), even if the user is logged in.

  • Why? Authorization needs a User.Identity. But the user hasn’t been authenticated yet.

🔴 2. Static Files Not Served

app.UseRouting();        // Handles endpoints first
app.UseStaticFiles();    // ❌ Wrong: Static files may not be served

  • Result: Requests for CSS, JS, images, etc., return 404.

  • Why? UseRouting() intercepts the request first and tries to match it to endpoints, skipping the static file logic.

🔴 3. HTTPS Redirect Doesn’t Work

app.UseRouting();             // ❌ Too late
app.UseHttpsRedirection();   // Won't work correctly

  • Result: Site doesn’t redirect HTTP to HTTPS.

  • Why? The routing logic has already started processing the request.

🔴 4. Global Exception Handling Doesn’t Catch Errors

app.UseRouting();
app.UseExceptionHandler("/error"); // ❌ Too late

  • Result: Unhandled exceptions cause app crashes or expose stack traces.

  • Why? UseExceptionHandler must wrap the entire pipeline to catch any errors properly.

🔴 5. Security Vulnerabilities

If you allow access to controllers before applying UseAuthorization(), sensitive endpoints may be hit without permission checks.

🟢 When You Might Not Notice a Problem

  • For very simple APIs without authentication, routing, or static files, you may not notice problems immediately.

  • But as soon as you add security, error handling, or routing, incorrect ordering will bite you.

✅ Rule of Thumb

Middleware order is like plumbing — if pipes are connected wrong, the water won’t flow right.

Always follow the best-practice order (see previous answer), especially:

  • Authentication → Authorization → Routing

  • StaticFiles and HTTPS Redirection before Routing

  • ExceptionHandler at the very top