Getting Middleware Order Right in ASP.NET Core
Configuring middleware correctly in ASP.NET Core is crucial—it impacts your app’s security, performance, and how requests are handled. Getting the order wrong can cause hard-to-find bugs, allow unauthorized access, or make your API unusable from browsers. Let’s make this simple.
What is Middleware Order?
Think of the request handling in ASP.NET Core as a series of gates. Each piece of middleware is a gate. The order you set in Program.cs or Startup.cs decides how requests are checked and what protections or logic are applied. Requests pass through each gate in sequence.
Recommended Order
Here’s a typical, reliable way to configure the most common middleware:
app.UseRouting();
app.UseCors(); // Handles cross-origin requests
app.UseAuthentication(); // Identifies who the user is
app.UseAuthorization(); // Checks user permissions
app.MapControllers();
UseRouting figures out which endpoint (API or page) should handle the request.
UseCors decides if the request is allowed to cross from another domain. Always place this before authentication-related middleware.
UseAuthentication checks who the user is—are they logged in?
UseAuthorization determines if the user can access the requested resource.
MapControllers finally runs the matching controller or endpoint.
Visual Example
Picture requests moving through each step:
Routing → finds out where to go
CORS → checks if this visitor (maybe from another website) is allowed to make the request
Authentication → is this request from a known, logged-in user?
Authorization → does this user have permission for this action?
Controllers → your application logic responds
Why the Order Matters
CORS before others: CORS handles browser requests coming from other origins. If it’s run late (after authentication/authorization), those cross-origin requests get blocked incorrectly—or your browser never even reaches the login logic.
Authentication before Authorization: Authentication identifies the user first. Authorization needs this info to make its decisions.
Avoid security holes: If you mix up this order, your app might skip important security checks or block valid requests by mistake.
Common Mistakes
Placing UseAuthentication() or UseAuthorization() before UseRouting() —this can slow things down and cause confusing permission errors.
Missing UseCors() , or placing it after the endpoints—it won’t apply to most routes and causes browser errors.
Real-World Pipeline Example
Here’s how a real setup might look, including other important middleware:
if (app.Environment.IsDevelopment())
app.UseDeveloperExceptionPage();
else
app.UseExceptionHandler("/Error");
app.UseHsts();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
Exception handling and security layers (HTTPS, HSTS) come first to catch errors and enforce encryption.
Static files (like images or CSS) are served early, so requests not needing authentication don’t go through the whole chain.
Routing, then CORS, then authentication, then authorization , as explained above.
Key Takeaways
Always put CORS before authentication and authorization.
Authentication should come right before authorization.
Use routing first so endpoints and policies are correctly matched.
Following this order minimizes bugs and keeps your API safe.