Rate Limiting — Complete Guide

Introduction

Rate Limiting — Complete Guide is essential for .NET developers building ShopNest Enterprise Commerce Platform — Toolliyo's 215-article ASP.NET Core master path covering MVC, EF Core, security, SignalR, microservices, Docker, Kubernetes, and enterprise projects. Every article includes minimum 2 ultra-detailed real-world examples, internal pipeline explanation, security, and cloud-native deployment (banking, e-commerce, ERP, SaaS, healthcare).

In Indian delivery projects (TCS, Infosys, Wipro), interviewers expect rate limiting with real HDFC-style banking SRP fixes, Flipkart OCP payment strategies, TCS ERP LSP, Freshworks ISP, or Apollo hospital refactoring examples — not toy animal demos. This article delivers two mandatory enterprise examples on SECURITY.

After this article you will

• Explain Rate Limiting in plain English and in ASP.NET Core pipeline and enterprise web terms
• Implement rate limiting in ShopNest Enterprise Commerce Platform (SECURITY)
• Compare the wrong approach vs the production-ready enterprise approach
• Answer fresher, mid-level, and senior ASP.NET Core and system design interview questions confidently
• Connect this lesson to Article 147 and the 215-article ASP.NET Core roadmap

Prerequisites

• Software: .NET 8 SDK, VS 2022 or VS Code, SQL Server Express / LocalDB
• Knowledge: C# basics
• Previous: Article 145 — Secure APIs — Complete Guide
• Time: 24 min reading + 30–45 min hands-on

Concept deep-dive

Level 1 — Analogy

Rate Limiting on ShopNest teaches production ASP.NET Core step by step.

Level 2 — Technical

Rate Limiting integrates with the LINQ query layer: write queries against IEnumerable or IQueryable, understand deferred execution, project to DTOs for ShopNest reports. On ShopNest this powers SECURITY without coupling UI to database internals.

Level 3 — Architecture

[Browser] → [HTTPS/Kestrel] → [Middleware Pipeline]
  → [Routing] → [Controller Action] → [Service Layer]
  → [EF Core / Identity] → [Razor View Engine] → [HTML Response]

Project structure

ShopNest/
├── ShopNest/
├── src/
│   ├── ShopNest.Api/       ← ASP.NET Core Web API
│   ├── ShopNest.Core/      ← Repository interfaces
│   ├── ShopNest.AdoNet/    ← SqlConnection, SPs, transactions
│   ├── ShopNest.Reports/   ← Streaming readers, GL reports
│   └── ShopNest.Tests/     ← Integration tests (Testcontainers SQL)
├── sql/
│   ├── migrations/
│   └── stored-procedures/
└── docker-compose.yml                 ← SQL Server 2022 + Redis

Step-by-Step Implementation — ShopNest (SECURITY)

Follow the prompt template: create project → core classes → interfaces → pattern implementation → client code → run → enterprise refactor.

Step 1 — The wrong way

// ❌ BAD — wrong middleware order, fat controller, no DI
public class OrderController : Controller {
    public IActionResult Create() {
        var db = new ShopDbContext(); // new per request
        db.Orders.Add(new Order());
        db.SaveChanges();
        return View();
    }
}

Step 2 — The right way

// ✅ PRODUCTION — Rate Limiting on ShopNest (SECURITY)
builder.Services.AddDbContext(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

Step 3 — Apply Rate Limiting

// Rate Limiting — ShopNest (SECURITY)
builder.Services.AddScoped<IRateLimitingService, RateLimitingService>();

dotnet run --project ShopNest.Api
# Verify Rate Limiting — check Swagger UI and unit test pass rate and integration tests pass

Problem before Rate Limiting

Legacy ASP.NET Framework apps mixed Web.config, HttpModules, and tight IIS coupling. Without Rate Limiting, ShopNest-style apps face wrong middleware order, weak auth, and unscalable monoliths.

ASP.NET Core request pipeline

Rate Limiting — category SECURITY

Kestrel → Middleware chain → Routing → Auth → Endpoint (MVC / Minimal API)
ShopNest: Serilog → ExceptionHandler → HTTPS → StaticFiles → Routing → Auth → Controllers

Internal pipeline & hosting

• Kestrel — cross-platform web server
• In-process vs out-of-process — IIS reverse proxy vs direct Kestrel
• Configuration — appsettings + env vars + Azure Key Vault
• DI lifetimes — Singleton / Scoped / Transient on ShopNest services

Security & cloud-native scaling

• JWT + Identity for ShopNest customer and admin portals
• Redis distributed cache for catalog and session
• Docker + AKS + Azure App Service deployment paths
• OpenTelemetry + Serilog + Prometheus for production

Real-world example 1 — Swiggy Order Tracking

Domain: Logistics. Polling order status every 3s. SignalR hub groups per orderId push rider location.

Before

setInterval(() => fetch('/api/status'), 3000);

After (ShopNest)

await hubConnection.invoke('JoinOrder', orderId);
hubConnection.on('LocationUpdated', updateMap);

Outcome: Server load down 70%; live map UX.

Real-world example 2 — Flipkart Checkout API

Domain: E-Commerce. Middleware order wrong — auth ran after controller. Fixed pipeline: exception → HTTPS → routing → auth → endpoints.

Before

app.UseAuthorization();
app.UseRouting(); // wrong order

After (ShopNest)

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

Outcome: 401/403 bugs eliminated; PCI audit passed.

When not to use / tradeoffs

Minimal APIs for 200-endpoint ERP may hurt discoverability — use Clean Architecture + controllers. SignalR for simple CRUD is overkill — use SSE or polling first.

Testing ASP.NET Core

public class ProductsControllerTests {
    [Fact]
    public async Task Get_ReturnsOk() {
        var factory = new WebApplicationFactory<Program>();
        var client = factory.CreateClient();
        var res = await client.GetAsync("/api/products");
        res.EnsureSuccessStatusCode();
    }
}

Common errors & fixes

🔴 Mistake 1: Wrong middleware order (auth before routing)
✅ Fix: UseRouting → UseAuthentication → UseAuthorization → MapControllers.

🔴 Mistake 2: Scoped DbContext in Singleton service
✅ Fix: Never capture DbContext in singleton — inject scoped services correctly.

🔴 Mistake 3: Missing ValidateAntiForgeryToken on POST forms
✅ Fix: Add token to forms and validate on state-changing actions.

🔴 Mistake 4: Secrets in appsettings committed to Git
✅ Fix: User secrets locally; Azure Key Vault or env vars in production.

Best practices

• 🟢 Use async/await end-to-end for database and I/O calls
• 🟢 Register DbContext as Scoped; avoid capturing it in singletons
• 🟡 Use IQueryable until the last moment; avoid multiple enumeration; project with Select before ToList
• 🟡 Prefer method syntax for complex chains; use query syntax for joins when readability wins
• 🔴 Log structured data with Serilog — include OrderId, UserId, not passwords
• 🔴 Use HTTPS, secure cookies, and authorization policies in production

Interview questions

Fresher level

Q1: Explain Rate Limiting in ASP.NET Core.
A: Rate Limiting on ShopNest — describe pipeline placement, DI registration, and one production pitfall.

Q2: Middleware vs filters?
A: Middleware is global HTTP pipeline; filters are MVC-specific around actions — use both appropriately.

Q3: Singleton vs Scoped vs Transient?
A: Singleton one instance; Scoped per request (DbContext); Transient every injection — match lifetime to usage.

Mid / senior level

Q4: How do you secure a Web API?
A: JWT bearer, HTTPS, authorization policies, rate limiting, CORS whitelist.

Q5: Deploy ASP.NET Core to production?
A: Docker → AKS or Azure App Service; health checks; Serilog + OpenTelemetry.

Q6: EF Core N+1 problem?
A: Use Include/ThenInclude, AsNoTracking for reads, projection with Select, split queries when needed.

Coding round

Implement Rate Limiting for ShopNest SECURITY: show interface, concrete class, DI registration, and xUnit test with mock.

public class RateLimitingPatternTests
{
    [Fact]
    public async Task ExecuteAsync_ReturnsSuccess()
    {
        var mock = new Mock();
        mock.Setup(s => s.ExecuteAsync(It.IsAny(), default))
            .ReturnsAsync(Result.Success("test-id"));
        var result = await mock.Object.ExecuteAsync(new Request("test-id"));
        Assert.True(result.IsSuccess);
    }
}

Summary & next steps

• Article 146: Rate Limiting — Complete Guide
• Module: Module 12: Security & Authentication · Level: INTERMEDIATE
• Applied to ShopNest — SECURITY

Previous: Secure APIs — Complete Guide
Next: Secure Headers — Complete Guide

Practice: Add one small feature using today's pattern — commit with feat(aspnet-core): article-146.

FAQ