Q&A
Building Secure and Scalable APIs in .NET 9
With APIs serving as the backbone of modern web applications, ensuring they can scale effectively while staying secure is a top priority for developers and architects alike. As data sensitivity and traffic loads continue to grow, so does the importance of building APIs that are robust, efficient, and protected against abuse.
In his upcoming session at the big Sept. 8-12 VSLive! San Diego 2025 developer conference, seasoned developer Tony Champion will explore the strategies and lessons learned from real-world projects that required high-performance, highly secure APIs. Titled "Building Secure and Scalable APIs in .NET 9," the session will delve into best practices and architectural insights for crafting APIs using Microsoft's latest .NET platform.
Champion, President of Champion DS, brings decades of experience in application architecture to this talk, highlighting improvements in .NET 9 that directly impact API development -- including performance enhancements, security upgrades, and middleware support for rate limiting. Attendees can expect practical guidance on scalability patterns, such as horizontal scaling with containers, and essential tactics like API versioning and consumer-specific rate limiting.
We caught up with Champion ahead of the event to get a deeper look at the topics he'll be covering and the key takeaways for developers attending his session.
VisualStudioMagazine: What inspired you to present a session on this topic?
Champion: APIs have been a big part of my career. Regardless of what the front-end is doing or written in, there were always APIs that also needed to be built.
Over the last several projects, I have worked with some very high-traffic APIs where security was of utmost importance. The lessons learned over these projects are the inspiration behind this session. Some things worked amazingly, some things not so much. I've put these lessons into this session to help guide developers and architects through some best practices to use and some of the pitfalls to avoid.
Are there any key changes or improvements in .NET 9 that specifically impact API scalability compared to .NET 8?
.NET 9 continues Microsoft's history of significant performance enhancements in each iteration. With the performance gains and improved memory usage, API developers will see reduced response times and increased throughput simply by upgrading to .NET 9. On the security side, several improvements have been made in authentication and data protection.
Is there a recommended approach in .NET 9 for implementing rate limiting to prevent abuse of public APIs?
Microsoft has a great middleware for implementing rate limiting. This can be used to implement API-wide rate limiting, down to user- or tenant-based limiting with multiple configuration paths. It is recommended to always use rate limiting on any public APIs and to focus on the individual consumer. Whether you are tracking at the IP level or at the token level, rate limiting is important for the health of your API.
When building APIs for large-scale systems, do you prefer horizontal scaling through containers or vertical scaling on stronger servers?
Horizontal scaling is usually your best approach for large-scale systems. This helps to promote healthy API architecture and gives you the most flexibility (you can only get so large of a server). Of course, every use case is unique. However, typically if you find yourself needing to scale vertically, one of two things is going on. You've either missed a step in your architecture and workflows need to be separated out more or you are over-taxing part of your system that you weren't expecting to and you need to figure out that cause.
What's your go-to method for handling versioning in APIs built with .NET 9?
I version every single API I build. Even if I don't think I'll ever need it. Unfortunately, that has bitten me one too many times. ASP.NET supports multiple flavors of versioning, however, I typically stick to URL path versioning. For most applications, it is easier to track and debug visually. However, there are definite use cases for query string, header, and media type versioning.
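The per-consumer rate limiting described in the interview, sketched with the ASP.NET Core rate limiting middleware as an added example (not code from the interview or from Champion's session). The policy name, the limits and the `/api/v1/status` route are constructed for illustration, and the file is assumed to be `Program.cs` in a web project with implicit usings.

```csharp
using System.Security.Claims;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    // Policy name and limits are constructed values for this example.
    options.AddPolicy<string>("per-consumer", ctx =>
    {
        // Key on a claim from a token the auth middleware has already validated,
        // never on a raw header value the caller controls.
        var userId = ctx.User.Identity?.IsAuthenticated == true
            ? ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
            : null;
        if (userId is not null)
            return RateLimitPartition.GetFixedWindowLimiter($"user:{userId}", _ => PerMinute(100));
        // Anonymous callers get a stricter per-IP budget. Behind a proxy or load balancer,
        // RemoteIpAddress is the proxy's address unless forwarded headers are configured.
        var ip = ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return RateLimitPartition.GetFixedWindowLimiter($"ip:{ip}", _ => PerMinute(20));
    });
    // Tell well-behaved clients when they may retry.
    options.OnRejected = (context, _) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString();
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();
// If authentication is configured, app.UseAuthentication() must run before this line
// so that ctx.User is populated when the partition key is computed.
app.UseRateLimiter();
// Constructed endpoint using URL path versioning.
app.MapGet("/api/v1/status", () => Results.Ok(new { status = "ok" }))
   .RequireRateLimiting("per-consumer");
app.Run();

static FixedWindowRateLimiterOptions PerMinute(int permits) => new()
{
    PermitLimit = permits,
    Window = TimeSpan.FromMinutes(1),
    QueueLimit = 0 // reject immediately instead of queueing requests
};
```

These limiters keep their counters in process memory, so when the API is scaled horizontally each instance enforces the limit independently and a consumer's effective budget grows with the number of instances.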
Note: Those wishing to attend the session can save money by registering early, according to the event's pricing page. "Save $300 when you register by the Aug. 15 Early Bird deadline," said the organizer of the event, which is presented by the parent company of Visual Studio Magazine.
About the Author
David Ramel is an editor and writer at Converge 360.