Skip to content

Latest commit

 

History

History
85 lines (62 loc) · 4.4 KB

File metadata and controls

85 lines (62 loc) · 4.4 KB

HttpClient.Resilience.Analyzers Rules

This page is the rule catalog for HttpClient.Resilience.Analyzers, a Roslyn analyzer package for .NET HttpClient, IHttpClientFactory, typed clients, Polly, and Microsoft.Extensions.Http.Resilience.

Each rule page includes:

  • why the pattern is risky;
  • bad and better C# examples;
  • current detection scope;
  • code-fix behavior when available;
  • suppression guidance;
  • references to relevant .NET, Polly, or Roslyn documentation.

Rules by Category

Lifetime

Rule Title Default profile Fix support
HCR001 Do not create and dispose HttpClient per request Warning Partial
HCR002 Long-lived manual HttpClient should configure PooledConnectionLifetime Warning Yes
HCR003 Do not cache IHttpClientFactory.CreateClient() results long-term Warning Guide

Typed Clients and Named Clients

Rule Title Default profile Fix support
HCR004 Do not inject typed HttpClient clients into singleton services Warning Guide
HCR005 Do not separately register a typed client already registered by AddHttpClient<T>() Warning Yes
HCR083 Configure BaseAddress for typed clients that use relative URLs Warning Guide
HCR084 Avoid duplicated string literals for named HttpClient names Warning Guide

Handlers

Rule Title Default profile Fix support
HCR020 DelegatingHandler should not capture scoped request data Warning Guide

Resilience

Rule Title Default profile Fix support
HCR040 Do not stack duplicate resilience handlers Warning Yes
HCR041 Unsafe HTTP methods should not be retried unless explicitly configured Warning Yes
HCR082 Avoid per-request creation of resilience pipelines Warning Guide

Response Lifetime and Request Correctness

Rule Title Default profile Fix support
HCR060 Dispose HttpResponseMessage when using ResponseHeadersRead Warning Yes
HCR061 Check HTTP response success before reading content Warning Guide
HCR062 Prefer per-request headers over mutating DefaultRequestHeaders Warning Guide
HCR063 Avoid sync-over-async around outbound HTTP Warning Guide
HCR064 Use cancellation-aware HTTP APIs when a token is available Warning Guide
HCR081 Dispose streams returned from HTTP content Warning Guide

Concurrency

Rule Title Default profile Fix support
HCR080 High-concurrency HTTP fan-out should use bounded concurrency or connection limits Suggestion Guide

Adoption Priority

For brownfield services, start with the rules most likely to prevent production incidents:

Priority Rules Why
1 HCR041, HCR060, HCR061, HCR062, HCR063, HCR064, HCR081 These catch unsafe retries, response ownership mistakes, shared header mutation, sync-over-async calls, and missing cancellation.
2 HCR001, HCR002, HCR003, HCR004, HCR005, HCR020 These catch lifetime and dependency-injection problems that are costly to debug after deployment.
3 HCR040, HCR080, HCR082, HCR083, HCR084 These improve resilience configuration, fan-out control, URI safety, and named-client maintainability.

Severity Profiles

The package ships with profiles under profiles/:

Profile Purpose
default.editorconfig Keeps production-safety diagnostics visible for new or actively maintained services.
brownfield-adoption.editorconfig Reduces noise while an existing codebase is being triaged.
strict-ci.editorconfig Promotes production-safety warnings to CI-enforced errors.
library-author.editorconfig Tightens response and stream ownership expectations for reusable libraries.

Prefer changing individual dotnet_diagnostic.<RULE_ID>.severity values over disabling the whole package.