The ASP.NET Core request pipeline is a Chain of Responsibility. Every request passes through a series of "Middleware" components like Auth, Routing, and Logging.
If a middleware component detects a problem (e.g., the user is not authenticated), it can return a response immediately and "short-circuit" the pipeline. The request never reaches the controller. This helps both performance and security: a rejected request costs little and never touches application code.
A middleware can run code twice: once when the request is going IN, and once when the response is coming OUT. This is how the **Exception Handling Middleware** works—it waits for an exception, catches it, and turns it into a clean JSON error response for the user.
Middleware is global (app-wide). **Action Filters** are specific to a controller or action. Use middleware for low-level cross-cutting concerns (Request Logging, Security Headers). Use filters for high-level business logic (Permission checks, Model validation).
Q: "Why does the ORDER of middleware in Program.cs matter?"
Architect Answer: "The order is the **Order of Execution**. If you put `UseEndpoints()` before `UseAuthentication()`, your controllers will run BEFORE the security check! An architect must ensure that safety (CORS, SSL, Auth) always comes first in the builder chain, followed by business routing, and then static files."
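The ordering, short-circuit and in/out behaviour described above, shown in one `Program.cs` as an added example (not code from the original page). The `X-Api-Key` header, the demo key and the `/orders` and `/boom` routes are hypothetical, and the inline gate stands in for `UseAuthentication()`/`UseAuthorization()`.

```csharp
// Program.cs, .NET 6+ minimal hosting (web SDK implicit usings assumed)
using System.Security.Cryptography;
using System.Text;

var app = WebApplication.CreateBuilder(args).Build();
// Constructed demo secret; a real app reads it from configuration or uses UseAuthentication().
byte[] demoKey = Encoding.UTF8.GetBytes("constructed-demo-key");

// 1. Registered first, so it wraps everything below: IN on the way down, OUT on the way back.
app.Use(async (context, next) =>
{
    try { await next(context); }
    catch (Exception) when (!context.Response.HasStarted)
    {
        context.Response.Clear();
        context.Response.StatusCode = StatusCodes.Status500InternalServerError;
        await context.Response.WriteAsJsonAsync(new { error = "Internal server error" });
    }
});

// 2. Security header, applied when the response starts (including the 401 written by the gate).
app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        context.Response.Headers["X-Content-Type-Options"] = "nosniff";
        return Task.CompletedTask;
    });
    await next(context);
});

// 3. Gate: a wrong or missing key gets 401 and next() is never called (short-circuit).
app.Use(async (context, next) =>
{
    byte[] supplied = Encoding.UTF8.GetBytes(context.Request.Headers["X-Api-Key"].ToString());
    if (!CryptographicOperations.FixedTimeEquals(supplied, demoKey))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        await context.Response.WriteAsJsonAsync(new { error = "Unauthorized" });
        return;
    }
    await next(context);
});

// 4. Endpoints run last, only for requests that passed the gate.
app.MapGet("/orders", () => Results.Ok(new[] { "order-1" }));
app.MapGet("/boom", string () => throw new InvalidOperationException("constructed failure"));
app.Run();
```

Registering block 3 after the endpoints would leave `/orders` reachable without a key, which is the ordering mistake the answer above warns about.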