When a team produces an enterprise solution with a Single-Page Application (SPA) front-end and .NET Web API back-end, what are the options to host the two beasts?
Ultimately, we want to preserve the front-end bundle unchanged between environments, inject environment variables and have custom caching policies.

A popular bundle of .NET + SPA framework (e.g. Angular, React, Vue) has a notorious problem of enforcing contracts between the back-end and the front-end. Among all solutions, code generation tools are particular tempting. And here is analysis of all the major players to get the job done: NSwag, Swagger Codegen, OpenAPI Generator, AutoRest, WebApiClientGen and TypeWriter (plus 2 extra tools with partial functionality).

Cross-site scripting (XSS) is one of the most common application-layer web attacks. Are Angular or React apps safe? And if not, how to protect them? Some methods are easy to implement, others (like Content Security Policy) require more attention. Anyway, applying right settings is not a smooth ride, and some potholes and gotchas are described here.

For professional developers, code/peer review is an essential step of the internal QA. Over the years, among a wide variety of problems revealed on code reviews, I found that some appear more often than others. Here is a list of the most common ones. So, the code is working, meets acceptance criteria, passed dev's testing and here we go...

Strongly typed Reactive Forms is the elephant in the room the Angular team doesn't want to talk about. In the absence of the official solution, developers can use some tricks to enforce type checking in the Reactive Forms. Here are two plausible solutions.