Add a header to all responses in ASP.NET Core MVC

Solution 1

Using app.Use(...) and mutating context.Response.Headers from within Startup.Configure is correct, but it's important to do it at the right point in the chain. ASP.NET Core middleware components can "short-circuit" (see the ASP.NET Core Middleware docs), preventing further middleware from being called, and by experimenting with it I've inferred that UseMvc() does so. In an MVC application, then, this means you have to put your app.Use(...) call before app.UseMvc().

In other words, starting from the template ASP.NET Core 2.0 application that Visual Studio generates for you, you want to modify Startup.Configure in Startup.cs to look something like this:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    // Add header:
    app.Use((context, next) =>
    {
        context.Response.Headers["Access-Control-Allow-Origin"] = "*";
        return next.Invoke();
    });

    app.UseMvc();
}

Solution 2

I tried your code, and it worked beautifully... Placement is key: I'm pretty sure it needs to be early in the chain.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();
    //app.UseCors(builder => builder.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());
    app.Use((context, next) => {
        context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        return next.Invoke();
    });
    app.UseMvc();
    app.UseWebSockets();
    app.UseSignalR();
}

Solution 3

You can also try using the built-in CORS middleware in the ASP.NET Core framework rather than creating your own middleware.

In the Configure method of the Startup class, add the following code.

// Add CORS for YourAnotherSite
app.UseCors(builder =>
    builder.WithOrigins("http://YourAnotherSite.com"));

OR

Use Named Policies

In the Configure method of the Startup class:

// options is the CorsOptions instance supplied by services.AddCors
services.AddCors(options =>
    options.AddPolicy("AllowMyOrigin",
        builder => builder.WithOrigins("http://YourAnotherSite.com")));

and then in the ConfigureServices method of the Startup class:

app.UseCors("AllowMyOrigin");

Alternatively, the policy can be applied to each controller or action method.
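
The named-policy setup as a complete ASP.NET Core 2.0 Startup class, added here as an example and not taken from any of the answers: the policy is registered in ConfigureServices, and app.UseCors runs in Configure before app.UseMvc(). The origin is the placeholder used in Solution 3; the allowed methods and request header are assumptions chosen for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Policy name as used in Solution 3.
    private const string PolicyName = "AllowMyOrigin";

    public void ConfigureServices(IServiceCollection services)
    {
        // Policies are registered with the service container.
        services.AddCors(options =>
        {
            options.AddPolicy(PolicyName, builder => builder
                // Origins are matched on scheme + host (+ port).
                // Placeholder origin from Solution 3.
                .WithOrigins("http://YourAnotherSite.com")
                // Assumed for illustration: restrict what a preflight may approve.
                .WithMethods("GET", "POST")
                .WithHeaders("Content-Type"));

            // Wildcard equivalent of the hand-written header, shown for contrast:
            // every origin may read responses, so keep it for public APIs only.
            // options.AddPolicy("AllowAll", builder => builder.AllowAnyOrigin());
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // The CORS middleware has to sit before UseMvc(), for the same reason
        // as the app.Use(...) call in Solution 1. It only emits
        // Access-Control-Allow-Origin when the request carries an Origin
        // header that the policy allows, so same-origin requests show no header.
        app.UseCors(PolicyName);

        app.UseMvc();
    }
}
```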

Author by

MuriloKunze

http://www.linkedin.com/pub/murilo-kunze/44/191/455

Updated on July 09, 2022

Comments

  • MuriloKunze almost 2 years

    I would like to know how I can add Access-Control-Allow-Origin:* to my headers.

    I've tried this unsuccessfully:

    app.Use((context, next) =>
    {
        context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        return next.Invoke();
    });
    
  • Amorphis over 5 years
    When app.UseMvc is last, the app.UseCors... works perfectly.
  • Percy about 5 years
    Hi, using app.UseCors doesn't add a header to the response (or it doesn't seem to) but does it still achieve the same?
  • Abhinav Galodha about 5 years
    @Percy - The CORS headers are only added for cross-domain requests. If you are requesting from the same origin, ASP.NET Core wouldn't add the CORS headers.
  • Polynomial almost 5 years
    Since it's the example here, it's worth noting that setting this particular header to * comes with security implications, as it effectively disables the same-origin security policy, which can lead to cross-site request forgery attacks. Only use * when you want to open up AJAX request access to the whole internet (e.g. in the context of a public API) and ensure that all non-idempotent requests you expose have some form of CSRF protection.