AppStd/DbFirst
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve CORS config: block all if no origins specified

Browse Source 
Refined CORS policy in Program.cs for better security. In development, all origins are allowed. In production, only configured origins are allowed; if none are specified, all cross-origin requests are blocked by default. Switched to Array.Empty<string>() for clarity.
This commit is contained in:
OlgunR
2026-01-19 17:08:55 +01:00
parent 7a78a48d03
commit 6b89f7bd72
1 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
DbFirst.API/Program.cs
View File

@@ -1,6 +1,7 @@
using DbFirst.API.Middleware; using DbFirst.API.Middleware;
using DbFirst.Application; using DbFirst.Application;
using DbFirst.Application.Repositories; using DbFirst.Application.Repositories;
using DbFirst.Domain;
using DbFirst.Infrastructure; using DbFirst.Infrastructure;
using DbFirst.Infrastructure.Repositories; using DbFirst.Infrastructure.Repositories;
@@ -26,11 +27,15 @@ builder.Services.AddCors(options =>
} }
else else
{ {
var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? []; var origins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
if (origins.Length > 0)
{
policy.WithOrigins(origins) policy.WithOrigins(origins)
.AllowAnyHeader() .AllowAnyHeader()
.AllowAnyMethod(); .AllowAnyMethod();
} }
// if no origins configured, deny all by leaving policy without allowances
}
}); });
}); });