|
1 | 1 | --- |
2 | 2 | title: Security considerations in ASP.NET Core SignalR |
| 3 | +ai-usage: ai-assisted |
3 | 4 | author: wadepickett |
4 | 5 | description: Learn about security in ASP.NET Core SignalR. |
5 | 6 | monikerRange: '>= aspnetcore-2.1' |
6 | 7 | ms.author: wpickett |
7 | 8 | ms.custom: mvc |
8 | | -ms.date: 02/20/2024 |
| 9 | +ms.date: 03/31/2026 |
9 | 10 | uid: signalr/security |
10 | 11 | --- |
| 12 | + |
11 | 13 | # Security considerations in ASP.NET Core SignalR |
12 | 14 |
|
13 | 15 | By [Andrew Stanton-Nurse](https://twitter.com/anurse) |
@@ -39,6 +41,44 @@ For example, the following highlighted CORS policy allows a SignalR browser clie |
39 | 41 |
|
40 | 42 | In the previous example, the CORS policy is customized to allow specific origins, methods, and credentials. For more information on customizing CORS policies and middleware in ASP.NET Core, see [CORS middleware: CORS with named policy and middleware](xref:security/cors#cors-with-named-policy-and-middleware). |
41 | 43 |
|
| 44 | +### Apply a CORS policy to SignalR hub endpoints |
| 45 | + |
| 46 | +Instead of applying a CORS policy globally with the `UseCors` middleware, you can apply CORS specifically to SignalR hub endpoints. This approach allows different CORS policies for different parts of the app. |
| 47 | + |
| 48 | +There are two ways to apply a CORS policy to SignalR hubs: chaining `RequireCors` on the endpoint mapping, or adding the `[EnableCors]` attribute to the Hub class. Both approaches require a named CORS policy to be registered in the service configuration. The following example defines a policy named `"SignalRPolicy"`: |
| 49 | + |
| 50 | +```csharp |
| 51 | +builder.Services.AddCors(options => |
| 52 | +{ |
| 53 | + options.AddPolicy("SignalRPolicy", policy => |
| 54 | + { |
| 55 | + policy.WithOrigins("https://example.com") |
| 56 | + .AllowAnyHeader() |
| 57 | + .WithMethods("GET", "POST") |
| 58 | + .AllowCredentials(); |
| 59 | + }); |
| 60 | +}); |
| 61 | +``` |
| 62 | + |
| 63 | +**Apply the CORS policy on the hub endpoint mapping** by chaining <xref:Microsoft.AspNetCore.Builder.CorsEndpointConventionBuilderExtensions.RequireCors%2A> on the `MapHub` call: |
| 64 | + |
| 65 | +```csharp |
| 66 | +app.MapHub<ChatHub>("/chatHub") |
| 67 | + .RequireCors("SignalRPolicy"); |
| 68 | +``` |
| 69 | + |
| 70 | +**Apply the CORS policy on the Hub class** by adding the [`[EnableCors]`](xref:Microsoft.AspNetCore.Cors.EnableCorsAttribute) attribute: |
| 71 | + |
| 72 | +```csharp |
| 73 | +[EnableCors("SignalRPolicy")] |
| 74 | +public class ChatHub : Hub |
| 75 | +{ |
| 76 | + // ... |
| 77 | +} |
| 78 | +``` |
| 79 | + |
| 80 | +For more information on enabling CORS with endpoint routing, see [Enable CORS with endpoint routing](xref:security/cors#enable-cors-with-endpoint-routing). |
| 81 | + |
42 | 82 | ## WebSocket Origin Restriction |
43 | 83 |
|
44 | 84 | The protections provided by CORS don't apply to WebSockets. For origin restriction on WebSockets, read [WebSockets origin restriction](xref:fundamentals/websockets#websocket-origin-restriction). |
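Review bot: The opening sentence of the new section (new line 46) reads as if endpoint-level CORS replaces the `UseCors` middleware, and none of the three snippets shows `app.UseCors()` in the pipeline. `RequireCors` and `[EnableCors]` only attach the policy to the endpoint; the CORS middleware still has to be registered with a parameterless `app.UseCors()` for the policy to be enforced, so a reader who removes `UseCors` based on this wording ends up with no CORS handling on the hub. Suggest rewording to something like "Instead of applying one CORS policy to every endpoint by passing a policy name to `UseCors`, ..." and adding `app.UseCors();` ahead of the `MapHub` snippet. Separately, because the unchanged context at new line 84 states that CORS protections don't apply to WebSockets, the new section should say that applying `"SignalRPolicy"` to the hub does not restrict WebSocket connections, with a pointer to the WebSocket Origin Restriction section that follows.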
|