From bdd837c5cfdfcbabd664af8ef0ea7950c3a11839 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 1 Apr 2026 12:10:56 -0700 Subject: [PATCH] Add docs for applying CORS to SignalR hubs without global middleware (#36936) * Initial plan * Add content about enabling CORS for SignalR without applying the policy globally Add a new subsection "Apply a CORS policy to SignalR hub endpoints" under the CORS section in SignalR security docs. Documents two approaches: 1. Using RequireCors on the MapHub endpoint mapping 2. Using the [EnableCors] attribute on the Hub class Applied across all relevant moniker versions (8.0+, 7.0, 6.0, 3.0-5.x). Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/c6bf092e-343b-49ad-bfa1-e83078d9e265 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> * Add named CORS policy registration example to SignalR hub CORS subsection Show the AddCors/AddPolicy snippet that defines "SignalRPolicy" before it's referenced in the RequireCors and [EnableCors] examples. Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/eeaca9de-513b-4a43-a838-4e3f6ca91450 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> * Add author information to security.md * Apply suggestion from @wadepickett * Apply suggestions from code review Co-authored-by: Wade Pickett * Apply suggestions from code review Co-authored-by: Wade Pickett * Revert changes to security2.1-5.md, security6.md, and security7.md Per BrennanConroy's feedback, these are unsupported versions and don't need the CORS documentation update. The new CORS subsection is retained only in security.md (aspnetcore 8.0+). Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/c741589c-d9d2-40d2-ad8e-14eed4304350 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> Co-authored-by: Wade Pickett --- aspnetcore/signalr/security.md | 42 +++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/aspnetcore/signalr/security.md b/aspnetcore/signalr/security.md index ff9e3fc1004e..5433c1483208 100644 --- a/aspnetcore/signalr/security.md +++ b/aspnetcore/signalr/security.md @@ -1,13 +1,15 @@ --- title: Security considerations in ASP.NET Core SignalR +ai-usage: ai-assisted author: wadepickett description: Learn about security in ASP.NET Core SignalR. monikerRange: '>= aspnetcore-2.1' ms.author: wpickett ms.custom: mvc -ms.date: 02/20/2024 +ms.date: 03/31/2026 uid: signalr/security --- + # Security considerations in ASP.NET Core SignalR By [Andrew Stanton-Nurse](https://twitter.com/anurse) @@ -39,6 +41,44 @@ For example, the following highlighted CORS policy allows a SignalR browser clie In the previous example, the CORS policy is customized to allow specific origins, methods, and credentials. For more information on customizing CORS policies and middleware in ASP.NET Core, see [CORS middleware: CORS with named policy and middleware](xref:security/cors#cors-with-named-policy-and-middleware). +### Apply a CORS policy to SignalR hub endpoints + +Instead of applying a CORS policy globally with the `UseCors` middleware, you can apply CORS specifically to SignalR hub endpoints. This approach allows different CORS policies for different parts of the app. + +There are two ways to apply a CORS policy to SignalR hubs: chaining `RequireCors` on the endpoint mapping, or adding the `[EnableCors]` attribute to the Hub class. Both approaches require a named CORS policy to be registered in the service configuration. The following example defines a policy named `"SignalRPolicy"`: + +```csharp +builder.Services.AddCors(options => +{ + options.AddPolicy("SignalRPolicy", policy => + { + policy.WithOrigins("https://example.com") + .AllowAnyHeader() + .WithMethods("GET", "POST") + .AllowCredentials(); + }); +}); +``` + +**Apply the CORS policy on the hub endpoint mapping** by chaining on the `MapHub` call: + +```csharp +app.MapHub("/chatHub") + .RequireCors("SignalRPolicy"); +``` + +**Apply the CORS policy on the Hub class** by adding the [`[EnableCors]`](xref:Microsoft.AspNetCore.Cors.EnableCorsAttribute) attribute: + +```csharp +[EnableCors("SignalRPolicy")] +public class ChatHub : Hub +{ + // ... +} +``` + +For more information on enabling CORS with endpoint routing, see [Enable CORS with endpoint routing](xref:security/cors#enable-cors-with-endpoint-routing). + ## WebSocket Origin Restriction The protections provided by CORS don't apply to WebSockets. For origin restriction on WebSockets, read [WebSockets origin restriction](xref:fundamentals/websockets#websocket-origin-restriction).