CodexBloom - Programming Q&A Platform

ASP.NET Core 6 Middleware Not Respecting Route Constraints for CORS Policy

Views: 3142 | Answers: 1 | Created: 2025-06-11
asp.net-core cors middleware web-api C#

I'm maintaining legacy code that I've searched everywhere and can't find a clear answer... I'm experiencing an issue where my custom middleware in an ASP.NET Core 6 application seems to be ignoring route constraints when applying CORS policies. I have set up a CORS policy at the application level to allow specific origins, but for some routes, I need to restrict it further based on route parameters. Here's the relevant part of my `Startup.cs`:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CustomPolicy", builder =>
        {
            builder.WithOrigins("https://example.com")
                   .AllowAnyMethod()
                   .AllowAnyHeader();
        });
    });
    services.AddControllers();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseCors("CustomPolicy");
    app.UseRouting();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapGet("/api/products/{id:int}", async context =>
        {
            // Logic to fetch product
        });
        endpoints.MapGet("/api/products/{name}", async context =>
        {
            // Logic to fetch product by name
        });
    });
}
```

I expected the CORS policy to only allow requests from `https://example.com` for the `/api/products/{id:int}` route, but it seems that requests from other origins are still getting through. I've tried adjusting the order of middleware in the pipeline and explicitly defining CORS for specific routes, but the behavior remains the same. When I inspect the responses, the `Access-Control-Allow-Origin` header is not filtering as expected and is allowing all origins.

Has anyone encountered this issue or have suggestions on how I can enforce CORS based on route constraints more effectively? Also, are there best practices for managing route-specific CORS policies in ASP.NET Core? I appreciate any guidance you can offer! Any ideas what could be causing this? What would be the recommended way to handle this?
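An added example, not part of the original post: one way to scope the question's `CustomPolicy` to the `{id:int}` route only, using endpoint routing's `RequireCors` with `UseCors()` placed between `UseRouting()` and `UseEndpoints()`. The response bodies are placeholders assumed for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Policy name and origin reused from the question.
    private const string CustomPolicy = "CustomPolicy";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
            options.AddPolicy(CustomPolicy, builder =>
                builder.WithOrigins("https://example.com")
                       .AllowAnyMethod()
                       .AllowAnyHeader()));
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Routing runs first so the matched endpoint and its CORS
        // metadata are known when the CORS middleware executes.
        app.UseRouting();

        // No policy name here: the middleware applies whatever policy is
        // attached to the matched endpoint. No default policy is defined,
        // so endpoints without RequireCors emit no CORS headers at all.
        app.UseCors();

        app.UseEndpoints(endpoints =>
        {
            // Matches only integer ids; carries the restricted policy.
            endpoints.MapGet("/api/products/{id:int}", async context =>
            {
                var id = context.Request.RouteValues["id"];
                await context.Response.WriteAsync($"product id {id}"); // placeholder
            }).RequireCors(CustomPolicy);

            // Non-integer segment falls through to this route; no CORS policy.
            endpoints.MapGet("/api/products/{name}", async context =>
            {
                var name = context.Request.RouteValues["name"];
                await context.Response.WriteAsync($"product name {name}"); // placeholder
            });
        });
    }
}
```

CORS is enforced by the browser, so the server still answers requests from other origins and non-browser clients; the policy only controls whether `Access-Control-Allow-Origin` is returned. To check it, send a request with an `Origin` header and inspect the response headers, and use authentication and authorization where requests must actually be rejected.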