Cirreum.Cors
1.0.108
dotnet add package Cirreum.Cors --version 1.0.108
NuGet\Install-Package Cirreum.Cors -Version 1.0.108
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Cirreum.Cors" Version="1.0.108" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Cirreum.Cors" Version="1.0.108" />
<PackageReference Include="Cirreum.Cors" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Cirreum.Cors --version 1.0.108
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: Cirreum.Cors, 1.0.108"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Cirreum.Cors@1.0.108
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Cirreum.Cors&version=1.0.108
#tool nuget:?package=Cirreum.Cors&version=1.0.108
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
Cirreum.Cors
A flexible and secure CORS (Cross-Origin Resource Sharing) configuration library for ASP.NET Core applications. This library provides a configuration-driven approach to managing CORS policies with built-in security validations and automatic header management.
Features
- Configuration-driven: Define CORS policies in
appsettings.json - Multiple named policies: Support for multiple CORS policies in a single application
- Security validations: Automatic HTTPS enforcement for non-wildcard origins
- Wildcard subdomain support: Built-in support for subdomain wildcards (e.g.,
https://*.example.com) - Automatic header injection: Automatically adds required headers like
X-Cirreum-App-Name - Flexible policy selection: Uses default policy or first configured policy automatically
Installation
# Package installation command will depend on your distribution method
# If published to NuGet:
dotnet add package Cirreum.Cors
Quick Start
1. Configure CORS in appsettings.json
{
"Cirreum": {
"Cors": {
"default": {
"origins": ["https://*.mycompany.com", "https://app.mycompany.com"],
"methods": ["GET", "POST", "PUT", "DELETE"],
"headers": ["Authorization", "Content-Type"],
"exposedHeaders": ["Content-Disposition"]
}
}
}
}
2. Add CORS to your application
using Microsoft.AspNetCore.Hosting;
var builder = WebApplication.CreateBuilder(args);
// Configure CORS from appsettings.json
builder.ConfigureCors();
var app = builder.Build();
// Use the configured CORS policy
app.UseConfiguredCors();
app.Run();
Configuration
Basic Configuration Structure
The CORS configuration is defined under the Cirreum:Cors section in your appsettings.json. Each key represents a named policy:
{
"Cirreum": {
"Cors": {
"policy-name": {
"origins": ["array of allowed origins"],
"methods": ["array of allowed HTTP methods"],
"headers": ["array of allowed headers"],
"exposedHeaders": ["array of headers to expose to client"]
}
}
}
}
Configuration Properties
| Property | Type | Description | Example |
|---|---|---|---|
origins |
string[] |
List of allowed origins. Use ["*"] for any origin, https://*.domain.com for subdomain wildcards |
["https://app.example.com", "https://*.api.example.com"] |
methods |
string[] |
Allowed HTTP methods (case-sensitive, uppercase) | ["GET", "POST", "PUT", "DELETE"] |
headers |
string[] |
Request headers that clients can send | ["Authorization", "Content-Type"] |
exposedHeaders |
string[] |
Response headers exposed to client-side code | ["Content-Disposition", "X-Total-Count"] |
Multiple Policies Example
{
"Cirreum": {
"Cors": {
"default": {
"origins": ["https://*.mycompany.com"],
"methods": ["GET", "POST", "PUT", "DELETE"],
"headers": ["Authorization", "Content-Type"],
"exposedHeaders": ["Content-Disposition"]
},
"public-api": {
"origins": ["*"],
"methods": ["GET"],
"headers": ["Authorization"],
"exposedHeaders": []
},
"admin-panel": {
"origins": ["https://admin.mycompany.com"],
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH"],
"headers": ["Authorization", "Content-Type", "X-Admin-Token"],
"exposedHeaders": ["X-Rate-Limit-Remaining"]
}
}
}
}
Usage Patterns
Using Specific Named Policies
While UseConfiguredCors() automatically selects the default or first policy, you can also use specific policies:
// Use a specific named policy
app.UseCors("public-api");
Accessing Pre-defined Policy Names
The library provides constants for common policy names:
using Cirreum.Cors;
// Use pre-defined policy name constants
var defaultPolicy = Policies.DefaultPolicyName; // "Default"
var allowAllPolicy = Policies.AllowAllPolicyName; // "AllowAll"
// ... other predefined policy names
Security Features
HTTPS Enforcement
The library automatically enforces HTTPS for all non-wildcard origins:
// ✅ Valid configurations
{
"origins": ["*"] // Wildcard allowed
}
{
"origins": ["https://api.example.com"] // HTTPS required
}
// ❌ Invalid - will throw exception
{
"origins": ["http://api.example.com"] // HTTP not allowed for specific origins
}
Wildcard Origin Handling
When "*" is present in the origins array, all other origins are ignored:
{
"origins": ["*", "https://example.com", "https://api.example.com"]
// Only "*" will be used, others are ignored with a warning
}
Automatic Header Injection
The library automatically adds the X-Cirreum-App-Name header to your CORS configuration to support Application identification.
Advanced Usage
Custom Policy Selection
The library uses this policy selection logic:
- If a "default" policy exists, it's used as the default policy
- If no "default" policy exists, the first configured policy is used
- You can override this by explicitly calling
UseCors("policy-name")
Wildcard Subdomain Support
The library supports subdomain wildcards:
{
"origins": ["https://*.api.example.com"]
// Allows: https://v1.api.example.com, https://v2.api.example.com, etc.
}
Requirements
- .NET Core: Compatible with modern .NET applications
- ASP.NET Core: Built for ASP.NET Core applications
- Configuration section: Requires
Cirreum:Corssection in configuration
Error Handling
The library provides clear error messages for common configuration issues:
- Missing configuration: Throws
InvalidOperationExceptionifCirreum:Corssection is missing - No default policy: Throws
InvalidOperationExceptionif no "Default" policy is configured - HTTP origins: Throws
ArgumentExceptionfor HTTP origins when not using wildcards
Contributing
This package is part of the Cirreum ecosystem. Follow the established patterns when contributing new features or provider implementations.
For more information about CORS in ASP.NET Core, see the official Microsoft documentation.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
net10.0
- No dependencies.
NuGet packages (1)
Showing the top 1 NuGet packages that depend on Cirreum.Cors:
| Package | Downloads |
|---|---|
|
Cirreum.Runtime.Server
The Cirreum Runtime for Servers. |
GitHub repositories
This package is not used by any popular GitHub repositories.