Remove Headers Added By WebServer (nginx) In Aspcore Application

jack
February 13, 2021
62 views
0 votes
2 Answers

I am using aspcore sdk3.1, when I published my application on nginx without any configuration in My App, I saw that the web server automatically added 1access-control-allow-origin:*1 Header to all my requests.

Can I delete this header in my application And Add My Own Allow-Origin Header? , because I do not have access to the web server settings

Tags: asp.net asp.net-core c#nginx webserver

Answers

Chosen as BEST ANSWER

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;

#proxy_cache_path  /data/nginx/cache  levels=1:2    keys_zone=STATIC:10m
#inactive=14d  max_size=10g;

upstream dotnet {
    zone dotnet 64k;
    server 0.0.0.0:5005;
} 

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##
    include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}

This IS My Config Code Whats Wrong?

(Edit)

If nginx adds the CORS allow all origin header, then there must be some configuration like this one here

#
# Wide-open CORS config for nginx
#
location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
}

Just remove the add_header lines wherever you don’t want them and you’ll be fine.
Beware that you don’t change all the applications, someone else might be using it, so configure for your location only.
If you don’t have access, then just liase with the administrator to make you a new configuration for the application.

It seems that https://serverfault.com/questions/751678/how-can-i-replace-access-control-allow-origin-header-in-proxy-response-with-ngin/927668#927668 add header will override the one added to the request by net-core configuration, so you seem to be out of luck.

Please signup or login to give your own answer.

Click here to cancel reply.