Closed StephanieKeown closed 3 years ago
domaindrivendev
commented
4 years ago I’m not overly familiar with the UseHsts middleware - is that the middleware that is supposed to add the desired headers? If so, have you tried inserting it before the Swagger middlewares instead of after? As the Swagger middlewares are “terminal” (that is they terminate the middleware pipeline), anything after them will be ignored
StephanieKeown
commented
4 years ago Thank you kindly for your response. The hsts header is the strict transport security header. It's the only one I need for the api. I Ave actually tried adding it before the swagger is called in the middle ware pipeline but to no avail. Can any HTTP Response headers be added when the swagger middleware is called? Perhaps I could add it in a customised header.
domaindrivendev
commented
4 years ago OK - maybe I'm not fully understanding your issue. I initilly thought you were having problems with the Swagger pages actually participating in the STS protocol but on further reading it sounds like maybe the problem is that the STS header is not being described within the Swagger pages. Is that correct?
If so, you can inject an IOperationFilter (see readme) which will allow you to enrich the generated OpenApiOperation metadata as you see fit. For example, you could edit the operation.Responses property to add additional header descriptions (e.g. Secure-Transport-Security) for all or a specific set of operations.
domaindrivendev
commented
4 years ago Here's an example of one such filter that might work for you:
public class CustomHeadersFilter : IOperationFilter
{
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
foreach (var entry in operation.Responses)
{
if (entry.Key.StartsWith("2"))
{
entry.Value.Headers["Strict-Transport-Security"] = new OpenApiHeader
{
Schema = new OpenApiSchema { Type = "string" }
};
}
}
}
}
bhanuprakash-1
commented
2 years ago Hi @domaindrivendev, Is there a way to format the response header as below (basically without Schema):
"headers": { "x-ms-error-code": { "x-ms-client-name": "ErrorCode", "type": "string" } }
instead of the below:
"headers": { "x-ms-error-code": { "schema": { "type": "string" }, "x-ms-client-name": "ErrorCode" } }
x-ms-error-code is the custom header I want to add, and x-ms-client-name is an extension I want to add, which is used in client-generation.
I originally posted to the swagger ui team and they pointed me here.
To summarise I want to know if there is a feature to create HTTP Response headers from a net core Web api. Details below.
OS: [Windows 10 ] Browser: [Chrome] Version: [83.0.4103.116] Method of installation: [nu-get] Swagger-UI version: [e.g. 3.0.1] Swagger/OpenAPI version: [OpenAPI 3.0.1] Content & configuration I am running Swagger via .Net Core in visual studio. In my startup.cs:
Configure(){ ... services.AddSwaggerGen((options) => { options.SwaggerDoc("v1", new OpenApiInfo { Title = "myapp", Version = "v1" }); }); ... }
ConfigureServices(){ app.UseSwagger();
app.UseSwaggerUI(c => { c.SwaggerEndpoint("../swagger/v1/swagger.json", "myapp"); });
app.UseHsts(); }
How can we help? I have to get an API past PEN testing. We have been left with one issue - the swagger.index.html UI does not describe the desired headers, in this instance it is the hsts header. It appears The UI for swagger does not obey any middleware compenents called in the startup.cs(I am using .NetCore, so no web.config). I have tried using NWebSec, and using some suggestions I have found online for adding custom headers. I have been here: https://swagger.io/docs/specification/2-0/describing-responses/ but I cannot how to implement it! There are a few properties i suspect I can configure in the UseSwaggerUI() method but I do not know the syntax or exactly which out of path, schema, and responses, I should be calling.