I’ve deployed my microservice solution on a staging Kubernetes cluster at our cloud provider, and it works fine when accessing the Blazor WebAssembly app via the domain name. To avoid having to start all the services locally when developing the Blazor app, we previously added "App__CorsOrigins": "https://localhost:44346" in the Helm Chart. This worked fine in ABP 9.0.x but not in 9.2.3. In that case, the web browser shows the following message: Refused to display 'https://auth.staging.mydomain.com/Error?httpStatusCode=400' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. Is there a good and convenient way to configure this, with minimal impact on the services and Blazor?
3 Answer(s)
-
0
To allow your backend to accept requests from a locally running Blazor WebAssembly app while your services are deployed (e.g., on Kubernetes), you need to ensure proper CORS configuration in your microservice solution. In ABP 9.2.3, the CORS configuration approach remains similar, but you should also be aware of the
X-Frame-Options
header, which is set by default for security reasons.Here’s how to configure your environment for local Blazor development with minimal impact:
- Update CORS Origins in appsettings.json or Helm Chart: Ensure your backend services (especially AuthServer and API gateways) have the following in their configuration:
"App": { "CorsOrigins": "https://localhost:44346,https://your-staging-domain.com" }
- You can add multiple origins, separated by commas.
- Make sure there are no trailing slashes.
- Apply CORS Middleware:
In your service’s
OnApplicationInitialization
method, ensure:
app.UseCors();
This should be before
app.UseAuthentication()
andapp.UseAuthorization()
.- X-Frame-Options Issue:
The error you see (
Refused to display ... in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
) is due to the default security headers. If you are embedding the AuthServer in an iframe (e.g., for login), you need to adjust the frame options. In your AuthServer, you can override the default header:
app.Use(async (context, next) => { context.Response.Headers.Remove("X-Frame-Options"); // Or set to allow from your localhost // context.Response.Headers["X-Frame-Options"] = "ALLOW-FROM https://localhost:44346"; await next(); });
- Only do this for development; do not allow this in production for security reasons.
Environment-Specific Configuration: Use environment variables or environment-specific appsettings (e.g.,
appsettings.Development.json
) to include localhost only in development.Restart Services: After updating the configuration, restart your backend services to apply the changes.
Browser Cache: Clear your browser cache or use an incognito window to avoid cached CORS or header responses.
This setup allows you to run your Blazor WebAssembly app locally and connect to your remote backend securely and conveniently.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
These security headers were added by ABP Security Header middleware.
You can remove all
app.UseAbpSecurityHeaders
from your apps.https://abp.io/docs/latest/framework/ui/mvc-razor-pages/security-headers https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs#L42-L43 Thanks.
-
0
Thanks for fast response :-)
I was disabling the security headers in the auth-server project.
However, I still get the same error in the browser console: Refused to display 'https://auth.staging.mydomain.com/Error?httpStatusCode=400' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
In which projects do I need disable the headers, I thought that auth-server is enough?
Thanks :-)