SourceMapSecurity.AspDotNetCore
1.0.0
dotnet add package SourceMapSecurity.AspDotNetCore --version 1.0.0
NuGet\Install-Package SourceMapSecurity.AspDotNetCore -Version 1.0.0
<PackageReference Include="SourceMapSecurity.AspDotNetCore" Version="1.0.0" />
paket add SourceMapSecurity.AspDotNetCore --version 1.0.0
#r "nuget: SourceMapSecurity.AspDotNetCore, 1.0.0"
// Install SourceMapSecurity.AspDotNetCore as a Cake Addin
#addin nuget:?package=SourceMapSecurity.AspDotNetCore&version=1.0.0
// Install SourceMapSecurity.AspDotNetCore as a Cake Tool
#tool nuget:?package=SourceMapSecurity.AspDotNetCore&version=1.0.0
SourceMapSecurity
Easy to use ASP.NET Core middleware for restricting access to JavaScript and CSS source map (.map) files.
This middleware allows you to deploy your source maps to your production environment without worrying about the public viewing your source maps or debugging your JavaScript.
It works by intercepting HTTP requests for .map files and deciding whether or not they should be displayed to the user, depending on your own rules.
Motivations
This project exists because using source maps in production is great, as long as the source map files are protected from public access.
Prerequisites
Your source maps must be external files. This middleware does not help you if you're using inline source maps.
The source map file names must end in ".map" (e.g. .js.min.map, .css.min.map, etc.).
(optional) Generate source maps that embed the contents of the original source files, rather than source maps that only list the source file paths and require the source files to be deployed as well. This middleware only protects your source map files, so it is highly recommended that you do not deploy your source files separately at all.
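A pre-deployment check for the prerequisites above, as an added example that is not part of the SourceMapSecurity package: it scans a static-files directory for inline source maps, map URLs that do not end in .map, maps without embedded sourcesContent, and original sources deployed next to their map. The function names, finding strings and sample files are constructed for illustration.

```python
import json
import re
from pathlib import Path

# //# sourceMappingURL=... (JS) or /*# sourceMappingURL=... */ (CSS); "@" is the legacy marker.
URL_RE = re.compile(r"(?://|/\*)[#@]\s*sourceMappingURL=([^\s*]+)")

def audit_assets(root):
    """Return (relative_path, finding) pairs for a static-files directory."""
    root, findings = Path(root).resolve(), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix in (".js", ".css"):
            text = path.read_text(encoding="utf-8", errors="replace")
            for url in URL_RE.findall(text):
                if url.startswith("data:"):
                    findings.append((rel, "inline source map"))
                elif not url.split("?")[0].endswith(".map"):
                    findings.append((rel, "source map URL does not end in .map"))
        elif path.suffix == ".map":
            try:
                smap = json.loads(path.read_text(encoding="utf-8"))
                sources = smap.get("sources") or []
                content = smap.get("sourcesContent") or []
            except (ValueError, AttributeError):
                findings.append((rel, "unparseable source map"))
                continue
            if len(content) < len(sources) or any(c is None for c in content):
                findings.append((rel, "sourcesContent incomplete"))
            for src in sources:
                # A listed source that exists on disk is served without protection.
                if isinstance(src, str) and (path.parent / src).is_file():
                    findings.append((rel, "original source deployed: " + src))
    return findings

def write_sample(root):
    """Constructed sample wwwroot: one compliant bundle and three problems."""
    root = Path(root)
    (root / "src").mkdir(parents=True)
    (root / "src" / "b.js").write_text("function b() {}\n")
    (root / "a.min.js").write_text("a();\n//# sourceMappingURL=a.min.js.map\n")
    (root / "a.min.js.map").write_text(json.dumps(
        {"version": 3, "sources": ["a.js"], "sourcesContent": ["function a() {}"], "mappings": ""}))
    (root / "b.min.js").write_text("b();\n//# sourceMappingURL=b.min.js.map\n")
    (root / "b.min.js.map").write_text(json.dumps(
        {"version": 3, "sources": ["src/b.js"], "mappings": ""}))
    (root / "c.min.css").write_text("p{}\n/*# sourceMappingURL=data:application/json;base64,e30= */\n")
```

Calling audit_assets on the published static-files directory in CI and failing the build on any finding keeps unprotected sources from reaching production.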
Product | Compatible and additional computed target framework versions |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. |
.NET Core | netcoreapp3.1 is compatible. |
- .NETCoreApp 3.1
  - Microsoft.AspNetCore.Http (>= 2.2.2)
Version | Downloads | Last updated |
---|---|---|
1.0.0 | 873 | 10/26/2021 |
How to use
All you need to do is add this middleware to your Configure method in the Startup class.
NOTE: The placement of this middleware in your pipeline is important. You need to make sure it's added before app.UseStaticFiles();, otherwise it will not restrict access to your source map files.
Most basic configuration (no options specified).
// Default options, all clients are forbidden from downloading source maps and by
// default receive a 403 status code.
app.UseSourceMapSecurity();
More advanced configuration
app.UseSourceMapSecurity(new SourceMapSecurityOptions()
{
    // You can modify the HTTP status code returned to the client when they don't have access,
    // in case you would rather not show that a resource is there at all.
    DisallowedHttpStatusCode = 404,

    // You can modify this method to determine whether or not source maps should be returned
    // to the client, based on their HttpContext.
    // Returning true means source maps are allowed.
    // Returning false means source maps are disallowed.
    // In this example implementation below, source maps are only allowed if you're logged in,
    // or in the development environment.
    // `env` is assumed to be the IWebHostEnvironment parameter of the Configure method.
    // context.User is only populated if the authentication middleware
    // (app.UseAuthentication()) runs earlier in the pipeline than this middleware.
    IsAllowedAsync = async (context) =>
    {
        if (!env.IsDevelopment() && !context.User.Identity.IsAuthenticated)
        {
            return false;
        }

        return true;
    }
});