
MVC Redirect with custom headers

Hopefully this is a simple question for someone out there.

Basically upon receiving a request to my MVC controller, I want to:

  1. Add an "Authorization" header to the response
  2. Redirect to another application sitting on another domain
  3. Read the "Authorization" header at this external site.

It appears the act of redirecting strips out all my custom headers and redirects.

My question: how can I add a new header, AND perform a redirect, AND have that header show up in the headers for the receiving host [at the end of the redirect] to read?

user1265146 asked Aug 02 '13 21:08



2 Answers

You can't. That's not how HTTP works. First, a "redirect" is just a 301, 302, or (since HTTP 1.1) 307 status code with the Location header set to the URL the client should go to. It's the client that initiates the request to that URL, so you have no control over what headers they send.

Second, HTTP is stateless, so the fact that an Authorization header was sent in some response at some point has zero bearing on anything that happens in any future requests. Web browsers and other HTTP clients skirt around the stateless nature of HTTP by using sessions on the server-side and cookies on the client side. The client sends the cookie to the server with the request. The cookie matches an item in the session store on the server, and the server loads up the data from that session to give the appearance as though state was maintained.

Third, cookies don't work in this situation, because they are domain bound and are not sent along with requests to domains they did not originate from. So, even if you were to create a session to maintain the authorization, the other site would never see it.

FWIW, the basic premise here, sharing authentication state with a different domain, is exactly what technologies like OAuth were developed for. So direct future research in that direction.

Chris Pratt answered Sep 18 '22 21:09


No - 302 redirects are handled by the browser, and it will not re-attach headers.

Options:

  • server side proxy
  • use cookies instead of other headers (if it is the same domain, not your case per 2)
  • manual redirect client side (may be ok since you are making AJAX call anyway).

Alexei Levenkov answered Sep 17 '22 21:09
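
Both answers rest on the same fact: the client, not the redirecting server, builds the follow-up request. The added example below (not code from the question or either answer) shows this with two constructed loopback servers standing in for the controller and the external site, and Python's urllib standing in for the browser. The handler names, the `/landing` path and the token value are assumptions made for the example.

```python
import http.server
import threading
import urllib.request

seen = []  # lower-cased request headers that reach the second site

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

class Target(Quiet):
    """Constructed stand-in for the application on the other domain."""
    def do_GET(self):
        seen.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

class Redirector(Quiet):
    """Constructed stand-in for the controller: sets a header, then redirects."""
    location = ""  # filled in once the target's port is known

    def do_GET(self):
        self.send_response(302)
        self.send_header("Authorization", "Bearer constructed-sample-token")
        self.send_header("Location", self.location)
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve(handler):
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def headers_seen_after_redirect():
    """Follow the 302 like a browser; return (final URL, headers the target got)."""
    seen.clear()
    target, redirector = serve(Target), serve(Redirector)
    Redirector.location = f"http://127.0.0.1:{target.server_port}/landing"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://127.0.0.1:{redirector.server_port}/", timeout=5) as response:
            return response.geturl(), seen[-1]
    finally:
        redirector.shutdown()
        target.shutdown()

if __name__ == "__main__":
    print(headers_seen_after_redirect())
```

The second server receives only the headers the client chose to send (Host, User-Agent and so on); the `Authorization` value set on the 302 response stops at the client.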