dotnet add package SourceMapSecurity.AspDotNetCore --version 1.0.0
NuGet\Install-Package SourceMapSecurity.AspDotNetCore -Version 1.0.0
<PackageReference Include="SourceMapSecurity.AspDotNetCore" Version="1.0.0" />
paket add SourceMapSecurity.AspDotNetCore --version 1.0.0
#r "nuget: SourceMapSecurity.AspDotNetCore, 1.0.0"
// Install SourceMapSecurity.AspDotNetCore as a Cake Addin
#addin nuget:?package=SourceMapSecurity.AspDotNetCore&version=1.0.0

// Install SourceMapSecurity.AspDotNetCore as a Cake Tool
#tool nuget:?package=SourceMapSecurity.AspDotNetCore&version=1.0.0

This middleware works by intercepting HTTP requests for .map files and deciding, according to your own rules, whether or not they should be served to the user.
This project exists because using source maps in production is great, as long as the source map files are protected from public access.
Your source maps must be external files. This middleware does not help you if you're using inline source maps.
The source map file names must end in ".map" (e.g. .js.min.map, .css.min.map, etc.).
(optional) Generate source maps that embed the contents of the original source files, instead of source maps that only list the source file paths, which would require deploying the source files too. This middleware only protects your source map files, so it is highly recommended that you do not deploy your source files separately at all.
.NET: net5.0, net5.0-windows, net6.0, net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows, net7.0, net7.0-android, net7.0-ios, net7.0-maccatalyst, net7.0-macos, net7.0-tvos, net7.0-windows
- Microsoft.AspNetCore.Http (>= 2.2.2)
How to use
All you need to do is add this middleware to your Configure method in the Startup class.
NOTE: The placement of this middleware in your pipeline is important. You need to make sure that it is added before app.UseStaticFiles();, otherwise it will not restrict access to your source map files.
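To make the ordering requirement concrete, here is a hand-written gate of the same shape. It is an added example, not the package's own code or API. It assumes an ASP.NET Core 6+ project using the minimal hosting model (Program.cs instead of Startup.Configure) and cookie authentication; the allow rule mirrors the "logged in or development" rule described further down.

```csharp
// Added example: illustrates the technique, NOT SourceMapSecurity's implementation.
// Assumptions: ASP.NET Core 6+ web project (implicit usings), cookie authentication.
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

var app = builder.Build();

// Must run before the gate, otherwise context.User is always anonymous
// and the rule below would deny every production request.
app.UseAuthentication();

// The gate is registered BEFORE UseStaticFiles, so it sees the request first.
app.Use(async (context, next) =>
{
    var path = context.Request.Path.Value ?? string.Empty;

    // Case-insensitive suffix match, so /js/site.min.js.MAP is covered too.
    var isSourceMap = path.EndsWith(".map", StringComparison.OrdinalIgnoreCase);

    if (isSourceMap)
    {
        var allowed = app.Environment.IsDevelopment()
            || context.User.Identity?.IsAuthenticated == true;

        if (!allowed)
        {
            // 404 hides that the file exists; 403 would confirm it is there.
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return; // short-circuit: the static file middleware never runs
        }
    }

    await next(context);
});

// UseStaticFiles answers requests for files that exist under wwwroot and ends
// the pipeline there. Registered above the gate, it would serve
// /js/site.min.js.map itself and the gate would never be reached.
app.UseStaticFiles();

app.Run();
```

A quick deployment check is to request a known .map URL without a session cookie and confirm the response is the configured denial status rather than 200.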
Most basic configuration (no options specified).
// Default options, all clients are forbidden from downloading source maps and by
// default receive a 403 status code.
More advanced configuration
// You can modify the HTTP status code returned to the client when they don't have access,
// in case you would rather not show that a resource is there at all.
DisallowedHttpStatusCode = 404,
// You can modify this method to determine whether or not source maps should be returned
// to the client, based on their HttpContext.
// Returning true means source maps are allowed.
// Returning false means source maps are disallowed.
// In this example implementation below, source maps are only allowed if you're logged in,
// or in the development environment.
IsAllowedAsync = async (context) =>
if (!env.IsDevelopment() && !context.User.Identity.IsAuthenticated)