Serial podcast creator and .NET Core maniac.
Can often be found talking about everything and nothing on one of the many podcasts that he produces (only one of them is about .NET Core, honest)
Location
Leeds, UK
Education
Computer Science with Games Development - BSc
Work
.NET Development Contractor; Podcast host, producer and editor
In the case of ASP NET Core (which I'm assuming you're using, since you asked about the middleware), your request pipeline is wired up so that all responses are sent to Kestrel, Kestrel then sends those requests to whichever reverse proxy fed it the request. Kestrel communicates with nginx, IIS, Apache, etc. in a similar way to how ASP NET communicates with IIS (for example).
As such, you can totally replace the header values at the nginx level. I can't speak for exactly how nginx handles things (because I haven't looked too deeply into it), but my gut feeling is that the headers would be replaced as-is by nginx.
Let's say that your MVC pipeline added the Cross Site Scripting Protection header with the following value:
X-XSS-Protection "1"
but nginx had the following config:
X-XSS-Protection"1;mode=block"always;
then the value of the header generated in ASP NET Core MVC land would be replaced by the one generated by nginx.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Great question.
In the case of ASP NET Core (which I'm assuming you're using, since you asked about the middleware), your request pipeline is wired up so that all responses are sent to Kestrel, Kestrel then sends those requests to whichever reverse proxy fed it the request. Kestrel communicates with nginx, IIS, Apache, etc. in a similar way to how ASP NET communicates with IIS (for example).
As such, you can totally replace the header values at the nginx level. I can't speak for exactly how nginx handles things (because I haven't looked too deeply into it), but my gut feeling is that the headers would be replaced as-is by nginx.
Let's say that your MVC pipeline added the Cross Site Scripting Protection header with the following value:
but nginx had the following config:
then the value of the header generated in ASP NET Core MVC land would be replaced by the one generated by nginx.