Commit 625f167

docs: correct middleware response flow comment
Fix middleware response flow description to accurately reflect LIFO behavior:
- Response flow is: Route Handler -> CORSMiddleware -> SecurityHeadersMiddleware
- CORSMiddleware processes first (adds CORS headers)
- SecurityHeadersMiddleware processes last (adds security headers without overriding CORS)

This is the desired behavior as security headers complement rather than override CORS headers.

Addresses Copilot review feedback
1 parent 4f96820 commit 625f167

1 file changed

+3
-3
lines changed

backend-py/src/main.py

Lines changed: 3 additions & 3 deletions
@@ -147,9 +147,9 @@ async def logging_middleware(request: Request, call_next):
147147
# for both requests and responses when using add_middleware.
148148
# Since CORSMiddleware is added first and SecurityHeadersMiddleware is added second,
149149
# SecurityHeadersMiddleware becomes the outermost layer and the response flow is:
150-
# Route Handler -> SecurityHeadersMiddleware -> CORSMiddleware
151-
# This ensures SecurityHeadersMiddleware processes the response first, then CORS.
152-
# Since security headers are set first, they won't be overridden by CORS headers.
150+
# Route Handler -> CORSMiddleware -> SecurityHeadersMiddleware
151+
# This ensures CORSMiddleware processes the response first (adding CORS headers),
152+
# then SecurityHeadersMiddleware adds additional security headers without overriding CORS.
153153
app.add_middleware(SecurityHeadersMiddleware)
154154

155155
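Review bot: The new comment at lines 151-152 states "without overriding CORS" as if it followed from the ordering, but the ordering implies the opposite risk: as the outermost layer on the response path, SecurityHeadersMiddleware writes last, so any header it sets unconditionally replaces what CORSMiddleware put there. Whether CORS headers survive depends on SecurityHeadersMiddleware's implementation, which this hunk does not show. Reword the comment to say that SecurityHeadersMiddleware runs last and must not set any Access-Control-* header (or must only set headers that are absent), and back it with a test that asserts a cross-origin response carries both the CORS headers and the security headers. The comment also says CORSMiddleware is added first, but only `app.add_middleware(SecurityHeadersMiddleware)` is visible at line 153; confirm the CORS registration really precedes it, since the whole description depends on that order.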
