dotnet
diff --git a/‎aspnetcore/blazor/call-web-api.md‎
Lines changed: 20 additions & 17 deletions b/‎aspnetcore/blazor/call-web-api.md‎
Lines changed: 20 additions & 17 deletions
diff --git a/‎aspnetcore/blazor/components/httpcontext.md‎
Lines changed: 13 additions & 0 deletions b/‎aspnetcore/blazor/components/httpcontext.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎aspnetcore/blazor/fundamentals/dependency-injection.md‎
Lines changed: 6 additions & 0 deletions b/‎aspnetcore/blazor/fundamentals/dependency-injection.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎aspnetcore/blazor/fundamentals/startup.md‎
Lines changed: 3 additions & 0 deletions b/‎aspnetcore/blazor/fundamentals/startup.md‎
Lines changed: 3 additions & 0 deletions
@@ -5,7 +5,7 @@ description: Learn how to call a web API from Blazor apps.
 monikerRange: '>= aspnetcore-3.1'
 ms.author: wpickett
 ms.custom: mvc
-ms.date: 04/29/2025
+ms.date: 05/30/2025
 uid: blazor/call-web-api
 ---
 # Call a web API from ASP.NET Core Blazor
@@ -33,7 +33,7 @@ For more information, see the following resources:
 
 ## Microsoft identity platform for web API calls
 
-Blazor Web Apps that use use [Microsoft identity platform](/entra/identity-platform/)/[Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra) can make streamlined web API calls with API provided by the [`Microsoft.Identity.Web.DownstreamApi` NuGet package](https://www.nuget.org/packages/Microsoft.Identity.Web.DownstreamApi).
+Blazor Web Apps that use use [Microsoft identity platform](/entra/identity-platform/) with [Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra) can make streamlined web API calls with API provided by the [`Microsoft.Identity.Web.DownstreamApi` NuGet package](https://www.nuget.org/packages/Microsoft.Identity.Web.DownstreamApi).
 
 [!INCLUDE[](~/includes/package-reference.md)]
 
@@ -291,13 +291,13 @@ The solution includes a demonstration of obtaining weather data securely via an
 
 ### `BlazorWebAppEntra`
 
-A Blazor Web App with global Auto interactivity that uses [Microsoft identity platform](/entra/identity-platform/)/[Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra). The solution includes a demonstration of obtaining weather data securely via an external web API when a component that adopts Interactive Auto rendering is rendered on the client.
+A Blazor Web App with global Auto interactivity that uses [Microsoft identity platform](/entra/identity-platform/) with [Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra). The solution includes a demonstration of obtaining weather data securely via an external web API when a component that adopts Interactive Auto rendering is rendered on the client.
 
 ### `BlazorWebAppEntraBff`
 
 A Blazor Web App with global Auto interactivity that uses:
 
-* [Microsoft identity platform](/entra/identity-platform/)/[Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra).
+* [Microsoft identity platform](/entra/identity-platform/) with [Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra).
 * The [Backend for Frontend (BFF) pattern](/azure/architecture/patterns/backends-for-frontends), which is a pattern of app development that creates backend services for frontend apps or interfaces.
 
 The solution includes a demonstration of obtaining weather data securely via an external web API when a component that adopts Interactive Auto rendering is rendered on the client.
@@ -1095,6 +1095,9 @@ public class CookieHandler : DelegatingHandler
 }
 ```
 
+> [!NOTE]
+> For guidance on how to access an `AuthenticationStateProvider` from a `DelegatingHandler`, see <xref:blazor/security/additional-scenarios#access-authenticationstateprovider-in-outgoing-request-middleware>.
+
 The `CookieHandler` is registered in the `Program` file:
 
 ```csharp
@@ -1117,10 +1120,10 @@ For a demonstration, see <xref:blazor/security/webassembly/standalone-with-ident
 When composing an <xref:System.Net.Http.HttpRequestMessage>, set the browser request credentials and header directly:
 
 ```csharp
-var requestMessage = new HttpRequestMessage() { ... };
+var request = new HttpRequestMessage() { ... };
 
-requestMessage.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
-requestMessage.Headers.Add("X-Requested-With", [ "XMLHttpRequest" ]);
+request.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
+request.Headers.Add("X-Requested-With", [ "XMLHttpRequest" ]);
 ```
 
 ## `HttpClient` and `HttpRequestMessage` with Fetch API request options
@@ -1153,7 +1156,7 @@ requestMessage.Headers.Add("X-Requested-With", [ "XMLHttpRequest" ]);
 
     private async Task PostRequest()
     {
-        var requestMessage = new HttpRequestMessage()
+        var request = new HttpRequestMessage()
         {
             Method = new HttpMethod("POST"),
             RequestUri = new Uri("https://localhost:10000/todoitems"),
@@ -1169,13 +1172,13 @@ requestMessage.Headers.Add("X-Requested-With", [ "XMLHttpRequest" ]);
 
         if (tokenResult.TryGetToken(out var token))
         {
-            requestMessage.Headers.Authorization =
+            request.Headers.Authorization =
                 new AuthenticationHeaderValue("Bearer", token.Value);
 
-            requestMessage.Content.Headers.TryAddWithoutValidation(
+            request.Content.Headers.TryAddWithoutValidation(
                 "x-custom-header", "value");
 
-            var response = await Http.SendAsync(requestMessage);
+            var response = await Http.SendAsync(request);
             var responseStatusCode = response.StatusCode;
 
             responseBody = await response.Content.ReadAsStringAsync();
@@ -1219,10 +1222,10 @@ To opt-out of response streaming globally, use either of the following approache
 
 To opt-out of response streaming globally, set the `DOTNET_WASM_ENABLE_STREAMING_RESPONSE` environment variable to `false` or `0`.
 
-To opt-out of response streaming for an individual request, set <xref:Microsoft.AspNetCore.Components.WebAssembly.Http.WebAssemblyHttpRequestMessageExtensions.SetBrowserResponseStreamingEnabled%2A> to `false` on the <xref:System.Net.Http.HttpRequestMessage> (`requestMessage` in the following example):
+To opt-out of response streaming for an individual request, set <xref:Microsoft.AspNetCore.Components.WebAssembly.Http.WebAssemblyHttpRequestMessageExtensions.SetBrowserResponseStreamingEnabled%2A> to `false` on the <xref:System.Net.Http.HttpRequestMessage> (`request` in the following example):
 
 ```csharp
-requestMessage.SetBrowserResponseStreamingEnabled(false);
+request.SetBrowserResponseStreamingEnabled(false);
 ```
 
 :::moniker-end
@@ -1232,22 +1235,22 @@ requestMessage.SetBrowserResponseStreamingEnabled(false);
 The HTTP response is typically buffered to enable support for synchronous reads on the response content. To enable support for response streaming, set <xref:Microsoft.AspNetCore.Components.WebAssembly.Http.WebAssemblyHttpRequestMessageExtensions.SetBrowserResponseStreamingEnabled%2A>  to `true` on the <xref:System.Net.Http.HttpRequestMessage>:
 
 ```csharp
-requestMessage.SetBrowserResponseStreamingEnabled(true);
+request.SetBrowserResponseStreamingEnabled(true);
 ```
 
 By default, [`HttpCompletionOption.ResponseContentRead`](xref:System.Net.Http.HttpCompletionOption) is set, which results in the <xref:System.Net.Http.HttpClient> completing after reading the entire response, including the content. In order to be able to use the <xref:Microsoft.AspNetCore.Components.WebAssembly.Http.WebAssemblyHttpRequestMessageExtensions.SetBrowserResponseStreamingEnabled%2A> option on large files, set [`HttpCompletionOption.ResponseHeadersRead`](xref:System.Net.Http.HttpCompletionOption) to avoid caching the file's content in memory:
 
 ```diff
-- var response = await Http.SendAsync(requestMessage);
-+ var response = await Http.SendAsync(requestMessage, HttpCompletionOption.ResponseHeadersRead);
+- var response = await Http.SendAsync(request);
++ var response = await Http.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
 ```
 
 :::moniker-end
 
 To include credentials in a cross-origin request, use the <xref:Microsoft.AspNetCore.Components.WebAssembly.Http.WebAssemblyHttpRequestMessageExtensions.SetBrowserRequestCredentials%2A> extension method:
 
 ```csharp
-requestMessage.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
+request.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
 ```
 
 For more information on Fetch API options, see [MDN web docs: WindowOrWorkerGlobalScope.fetch(): Parameters](https://developer.mozilla.org/docs/Web/API/fetch#Parameters).
 
@@ -32,6 +32,19 @@ For additional context in *advanced* edge cases&dagger;, see the discussion in t
 
 &dagger;Most developers building and maintaining Blazor apps don't need to delve into advanced concepts when the general guidance in this article is followed. The most important concept to keep in mind is that <xref:Microsoft.AspNetCore.Http.HttpContext> is fundamentally a server-based, request-response feature that's only generally available on the server during static SSR and only created when a user's circuit is established.
 
+## Don't set or modify headers after the response starts
+
+Attempting to set or modify a header after the first rendering (after the response starts) results in an error:
+
+> :::no-loc text="System.InvalidOperationException: 'Headers are read-only, response has already started.'":::
+
+Examples of situations that result in this error include:
+
+* Calling <xref:Microsoft.AspNetCore.Identity.SignInManager%601.PasswordSignInAsync%2A?displayProperty=nameWithType>, which must set headers for Identity to function correctly, while adopting [streaming rendering](xref:blazor/components/rendering#streaming-rendering).
+* Attempting to set or modify a header after the response has started during interactive rendering.
+
+For guidance on setting headers before the response starts, see <xref:blazor/fundamentals/startup#control-headers-in-c-code>.
+
 :::moniker-end
 
 :::moniker range="< aspnetcore-8.0"
 
@@ -610,6 +610,12 @@ public static class CircuitServicesServiceCollectionExtensions
 }
 ```
 
+Call `AddCircuitServicesAccessor` in the app's `Program` file:
+
+```csharp
+builder.Services.AddCircuitServicesAccessor();
+```
+
 Access the circuit-scoped services by injecting the `CircuitServicesAccessor` where it's needed.
 
 For an example that shows how to access the <xref:Microsoft.AspNetCore.Components.Authorization.AuthenticationStateProvider> from a <xref:System.Net.Http.DelegatingHandler> set up using <xref:System.Net.Http.IHttpClientFactory>, see <xref:blazor/security/additional-scenarios#access-authenticationstateprovider-in-outgoing-request-middleware>.
 
@@ -525,6 +525,9 @@ Control headers at startup in C# code using the following approaches.
 
 In the following examples, a [Content Security Policy (CSP)](https://developer.mozilla.org/docs/Web/HTTP/Guides/CSP) is applied to the app via a CSP header. The `{POLICY STRING}` placeholder is the CSP policy string. For more information on CSPs, see <xref:blazor/security/content-security-policy>.
 
+> [!NOTE]
+> Headers can't be set after the response starts. The approaches in this section only set headers before the response starts, so the approaches described here are safe. For more information, see <xref:blazor/components/httpcontext#dont-set-or-modify-headers-after-the-response-starts>.
+
 ### Server-side and prerendered client-side scenarios
 
 Use [ASP.NET Core Middleware](xref:fundamentals/middleware/index) to control the headers collection.