shesha-io · ktsapo · Mar 31, 2026
diff --git a/shesha-core/src/Shesha.Web.Host/Startup/Startup.cs b/shesha-core/src/Shesha.Web.Host/Startup/Startup.cs
@@ -212,7 +212,7 @@ public void Configure(IApplicationBuilder app, IBackgroundJobClient backgroundJo
             });
 
             app.UseMiddleware<GraphQLMiddleware>();
-            if (_hostEnvironment.IsDevelopment())
+            if (!_hostEnvironment.IsProduction())
             {
                 app.UseGraphQLPlayground(); //to explorer API navigate https://*DOMAIN*/ui/playground
             }

diff --git a/...-tests/backend/src/Boxfusion.SheshaFunctionalTests.Web.Host/Controllers/HomeController.cs b/...-tests/backend/src/Boxfusion.SheshaFunctionalTests.Web.Host/Controllers/HomeController.cs
@@ -1,4 +1,3 @@
-using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -10,7 +9,6 @@ namespace Boxfusion.SheshaFunctionalTests.Web.Host.Controllers
     [AllowAnonymous]
     public class HomeController : SheshaControllerBase
     {
-
         private readonly ISecuritySettings _securitySettings;
 
         public HomeController(ISecuritySettings securitySettings)

diff --git a/...-functional-tests/backend/src/Boxfusion.SheshaFunctionalTests.Web.Host/Startup/Startup.cs b/...-functional-tests/backend/src/Boxfusion.SheshaFunctionalTests.Web.Host/Startup/Startup.cs
@@ -38,7 +38,9 @@
 using Swashbuckle.AspNetCore.SwaggerGen;
 using System;
 using System.IO;
+using System.Linq;
 using System.Reflection;
+using Microsoft.Extensions.Hosting;
 using Shesha.Specifications;
 
 namespace Boxfusion.SheshaFunctionalTests.Web.Host.Startup
@@ -156,11 +158,21 @@ public void Configure(IApplicationBuilder app, IBackgroundJobClient backgroundJo
 				options.UseAbpRequestLocalization = false;
 			}); 
 
+			// Security headers
+			app.UseSecurityHeaders();
+
+			// global cors policy
+			var corsOrigins = _appConfiguration["App:CorsOrigins"]?
+				.Split(",", StringSplitOptions.RemoveEmptyEntries)
+				.Select(o => o.Trim().TrimEnd('/'))
+				.Where(o => !string.IsNullOrEmpty(o))
+				.ToArray() ?? Array.Empty<string>();
 			app.UseCors(x => x
 				.AllowAnyMethod()
 				.AllowAnyHeader()
-				.SetIsOriginAllowed(origin => true) // allow any origin
-				.AllowCredentials()); // allow credentials
+				.WithOrigins(corsOrigins)
+				.AllowCredentials());
+
 			app.UseStaticFiles();
 			app.UseAuthentication();
 			app.UseAbpRequestLocalization();
@@ -198,15 +210,16 @@ public void Configure(IApplicationBuilder app, IBackgroundJobClient backgroundJo
 					.GetManifestResourceStream("Boxfusion.SheshaFunctionalTests.Web.Host.wwwroot.swagger.ui.index.html");
 			}); // URL: /swagger
 
-
-
             app.UseHangfireDashboard("/hangfire",
 				new DashboardOptions
 				{
 					Authorization = new[] { new HangfireAuthorizationFilter() }
 				});
 			app.UseMiddleware<GraphQLMiddleware>();
-			app.UseGraphQLPlayground(); //to explorer API navigate https://*DOMAIN*/ui/playground
+			if (!_hostEnvironment.IsProduction())
+			{
+				app.UseGraphQLPlayground(); //to explorer API navigate https://*DOMAIN*/ui/playground
+			}
 		}
 
 		private void AddApiVersioning(IServiceCollection services)