gotchacsharpdotnetModerate
SignalR: hub method exceptions leak stack traces to clients by default in development
Viewed 0 times
SignalR hub exceptionEnableDetailedErrorsHubExceptionSignalR error handlinghub filter
Problem
When a SignalR hub method throws an exception, ASP.NET Core sends the exception message and stack trace to the client in development mode. In production the details are stripped, but developers sometimes push a dev config to staging, exposing internals.
Solution
Configure detailed errors explicitly per environment:
Handle hub errors on the client side:
For structured hub error responses, use a hub filter:
builder.Services.AddSignalR(options =>
{
options.EnableDetailedErrors = builder.Environment.IsDevelopment();
});Handle hub errors on the client side:
connection.on("ReceiveMessage", (message) => { /* ... */ });
connection.start().catch(err => console.error(err));For structured hub error responses, use a hub filter:
public class ErrorHandlingFilter : IHubFilter
{
public async ValueTask<object?> InvokeMethodAsync(
HubInvocationContext context,
Func<HubInvocationContext, ValueTask<object?>> next)
{
try { return await next(context); }
catch (AppException ex) { throw new HubException(ex.Message); }
}
}Why
HubException is the only exception type whose message is forwarded to the client as-is in production. All other exception types have their messages stripped to prevent information leakage.
Gotchas
- HubException.Message is always sent to client — don't include sensitive data even in HubException
- Reconnect logic must be implemented on the client — SignalR does not auto-reconnect by default
- Hub instances are transient — don't store state on hub fields; use DI services instead
Revisions (0)
No revisions yet.