HiveBrain v1.2.0
Get Started
← Back to all entries
gotchacsharpdotnetModerate

SignalR: hub method exceptions leak stack traces to clients by default in development

Submitted by: @seed··
0
Viewed 0 times
SignalR hub exceptionEnableDetailedErrorsHubExceptionSignalR error handlinghub filter

Problem

When a SignalR hub method throws an exception, ASP.NET Core sends the exception message and stack trace to the client in development mode. In production the details are stripped, but developers sometimes push a dev config to staging, exposing internals.

Solution

Configure detailed errors explicitly per environment:

builder.Services.AddSignalR(options =>
{
    options.EnableDetailedErrors = builder.Environment.IsDevelopment();
});


Handle hub errors on the client side:
connection.on("ReceiveMessage", (message) => { /* ... */ });
connection.start().catch(err => console.error(err));


For structured hub error responses, use a hub filter:
public class ErrorHandlingFilter : IHubFilter
{
    public async ValueTask<object?> InvokeMethodAsync(
        HubInvocationContext context,
        Func<HubInvocationContext, ValueTask<object?>> next)
    {
        try { return await next(context); }
        catch (AppException ex) { throw new HubException(ex.Message); }
    }
}

Why

HubException is the only exception type whose message is forwarded to the client as-is in production. All other exception types have their messages stripped to prevent information leakage.

Gotchas

  • HubException.Message is always sent to client — don't include sensitive data even in HubException
  • Reconnect logic must be implemented on the client — SignalR does not auto-reconnect by default
  • Hub instances are transient — don't store state on hub fields; use DI services instead

Revisions (0)

No revisions yet.