Add middleware customization guide for Strapi Cloud production environment#3148
Add middleware customization guide for Strapi Cloud production environment#3148raulbalestra wants to merge 4 commits into
Conversation
|
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
derrickmehaffy
added
pr: new content
…nment Closes #8943 and #8944: document that config/middlewares.ts is overwritten on Cloud deploys and that customizations must go in config/env/production/middlewares.ts. Covers CSP and CORS use cases with JS/TS examples following the docs style guide.
raulbalestra
force-pushed
the
cloud/add-middleware-customization-guide
branch
from
6b42f5c to
729b8f4
Compare
derrickmehaffy
left a comment
derrickmehaffy
left a comment
There was a problem hiding this comment.
Page is solid and the core explanation (NODE_ENV=production + injected prod config) is exactly right. A few changes before merge:
Not tied to a specific line:
cloud/advanced/upload.mdstill instructs users to edit the global./config/middlewares.jsfor thestrapi::securityblock (see its "Configure the Security Middleware" section, lines ~236–399). Per this new page, that won't take effect on Cloud. Either updateupload.mdto useconfig/env/production/middlewares.ts, or at minimum add a cross-link fromupload.md→ this page. Without it the two docs contradict each other.- No link to the standard middlewares reference (
/cms/configurations/middlewares). Users will need the full options table forsecurity,cors, etc. — add a pointer in the intro or aSee alsosection. - Sibling pages (
upload.md,email.md) open with a:::prerequisitesblock. Consider adding one (e.g. Cloud project, local Strapi v4.8.2+) for consistency.
| # Middleware Configuration for Strapi Cloud | ||
|
|
||
| <Tldr> | ||
| On Strapi Cloud, middleware customizations must go in `config/env/production/middlewares.ts` — changes to the global config file are overwritten on deploy. |
There was a problem hiding this comment.
Tldr says .ts only, but the page documents both .js and .ts. Suggest: config/env/production/middlewares.{ts,js} (or .ts / .js).
There was a problem hiding this comment.
| On Strapi Cloud, middleware customizations must go in `config/env/production/middlewares.ts` — changes to the global config file are overwritten on deploy. | |
| On Strapi Cloud, middleware customizations must go in `config/env/production/middlewares`. Changes to the global config file are overwritten on deploy. |
| To apply custom middleware configuration on Strapi Cloud, place your changes in: | ||
|
|
||
| ``` | ||
| config/env/production/middlewares.ts |
There was a problem hiding this comment.
Same — show both extensions, otherwise JS users will assume the override only works for TS.
There was a problem hiding this comment.
Indeed @raulbalestra , we actually need the full Tabs system here.
Please see agents/templates/components/tabs.md on how to apply them.
| directives: { | ||
| 'connect-src': ["'self'", 'https:'], | ||
| 'img-src': [ | ||
| "'self'", | ||
| 'data:', | ||
| 'blob:', | ||
| 'market-assets.strapi.io', | ||
| 'your-custom-domain.com', // replace with your provider domain | ||
| ], | ||
| 'media-src': [ | ||
| "'self'", | ||
| 'data:', | ||
| 'blob:', | ||
| 'market-assets.strapi.io', | ||
| 'your-custom-domain.com', // replace with your provider domain | ||
| ], | ||
| }, |
There was a problem hiding this comment.
Missing upgradeInsecureRequests: null inside directives. Both the canonical reference (cms/configurations/middlewares.md, AWS-S3 example) and the existing cloud/advanced/upload.md include it — omitting it breaks mixed-content loads for several providers. Apply to the TS block below as well.
| directives: { | ||
| 'connect-src': ["'self'", 'https:'], | ||
| 'img-src': [ | ||
| "'self'", | ||
| 'data:', | ||
| 'blob:', | ||
| 'market-assets.strapi.io', | ||
| 'your-custom-domain.com', // replace with your provider domain | ||
| ], | ||
| 'media-src': [ | ||
| "'self'", | ||
| 'data:', | ||
| 'blob:', | ||
| 'market-assets.strapi.io', | ||
| 'your-custom-domain.com', // replace with your provider domain | ||
| ], | ||
| }, |
There was a problem hiding this comment.
Same as the JS block above — add upgradeInsecureRequests: null to the directives object.
| name: 'strapi::cors', | ||
| config: { | ||
| enabled: true, | ||
| origin: [process.env.CLIENT_URL], |
There was a problem hiding this comment.
Rest of the docs use Strapi's env() helper rather than process.env directly. The middleware array doesn't take ({ env }) natively, so this works — but for consistency with every other example in the docs, prefer env('CLIENT_URL') via a factory function, or at minimum note that CLIENT_URL must be set in Cloud → Settings → Variables. Same applies to the TS block (line 182).
| ## Important notes | ||
|
|
||
| :::caution | ||
| Both CSP and CORS can be combined in a single `config/env/production/middlewares.ts` file. Make sure to include the full middleware array — partial configs may cause other middlewares to be dropped. |
There was a problem hiding this comment.
Wording is vague — "partial configs may cause other middlewares to be dropped" undersells it. The production-env array fully replaces the global one, so the file must contain the complete middleware list (errors, security, cors, poweredBy, logger, query, body, session, favicon, public). Suggest stating that directly.
There was a problem hiding this comment.
^ What Derrick said
Plus, another instance of .ts suffix to remove. Please simply replace it with config/env/production/middleware
| Upload size limits on Strapi Cloud are enforced at the infrastructure level (Cloudflare gateway) and cannot be overridden via the `strapi::body` config. See [Upload Provider Configuration](/cloud/advanced/upload) for guidance on using external providers to handle larger file sizes. | ||
| ::: | ||
|
|
||
| This behavior applies to all Strapi Cloud plans and to both Strapi v4 and v5. |
There was a problem hiding this comment.
v4 is EOL — referencing it here is unnecessary and may mislead users into thinking v4-specific guidance lives on this page. Drop the v4 mention.
- Add :::prerequisites block to middlewares.md for consistency with sibling pages - Add See also section linking to /cms/configurations/middlewares reference - Update upload.md Security Middleware section with :::caution pointing to config/env/production/middlewares.ts and cross-linking the new guide
- Tldr and path block now show both .ts and .js extensions - Add upgradeInsecureRequests: null to CSP directives (JS and TS) - CORS examples use factory function with env() helper instead of process.env - Rewrite caution block to explicitly state the production array fully replaces the global one and list all required middlewares - Remove v4 EOL mention
Update file path titles from ./config/middleware.js to ./config/env/production/middlewares.js (and .ts) to match the correct Cloud override path documented in the new middlewares guide.
|
Hi @derrickmehaffy, all your feedback has been addressed: Review comments: Updated upload.md, added a :::caution block with a cross-link to this page, updated step 1, and fixed all 4 code block titles to point to config/env/production/middlewares.js|ts. Tldr and path block now show both .ts and .js. |
| ``` | ||
|
|
||
| :::note | ||
| You can keep your existing `config/middlewares.ts` file as-is — it will not cause conflicts. The production-specific file takes precedence on Strapi Cloud. |
There was a problem hiding this comment.
| You can keep your existing `config/middlewares.ts` file as-is — it will not cause conflicts. The production-specific file takes precedence on Strapi Cloud. | |
| You can keep your existing `config/middlewares` file as-is as it will not cause conflicts. The production-specific file takes precedence on Strapi Cloud. |
Also @raulbalestra please ensure there are no em-dashes — in content. AIs definitely overuse them. Feel free to pass your content through the Style Checker, or point your AI system to it; it should automatically flag them.
|
I've just done a complete review, technical writing wise, @raulbalestra What needs to be changed before I can merge it: Drastically simplify the page structure. As it is, it doesn't quite fit with the rest of the docs pages. Here are my recommendations:
Hope everything is clear. I can make the changes for you if it's easier. |
4 participants
Description
Adds a new page
cloud/advanced/middlewaresdocumenting how to correctly configure custom middlewares on Strapi Cloud.Why it's needed: On Strapi Cloud,
NODE_ENVis alwaysproductionand the platform injects its own middleware configuration at the production env level. This means changes made to the globalconfig/middlewares.tsare silently overwritten on each deploy. Users must place their customizations inconfig/env/production/middlewares.tsinstead, but this behavior is not currently documented anywhere.What the page covers:
config/middlewares.tschanges don't apply on Cloudconfig/env/production/middlewares.tsas the correct override pathAlso adds the new page to the Cloud sidebar under "Advanced configuration".
Related issue(s)/PR(s)