Add middleware customization guide for Strapi Cloud production environment#3148
Merged
pwizla merged 5 commits intoMay 20, 2026
Merged
Conversation
|
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
derrickmehaffy
added
pr: new content
…nment Closes #8943 and #8944: document that config/middlewares.ts is overwritten on Cloud deploys and that customizations must go in config/env/production/middlewares.ts. Covers CSP and CORS use cases with JS/TS examples following the docs style guide.
raulbalestra
force-pushed
the
cloud/add-middleware-customization-guide
branch
from
6b42f5c to
729b8f4
Compare
derrickmehaffy
requested changes
May 11, 2026
Member
derrickmehaffy
left a comment
derrickmehaffy
left a comment
There was a problem hiding this comment.
Page is solid and the core explanation (NODE_ENV=production + injected prod config) is exactly right. A few changes before merge:
Not tied to a specific line:
cloud/advanced/upload.mdstill instructs users to edit the global./config/middlewares.jsfor thestrapi::securityblock (see its "Configure the Security Middleware" section, lines ~236–399). Per this new page, that won't take effect on Cloud. Either updateupload.mdto useconfig/env/production/middlewares.ts, or at minimum add a cross-link fromupload.md→ this page. Without it the two docs contradict each other.- No link to the standard middlewares reference (
/cms/configurations/middlewares). Users will need the full options table forsecurity,cors, etc. — add a pointer in the intro or aSee alsosection. - Sibling pages (
upload.md,email.md) open with a:::prerequisitesblock. Consider adding one (e.g. Cloud project, local Strapi v4.8.2+) for consistency.
| Upload size limits on Strapi Cloud are enforced at the infrastructure level (Cloudflare gateway) and cannot be overridden via the `strapi::body` config. See [Upload Provider Configuration](/cloud/advanced/upload) for guidance on using external providers to handle larger file sizes. | ||
| ::: | ||
|
|
||
| This behavior applies to all Strapi Cloud plans and to both Strapi v4 and v5. |
Member
There was a problem hiding this comment.
v4 is EOL — referencing it here is unnecessary and may mislead users into thinking v4-specific guidance lives on this page. Drop the v4 mention.
- Add :::prerequisites block to middlewares.md for consistency with sibling pages - Add See also section linking to /cms/configurations/middlewares reference - Update upload.md Security Middleware section with :::caution pointing to config/env/production/middlewares.ts and cross-linking the new guide
- Tldr and path block now show both .ts and .js extensions - Add upgradeInsecureRequests: null to CSP directives (JS and TS) - CORS examples use factory function with env() helper instead of process.env - Rewrite caution block to explicitly state the production array fully replaces the global one and list all required middlewares - Remove v4 EOL mention
Update file path titles from ./config/middleware.js to ./config/env/production/middlewares.js (and .ts) to match the correct Cloud override path documented in the new middlewares guide.
Author
|
Hi @derrickmehaffy, all your feedback has been addressed: Review comments: Updated upload.md, added a :::caution block with a cross-link to this page, updated step 1, and fixed all 4 code block titles to point to config/env/production/middlewares.js|ts. Tldr and path block now show both .ts and .js. |
pwizla
reviewed
May 13, 2026
Collaborator
|
I've just done a complete review, technical writing wise, @raulbalestra What needs to be changed before I can merge it: Drastically simplify the page structure. As it is, it doesn't quite fit with the rest of the docs pages. Here are my recommendations:
Hope everything is clear. I can make the changes for you if it's easier. |
pwizla
requested changes
May 13, 2026
- Remove ## Common use cases: upgrade CSP and CORS sections to H2 - Remove ## Important notes H2: move caution after file path block - Merge two :::note blocks into one with 2 bullet points - Remove ## Related resources: add Middlewares config link to intro paragraph - Fix Tabs: add default to all JS TabItems, quote code block titles - Remove v4 version requirement from prerequisites
raulbalestra
force-pushed
the
cloud/add-middleware-customization-guide
branch
from
dccd817 to
5344a28
Compare
pwizla
approved these changes
May 18, 2026
Collaborator
pwizla
left a comment
pwizla
left a comment
There was a problem hiding this comment.
LGTM now, thank you, Raul! 🚀
derrickmehaffy
approved these changes
May 19, 2026
pwizla
added a commit
that referenced
this pull request
May 20, 2026
…nment (#3148) (#3193) * Add middleware customization guide for Strapi Cloud production environment Closes #8943 and #8944: document that config/middlewares.ts is overwritten on Cloud deploys and that customizations must go in config/env/production/middlewares.ts. Covers CSP and CORS use cases with JS/TS examples following the docs style guide. * Address review feedback on middleware guide - Add :::prerequisites block to middlewares.md for consistency with sibling pages - Add See also section linking to /cms/configurations/middlewares reference - Update upload.md Security Middleware section with :::caution pointing to config/env/production/middlewares.ts and cross-linking the new guide * Apply inline review feedback from derrickmehaffy - Tldr and path block now show both .ts and .js extensions - Add upgradeInsecureRequests: null to CSP directives (JS and TS) - CORS examples use factory function with env() helper instead of process.env - Rewrite caution block to explicitly state the production array fully replaces the global one and list all required middlewares - Remove v4 EOL mention * Fix code block titles in upload.md Security Middleware section Update file path titles from ./config/middleware.js to ./config/env/production/middlewares.js (and .ts) to match the correct Cloud override path documented in the new middlewares guide. * Apply structural simplification per reviewer feedback - Remove ## Common use cases: upgrade CSP and CORS sections to H2 - Remove ## Important notes H2: move caution after file path block - Merge two :::note blocks into one with 2 bullet points - Remove ## Related resources: add Middlewares config link to intro paragraph - Fix Tabs: add default to all JS TabItems, quote code block titles - Remove v4 version requirement from prerequisites Co-authored-by: raulbalestra <63110244+raulbalestra@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a new page
cloud/advanced/middlewaresdocumenting how to correctly configure custom middlewares on Strapi Cloud.Why it's needed: On Strapi Cloud,
NODE_ENVis alwaysproductionand the platform injects its own middleware configuration at the production env level. This means changes made to the globalconfig/middlewares.tsare silently overwritten on each deploy. Users must place their customizations inconfig/env/production/middlewares.tsinstead, but this behavior is not currently documented anywhere.What the page covers:
config/middlewares.tschanges don't apply on Cloudconfig/env/production/middlewares.tsas the correct override pathAlso adds the new page to the Cloud sidebar under "Advanced configuration".
Related issue(s)/PR(s)