Add middleware customization guide for Strapi Cloud production environment#3148
Add middleware customization guide for Strapi Cloud production environment#3148raulbalestra wants to merge 5 commits into
Conversation
|
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
derrickmehaffy
added
pr: new content
…nment Closes #8943 and #8944: document that config/middlewares.ts is overwritten on Cloud deploys and that customizations must go in config/env/production/middlewares.ts. Covers CSP and CORS use cases with JS/TS examples following the docs style guide.
raulbalestra
force-pushed
the
cloud/add-middleware-customization-guide
branch
from
6b42f5c to
729b8f4
Compare
derrickmehaffy
left a comment
derrickmehaffy
left a comment
There was a problem hiding this comment.
Page is solid and the core explanation (NODE_ENV=production + injected prod config) is exactly right. A few changes before merge:
Not tied to a specific line:
cloud/advanced/upload.mdstill instructs users to edit the global./config/middlewares.jsfor thestrapi::securityblock (see its "Configure the Security Middleware" section, lines ~236–399). Per this new page, that won't take effect on Cloud. Either updateupload.mdto useconfig/env/production/middlewares.ts, or at minimum add a cross-link fromupload.md→ this page. Without it the two docs contradict each other.- No link to the standard middlewares reference (
/cms/configurations/middlewares). Users will need the full options table forsecurity,cors, etc. — add a pointer in the intro or aSee alsosection. - Sibling pages (
upload.md,email.md) open with a:::prerequisitesblock. Consider adding one (e.g. Cloud project, local Strapi v4.8.2+) for consistency.
| ## Important notes | ||
|
|
||
| :::caution | ||
| Both CSP and CORS can be combined in a single `config/env/production/middlewares.ts` file. Make sure to include the full middleware array — partial configs may cause other middlewares to be dropped. |
There was a problem hiding this comment.
Wording is vague — "partial configs may cause other middlewares to be dropped" undersells it. The production-env array fully replaces the global one, so the file must contain the complete middleware list (errors, security, cors, poweredBy, logger, query, body, session, favicon, public). Suggest stating that directly.
There was a problem hiding this comment.
^ What Derrick said
Plus, another instance of .ts suffix to remove. Please simply replace it with config/env/production/middleware
| Upload size limits on Strapi Cloud are enforced at the infrastructure level (Cloudflare gateway) and cannot be overridden via the `strapi::body` config. See [Upload Provider Configuration](/cloud/advanced/upload) for guidance on using external providers to handle larger file sizes. | ||
| ::: | ||
|
|
||
| This behavior applies to all Strapi Cloud plans and to both Strapi v4 and v5. |
There was a problem hiding this comment.
v4 is EOL — referencing it here is unnecessary and may mislead users into thinking v4-specific guidance lives on this page. Drop the v4 mention.
- Add :::prerequisites block to middlewares.md for consistency with sibling pages - Add See also section linking to /cms/configurations/middlewares reference - Update upload.md Security Middleware section with :::caution pointing to config/env/production/middlewares.ts and cross-linking the new guide
- Tldr and path block now show both .ts and .js extensions - Add upgradeInsecureRequests: null to CSP directives (JS and TS) - CORS examples use factory function with env() helper instead of process.env - Rewrite caution block to explicitly state the production array fully replaces the global one and list all required middlewares - Remove v4 EOL mention
Update file path titles from ./config/middleware.js to ./config/env/production/middlewares.js (and .ts) to match the correct Cloud override path documented in the new middlewares guide.
|
Hi @derrickmehaffy, all your feedback has been addressed: Review comments: Updated upload.md, added a :::caution block with a cross-link to this page, updated step 1, and fixed all 4 code block titles to point to config/env/production/middlewares.js|ts. Tldr and path block now show both .ts and .js. |
|
I've just done a complete review, technical writing wise, @raulbalestra What needs to be changed before I can merge it: Drastically simplify the page structure. As it is, it doesn't quite fit with the rest of the docs pages. Here are my recommendations:
Hope everything is clear. I can make the changes for you if it's easier. |
- Remove ## Common use cases: upgrade CSP and CORS sections to H2 - Remove ## Important notes H2: move caution after file path block - Merge two :::note blocks into one with 2 bullet points - Remove ## Related resources: add Middlewares config link to intro paragraph - Fix Tabs: add default to all JS TabItems, quote code block titles - Remove v4 version requirement from prerequisites
raulbalestra
force-pushed
the
cloud/add-middleware-customization-guide
branch
from
dccd817 to
5344a28
Compare
pwizla
left a comment
pwizla
left a comment
There was a problem hiding this comment.
LGTM now, thank you, Raul! 🚀
4 participants
Description
Adds a new page
cloud/advanced/middlewaresdocumenting how to correctly configure custom middlewares on Strapi Cloud.Why it's needed: On Strapi Cloud,
NODE_ENVis alwaysproductionand the platform injects its own middleware configuration at the production env level. This means changes made to the globalconfig/middlewares.tsare silently overwritten on each deploy. Users must place their customizations inconfig/env/production/middlewares.tsinstead, but this behavior is not currently documented anywhere.What the page covers:
config/middlewares.tschanges don't apply on Cloudconfig/env/production/middlewares.tsas the correct override pathAlso adds the new page to the Cloud sidebar under "Advanced configuration".
Related issue(s)/PR(s)