[using the `X-` prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers).

But if you have custom headers that you want a client in a browser to be able to see, you need to add them to your CORS configurations (read more in [CORS (Cross-Origin Resource Sharing)](../tutorial/cors.md)), using the parameter `expose_headers` documented in [Starlette's CORS docs](https://www.starlette.dev/middleware/#corsmiddleware)....

## CSRF Risk { #csrf-risk }

This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

                    ),
                )
            }
            if (crossVersionTests.size > 1) {
                buildType(
                    PartialTrigger(
                        "All Cross-Version Tests for ${stage.stageName.stageName}",
                        "Stage_${stage.stageName.id}_CrossVersionTests",
                        model,
                        crossVersionTests + previousCrossVersionTests,

- **回應**：路由 → MiddlewareA → MiddlewareB

這種堆疊行為可確保中介軟體以可預期且可控制的順序執行。

## 其他中介軟體 { #other-middlewares }

你之後可以在[進階使用者指南：進階中介軟體](../advanced/middleware.md)閱讀更多關於其他中介軟體的內容。

* 响应：路由 → MiddlewareA → MiddlewareB

这种栈式行为确保中间件按可预测且可控的顺序执行。

## 其他中间件 { #other-middlewares }

你可以稍后在[高级用户指南：高级中间件](../advanced/middleware.md)中阅读更多关于其他中间件的内容。

│   ├── log/                   # Log index (search logs, click logs)
│   └── user/                  # User index (users, groups, roles)
├── helper/                    # Cross-cutting utilities (~40+ helpers)
├── crawler/                   # Crawling engine (processor, transformer, service)
├── sso/                       # SSO implementations (oic, saml, spnego, entraid)

# install it manually. We use Twine in nightly builds to upload Python packages
# to PyPI.
if [[ "$TFCI_MACOS_TWINE_INSTALL_ENABLE" == 1 ]]; then
  pip install twine==3.6.0
fi

# When cross-compiling with RBE, we need to copy the macOS sysroot to be
# inside the TensorFlow root directory. We then define them as a filegroup
# target inside "tensorflow/tools/toolchains/cross_compile/cc" so that Bazel

        assertFalse(projectFoldersWithCrossVersionTests.isEmpty())
        projectFoldersWithCrossVersionTests.forEach {
            assertTrue(projectDirsWithCrossVersionTests.contains(it), "Contains cross-version tests: $it")
        }
    }

    @Test
    fun integTestFolderDoesNotContainCrossVersionTests() {

   * hashed directly (in that order).
   *
   * <p><b>Warning:</b> This method will produce different output than most other languages do when
   * running the same hash function on the equivalent input. For cross-language compatibility, use
   * {@link #hashString}, usually with a charset of UTF-8. For other use cases, use {@code
   * hashUnencodedChars}.
   *
   * @since 15.0 (since 11.0 as hashString(CharSequence)).
   */

預設情況下，FastAPI 會對 JSON 請求主體使用嚴格的 `Content-Type` 標頭檢查。也就是說，JSON 請求必須包含有效的 `Content-Type` 標頭（例如 `application/json`），請求主體（body）才能被解析為 JSON。

## CSRF 風險 { #csrf-risk }

這個預設行為在某個非常特定的情境下，能對一類跨站請求偽造（CSRF, Cross-Site Request Forgery）攻擊提供保護。

這類攻擊利用了瀏覽器在以下情況下允許腳本發送請求而不進行任何 CORS 預檢（preflight）檢查的事實：

- 沒有 `Content-Type` 標頭（例如以 `fetch()` 並使用 `Blob` 作為 body）
- 且沒有送出任何身分驗證憑證

這種攻擊主要與以下情境相關：

- 應用在本機（例如 `localhost`）或內部網路中執行