From 9c288d23ef5e5acd263566e6ff427372016c7a0f Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 2 Jan 2026 15:32:27 -0800 Subject: [PATCH 1/2] Fix CORS wildcard subdomain documentation (#36321) * Initial plan * Fix CORS wildcard subdomain documentation and code samples Co-authored-by: tdykstra <1569635+tdykstra@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tdykstra <1569635+tdykstra@users.noreply.github.com> --- aspnetcore/security/cors.md | 5 +++-- .../cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs | 2 +- aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs | 2 +- aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs | 2 +- aspnetcore/security/cors/includes/cors56.md | 4 ++-- aspnetcore/security/cors/includes/cors7.md | 2 +- aspnetcore/security/cors/sample/CorsExample4/Startup.cs | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) diff --git a/aspnetcore/security/cors.md b/aspnetcore/security/cors.md index be7931ff921b..12662e2a3ee8 100644 --- a/aspnetcore/security/cors.md +++ b/aspnetcore/security/cors.md @@ -1,10 +1,11 @@ --- title: Enable Cross-Origin Requests (CORS) in ASP.NET Core +ai-usage: ai-assisted author: tdykstra description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app. ms.author: tdykstra ms.custom: mvc -ms.date: 09/29/2025 +ms.date: 11/10/2025 uid: security/cors --- # Enable Cross-Origin Requests (CORS) in ASP.NET Core 
@@ -211,7 +212,7 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)] -In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching. ### Set the allowed HTTP methods diff --git a/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs b/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs index e552c2d6cf17..802bdb85cc81 100644 --- a/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs +++ b/aspnetcore/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs @@ -27,7 +27,7 @@ public void ConfigureServices(IServiceCollection services) options.AddPolicy("MyAllowSubdomainPolicy", policy => { - policy.WithOrigins("https://example.com") + policy.WithOrigins("https://*.example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); #endregion diff --git a/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs b/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs index afd8007d4cbd..e809f1d456f2 100644 --- a/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs +++ b/aspnetcore/security/cors/6.0sample/Cors/WebAPI/Program.cs 
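Review bot: The new `WithOrigins("https://*.example.com")` line inside the `MyAllowSubdomainPolicy` lambda replaces the exact-match entry for the apex origin, so `https://example.com` itself is probably no longer allowed; as far as I know the wildcard matcher only accepts hosts that end in `.example.com`. If the sample is meant to cover both, use `policy.WithOrigins("https://example.com", "https://*.example.com")`. A comment above the call would also help readers who copy the snippet, for example `// Trusts every subdomain of example.com, including abandoned or third-party-hosted ones; list origins explicitly when the set is known.` The same line appears in the 6.0sample and 8.0sample `Program.cs` hunks and in `CorsExample4/Startup.cs`. `ConfigureServices` starts and ends outside the hunk.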
@@ -259,7 +259,7 @@ options.AddPolicy(name: MyAllowSpecificOrigins, policy => { - policy.WithOrigins("https://example.com") + policy.WithOrigins("https://*.example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); }); diff --git a/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs b/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs index 0c7ac891ee62..01ad4447f691 100644 --- a/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs +++ b/aspnetcore/security/cors/8.0sample/Cors/Web2API/Program.cs @@ -261,7 +261,7 @@ options.AddPolicy(name: MyAllowSpecificOrigins, policy => { - policy.WithOrigins("https://example.com") + policy.WithOrigins("https://*.example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); }); diff --git a/aspnetcore/security/cors/includes/cors56.md b/aspnetcore/security/cors/includes/cors56.md index 20917f7c1520..c13a0d4b68a8 100644 --- a/aspnetcore/security/cors/includes/cors56.md +++ b/aspnetcore/security/cors/includes/cors56.md @@ -206,7 +206,7 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/6.0sample/Cors/WebAPI/Program.cs?name=snippet_aa)] -In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching. ### Set the allowed HTTP methods 
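Review bot: In the 6.0sample `Program.cs` hunk the policy registered under `MyAllowSpecificOrigins` now admits every subdomain of `example.com`, so the name no longer describes what the policy permits. The 3.1 sample in this patch uses `"MyAllowSubdomainPolicy"` for the same configuration, and someone auditing CORS policies by name would read this one as a fixed allow-list. Consider a dedicated name for this snippet, for example `options.AddPolicy(name: "MyAllowSubdomainPolicy", policy =>`, provided the constant (declared outside the hunk) is not required by the snippet's `UseCors` call. The 8.0sample `Program.cs` hunk has the same naming.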
@@ -823,7 +823,7 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/3.1sample/Cors/WebAPI/StartupAllowSubdomain.cs?name=snippet)] -In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching. ### Set the allowed HTTP methods diff --git a/aspnetcore/security/cors/includes/cors7.md b/aspnetcore/security/cors/includes/cors7.md index e81a91f566ea..6d8165294d6b 100644 --- a/aspnetcore/security/cors/includes/cors7.md +++ b/aspnetcore/security/cors/includes/cors7.md 
@@ -207,7 +207,7 @@ This section describes the various options that can be set in a CORS policy: [!code-csharp[](~/security/cors/8.0sample/Cors/Web2API/Program.cs?name=snippet_aa)] -In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the base origin `"https://example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The wildcard matching is handled by the method, so the origin should be specified without the `*` wildcard character. +In the preceding code, `SetIsOriginAllowedToAllowWildcardSubdomains` is called with the wildcard origin `"https://*.example.com"`. This configuration allows CORS requests from any subdomain of `example.com`, such as `https://subdomain.example.com` or `https://api.example.com`. The `*` wildcard character must be included in the origin to enable wildcard subdomain matching. ### Set the allowed HTTP methods diff --git a/aspnetcore/security/cors/sample/CorsExample4/Startup.cs b/aspnetcore/security/cors/sample/CorsExample4/Startup.cs index 04cadbc80553..ec657bcb4b02 100644 --- a/aspnetcore/security/cors/sample/CorsExample4/Startup.cs +++ b/aspnetcore/security/cors/sample/CorsExample4/Startup.cs @@ -100,7 +100,7 @@ public void ConfigureServices(IServiceCollection services) options.AddPolicy("AllowSubdomain", policy => { - policy.WithOrigins("https://example.com") + policy.WithOrigins("https://*.example.com") .SetIsOriginAllowedToAllowWildcardSubdomains(); }); // END11 From 9aa8d62fe2b1d0c17e2221789a3a63da2c5f7513 Mon Sep 17 00:00:00 2001 From: damienbod Date: Sat, 3 Jan 2026 17:53:21 +0100 Subject: [PATCH 2/2] Update MFA docs, ASP.NET Core now supports passkeys (#36567) --- aspnetcore/security/authentication/mfa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/security/authentication/mfa.md b/aspnetcore/security/authentication/mfa.md index 5e7700d4287f..03ecb54812b5 100644 
--- a/aspnetcore/security/authentication/mfa.md +++ b/aspnetcore/security/authentication/mfa.md @@ -56,7 +56,7 @@ passkeys/FIDO2 is currently: * The most secure way of achieving MFA. * MFA that protects against phishing attacks. (As well as certificate authentication and Windows for business) -At present, ASP.NET Core doesn't support passkeys/FIDO2 directly. Passkeys/FIDO2 can be used for MFA or passwordless flows. +ASP.NET Core supports passkeys using ASP.NET Core Identity. Passkeys/FIDO2 can be used for MFA or passwordless flows. For more information, see . Microsoft Entra ID provides support for passkeys/FIDO2 and passwordless flows. For more information, see [Passwordless authentication options](/azure/active-directory/authentication/concept-authentication-passwordless).