Authenticated Swagger seems to be impossible in Dotnet 9+

[genifycom]

Describe the feature

Once the nuget page is updated to v9.x+ we cannot use authenticated Swagger

<PackageReference Include="Amazon.Lambda.AspNetCoreServer" Version="9.2.0" />

AWS rewrote the entire marshalling layer:
• Removed all extensibility points
• Hard‑filter “unsafe” headers
• WWW-Authenticate is one of those headers (considered unsafe)
• There is no override, no hook, no extension point
• API Gateway proxy mode cannot add or rewrite headers
• Integration Response mappings are disabled in proxy mode
So the header is stripped, and you cannot restore it.

This is why:
• Swagger JSON returns 401
• But the browser never sees the challenge
• And Swagger UI fails to load
This appears to be a real AWS limitation..

What can we do to get authenticated Swagger?

Use Case

Unauthenticated Swagger is a security risk.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS .NET SDK and/or Package version used

<PackageReference Include="Amazon.Lambda.AspNetCoreServer" Version="9.2.0" />

Targeted .NET Platform

.NET framework 8

Operating System and version

Windows 11

[AlexDaines]

I took a look at the header handling code in v9.x and I'm not seeing what you're describing.

The response marshalling just loops through all headers from the ASP.NET Core response and passes them straight to the Lambda response object-- there's no filtering or "unsafe header" logic in the SDK code.

There are also extensibility points available. You can override PostMarshallResponseFeature() to hook into header handling:

protected override void PostMarshallResponseFeature(
    IHttpResponseFeature aspNetCoreResponseFeature,
    APIGatewayProxyResponse lambdaResponse,
    ILambdaContext lambdaContext)
{
    // inspect or modify headers here
}

The header marshalling didn't change between v8 and v9; the breaking changes were around .NET Core 3.1 removal and CreateWebHostBuilder(), not headers.

If WWW-Authenticate is getting stripped, it's probably happening at API Gateway or the Lambda runtime level, not in this library. API Gateway does have some quirks with certain headers in proxy mode.

A few questions:

• REST API or HTTP API?
• What do you see when you invoke the Lambda directly without API Gateway in front?

A minimal repro would help us narrow this down.