Commit Graph

4 Commits (1d8c0fb4a6f573ccbee607baa375acbdc08f5ffc)

Author SHA1 Message Date
Rick Anderson 36e2502ce8
UE edit of Security considerations in ASP.NET Core SignalR (#9088)
[Internal review URL](https://review.docs.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-2.1&branch=pr-en-us-9088)

- Kill long sentences. Long sentences are difficult for native speakers and impossible for MT (machine translation)
- Format code to prevent horizontal scroll bar on tablets 85 characters wide. You can simulate tablets by viewing in a browser of the maximum width that doesn't have left or right panes (TOCs).
- Prune dead wood. Avoid unnecessary words that don't add meaning to the text.
- Avoid "you" except when it makes the statement more clear.

  - For example, the following CORS policy allows a SignalR browser client hosted on `http://example.com` to access **your** SignalR app:
  - For example, the following CORS policy allows a SignalR browser client hosted on `http://example.com` to access the SignalR app hosted on `http://signalr.example.com`:
- Avoid Wikipedia links
- Code snippets

Explicit sign-off required on my security rewording below:
- [ ] Allow cross-origin requests only from domains you trust or control.

The following are slightly too long but I couldn't find an elegant way to shorten them (not that my other trimming was elegant):

- Applications should be configured to validate these headers to ensure that only WebSockets coming from the expected origins are allowed.
2018-10-19 09:10:45 -10:00
Andrew Stanton-Nurse 04e2b7a6bd Documentation on WebSocket Origin validation (#9080)
Added some notes on WebSocket Origin validation to ASP.NET Core SignalR documentation.

[Internal Review Link](https://review.docs.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-2.1&branch=pr-en-us-9080)
2018-10-17 11:01:37 -10:00
Scott Addie cb24febfda
Update author metadata fields to Tom (#7652)
Updates the `ms.author` and `author` metadata fields to Tom's user ID.
2018-07-16 15:09:39 -05:00
Andrew Stanton-Nurse 3ee6b79ce4 SignalR AuthN/AuthZ and Security Concepts (#7312)
* initial prose, samples still todo

* add sample and docs on Windows Auth

* add sample download link

* fix some code samples

* fix xref

* clarify sample comment when it's embedded in the document

* pr feedback

* add section on buffer management

* feedback

* some feedback

* update index/toc

* Update authn-and-authz.md
2018-07-11 16:21:53 -06:00