Skip to content

Security: restrict forwarded-header trust to configured proxies #49

Description

@CryptoJones

Problem

Program.cs clears KnownIPNetworks and KnownProxies, so X-Forwarded-For and X-Forwarded-Proto are accepted from any client. Rate limiting partitions on RemoteIpAddress, which is affected by forwarded headers.

Impact

If Kestrel is exposed directly, a caller can spoof X-Forwarded-For to bypass per-IP rate limits and spoof X-Forwarded-Proto to affect HTTPS-sensitive behavior.

References

  • api/ApplyTrack.Api/Program.csForwardedHeadersOptions and rate-limit partitioning

Acceptance criteria

  • Production mode supports configured KnownProxies / KnownIPNetworks.
  • Untrusted direct requests cannot spoof rate-limit partition IPs.
  • Local/dev reverse-proxy behavior remains documented and easy to enable.
  • Tests cover forwarded headers from trusted and untrusted sources if practical under TestServer.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingoperationsDeployment and operationssecuritySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions