Skip to content

Document .NET 8 breaking change: Forwarded Headers Middleware ignores X-Forwarded-* headers from unknown proxies #47985

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Document .NET 8 breaking change: Forwarded Headers Middleware ignores X-Forwarded-* headers from unknown proxies #47985

wants to merge 4 commits into from
+84 −7

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Aug 16, 2025
edited by github-actions bot
Loading

This PR documents the breaking change introduced in ASP.NET Core 8.0.17 where the Forwarded Headers Middleware now ignores X-Forwarded-* headers from proxies that are not explicitly configured as trusted.

Changes Made

  • Created new breaking change document: docs/core/compatibility/aspnet-core/8.0/forwarded-headers-unknown-proxies.md

    • Documents the security hardening change that affects how forwarded headers are processed
    • Includes detailed explanation of previous vs new behavior
    • Provides comprehensive recommended actions with code examples
    • Lists affected APIs and cross-references to related documentation

  • Updated main breaking changes index: docs/core/compatibility/8.0.md

    • Added entry for the new breaking change in alphabetical order
    • Categorized as "Behavioral change"

Key Details

The breaking change affects applications that rely on forwarded headers from proxies not configured in the trusted proxy list (KnownProxies and KnownNetworks). Previously, headers like X-Forwarded-Prefix, X-Forwarded-Proto, and X-Forwarded-Host were processed from any source, but now only trusted proxies are honored for security reasons.

This can cause issues like infinite redirects with HTTPS redirection middleware or authentication failures when using TLS termination, requiring developers to properly configure their proxy topology or use workarounds like the ASPNETCORE_FORWARDEDHEADERS_ENABLED environment variable.

The documentation follows Microsoft's breaking change documentation guidelines and includes proper API cross-references, code examples, and links to related proxy configuration documentation.

Fixes #47446.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Internal previews

📄 File 🔗 Preview link
docs/core/compatibility/8.0.md Breaking changes in .NET 8
docs/core/compatibility/9.0.md Breaking changes in .NET 9
docs/core/compatibility/aspnet-core/8.0/forwarded-headers-unknown-proxies.md Forwarded Headers Middleware ignores X-Forwarded-* headers from unknown proxies
docs/core/compatibility/toc.yml docs/core/compatibility/toc

@learn-build-service-prod Learn Build Service (PROD)
Copy link
Contributor

PoliCheck Scan Report

The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 issues. Other issues are also a high priority. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.

✅ No issues found

More information about PoliCheck

Information: PoliCheck | Severity Guidance | Term
For any questions: Try searching the learn.microsoft.com contributor guides or post your question in the Learn support channel.

@Copilot Copilot AI changed the title [WIP] Document .NET 8 breaking change in ASP.NET Core Document .NET 8 breaking change: Forwarded Headers Middleware ignores X-Forwarded-* headers from unknown proxies Aug 16, 2025
Copilot finished work on behalf of gewarren August 16, 2025 00:54
@Copilot Copilot AI requested a review from gewarren August 16, 2025 00:54
@learn-build-service-prod Learn Build Service (PROD)
Copy link
Contributor

PoliCheck Scan Report

The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 issues. Other issues are also a high priority. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.

✅ No issues found

More information about PoliCheck

Information: PoliCheck | Severity Guidance | Term
For any questions: Try searching the learn.microsoft.com contributor guides or post your question in the Learn support channel.

@gewarren gewarren marked this pull request as ready for review August 16, 2025 01:37
@gewarren gewarren requested a review from a team as a code owner August 16, 2025 01:37
@gewarren gewarren requested a review from BrennanConroy August 16, 2025 01:38
@learn-build-service-prod Learn Build Service (PROD)
Copy link
Contributor

PoliCheck Scan Report

The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 issues. Other issues are also a high priority. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans.

✅ No issues found

More information about PoliCheck

Information: PoliCheck | Severity Guidance | Term
For any questions: Try searching the learn.microsoft.com contributor guides or post your question in the Learn support channel.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gewarren gewarren Awaiting requested review from gewarren

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy

At least 1 approving review is required to merge this pull request.

Assignees

@gewarren gewarren

Copilot code review Copilot

Labels
dotnet-fundamentals/svc
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Document .NET 8 breaking change in ASP.NET Core
2 participants
@Copilot @gewarren