daohualiuxiang
/
AspNetCore.Docs
mirror of https://github.com/dotnet/AspNetCore.Docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
AspNetCore.Docs/aspnetcore/includes/spoof.md

8 lines
721 B
Markdown
Raw Normal View History

Warn on port spoofing /7 (#29463) * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Update aspnetcore/includes/spoof.md Co-authored-by: Luke Latham <1622880+guardrex@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Luke Latham <1622880+guardrex@users.noreply.github.com> * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Warn on port spoofing /7 * Update aspnetcore/includes/spoof.md Co-authored-by: Chris Ross <chrross@microsoft.com> --------- Co-authored-by: Luke Latham <1622880+guardrex@users.noreply.github.com> Co-authored-by: Chris Ross <chrross@microsoft.com>
2023-06-15 02:24:46 +08:00
> [!WARNING]
> API that relies on the [Host header](https://developer.mozilla.org/docs/Web/HTTP/Headers/Host), such as <xref:Microsoft.AspNetCore.Http.HttpRequest.Host%2A?displayProperty=nameWithType> and <xref:Microsoft.AspNetCore.Builder.RoutingEndpointConventionBuilderExtensions.RequireHost%2A>, are subject to potential spoofing by clients.
>
> To prevent host and port spoofing, use one of the following approaches:
>
> * Use <xref:Microsoft.AspNetCore.Http.HttpContext.Connection%2A?displayProperty=nameWithType> (<xref:Microsoft.AspNetCore.Http.ConnectionInfo.LocalPort?displayProperty=nameWithType>) where the ports are checked.
Tiny NIT and update Blazor doc to use the INCLUDE (#29525)
2023-06-15 20:15:44 +08:00
> * Employ [Host filtering](xref:fundamentals/servers/kestrel/host-filtering).