diff --git a/aspnetcore/grpc/test-tools.md b/aspnetcore/grpc/test-tools.md index deaaabadb9..ea69cd5908 100644 --- a/aspnetcore/grpc/test-tools.md +++ b/aspnetcore/grpc/test-tools.md @@ -50,6 +50,30 @@ When gRPC reflection is set up: * Client apps that support gRPC reflection can call the reflection service to discover services hosted by the server. * gRPC services are still called from the client. Reflection only enables service discovery and doesn't bypass server-side security. Endpoints protected by [authentication and authorization](xref:grpc/authn-and-authz) require the caller to pass credentials for the endpoint to be called successfully. +### Reflection service security + +gRPC reflection returns a list of available APIs, which could contain sensitive information. Care should be taken to limit access to the gRPC reflection service. + +gRPC reflection is usually only required in a local development environment. For local development, the reflection service should only be mapped when [IsDevelopment](/en-us/dotnet/api/microsoft.aspnetcore.hosting.hostingenvironmentextensions.isdevelopment) returns true: + +```csharp +if (env.IsDevelopment()) +{ + app.MapGrpcReflectionService(); +} +``` + +Access to the service can be controlled through standard ASP.NET Core authorization extension methods, such as [`AllowAnonymous`](/dotnet/api/microsoft.aspnetcore.builder.authorizationendpointconventionbuilderextensions.allowanonymous) and [`RequireAuthorization`](/dotnet/api/microsoft.aspnetcore.builder.authorizationendpointconventionbuilderextensions.requireauthorization). + +For example, if an app has been configured to require authorization by default, configuration the gRPC reflection endpoint with `AllowAnonymous` to skip authentication and authorization. + +```csharp +if (env.IsDevelopment()) +{ + app.MapGrpcReflectionService().AllowAnonymous(); +} +``` + ## gRPCurl gRPCurl is a command-line tool created by the gRPC community. Its features include: 
@@ -311,4 +335,4 @@ The tool launches a browser window with the interactive web UI. gRPC services ar * * -:::moniker-end \ No newline at end of file +:::moniker-end
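Review bot: typo in the `AllowAnonymous` paragraph of the first hunk: "configuration the gRPC reflection endpoint with `AllowAnonymous` to skip authentication and authorization" should read "configure the gRPC reflection endpoint with `AllowAnonymous` to skip authentication and authorization". In the same hunk the `IsDevelopment` link uses a locale-prefixed path (`/en-us/dotnet/api/...`) while the `AllowAnonymous` and `RequireAuthorization` links use `/dotnet/api/...`; drop the `/en-us` prefix so all three resolve the same way. Both snippets reference `env` without showing where it comes from; with the minimal hosting model (`var app = builder.Build();`) the equivalent is `app.Environment.IsDevelopment()`, so either introduce `env` or use that form. Finally, since the section opens by saying access to the reflection service should be limited, it is worth one sentence saying that `AllowAnonymous` in the second snippet is acceptable only because the call is still inside the `env.IsDevelopment()` guard; a reader who copies that line without the guard would expose the full service list to unauthenticated callers in production.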