Merge pull request #823 from DuendeSoftware/ev/bff/auto-wireup

maartenba · web-flow · commit df6428f85a94 · 2025-07-24T15:37:46.000+02:00
auto-wireup &amp; xforward docs
diff --git a/src/content/docs/bff/architecture/multi-frontend.md b/src/content/docs/bff/architecture/multi-frontend.md
@@ -67,19 +67,13 @@ If you don't want this automatic mapping of BFF middleware, you can turn it off
 ```csharp
 var app = builder.Build();
 
-app.UseBffFrontendSelection();
-app.UseBffPathMapping();
-app.UseBffOpenIdCallbacks();
+app.UseBffPreProcessing();
 
 // TODO: your custom middleware goes here
 app.UseRouting(); 
 app.UseBff();
 
-// NOTE: Only add this if you want to proxy remote APIs. 
-app.UseBffRemoteRoutes();
-
-app.MapBffManagementEndpoints();
-app.UseBffIndexPages();
+app.UseBffPostProcessing();
 
 app.Run();
 ```
diff --git a/src/content/docs/bff/fundamentals/options.md b/src/content/docs/bff/fundamentals/options.md
@@ -200,3 +200,28 @@ The following options are available:
     BffClientAuthenticationStateProvider to the /bff/user endpoint. Defaults to 5000
     ms.
 
+
+# Proxy Servers and Load Balancers :badge[v4.0]
+
+When your BFF is hosted behind another reverse proxy or load balancer, you'll want to use `X-Forwarded-*` headers. 
+
+BFF automatically registers the `ForwardedHeaders` middleware in the pipeline, without any additional configuration. You will need to configure which headers should be considered by the middleware, typically the `X-Forwarded-For` and `X-Forwarded-Proto` headers. Here's an example of how you can configure this.  
+
+```csharp
+// Program.cs
+builder.Services.Configure<ForwardedHeadersOptions>(options =>
+{
+    // Consider configuring the 'KnownProxies' and the 'AllowedHosts' to prevent IP spoofing attacks
+    options.ForwardedHeaders =
+        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+});
+```
+
+See [proxy servers and load balancers](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-9.0) in the Microsoft documentation for more information. 
+
+:::note
+Be careful processing `X-Forwarded-*` headers from untrusted sources. Accepting these headers without validating the proxy IP address or network origin may leave you vulnerable to IP Spoofing attacks.
+
+See [Microsoft Security Advisory CVE-2018-0787](https://github.com/aspnet/Announcements/issues/295) for information 
+on an elevation-of-privileges vulnerability that affects systems where the proxy doesn't validate or restrict `Host` headers to known good values.
+:::
