From fee6c6ca0fd06232fccb6193dc44df903ecc84e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martynas=20Jaku=C4=8Dionis?= <88670233+MartynasJa@users.noreply.github.com> Date: Mon, 9 Jun 2025 04:22:56 -0700 Subject: [PATCH 1/5] Update Program.cs (#35599) --- aspnetcore/grpc/grpcweb/sample/8.x/GrpcGreeter/Program.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/grpc/grpcweb/sample/8.x/GrpcGreeter/Program.cs b/aspnetcore/grpc/grpcweb/sample/8.x/GrpcGreeter/Program.cs index 06e8fb83460b..be494a3dbff7 100644 --- a/aspnetcore/grpc/grpcweb/sample/8.x/GrpcGreeter/Program.cs +++ b/aspnetcore/grpc/grpcweb/sample/8.x/GrpcGreeter/Program.cs @@ -33,7 +33,7 @@ app.UseGrpcWeb(new GrpcWebOptions { DefaultEnabled = true }); -app.MapGrpcService().EnableGrpcWeb(); +app.MapGrpcService(); app.MapGet("/", () => "All gRPC service are supported by default in this example, and are callable from browser apps using the gRPC-Web protocol"); app.Run(); From 28cacf55aae92e61b4a4d64f773fd093e6e1c51f Mon Sep 17 00:00:00 2001 
From: Wade Pickett Date: Mon, 9 Jun 2025 12:07:46 -0700 Subject: [PATCH 2/5] WN update prev 5: Validaton Min API and OpenAPI (#35587) * WN update prev 5: Validaton Min API and OpenAPI * Removed unused empty file * typo fix * Update aspnetcore/release-notes/aspnetcore-10/includes/OpenApiPopulateXMLDocComments.md Co-authored-by: Mike Kistler * Update aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md Co-authored-by: Tom Dykstra --------- Co-authored-by: Mike Kistler Co-authored-by: Tom Dykstra --- aspnetcore/release-notes/aspnetcore-10.0.md | 2 +- .../aspnetcore-10/includes/OpenApiNetUpdatePrev.md | 8 ++++++++ .../aspnetcore-10/includes/OpenApiNetUpdatePrev17.md | 6 ------ .../aspnetcore-10/includes/ValidationSupportMinAPI.md | 3 +++ 4 files changed, 12 insertions(+), 7 deletions(-) create mode 100644 aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md delete mode 100644 aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev17.md diff --git a/aspnetcore/release-notes/aspnetcore-10.0.md b/aspnetcore/release-notes/aspnetcore-10.0.md index b18926db30ad..b73a7fa8825e 100644 --- a/aspnetcore/release-notes/aspnetcore-10.0.md +++ b/aspnetcore/release-notes/aspnetcore-10.0.md @@ -61,7 +61,7 @@ This section describes new features for OpenAPI. [!INCLUDE[](~/release-notes/aspnetcore-10/includes/OpenApiSchemasInTransformers.md)] -[!INCLUDE[](~/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev17.md)] +[!INCLUDE[](~/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md)] ### Authentication and authorization diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md b/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md new file mode 100644 index 000000000000..0b261f3e81e2 --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev.md 
@@ -0,0 +1,8 @@ +### OpenAPI.NET updated to Preview.18 + +The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation was upgraded to [v2.0.0-preview18](https://www.nuget.org/packages/Microsoft.OpenApi/2.0.0-preview.18). The v2.0.0-preview18 version improves compatibility with the updated library version. + +The previous v2.0.0-preview17 version included a number of bug fixes and improvements and also introduced some breaking changes. The breaking changes should only affect users that use document, operation, or schema transformers. Breaking changes in this version that may affect developers include the following: + +* [Ephemeral object properties are now in Metadata](https://github.com/microsoft/OpenAPI.NET/blob/main/docs/upgrade-guide-2.md#ephemeral-object-properties-are-now-in-metadata) +* [Use HTTP Method Object Instead of Enum](https://github.com/microsoft/OpenAPI.NET/blob/main/docs/upgrade-guide-2.md#use-http-method-object-instead-of-enum) diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev17.md b/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev17.md deleted file mode 100644 index 1da51018b6be..000000000000 --- a/aspnetcore/release-notes/aspnetcore-10/includes/OpenApiNetUpdatePrev17.md +++ /dev/null 
@@ -1,6 +0,0 @@ -### OpenAPI.NET updated to Preview.17 - -The OpenAPI.NET library used in ASP.NET Core OpenAPI document generation was upgraded to [v2.0.0-preview17](https://www.nuget.org/packages/Microsoft.OpenApi/2.0.0-preview.17). This version includes a number of bug fixes and improvements and also introduces some breaking changes. The breaking changes should only affect users that use document, operation, or schema transformers. Breaking changes in this iteration that may affect developers include the following: - -* [Ephemeral object properties are now in Metadata](https://github.com/microsoft/OpenAPI.NET/blob/main/docs/upgrade-guide-2.md#ephemeral-object-properties-are-now-in-metadata) -* [Use HTTP Method Object Instead of Enum](https://github.com/microsoft/OpenAPI.NET/blob/main/docs/upgrade-guide-2.md#use-http-method-object-instead-of-enum) diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/ValidationSupportMinAPI.md b/aspnetcore/release-notes/aspnetcore-10/includes/ValidationSupportMinAPI.md index 85e9628fe60b..4525d0fc7e9d 100644 --- a/aspnetcore/release-notes/aspnetcore-10/includes/ValidationSupportMinAPI.md +++ b/aspnetcore/release-notes/aspnetcore-10/includes/ValidationSupportMinAPI.md @@ -31,3 +31,6 @@ app.MapPost("/products", => TypedResults.Ok(productId)) .DisableValidation(); ``` + +> [!NOTE] +> Several small improvements and fixes have been made to the Minimal APIs validation generator introduced in ASP.NET Core for .NET 10. To support future enhancements, the underlying validation resolver APIs are now marked as experimental. The top-level `AddValidation` APIs and the built-in validation filter remain stable and non-experimental. From cb9bd1d81dec5ec90126092ca62dcff1347ae3c6 Mon Sep 17 00:00:00 2001 
From: Tom Dykstra Date: Mon, 9 Jun 2025 17:56:57 -0700 Subject: [PATCH 3/5] Customizable security descriptors for HTTP.sys (#35595) --- aspnetcore/release-notes/aspnetcore-10.0.md | 6 ++-- .../aspnetcore-10/includes/httpsys.md | 17 ++++++++++ .../samples/HttpSysConfig/Program.cs | 33 +++++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md create mode 100644 aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs diff --git a/aspnetcore/release-notes/aspnetcore-10.0.md b/aspnetcore/release-notes/aspnetcore-10.0.md index b73a7fa8825e..cc43fb503daa 100644 --- a/aspnetcore/release-notes/aspnetcore-10.0.md +++ b/aspnetcore/release-notes/aspnetcore-10.0.md @@ -13,7 +13,6 @@ This article highlights the most significant changes in ASP.NET Core in .NET 10 This article will be updated as new preview releases are made available. For breaking changes, see [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes). - ## Blazor @@ -90,8 +89,9 @@ For more information, see [ASP.NET Core Authorization and Authentication metrics This section describes miscellaneous new features in .NET 10. -[!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)] +[!INCLUDE[](~/release-notes/aspnetcore-10/includes/httpsys.md)] +[!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)] [!INCLUDE[](~/release-notes/aspnetcore-10/includes/jsonPatch.md)] @@ -116,3 +116,5 @@ if (RedirectHttpResult.IsLocalUrl(url)) Thank you [@martincostello](https://github.com/martincostello) for this contribution! ## Related content + + diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md b/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md new file mode 100644 index 000000000000..2f684863509a --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md 
@@ -0,0 +1,17 @@ +### Customizable security descriptors for HTTP.sys + + +You can now specify a custom security descriptor for HTTP.sys request queues. The new [RequestQueueSecurityDescriptor](https://source.dot.net/#Microsoft.AspNetCore.Server.HttpSys/HttpSysOptions.cs,a556950881fd2d87) property on enables more granular control over access rights for the request queue. This granular control lets you tailor security to your application's needs. + +#### What you can do with the new property + +A *request queue* in HTTP.sys is a kernel-level structure that temporarily stores incoming HTTP requests until your application is ready to process them. By customizing the security descriptor, you can allow or deny specific users or groups access to the request queue. This is useful in scenarios where you want to restrict or delegate HTTP.sys request handling at the operating system level. + +#### How to use the new property + +The `RequestQueueSecurityDescriptor` property applies only when creating a new request queue. The property doesn't affect existing request queues. To use this property, set it to a instance when configuring your HTTP.sys server. + +For example, the following code allows all authenticated users but denies guests: +[!code-csharp[](~/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs)] + +For more information, see . diff --git a/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs b/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs new file mode 100644 index 000000000000..28cedb07ca94 --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-10/samples/HttpSysConfig/Program.cs 
@@ -0,0 +1,33 @@ +using System.Security.AccessControl; +using System.Security.Principal; +using Microsoft.AspNetCore.Server.HttpSys; + +// Create a new security descriptor +var securityDescriptor = new CommonSecurityDescriptor(isContainer: false, isDS: false, sddlForm: string.Empty); + +// Create a discretionary access control list (DACL) +var dacl = new DiscretionaryAcl(isContainer: false, isDS: false, capacity: 2); +dacl.AddAccess( + AccessControlType.Allow, + new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), + -1, + InheritanceFlags.None, + PropagationFlags.None +); +dacl.AddAccess( + AccessControlType.Deny, + new SecurityIdentifier(WellKnownSidType.BuiltinGuestsSid, null), + -1, + InheritanceFlags.None, + PropagationFlags.None +); + +// Assign the DACL to the security descriptor +securityDescriptor.DiscretionaryAcl = dacl; + +// Configure HTTP.sys options +var builder = WebApplication.CreateBuilder(); +builder.WebHost.UseHttpSys(options => +{ + options.RequestQueueSecurityDescriptor = securityDescriptor; +}); From c2dc066173993b498680b9f4af9e3f6e37f78e75 Mon Sep 17 00:00:00 2001 From: Stefan Date: Tue, 10 Jun 2025 13:22:22 +0200 Subject: [PATCH 4/5] Update transforms-request.md (#35603) --- aspnetcore/fundamentals/servers/yarp/transforms-request.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/fundamentals/servers/yarp/transforms-request.md b/aspnetcore/fundamentals/servers/yarp/transforms-request.md index e60f81285b9a..1720da06c53a 100644 --- a/aspnetcore/fundamentals/servers/yarp/transforms-request.md +++ b/aspnetcore/fundamentals/servers/yarp/transforms-request.md 
@@ -491,7 +491,7 @@ Disable default headers: transformBuilderContext.UseDefaultForwarders = false; ``` -When the proxy connects to the destination server, the connection is indepenent from the one the client made to the proxy. The destination server likely needs original connection information for security checks and to properly generate absolute URIs for links and redirects. To enable information about the client connection to be passed to the destination a set of extra headers can be added. Until the `Forwarded` standard was created, a common solution is to use `X-Forwarded-*` headers. There is no official standard that defines the `X-Forwarded-*` headers and implementations vary, check your destination server for support. +When the proxy connects to the destination server, the connection is independent from the one the client made to the proxy. The destination server likely needs original connection information for security checks and to properly generate absolute URIs for links and redirects. To enable information about the client connection to be passed to the destination a set of extra headers can be added. Until the `Forwarded` standard was created, a common solution is to use `X-Forwarded-*` headers. There is no official standard that defines the `X-Forwarded-*` headers and implementations vary, check your destination server for support. This transform is enabled by default even if not specified in the route config. 
@@ -599,4 +599,4 @@ As the inbound and outbound connections are independent, there needs to be a way Servers do minimal validation on the incoming client certificate by default. The certificate should be validated either in the proxy or the destination, see the [client certificate auth](/aspnet/core/security/authentication/certauth) docs for details. -This transform will only apply if the client certificate is already present on the connection. See the [optional certs doc](/aspnet/core/security/authentication/certauth#optional-client-certificates) if it needs to be requested from the client on a per-route basis. \ No newline at end of file +This transform will only apply if the client certificate is already present on the connection. See the [optional certs doc](/aspnet/core/security/authentication/certauth#optional-client-certificates) if it needs to be requested from the client on a per-route basis. From 52918b28beead469dde5235e1c49f1f33355bc24 Mon Sep 17 00:00:00 2001 From: Wade Pickett Date: Tue, 10 Jun 2025 12:06:29 -0700 Subject: [PATCH 5/5] Update aspnetcore-10.0.md (#35604) Updating date and ms.author to publish --- aspnetcore/release-notes/aspnetcore-10.0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/release-notes/aspnetcore-10.0.md b/aspnetcore/release-notes/aspnetcore-10.0.md index cc43fb503daa..e43b53f97941 100644 --- a/aspnetcore/release-notes/aspnetcore-10.0.md +++ b/aspnetcore/release-notes/aspnetcore-10.0.md @@ -1,10 +1,10 @@ --- title: What's new in ASP.NET Core in .NET 10 -author: rick-anderson +author: wadepickett description: Learn about the new features in ASP.NET Core in .NET 10. -ms.author: riande +ms.author: wpickett ms.custom: mvc -ms.date: 4/12/2025 +ms.date: 06/10/2025 uid: aspnetcore-10 --- # What's new in ASP.NET Core in .NET 10
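Review bot: In PATCH 1/5 (GrpcGreeter/Program.cs, hunk at line 33), dropping `.EnableGrpcWeb()` is only correct because the context line above passes `new GrpcWebOptions { DefaultEnabled = true }` to `UseGrpcWeb`, and the commit message "Update Program.cs" does not say so. Suggest stating in the commit message, or in a comment beside `app.MapGrpcService()`, that gRPC-Web is enabled for every mapped service by that option, so a reader who copies the sample without `DefaultEnabled = true` knows the per-service call has to come back. The `MapGet` string in the same hunk reads "All gRPC service are supported"; "services" is meant.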
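Review bot: In PATCH 2/5, new file OpenApiNetUpdatePrev.md, the sentence "The v2.0.0-preview18 version improves compatibility with the updated library version" is circular and does not say what preview18 is now compatible with; name the thing or drop the sentence. After the rewrite, "Breaking changes in this version" can also be read as referring to preview18, although the two bullets were carried over from the deleted Preview.17 file; say "in v2.0.0-preview17" explicitly. The version is spelled three ways in this hunk (Preview.18 in the heading, preview18 in the text, preview.18 in the NuGet URL); pick the package's own version string and use it throughout.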
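Review bot: In PATCH 2/5, the NOTE appended to ValidationSupportMinAPI.md says the "underlying validation resolver APIs are now marked as experimental" without naming them, so a reader cannot tell whether their code is affected. Suggest listing or linking the affected types and saying what a caller has to do to keep using them. "Several small improvements and fixes" carries no information in a release note; either name the changes or remove the sentence.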
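Review bot: In PATCH 3/5, new file httpsys.md, the sentence "the following code allows all authenticated users but denies guests" does not match the sample it includes, which adds the Allow entry for `WellKnownSidType.BuiltinUsersSid`, the built-in Users group. Either reword the sentence to describe the built-in Users group or change the sample to the identity the text names. The section also never says what access the request queue gets when the property is left unset, which a reader needs in order to judge whether a custom descriptor tightens or loosens the default.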
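Review bot: In PATCH 3/5, new file samples/HttpSysConfig/Program.cs, both `dacl.AddAccess` calls pass `-1` as the access mask with no comment, so the Allow entry hands every access bit to the Users group in a sample that is introduced as showing "more granular control". Suggest a named constant or at least a comment explaining the mask, and preferably the narrowest rights the request queue needs. The file also ends after `UseHttpSys` with no `builder.Build()` or `app.Run()`, so it is a fragment rather than a runnable Program.cs; either complete it or mark a snippet region and include only that from httpsys.md.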
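Review bot: In PATCH 4/5, transforms-request.md hunk at line 491, the paragraph corrected for "indepenent" still has a tense mismatch ("Until the `Forwarded` standard was created, a common solution is") and a comma splice ("implementations vary, check your destination server"). Suggest "a common solution was" and a full stop or semicolon before "check". Because the paragraph says the destination relies on this information "for security checks", it would be worth one more sentence saying the destination should accept these headers only from the proxy.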