Revert log level severity for unknown proxy in ForwardedHeadersMiddleware #64097
+2
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @@BrennanConroy. This PR was just approved to be included in the upcoming servicing release. Somebody from the @dotnet/aspnet-build team will get it merged when the branches are open. Until then, please make sure all the CI checks pass and the PR is reviewed. |
There was a problem hiding this comment.
Pull Request Overview
Reverts the log level for unknown proxy detection in ForwardedHeadersMiddleware from Warning back to Debug to reduce unnecessary elevated telemetry. Also updates patch configuration to include the HttpOverrides package for servicing.
- Lowered log severity for unknown proxy detection
- Added Microsoft.AspNetCore.HttpOverrides to patch package list
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs | Adjusts logging level for unknown proxy from Warning to Debug. |
| eng/PatchConfig.props | Includes HttpOverrides package in 2.3.7 patch configuration. |
wtgodbe
approved these changes
Oct 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revert logging severity in ForwardedHeaders middleware
Description
As part of strengthening our security posture in the ForwardedHeaders middleware we increased the severity of a log from
DebugtoWarninghoping to give consumers a more obvious signal that unexpected requests were hitting their application.Unfortunately, that change doesn't have the intended effect as it's not uncommon to receive valid requests that have unknown IP addresses in the forwarded headers. e.g. In a proxy scenario where the proxy isn't hosted in a well-defined IP range, or a request goes through many proxy layers and the application is only aware of the last layer, etc.
Customer Impact
Customers are receiving lots of Warning logs, which may trigger telemetry checks, unexpectedly increase log storage size, etc.
Regression?
Change was intended as a signal that unexpected requests were being received, which isn't really accurate in real apps.
Risk
Just changing a log level to what it was before.
Verification
Packaging changes reviewed?
When servicing release/2.1