Skip to content

Include a warning about host spoofing in xml #63174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Include a warning about host spoofing in xml #63174

wants to merge 4 commits into from

Conversation

divyeshio
Copy link
Contributor

Include a warning about host spoofing in xml

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Summary of the changes

Adds remarks for warning about host spoofing
Changes taken from previously unmerged PR #54971

Description

Update API remarks for RoutingEndpointConventionBuilderExtensions.RequireHost to warn about host spoofing

This is how it looks like in VS code after changes. Idk why crefs are not rendered properly in VS code.

image

Fixes #48818

@Copilot Copilot AI review requested due to automatic review settings August 7, 2025 17:39
@divyeshio divyeshio requested a review from halter73 as a code owner August 7, 2025 17:39
@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Aug 7, 2025
@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Aug 7, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Thanks for your PR, @@divyeshio. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

Copilot
Copilot AI reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds important security-related documentation to the RequireHost method by including XML documentation remarks that warn developers about host spoofing vulnerabilities. The changes provide guidance on how to properly verify server names and local ports to prevent spoofing attacks.

  • Adds comprehensive XML documentation with security warnings about Host header spoofing
  • Provides specific mitigation recommendations using TLS handshake verification and connection info validation
  • Includes a new using directive for Microsoft.AspNetCore.Http to support the documentation references

@build-analysis build-analysis bot mentioned this pull request Aug 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update API remarks for RoutingEndpointConventionBuilderExtensions.RequireHost to warn about host spoofing
1 participant
@divyeshio