Update asp.net breaking change (#9934)

rbhanda · BrennanConroy · web-flow · commit c6c9df5f56a2 · 2025-06-12T13:51:36.000-07:00
* Update asp.net breaking change

* Update known-issues.md

* Update known-issues.md

* Update known-issues.md

* Update known-issues.md

---------

Co-authored-by: Brennan &lt;brecon@microsoft.com&gt;
diff --git a/release-notes/8.0/known-issues.md b/release-notes/8.0/known-issues.md
@@ -2,6 +2,14 @@
 
 You may encounter the following known issues, which may include workarounds, mitigations, or expected resolution timeframes.
 
+## ASP.NET
+
+### [8.0.17] Breaking Change: UseForwardedHeaders middleware now always checks ForwardedHeadersOptions.KnownNetworks and ForwardedHeadersOptions.KnownProxies
+
+`UseForwardedHeaders` middleware now always checks `ForwardedHeadersOptions.KnownNetworks` and `ForwardedHeadersOptions.KnownProxies`. Because both `KnownNetworks` and `KnownProxies` default to Loopback this means deployed applications may fail to apply `X-Forwarded-*` headers resulting in properties like scheme and host not being updated which can have side-effects e.g. `UseHttpsRedirection()` might always see http and always redirecting the request.
+ 
+The recommended fix is to set the `KnownNetworks` and `KnownProxies` values to the appropriate values. See https://learn.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer for more details on using proxies and `UseForwardedHeaders()`. Alternatively, if you are fine accepting `X-Forwarded-*` headers from any source, which introduces security vulnerabilities, you can clear the `KnownNetworks` and `KnownProxies` properties.
+
 ## .NET SDK
 
 ### [8.0.4xx] `dotnet workload restore` with a workload set configured in the global.json will not work
diff --git a/release-notes/9.0/known-issues.md b/release-notes/9.0/known-issues.md
@@ -2,6 +2,14 @@
 
 You may encounter the following known issues, which may include workarounds, mitigations, or expected resolution timeframes.
 
+## ASP.NET
+
+### [9.0.6] Breaking Change: UseForwardedHeaders middleware now always checks ForwardedHeadersOptions.KnownNetworks and ForwardedHeadersOptions.KnownProxies
+
+`UseForwardedHeaders` middleware now always checks `ForwardedHeadersOptions.KnownNetworks` and `ForwardedHeadersOptions.KnownProxies`. Because both `KnownNetworks` and `KnownProxies` default to Loopback this means deployed applications may fail to apply `X-Forwarded-*` headers resulting in properties like scheme and host not being updated which can have side-effects e.g. `UseHttpsRedirection()` might always see http and always redirecting the request.
+ 
+The recommended fix is to set the `KnownNetworks` and `KnownProxies` values to the appropriate values. See https://learn.microsoft.com/aspnet/core/host-and-deploy/proxy-load-balancer for more details on using proxies and `UseForwardedHeaders()`. Alternatively, if you are fine accepting `X-Forwarded-*` headers from any source, which introduces security vulnerabilities, you can clear the `KnownNetworks` and `KnownProxies` properties.
+
 ## .NET WPF
 
 ### 1. Usage of incorrect types as DynamicResource
