app.UseForwardedHeaders() does not use X-Forwarded headers

[kevinoid]

As @ygoe mentioned in dotnet/AspNetCore.Docs#2384 (comment), the behavior of .UseForwardedHeaders without arguments is unexpected and counter-intuitive. Since I was just caught by this as well, I decided to open this issue. Would it be possible to either have .UseForwardedHeaders default to ForwardedHeaders.All or to remove the zero-argument overload of this method?

Thanks,
Kevin

[Tratcher]

Unlikely, this choice was explicit. The x-forwarded headers are actually pretty dangerous if not used carefully, they can lead to spoofing attacks. As such the configuration needs to be explicit.

The zero-argument overload is for use with options configured in ConfigureServices rather than inline.

It may make sense for the middleware to throw on startup if ForwardedHeaders is still set to None.

[kevinoid]

The zero-argument overload is for use with options configured in ConfigureServices rather than inline.

Good to know. Thanks. It could be helpful to add that to the method comment.

It may make sense for the middleware to throw on startup if ForwardedHeaders is still set to None.

That would work for me.

[mattnewell]

We were also caught by this. I'd add a +1 to this suggestion:

It may make sense for the middleware to throw on startup if ForwardedHeaders is still set to None.

See also dotnet/AspNetCore.Docs#2384 (comment)

[shirhatti]

I realize this API in its current iteration is a pit of failure, but we've doced the behavior and at this point do not want to introduce a breaking change.