Warn on port spoofing /7

[Rick-Anderson]

Fixes #29399
Solution from dotnet/aspnetcore#46057

Internal review URLS:

• Require host
• Host matching in routes with RequireHost

---

Internal previews

📄 File	🔗 Preview link
aspnetcore/fundamentals/routing.md	Routing in ASP.NET Core
aspnetcore/host-and-deploy/health-checks.md	Health checks in ASP.NET Core

[guardrex]

host port spoofing

Isn't the concern beyond just port spoofing to include the host as well? ... or did you want it with a slash there ... "host/port spoofing"?

RequireAuthorization

I'm not clear on why that would work. I didn't see that that was a solution in dotnet/aspnetcore#46057.

[Rick-Anderson]

@guardrex check my last commit on host/porr and suggest better wording.

RequireAuthorization

I'm not clear on why that would work. I didn't see that that was a solution in dotnet/aspnetcore#46057.

The PU will likely nix that but I thought I'd add it. It doesn't prevent authorized hosts from spoofing, just unauthorized, lol.

[guardrex]

I'm cool, except for this line ...

To prevent unauthorized clients from spoofing the port, call xref:Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization%2A:

... just because I don't think that's going to work.

[Rick-Anderson]

Should this be removed?

[Rick-Anderson]

I'm cool, except for this line ...

To prevent unauthorized clients from spoofing the port, call xref:Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization%2A:

... just because I don't think that's going to work.

@JamesNK will decide. It prevents unauthorized clients from port spoofing, but not authorized clients.

[JamesNK]

I'm not familiar with this attack or workaround. I'm not the right person to review.

[Rick-Anderson]

@blowdart or @Tratcher can you recommend a reviewer?