[Announcement] HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports

[Tratcher]

HttpsRedirectionMiddleware will throw if there are multiple ambiguous https ports

The HttpsRedirectionMiddleware (UseHttpsRedirection) will now throw an InvalidOperationException if it finds multiple https ports in the server config.

"Cannot determine the https port from IServerAddressesFeature, multiple values were found. Set the desired port explicitly on HttpsRedirectionOptions.HttpsPort."

Version introduced

6.0

Old behavior

When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to. If there are no https ports or multiple distinct ports then it's ambiguous which should be used so the middleware logs a warning and turns itself off. Http requests will be processed normally.

New behavior

When the HttpsRedirectionMiddleware isn't explicitly configured with a port it will search IServerAddressesFeature during the first request to figure out what https port it should redirect to.

If there are no https ports the middleware still logs a warning and turns itself off. Http requests will be processed normally. This supports development scenarios without https, as well as hosted scenarios where TLS is terminated before reaching the server.

If there are multiple distinct ports then it's ambiguous which should be used so the middleware throws an exception and fails the http request.

Reason for change

This is done to prevent potentially sensitive data from being served over un-encrypted http connections when https is known to be available.

Recommended action

To enable https redirection when the server has multiple distinct https ports you must specify one port in the configuration. See https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-5.0&tabs=visual-studio#port-configuration.

If you do not need the HttpsRedirectionMiddleware in your app then remove UseHttpsRedirection from Startup.cs.

If you need to select the correct https port dynamically then please provide feedback on #21291.

Category

ASP.NET

Affected APIs

UseHttpsRedirection

---

Issue metadata

• Issue type: breaking-change

[ghost]

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!