Share via

ForwardedHeadersOptions.AllowedHosts Property

  • Reference

Definition

Namespace:
Microsoft.AspNetCore.Builder
Assembly:
Microsoft.AspNetCore.HttpOverrides.dll
Package:
Microsoft.AspNetCore.HttpOverrides v2.1.0
Package:
Microsoft.AspNetCore.HttpOverrides v2.2.0
Package:
Microsoft.AspNetCore.App.Ref v3.0.1
Package:
Microsoft.AspNetCore.App.Ref v3.1.10
Package:
Microsoft.AspNetCore.App.Ref v5.0.0
Package:
Microsoft.AspNetCore.App.Ref v6.0.6
Package:
Microsoft.AspNetCore.App.Ref v7.0.5
Package:
Microsoft.AspNetCore.App.Ref v8.0.0
Package:
Microsoft.AspNetCore.App.Ref v9.0.0-rc.2.24474.3
Source:
ForwardedHeadersOptions.cs
Source:
ForwardedHeadersOptions.cs
Source:
ForwardedHeadersOptions.cs

The allowed values from x-forwarded-host. If the list is empty then all hosts are allowed. Failing to restrict this these values may allow an attacker to spoof links generated by your service.

public:
 property System::Collections::Generic::IList<System::String ^> ^ AllowedHosts { System::Collections::Generic::IList<System::String ^> ^ get(); void set(System::Collections::Generic::IList<System::String ^> ^ value); };
public System.Collections.Generic.IList<string> AllowedHosts { get; set; }
member this.AllowedHosts : System.Collections.Generic.IList<string> with get, set
Public Property AllowedHosts As IList(Of String)

Property Value

IList<String>

Remarks

  • Port numbers must be excluded.
  • A top level wildcard "*" allows all non-empty hosts.
  • Subdomain wildcards are permitted. E.g. "*.example.com" matches subdomains like foo.example.com, but not the parent domain example.com.
  • Unicode host names are allowed but will be converted to punycode for matching.
  • IPv6 addresses must include their bounding brackets and be in their normalized form.

Applies to