Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
ForwardedHeadersOptions.AllowedHosts Property
Definition
- Namespace:
- Microsoft.AspNetCore.Builder
- Assembly:
- Microsoft.AspNetCore.HttpOverrides.dll
- Package:
- Microsoft.AspNetCore.App.Ref v10.0.0
- Package:
- Microsoft.AspNetCore.App.Ref v11.0.0-preview.4.26230.115
- Package:
- Microsoft.AspNetCore.HttpOverrides v2.1.0
- Package:
- Microsoft.AspNetCore.HttpOverrides v2.2.0
- Package:
- Microsoft.AspNetCore.App.Ref v3.0.1
- Package:
- Microsoft.AspNetCore.App.Ref v3.1.10
- Package:
- Microsoft.AspNetCore.App.Ref v5.0.0
- Package:
- Microsoft.AspNetCore.App.Ref v6.0.36
- Package:
- Microsoft.AspNetCore.App.Ref v7.0.5
- Package:
- Microsoft.AspNetCore.App.Ref v8.0.19
- Package:
- Microsoft.AspNetCore.App.Ref v9.0.8
- Source:
- ForwardedHeadersOptions.cs
- Source:
- ForwardedHeadersOptions.cs
- Source:
- ForwardedHeadersOptions.cs
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The allowed values from x-forwarded-host. If the list is empty then all hosts are allowed. Failing to restrict this these values may allow an attacker to spoof links generated by your service.
public:
property System::Collections::Generic::IList<System::String ^> ^ AllowedHosts { System::Collections::Generic::IList<System::String ^> ^ get(); void set(System::Collections::Generic::IList<System::String ^> ^ value); };public System.Collections.Generic.IList<string> AllowedHosts { get; set; }member this.AllowedHosts : System.Collections.Generic.IList<string> with get, setPublic Property AllowedHosts As IList(Of String)Property Value
Remarks
- Port numbers must be excluded.
- A top level wildcard "*" allows all non-empty hosts.
- Subdomain wildcards are permitted. E.g. "*.example.com" matches subdomains like foo.example.com, but not the parent domain example.com.
- Unicode host names are allowed but will be converted to punycode for matching.
- IPv6 addresses must include their bounding brackets and be in their normalized form.
Applies to
Feedback
Was this page helpful?