Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware.

[BrennanConroy]

Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware.

Description

We previously fixed a bug where KnownProxies and KnownNetworks weren't being applied in common cases. We didn't realize at the time this would break many customers apps.

The workaround is to configure KnownProxies and KnownNetworks, which is intended, and our docs do state that users should configure these. But due to the bug we recently fixed, users didn't need to configure those options for the app to work.

We're adding an app context switch to opt-out of the breaking change and go back to the previous behavior. This gives users the option to update their app code at a more convenient time, e.g. when 10.0 releases.

Customer Impact

Customers have noticed that updating to the latest patch breaks scenarios like Https redirection and auth flows due to the X-Forwarded-Proto header not being applied anymore.

Regression?

• Yes
• No

2.3.4, 8.0.17, 9.0.6
Change was made on purpose to harden security, but didn't realize it would cause a regression.

Risk

• High
• Medium
• Low

Just adding an app context switch. Test coverage added for the switch as well.

Verification

• Manual (required)
• Automated

Packaging changes reviewed?

• Yes
• No
• N/A

[dotnet-policy-service]

Hi @@BrennanConroy. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add tell-mode label.

[Copilot]

Pull Request Overview

Adds a new AppContext switch and matching environment variable so that users can opt out of the stricter proxy validation change in the ForwardedHeaders middleware, restoring the previous behavior when no X-Forwarded-For header is present.

• Introduces a private _ignoreUnknownProxiesWithoutFor flag initialized from AppContext.SetSwitch or an environment variable.
• Wraps the existing KnownProxies/KnownNetworks check in ApplyForwarders to skip validation when the flag is enabled.
• Adds two theory-based tests verifying both the AppContext switch and the environment variable override.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs	Added _ignoreUnknownProxiesWithoutFor field, switch/env loading, and conditional proxy check.
src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs	Added tests for the AppContext switch and environment variable opt-out scenarios.

Comments suppressed due to low confidence (1)

src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs:67

• Add an XML doc comment on the middleware constructor or the switch key constant to describe the purpose of this AppContext switch and the corresponding environment variable, so that it's surfaced in public API documentation.

        if (AppContext.TryGetSwitch("Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor", out var enabled)

[Copilot]

[nitpick] Extract the switch key string into a private const string (and reuse it for the environment-variable name) to avoid magic strings and ensure consistency.

Suggested change

	if (AppContext.TryGetSwitch("Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor", out var enabled)
	&& enabled)
	{
	_ignoreUnknownProxiesWithoutFor = true;
	}
	if (Environment.GetEnvironmentVariable("MICROSOFT_ASPNETCORE_HTTPOVERRIDES_IGNORE_UNKNOWN_PROXIES_WITHOUT_FOR") is string env
	const string SwitchKey = "Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor";
	const string EnvVarKey = "MICROSOFT_ASPNETCORE_HTTPOVERRIDES_IGNORE_UNKNOWN_PROXIES_WITHOUT_FOR";
	if (AppContext.TryGetSwitch(SwitchKey, out var enabled) && enabled)
	{
	_ignoreUnknownProxiesWithoutFor = true;
	}
	if (Environment.GetEnvironmentVariable(EnvVarKey) is string env

[Copilot]

[nitpick] The AppContext and environment-variable tests share nearly identical setup. Consider extracting the common host setup and assertion logic into a helper or combining them into a single parameterized test to reduce duplication.

[BrennanConroy]

/backport to release/8.0

[github-actions]

Started backporting to release/8.0: https://github.com/dotnet/aspnetcore/actions/runs/16230613374

[BrennanConroy]

/backport to release/2.3

[github-actions]

Started backporting to release/2.3: https://github.com/dotnet/aspnetcore/actions/runs/16230628317

[github-actions]

@BrennanConroy backporting to "release/2.3" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware.
Using index info to reconstruct a base tree...
M	src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs
M	src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
CONFLICT (content): Merge conflict in src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
Auto-merging src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs
CONFLICT (content): Merge conflict in src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware.
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!