
Commit e2e9027

committed
DC-141 Fix: Warning related to KnownIPNetworks
1 parent c60a88e commit e2e9027

1 file changed

Lines changed: 3 additions & 3 deletions


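--- a/src/SEBT.Portal.Api/Program.cs
+++ b/src/SEBT.Portal.Api/Program.cs
@@ -329,13 +329,13 @@ await context.HttpContext.Response.WriteAsJsonAsync(
 // from the Next.js server's single private IP, collapsing all clients into
 // one rate-limit bucket.
 //
-// Current configuration uses open trust (cleared KnownProxies/KnownNetworks)
+// Current configuration uses open trust (cleared KnownProxies/KnownIPNetworks)
 // which is acceptable because the API is not directly reachable from the
 // public internet. ForwardLimit = 1 ensures only the last proxy hop is read,
 // preventing clients from prepending fake entries.
 //
 // TODO: For defense-in-depth, consider restricting trust to the VPC CIDR:
-// options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
+// options.KnownIPNetworks.Add(IPNetwork.Parse("10.0.0.0/8"));
 // This would reject forwarded headers from any source outside the private
 // network, guarding against future topology changes that might expose the API.
 var forwardedHeadersOptions = new ForwardedHeadersOptions
@@ -347,7 +347,7 @@ await context.HttpContext.Response.WriteAsJsonAsync(
 // the API is on a private network with no public ingress. Clear the defaults
 // (loopback) so the middleware processes headers from all sources.
 forwardedHeadersOptions.KnownProxies.Clear();
-forwardedHeadersOptions.KnownNetworks.Clear();
+forwardedHeadersOptions.KnownIPNetworks.Clear();
 app.UseForwardedHeaders(forwardedHeadersOptions);
 
 app.UseRouting();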
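Review bot: The two `Clear()` calls at new lines 349-350 still leave the middleware accepting forwarded headers from any sender, so the client IP that feeds rate-limit bucketing is only as trustworthy as the network path; `ForwardLimit = 1` bounds how many entries are read but says nothing about who wrote the entry that is read. Since the code is already being moved to the new API, the TODO at line 338 could be applied rather than just reworded, by adding `forwardedHeadersOptions.KnownIPNetworks.Add(System.Net.IPNetwork.Parse("10.0.0.0/8"));` after the `Clear()` calls, with the CIDR set to the actual VPC range. Writing the type as `System.Net.IPNetwork` in the TODO would also avoid binding to the older `Microsoft.AspNetCore.HttpOverrides.IPNetwork` if that namespace is imported; the using directives are outside the hunk, so this is unconfirmed. The options initializer that begins at line 341 continues outside the visible hunks.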
