Context
Program.cs (Web) currently calls KnownIPNetworks.Clear() and KnownProxies.Clear(). Clearing both lists removes the default loopback entries, so the ForwardedHeaders middleware honours X-Forwarded-For (and whatever other X-Forwarded-* headers it is configured for) from any source, not just the platform ingress. An external client can then set X-Forwarded-For itself and spoof the address the application sees in RemoteIpAddress, which undermines any IP-based logging, rate limiting or allow-listing built on it. This is overly permissive.
Target State
Restrict forwarded-header trust to the Azure Container Apps internal subnet range only.
Implementation
- Determine the Container Apps Environment internal CIDR (typically 10.0.0.0/16 or similar); confirm it from the environment configuration rather than assuming it.
- Instead of clearing the lists, add only that CIDR to KnownNetworks:
  options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 16));
- Make the CIDR configurable via appsettings.json for environment portability, and fail at startup if the configured value does not parse, so a typo cannot silently fall back to an unintended trust range.
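The three steps above as one Program.cs, written here as an added example rather than the project's own code. The configuration key ForwardedHeaders:TrustedNetworks, the ParseCidr helper and the /whoami endpoint are assumptions made for the example; the property and type used (KnownNetworks with Microsoft.AspNetCore.HttpOverrides.IPNetwork) are the ones the snippet above uses, so on a target that exposes KnownIPNetworks with System.Net.IPNetwork, substitute that list and type. The explicit alias is needed because both System.Net and Microsoft.AspNetCore.HttpOverrides define a type named IPNetwork.

```csharp
// Added example (not the project's Program.cs): restrict forwarded-header trust
// to CIDRs read from configuration instead of clearing the known-network list.
using System;
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork; // disambiguate from System.Net.IPNetwork

var builder = WebApplication.CreateBuilder(args);

// Before (the overly permissive configuration the ticket describes):
// builder.Services.Configure<ForwardedHeadersOptions>(options =>
// {
//     options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
//     options.KnownNetworks.Clear();   // any client can now spoof X-Forwarded-For
//     options.KnownProxies.Clear();
// });

// After: only proxies inside the configured CIDRs are trusted.
// Hypothetical appsettings.json section assumed by this example:
//   "ForwardedHeaders": { "TrustedNetworks": [ "10.0.0.0/16" ] }
var trustedCidrs = builder.Configuration
    .GetSection("ForwardedHeaders:TrustedNetworks")
    .Get<string[]>() ?? Array.Empty<string>();

if (trustedCidrs.Length == 0)
{
    // Fail closed: with nothing configured the middleware keeps its defaults
    // (loopback only) rather than trusting every source.
    Console.Error.WriteLine("ForwardedHeaders:TrustedNetworks is empty; X-Forwarded-* is honoured from loopback only.");
}

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // No Clear() calls: the default loopback entries stay, the trusted range is added.
    foreach (var cidr in trustedCidrs)
    {
        options.KnownNetworks.Add(ParseCidr(cidr));
    }
});

var app = builder.Build();
app.UseForwardedHeaders(); // must run before anything that reads RemoteIpAddress

// Check endpoint (assumed for the example): from inside the trusted range a request
// with X-Forwarded-For reflects that header; from outside, the header is ignored and
// the TCP peer address is returned.
app.MapGet("/whoami", (HttpContext ctx) => ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown");
app.Run();

// Parses "10.0.0.0/16" into the IPNetwork type used by KnownNetworks and rejects
// malformed input at startup instead of silently trusting the wrong range.
static IPNetwork ParseCidr(string cidr)
{
    var parts = cidr.Split('/');
    if (parts.Length != 2
        || !IPAddress.TryParse(parts[0], out var prefix)
        || !int.TryParse(parts[1], out var length))
    {
        throw new InvalidOperationException($"Invalid CIDR in ForwardedHeaders:TrustedNetworks: '{cidr}'");
    }

    var maxLength = prefix.AddressFamily == AddressFamily.InterNetworkV6 ? 128 : 32;
    if (length < 0 || length > maxLength)
    {
        throw new InvalidOperationException($"Prefix length out of range in '{cidr}'");
    }

    return new IPNetwork(prefix, length);
}
```

To verify the change, call /whoami once from inside the Container Apps environment with an X-Forwarded-For header and once from the public internet with a forged one; only the first should reflect the header value.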
Risk
Azure may rotate internal IPs, so test thoroughly before deploying. The CIDR should be confirmed from the Container Apps Environment configuration. Both failure directions matter: if the range is too narrow and the ingress proxy falls outside it, the middleware ignores X-Forwarded-For and RemoteIpAddress becomes the proxy's address; if it is too wide, the spoofing problem this change is meant to fix returns. After deploying, check from outside the environment that a request carrying a forged X-Forwarded-For header is not reflected in RemoteIpAddress.
Priority
Low