Microsoft released a security advisory in March 2026 addressing improper validation of certain HTTP headers in ASP.NET Core authentication middleware. The issue allows an attacker to craft requests that bypass role-based checks when the application is deployed behind certain reverse proxies or load balancers.

Production sites running ASP.NET Core 9 and 10 on Windows Server with IIS are the primary targets. The vulnerability stems from how forwarded headers are trusted without sufficient sanitization, affecting applications that rely on the built-in authentication handlers.

#Who Is Affected

Any ASP.NET Core application that enables the ForwardedHeaders middleware or uses the default JWT and cookie authentication schemes without explicit header validation is exposed. Self-hosted Kestrel instances behind IIS or Azure Application Gateway require immediate review.

  • Applications using app.UseAuthentication() without custom header sanitizers
  • Sites accepting X-Forwarded-For or X-Forwarded-Proto from untrusted sources
  • Deployments on Windows Server 2022 and 2025 with default IIS request filtering

#Immediate Mitigation Steps

Apply the latest security update for .NET 10. The patch strengthens header parsing inside the authentication pipeline. After updating, add explicit configuration to limit trusted proxies.

csharp 
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.ForwardLimit = 1;
});

#Additional Hardening Recommendations

Enforce strict request filtering at the IIS level and validate all authentication claims server-side regardless of incoming headers.

  • Enable IIS request filtering rules to reject requests containing multiple X-Forwarded headers
  • Add middleware that rejects any request where the scheme or host differs from the expected public endpoint
  • Review all custom authentication handlers for direct use of HttpContext.Request.Headers

#Verification and Monitoring

After applying patches and configuration changes, run targeted penetration tests against the authentication endpoints. Monitor IIS logs for unusual header patterns and set alerts for repeated 401 responses from unexpected client IPs.

Update your deployment pipeline to include the ForwardedHeadersOptions configuration as a standard template. Schedule monthly reviews of Microsoft security advisories and test patches in a staging environment before production rollout. These steps close the current exposure and reduce similar risks in future releases.