Merged
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,13 @@
# 0.19.3 <small>2026-04-29</small>

## 🐛 Bug Fixes
- Add forwarded headers middleware to `Site/Program.cs` so that links (e.g. download URLs) are
generated with `https://` when the app runs behind a reverse proxy such as an AWS ALB or Azure
Application Gateway that terminates TLS. Without this, the container sees plain HTTP and generates
`http://` links, which can break downloads due to auth cookies being stripped on redirect.

<!-- CHANGELOG_BOUNDARY -->

# 0.19.2 <small>2026-04-29</small>

## 💅 Improvements
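Review bot: The 0.19.3 entry describes the link fix but leaves out the trust decision that ships with it. Per the `Site/Program.cs` change, `KnownIPNetworks` and `KnownProxies` are cleared, so `X-Forwarded-For` and `X-Forwarded-Proto` are accepted from any sender. Add a sentence stating that the app must only be reachable through the reverse proxy, because operators upgrading from the changelog will not see the code comment that explains this.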
Expand Up @@ -3,9 +3,9 @@
<TargetFramework>net10.0</TargetFramework>
<AddRazorSupportForMvc>true</AddRazorSupportForMvc>
<RootNamespace>TransformalizeModule</RootNamespace>
<Version>0.19.1</Version>
<FileVersion>0.19.1</FileVersion>
<AssemblyVersion>0.19.1</AssemblyVersion>
<Version>0.19.3</Version>
<FileVersion>0.19.3</FileVersion>
<AssemblyVersion>0.19.3</AssemblyVersion>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Dale Newman</Authors>
<Copyright>Copyright © 2013-2026</Copyright>
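Review bot: `Version`, `FileVersion` and `AssemblyVersion` go from 0.19.1 straight to 0.19.3, while CHANGELOG.md lists 0.19.2 as the previous release. Confirm whether 0.19.2 was built from this project with the version still at 0.19.1; if it was, the published assembly does not match its changelog entry and that is worth a note, so consumers can tell which build they have.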
15 changes: 15 additions & 0 deletions src/Site/Program.cs
@@ -1,3 +1,4 @@
using Microsoft.AspNetCore.HttpOverrides;
using Serilog;

var builder = WebApplication.CreateBuilder(args);
Expand Down Expand Up @@ -32,6 +33,20 @@
app.UseHsts();
}

// Trust X-Forwarded-For and X-Forwarded-Proto headers so that generated links use the correct
// scheme (https) when the app runs in a private subnet behind a public-facing reverse proxy
// (e.g. AWS ALB, Azure Application Gateway). Without this, the container only sees http and
// generates http:// links, which can cause auth cookies to be stripped on redirect and break
// downloads. KnownIPNetworks/KnownProxies are cleared so any upstream proxy is trusted —
// this is safe when the container is not directly reachable from the internet, but would allow
// header spoofing if the app were exposed publicly without a proxy in front of it.
var forwardedOptions = new ForwardedHeadersOptions {
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
forwardedOptions.KnownIPNetworks.Clear();
forwardedOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardedOptions);

// app.UseHttpsRedirection();
app.UseStaticFiles();

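Review bot: `app.UseForwardedHeaders(forwardedOptions)` is registered after `app.UseHsts()`, so the HSTS middleware still sees the request as plain HTTP behind the TLS-terminating proxy and will not emit `Strict-Transport-Security`. Move the forwarded-headers block above the `UseHsts()` conditional so that the scheme is corrected before HSTS runs. Separately, clearing `KnownIPNetworks` and `KnownProxies` unconditionally makes the safety of this code depend entirely on network placement, as the comment itself says. Consider reading the proxy subnet(s) from configuration and adding them to `KnownIPNetworks`, and clearing the lists only behind an explicit opt-in setting. That way a deployment exposed without a proxy does not accept a client-supplied `X-Forwarded-For` (which would also end up as the remote IP in the Serilog request logs) or `X-Forwarded-Proto`.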