Last post Apr 03, 2020 09:14 AM by timur.kh
Apr 02, 2020 12:40 PM|claudiuss
Can you please help me with a detailed list of reasons why Kestrel is not secure to be exposed directly to the internet without a reverse proxy?
Also, for what other reasons is Kestrel problematic from a security perspective?
Apr 02, 2020 08:27 PM|timur.kh
As of version 3.1, Kestrel supports HTTPS, and Microsoft documentation mentions its use as an edge web server. So as far as official guidance indicates, there are no apparent security issues with it:
Either configuration, with or without a reverse proxy server, is a supported hosting configuration.
One reason not to expose it might be the fact that it does not support Host headers, meaning you can only host one website listening on one port.
It also will not support HTTP=>HTTPS redirects, as it only listens on one port. This will potentially hurt the usability of your site.
Apr 03, 2020 07:11 AM|claudiuss
Do you have any idea if I can find this information documented by Microsoft (regarding host headers and other limitations)?
Apr 03, 2020 09:14 AM|timur.kh
See the links in my original post: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#when-to-use-kestrel-with-a-reverse-proxy
This is where I'm taking it all from.