Skip to content

Add Kestrel security considerations article#37328

Open
BrennanConroy wants to merge 2 commits into
mainfrom
brennanconroy-kestrel-security-considerations-doc
Open

Add Kestrel security considerations article#37328
BrennanConroy wants to merge 2 commits into
mainfrom
brennanconroy-kestrel-security-considerations-doc

Conversation

@BrennanConroy

@BrennanConroy BrennanConroy commented Jul 9, 2026

Copy link
Copy Markdown
Member

Why

Kestrel has a large surface of security-relevant behaviors, configurable limits, and request-parsing decisions that weren't documented anywhere. This publishes that guidance as a proper Learn article so application developers configuring Kestrel in production and security auditors reviewing its threat surface have a single reference.

What

  • Adds aspnetcore/fundamentals/servers/kestrel/security-considerations.md, a new article covering trust boundaries and reverse-proxy topologies, transport security (TLS/mTLS), HTTP/1.1, HTTP/2, and HTTP/3 limits, request smuggling and parsing validation, forwarded headers, host filtering, rate limiting, WebSockets, named pipes, monitoring/metrics, and a production security checklist.
  • Adds a "Security considerations" entry under the Kestrel node in aspnetcore/toc.yml.

Notes for reviewers

  • Content was adapted from the source file to Learn conventions: frontmatter, sentence-case headings, Learn alerts (NOTE/TIP/IMPORTANT/WARNING), xref/site-relative links, and contractions.
  • API names are kept as inline code rather than <xref:...> cross-references to avoid fabricating unverified API doc IDs, per the repo's guidance. These can be linked later once IDs are confirmed.
  • Uses the not-latest-version-without-not-supported-content.md include, which is the required variant for articles targeting >= aspnetcore-8.0.
  • All in-page anchors, xref uids, the metrics bookmark, the include path, and external links were verified to resolve.
  • monikerRange is set to >= aspnetcore-8.0; adjust if a different lower bound is preferred.

This content is AI-assisted (ai-usage: ai-assisted in frontmatter).


Internal previews

📄 File 🔗 Preview link
aspnetcore/fundamentals/servers/kestrel/security-considerations.md aspnetcore/fundamentals/servers/kestrel/security-considerations
aspnetcore/toc.yml aspnetcore/toc

BrennanConroy and others added 2 commits July 9, 2026 15:42
Publish a new Learn article covering Kestrel's security considerations, configurable limits, and request-parsing behavior, and add a TOC entry under the Kestrel node.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Spell out 'and' in section headings (replacing '&' and '/') so the OPS-generated bookmarks use clean single-dash anchors, and update the in-page links to match. Resolves the bookmark-not-found build warnings.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@BrennanConroy BrennanConroy marked this pull request as ready for review July 9, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant