more forwarded headers config

cabinetoffice · Jan 17, 2025 · ea117ec · ea117ec
1 parent ff7638f
commit ea117ec
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/GenderPayGap.WebUI/Program.cs b/GenderPayGap.WebUI/Program.cs
@@ -17,6 +17,7 @@
 using GenderPayGap.WebUI.Search;
 using GenderPayGap.WebUI.Services;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using Microsoft.AspNetCore.Mvc.ModelBinding.Binders;
@@ -130,6 +131,13 @@ private static void ConfigureServices(IServiceCollection services)
                     options.JsonSerializerOptions.PropertyNameCaseInsensitive = true;
                     options.JsonSerializerOptions.PropertyNamingPolicy = null;
                 });
+
+            // Configure forwarded headers - this is so that the anti-forgery middleware (see below) is allowed to set a "Secure only" cookie
+            services.Configure<ForwardedHeadersOptions>(
+                options =>
+                {
+                    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+                });
 
             // Add anti-forgery token by default to forms making sure the Secure flag is always set
             services.AddAntiforgery(