
@BrennanConroy
Member

AppContext for HttpSys CBT hardening

Description

Request from a partner team to allow setting hardened security for their HTTP.Sys applications.

Customer Impact

By default there is no impact; this change is opt-in. If the change is enabled then it sets hardened security for the endpoints exposed by the HTTP.Sys application.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Purely opt-in change. We've also verified the change with the partner team.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@BrennanConroy BrennanConroy added this to the 8.0.x milestone Nov 10, 2025
Copilot AI review requested due to automatic review settings November 10, 2025 23:02
@BrennanConroy BrennanConroy added the Servicing-consider Shiproom approval is required for the issue label Nov 10, 2025
@dotnet-policy-service
Contributor

Hi @BrennanConroy. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add the tell-mode label.

Copilot finished reviewing on behalf of BrennanConroy November 10, 2025 23:05
Copilot AI left a comment

Pull Request Overview

This PR introduces an opt-in AppContext switch to enable Channel Binding Token (CBT) hardening for HTTP.Sys applications, allowing partner teams to set hardened security for their HTTP.Sys endpoints.

  • Adds new native interop types HTTP_AUTHENTICATION_HARDENING_LEVELS enum and HTTP_CHANNEL_BIND_INFO struct to support CBT hardening configuration
  • Implements AppContext switch Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening to conditionally apply medium-level authentication hardening during UrlGroup initialization
  • Removes unused using statements from HttpApiTypes.cs

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File / Description
  • src/Shared/HttpSys/NativeInterop/HttpApiTypes.cs: Defines native interop types for CBT hardening (enum and struct) and removes unused using statements
  • src/Servers/HttpSys/src/NativeInterop/UrlGroup.cs: Implements opt-in CBT hardening in the UrlGroup constructor via the AppContext switch and sets HttpServerChannelBindProperty when enabled

Comment on lines +51 to +56
var channelBindingSettings = new HTTP_CHANNEL_BIND_INFO
{
    Hardening = HTTP_AUTHENTICATION_HARDENING_LEVELS.HttpAuthenticationHardeningMedium,
    ServiceNames = IntPtr.Zero,
    NumberOfServiceNames = 0,
};
Copilot AI Nov 10, 2025

The HTTP_CHANNEL_BIND_INFO struct has a Flags field (see line 666 in HttpApiTypes.cs) that should be set, following the pattern used in other property setters in this class (e.g., SetDelegationProperty, AttachToQueue, SetMaxConnections). Consider setting Flags = (uint)HttpApiTypes.HTTP_FLAGS.HTTP_PROPERTY_FLAG_PRESENT to indicate the property is present.

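As an added illustration (not code from this PR or from the ASP.NET Core repository), the C# sketch below shows the two halves of an opt-in like the one under review: how an application flips the AppContext switch before the host starts, and how the server side reads the switch and builds the channel-binding property, this time with the Flags field set as the review comment above suggests. The switch name, the enum value and the struct field names are the ones named on this page; the managed type definitions are this example's own mirrors of the http.h layout and are an assumption, not a copy of the project's HttpApiTypes.cs.

```csharp
using System;
using System.Runtime.InteropServices;

// Managed mirrors of the http.h types. Layout and numeric values are assumptions
// for this example (taken from the public http.h definitions), not the project's code.
enum HTTP_AUTHENTICATION_HARDENING_LEVELS : uint
{
    HttpAuthenticationHardeningLegacy = 0, // no channel binding token check
    HttpAuthenticationHardeningMedium = 1, // token verified when the client sends one
    HttpAuthenticationHardeningStrict = 2, // token required
}

[Flags]
enum HTTP_FLAGS : uint
{
    NONE = 0,
    HTTP_PROPERTY_FLAG_PRESENT = 0x1,
}

[StructLayout(LayoutKind.Sequential)]
struct HTTP_CHANNEL_BIND_INFO
{
    public HTTP_AUTHENTICATION_HARDENING_LEVELS Hardening;
    public uint Flags;
    public IntPtr ServiceNames;
    public uint NumberOfServiceNames;
}

static class CbtHardening
{
    // Switch name as given on this page.
    public const string SwitchName = "Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening";

    // Application side: opt in before the host is built, so the server sees the
    // switch when it creates its URL group.
    public static void OptIn() => AppContext.SetSwitch(SwitchName, true);

    // Server side: hardening stays off unless the switch is explicitly true.
    public static bool IsEnabled()
        => AppContext.TryGetSwitch(SwitchName, out var enabled) && enabled;

    // Builds the value a call to HttpSetUrlGroupProperty(HttpServerChannelBindProperty)
    // would receive. Returns null when the switch is off so the caller leaves the
    // default behaviour untouched.
    public static HTTP_CHANNEL_BIND_INFO? BuildChannelBindInfo()
    {
        if (!IsEnabled())
        {
            return null;
        }

        return new HTTP_CHANNEL_BIND_INFO
        {
            Hardening = HTTP_AUTHENTICATION_HARDENING_LEVELS.HttpAuthenticationHardeningMedium,
            // Marks the property as present, matching the other property setters
            // the review comment points to (the field the reviewed snippet omits).
            Flags = (uint)HTTP_FLAGS.HTTP_PROPERTY_FLAG_PRESENT,
            ServiceNames = IntPtr.Zero,   // no service name list supplied
            NumberOfServiceNames = 0,
        };
    }
}

static class Program
{
    static void Main()
    {
        // Default: switch unset, so no property is built.
        Console.WriteLine($"default: {CbtHardening.BuildChannelBindInfo()?.Hardening.ToString() ?? "not set"}");

        // After opting in, the medium hardening level is selected and the present flag is set.
        CbtHardening.OptIn();
        var info = CbtHardening.BuildChannelBindInfo()!.Value;
        Console.WriteLine($"opted in: Hardening={info.Hardening}, Flags=0x{info.Flags:x}");
    }
}
```

Calling AppContext.SetSwitch from code is one way to opt in; the same switch can be set without a code change through the host's runtimeconfig.json configProperties (a standard .NET mechanism, assumed here to apply to this switch as to any other). Either way, the check on the server side defaults to false, so an application that never sets the switch keeps its existing behaviour.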
@rbhanda rbhanda modified the milestones: 8.0.x, 8.0.23 Nov 11, 2025